Bug 809267 (CVE-2012-3458)

Summary: CVE-2012-3458 python-beaker: weak use of crypto can leak information to remote attackers
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dmalcolm, mitr, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:58:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 847898    
Bug Blocks: 826710    

Description Vincent Danen 2012-04-02 22:28:46 UTC 
It was discovered that python-beaker, a library for web applications, used weak cryptography with its encryption backend.  The encryption backend can use one of several backends, including python-crypto.  With the default parameters, when python-crypto is used, it will use ECB cipher mode, and any two 16-byte-aligned plaintext blocks with the same contents will be encrypted into the same ciphertext blocks at the corresponding positions.  An attacker able to guess the structure of a part of the session data, and influence contents of some data, could use this to check whether other parts of the session have a specific value.

When python-beaker uses other encryption backends, such as pycryptopp, it uses the CTR cipher mode rather than ECB, which does not have this vulnerability.

In Red Hat Enterprise Linux 6, python-beaker does not support or use python-crypto, and is not vulnerable to this flaw.

In current Fedora releases, python-beaker can use both backends, but prefers pycryptopp (and the package Requires it), and is not vulnerable to this flaw.

Statement:

Not vulnerable. This issue did not affect the versions of python-beaker as shipped with Red Hat Enterprise Linux 6 as it did not include support for using python-crypto.
Comment 7 Vincent Danen 2012-08-13 23:26:43 UTC 
This is now public:

https://github.com/bbangert/beaker/commit/91becae76101cf87ce8cbfabe3af2622fc328fe5

Probably also want this patch as well (to prefer nsscrypto over pycrypto):

https://github.com/bbangert/beaker/commit/4733630c0359636f5ab8e1b2b33470c67b5ba4fc
Comment 8 Vincent Danen 2012-08-13 23:29:25 UTC 
Created python-beaker tracking bugs for this issue

Affects: epel-5 [bug 847898]