Bug 809267 (CVE-2012-3458) - CVE-2012-3458 python-beaker: weak use of crypto can leak information to remote attackers
Summary: CVE-2012-3458 python-beaker: weak use of crypto can leak information to remot...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2012-3458
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 847898
Blocks: 826710
TreeView+ depends on / blocked
 
Reported: 2012-04-02 22:28 UTC by Vincent Danen
Modified: 2021-02-24 12:46 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:58:26 UTC


Attachments (Terms of Use)

Description Vincent Danen 2012-04-02 22:28:46 UTC
It was discovered that python-beaker, a library for web applications, used weak cryptography with its encryption backend.  The encryption backend can use one of several backends, including python-crypto.  With the default parameters, when python-crypto is used, it will use ECB cipher mode, and any two 16-byte-aligned plaintext blocks with the same contents will be encrypted into the same ciphertext blocks at the corresponding positions.  An attacker able to guess the structure of a part of the session data, and influence contents of some data, could use this to check whether other parts of the session have a specific value.

When python-beaker uses other encryption backends, such as pycryptopp, it uses the CTR cipher mode rather than ECB, which does not have this vulnerability.

In Red Hat Enterprise Linux 6, python-beaker does not support or use python-crypto, and is not vulnerable to this flaw.

In current Fedora releases, python-beaker can use both backends, but prefers pycryptopp (and the package Requires it), and is not vulnerable to this flaw.

Statement:

Not vulnerable. This issue did not affect the versions of python-beaker as shipped with Red Hat Enterprise Linux 6 as it did not include support for using python-crypto.

Comment 7 Vincent Danen 2012-08-13 23:26:43 UTC
This is now public:

https://github.com/bbangert/beaker/commit/91becae76101cf87ce8cbfabe3af2622fc328fe5

Probably also want this patch as well (to prefer nsscrypto over pycrypto):

https://github.com/bbangert/beaker/commit/4733630c0359636f5ab8e1b2b33470c67b5ba4fc

Comment 8 Vincent Danen 2012-08-13 23:29:25 UTC
Created python-beaker tracking bugs for this issue

Affects: epel-5 [bug 847898]


Note You need to log in before you can comment on or make changes to this bug.