Bug 1758704 (CVE-2019-14853) - CVE-2019-14853 python-ecdsa: Unexpected and undocumented exceptions during signature decoding
Summary: CVE-2019-14853 python-ecdsa: Unexpected and undocumented exceptions during signature decoding
Keywords:
Status: NEW
Alias: CVE-2019-14853
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1760095 1762802 1807859 1758705 1758706 1762803 1779461
Blocks: 1758708
Reported: 2019-10-04 22:41 UTC by Pedro Sampaio
Modified: 2020-07-10 21:37 UTC (History)

Fixed In Version: python-ecdsa 0.13.3
Doc Type: If docs needed, set a value
Doc Text:
An error-handling flaw was found in python-ecdsa. During signature decoding, malformed DER signatures could raise unexpected exceptions (or no exceptions at all), which could lead to a denial of service.
Clone Of:
Environment:
Last Closed:



Description Pedro Sampaio 2019-10-04 22:41:10 UTC
A flaw was found in python-ecdsa. Unexpected and undocumented exceptions raised during signature decoding may lead to denial of service in some cases. All the versions between at least 0.5 and 0.13.2 are thought to be vulnerable.

Upstream issue:

https://github.com/warner/python-ecdsa/issues/114

Upstream patch:

https://github.com/warner/python-ecdsa/pull/115

References:

https://github.com/warner/python-ecdsa/blob/bb359d32e93acc3eb4d216aff4ba0e7531599cfb/ecdsa/keys.py#L98-L113
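
The Doc Text above describes the defensive property a signature decoder needs: malformed DER must surface as one documented exception type, never as a stray IndexError or as a silently wrong (r, s). The block below is an added illustration written for this bug report, not python-ecdsa's own code. It contains a strict decoder for the DER ECDSA signature structure (SEQUENCE of two INTEGERs) beside a naive index-based decoder that shows the failure modes named in the report, and a small `classify` helper that reports which exception type escapes. The names `MalformedSignature`, `decode_der_signature`, `naive_decode` and `classify`, the optional `order` range check, and every sample signature are constructed for the example.

```python
"""Strict DER decoder for an ECDSA signature value: SEQUENCE { INTEGER r, INTEGER s }.

Added illustration, not python-ecdsa's code. Design goal: every malformed input
surfaces as the single documented exception MalformedSignature, and inputs that
are only almost well-formed (truncated, trailing bytes, non-minimal encodings,
negative values) are rejected rather than silently decoded. All names and the
sample signatures below are constructed for this example.
"""


class MalformedSignature(ValueError):
    """The one exception callers must handle for any malformed DER input."""


def _read_length(data: bytes, pos: int):
    """Decode a DER length at data[pos]; return (length, next_pos)."""
    if pos >= len(data):
        raise MalformedSignature("truncated length")
    first = data[pos]
    pos += 1
    if first < 0x80:                      # short form
        return first, pos
    num_bytes = first & 0x7F
    if num_bytes == 0 or num_bytes > 4:   # indefinite form / absurd size: not DER
        raise MalformedSignature("invalid long-form length")
    if pos + num_bytes > len(data):
        raise MalformedSignature("truncated length")
    length = int.from_bytes(data[pos:pos + num_bytes], "big")
    if length < 0x80 or data[pos] == 0:   # DER requires the minimal encoding
        raise MalformedSignature("non-minimal length encoding")
    return length, pos + num_bytes


def _read_integer(data: bytes, pos: int):
    """Decode a DER INTEGER at data[pos]; return (value, next_pos)."""
    if pos >= len(data) or data[pos] != 0x02:
        raise MalformedSignature("expected INTEGER tag")
    length, pos = _read_length(data, pos + 1)
    end = pos + length
    if length == 0 or end > len(data):
        raise MalformedSignature("empty or truncated INTEGER")
    body = data[pos:end]
    if body[0] & 0x80:                    # two's-complement negative: never valid for r or s
        raise MalformedSignature("negative INTEGER")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise MalformedSignature("non-minimal INTEGER encoding")
    return int.from_bytes(body, "big"), end


def decode_der_signature(sig, order=None):
    """Return (r, s) from a DER ECDSA signature, or raise MalformedSignature.

    `order` is an optional curve order (assumed parameter); when given,
    r and s must lie in [1, order-1].
    """
    if not isinstance(sig, (bytes, bytearray)):
        raise MalformedSignature("signature must be bytes")
    sig = bytes(sig)
    if not sig or sig[0] != 0x30:
        raise MalformedSignature("expected SEQUENCE tag")
    seq_len, pos = _read_length(sig, 1)
    if pos + seq_len != len(sig):         # catches both truncation and trailing garbage
        raise MalformedSignature("SEQUENCE length does not match input")
    r, pos = _read_integer(sig, pos)
    s, pos = _read_integer(sig, pos)
    if pos != len(sig):
        raise MalformedSignature("unexpected data after s")
    if order is not None and not (0 < r < order and 0 < s < order):
        raise MalformedSignature("r or s out of range")
    return r, s


def naive_decode(sig):
    """The anti-pattern: index-based parsing with no checks. Malformed input
    escapes as IndexError or is silently decoded to a wrong (r, s)."""
    r_len = sig[3]
    r = int.from_bytes(sig[4:4 + r_len], "big")
    s_len = sig[5 + r_len]
    s = int.from_bytes(sig[6 + r_len:6 + r_len + s_len], "big")
    return r, s


def classify(decoder, sig, *args):
    """Run a decoder and report 'ok', 'malformed', or the name of any other
    exception type (the undocumented behaviour this bug is about)."""
    try:
        decoder(sig, *args)
        return "ok"
    except MalformedSignature:
        return "malformed"
    except Exception as exc:
        return type(exc).__name__


# Constructed samples: a valid signature with r=1, s=2, and mutations of it.
GOOD_SIG = bytes.fromhex("3006020101020102")
TRUNCATED_SIG = GOOD_SIG[:-1]                        # last byte of s missing
TRAILING_SIG = GOOD_SIG + b"\x00"                    # garbage after the SEQUENCE
NEGATIVE_R_SIG = bytes.fromhex("3006020181020102")   # r encoded as a negative INTEGER
NONMINIMAL_R_SIG = bytes.fromhex("300702020001020102")  # r has a needless leading zero
LONGFORM_LEN_SIG = bytes.fromhex("308106020101020102")  # length 6 in long form: not DER

if __name__ == "__main__":
    samples = [("good", GOOD_SIG), ("empty", b""), ("truncated", TRUNCATED_SIG),
               ("trailing", TRAILING_SIG), ("negative r", NEGATIVE_R_SIG),
               ("non-minimal r", NONMINIMAL_R_SIG), ("long-form len", LONGFORM_LEN_SIG)]
    for name, sample in samples:
        print(f"{name:14} strict={classify(decode_der_signature, sample):10} "
              f"naive={classify(naive_decode, sample)}")
```

Running the block prints one line per sample; the strict decoder reports `malformed` for every mutation and `ok` only for the valid signature, while the naive decoder raises `IndexError` on empty input and answers `ok` with a wrong value for the truncated, trailing and negative cases, which is the "no exceptions at all" outcome the Doc Text warns about.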

Comment 1 Pedro Sampaio 2019-10-04 22:42:01 UTC
Created python-ecdsa tracking bugs for this issue:

Affects: epel-all [bug 1758706]
Affects: fedora-all [bug 1758705]

Comment 2 Hubert Kario 2019-10-07 14:12:00 UTC
Version 0.13.3 of the library, which addresses this issue, has been released:
 * https://pypi.org/project/ecdsa/0.13.3/
 * https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3

Comment 15 Doran Moppert 2019-12-10 00:00:58 UTC
Statement:

Although Red Hat OpenStack Platform ships the flawed code, RHOSP does not actually use python-ecdsa's functionality. As such, Red Hat OpenStack Platform will not be providing a fix for python-ecdsa at this time.

Current releases of Red Hat Virtualization Manager no longer include python-ecdsa as a dependency. While it remains available in repositories as a legacy dependency, it is not installed by default and its use is not recommended.

Comment 16 Yadnyawalk Tale 2020-01-21 11:45:02 UTC
Red Hat CloudForms Management Engine 5.9 (4.6), 5.10 (4.7) and 5.11 (5.0) are not affected since we don't ship python-ecdsa. CloudForms 5.8 (4.5), however, is vulnerable but unsupported by Red Hat as of December 1, 2019.

Comment 17 Yadnyawalk Tale 2020-01-21 11:53:50 UTC
External References:

https://github.com/advisories/GHSA-pwfw-mgfj-7g3g
