Bug 1760843 (CVE-2019-14859) - CVE-2019-14859 python-ecdsa: DER encoding is not being verified in signatures
Summary: CVE-2019-14859 python-ecdsa: DER encoding is not being verified in signatures
Keywords:
Status: NEW
Alias: CVE-2019-14859
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1817095 1760844 1760845 1764505 1764506
Blocks: 1760846
Reported: 2019-10-11 13:09 UTC by Pedro Sampaio
Modified: 2020-09-10 21:19 UTC (History)

Fixed In Version: python-ecdsa 0.13.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-ecdsa, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.
Clone Of:
Environment:
Last Closed:



Description Pedro Sampaio 2019-10-11 13:09:02 UTC
A flaw was found in python-ecdsa before 0.13.3. The library is not verifying whether the signatures actually use DER encoding. This makes the signatures malleable and exposes use cases that further sign the signatures. In particular, Bitcoin.

Upstream issue:

https://github.com/warner/python-ecdsa/issues/114

Upstream patch:

https://github.com/warner/python-ecdsa/pull/115
https://github.com/warner/python-ecdsa/pull/124

References:

https://en.bitcoinwiki.org/wiki/Transaction_Malleability
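To make the flaw concrete, here is an added example (my own code, not python-ecdsa's or the upstream patch): a strict DER decoder for an ECDSA signature, `SEQUENCE { INTEGER r, INTEGER s }`, that rejects the non-canonical encodings a lenient decoder would accept. Any such re-encoding of the same (r, s) pair is exactly the malleability described above, since the signature still verifies but its bytes (and therefore anything that hashes or signs those bytes) change.

```python
# Added example, not python-ecdsa's own code: strict DER decoding of an ECDSA
# signature. Rejects long-form lengths where short form fits, leading-zero
# padding, negative integers and trailing bytes (the malleable encodings).

def _read_length(buf, i):
    """Return (length, next index); reject non-minimal length encodings."""
    if i >= len(buf):
        raise ValueError("truncated length")
    if buf[i] < 0x80:                     # short form
        return buf[i], i + 1
    n = buf[i] & 0x7F                     # long form: n following length bytes
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("bad length")
    length = int.from_bytes(buf[i + 1:i + 1 + n], "big")
    if length < 0x80 or buf[i + 1] == 0:  # DER allows the minimal form only
        raise ValueError("non-minimal length encoding")
    return length, i + 1 + n

def _read_integer(buf, i):
    """Decode one DER INTEGER at buf[i]; reject negative or padded values."""
    if i >= len(buf) or buf[i] != 0x02:
        raise ValueError("expected INTEGER")
    length, i = _read_length(buf, i + 1)
    body = buf[i:i + length]
    if length == 0 or len(body) != length or body[0] & 0x80:
        raise ValueError("bad or negative INTEGER")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER (leading zero padding)")
    return int.from_bytes(body, "big"), i + length

def decode_strict_der_signature(sig):
    """Return (r, s), or raise ValueError if sig is not canonical DER."""
    if not sig or sig[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, i = _read_length(sig, 1)
    if i + length != len(sig):
        raise ValueError("SEQUENCE length does not match signature length")
    r, i = _read_integer(sig, i)
    s, i = _read_integer(sig, i)
    if i != len(sig):
        raise ValueError("trailing bytes inside SEQUENCE")
    return r, s

def is_canonical_der_signature(sig):
    """Boolean form of the strict check, for rejecting malleated inputs."""
    try:
        return decode_strict_der_signature(sig) is not None
    except ValueError:
        return False
```

The sample inputs in the test below are constructed: the same (r, s) = (1, 2) pair encoded canonically and then with padding, a long-form length and trailing bytes.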

Comment 1 Pedro Sampaio 2019-10-11 13:09:23 UTC
Created python-ecdsa tracking bugs for this issue:

Affects: epel-all [bug 1760845]
Affects: fedora-all [bug 1760844]

Comment 12 Doran Moppert 2019-12-17 03:11:32 UTC
Statement:

Although Red Hat OpenStack Platform ships the flawed code, RHOSP does not actually use python-ecdsa's functionality. As such, Red Hat OpenStack Platform will not be providing a fix for python-ecdsa at this time.

Red Hat CloudForms 5.9, 5.10 and 5.11 are not affected as these versions no longer ship the python-ecdsa library. Only CloudForms 5.8, which is now EOL, delivered the python-ecdsa library.

Current releases of Red Hat Virtualization Manager no longer include python-ecdsa as a dependency. While it remains available in repositories as a legacy dependency, it is not installed by default and its use is not recommended.

