Bug 1210757 - python-debian: GPG keys verification bypass (similar to CVE-2015-0840)
Summary: python-debian: GPG keys verification bypass (similar to CVE-2015-0840)
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1210758 1210759
Blocks: 1210762
Reported: 2015-04-10 13:46 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:31 UTC (History)

Fixed In Version: python-debian 0.1.27
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-04-15 07:44:36 UTC
Embargoed:


Attachments
upstream patch (1.11 KB, application/mbox)
2015-04-14 13:58 UTC, Ján Rusnačko

Description Vasyl Kaigorodov 2015-04-10 13:46:31 UTC
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782276:
"""
While dealing with the dpkg security issue (fixed in 1.16.16, and the
upcoming 1.17.25), I checked other implementations and found that it
also affects the python-debian modules.

The parser is too lax and accepts any whitespace while GnuPG only
accepts [\r\t ] at the end of an Armor Header line, which means that a
message could be doctored to include lines that will be ignored by GnuPG
but parsed by the python-debian modules.
"""

This issue is similar to bug 1210748; the patch is attached to the Debian bug.
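To make the parser discrepancy concrete, here is an added Python example (not python-debian's own code): a lax Armor Header check that tolerates any Unicode whitespace, beside a strict check limited to the [\r\t ] trailing set the report attributes to GnuPG, both run over constructed sample lines. The lax function is an illustration of the bug class, not the exact vulnerable line.

```python
import re

# Armor Header line as found at the top of a clearsigned file (e.g. InRelease).
ARMOR_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"

# Lax check (constructed to illustrate the bug class): str.rstrip() with no
# argument strips *any* Unicode whitespace, so "\x0c", "\u2028" and similar
# after the header are silently tolerated, although GnuPG would not treat such
# a line as an Armor Header.
def lax_is_armor_header(line: str) -> bool:
    return line.rstrip() == ARMOR_HEADER

# Strict check: only [\r\t ] may follow the header before the line terminator,
# mirroring the acceptance rule the report attributes to GnuPG.
_STRICT = re.compile(r"^-----BEGIN PGP SIGNED MESSAGE-----[\r\t ]*\n?$")

def strict_is_armor_header(line: str) -> bool:
    return _STRICT.match(line) is not None

def classify(lines):
    """Return (lax_hits, strict_hits): indexes of lines each check accepts.

    Any index present in lax_hits but not in strict_hits is a line the lax
    parser would act on while GnuPG ignores it, which is exactly the gap
    that lets a doctored message be interpreted differently by the two.
    """
    lax = [i for i, line in enumerate(lines) if lax_is_armor_header(line)]
    strict = [i for i, line in enumerate(lines) if strict_is_armor_header(line)]
    return lax, strict

# Constructed sample: a clean header, one with GnuPG-accepted trailing
# whitespace, two with whitespace GnuPG does not accept, and a non-header line.
SAMPLE = [
    ARMOR_HEADER + "\n",
    ARMOR_HEADER + " \t\r\n",
    ARMOR_HEADER + "\x0c\n",
    ARMOR_HEADER + "\u2028\n",
    "Hash: SHA256\n",
]

if __name__ == "__main__":
    lax_hits, strict_hits = classify(SAMPLE)
    print("lax accepts:   ", lax_hits)
    print("strict accepts:", strict_hits)
    print("divergent lines:", sorted(set(lax_hits) - set(strict_hits)))
```

A parser that must agree with GnuPG should use the strict form; the divergent indexes from `classify` are the lines a verification-bypass payload would rely on.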

Comment 1 Vasyl Kaigorodov 2015-04-10 13:47:48 UTC
Created python-debian tracking bugs for this issue:

Affects: fedora-all [bug 1210758]
Affects: epel-all [bug 1210759]

Comment 2 Ján Rusnačko 2015-04-14 13:58:26 UTC
Created attachment 1014333 [details]
upstream patch

Comment 3 Miroslav Suchý 2015-04-14 16:48:33 UTC
Upstream released new version 0.1.27, which fixes this issue. The tar file will be accessible in a matter of hours; I will rebase the package tomorrow.

Comment 4 Ján Rusnačko 2015-04-15 07:37:51 UTC
Analysis:

The vulnerable line was introduced in commit 785cef6faca4496549946a552a03b988871b6e3b, authored 2014-08-25 as a fix for #695932. Version 0.1.21, which is currently present in Fedora and EPEL, was released 2014-06-01 and does not contain the vulnerable code.

