Bug 809267 - (CVE-2012-3458) CVE-2012-3458 python-beaker: weak use of crypto can leak information to remote attackers
CVE-2012-3458 python-beaker: weak use of crypto can leak information to remot...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20120813,repor...
: Security
Depends On: 847898
Blocks: 826710
  Show dependency treegraph
 
Reported: 2012-04-02 18:28 EDT by Vincent Danen
Modified: 2012-08-13 19:29 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2012-04-02 18:28:46 EDT
It was discovered that python-beaker, a library for web applications, used weak cryptography with its encryption backend.  The encryption backend can use one of several backends, including python-crypto.  With the default parameters, when python-crypto is used, it will use ECB cipher mode, and any two 16-byte-aligned plaintext blocks with the same contents will be encrypted into the same ciphertext blocks at the corresponding positions.  An attacker able to guess the structure of a part of the session data, and influence contents of some data, could use this to check whether other parts of the session have a specific value.

When python-beaker uses other encryption backends, such as pycryptopp, it uses the CTR cipher mode rather than ECB, which does not have this vulnerability.

In Red Hat Enterprise Linux 6, python-beaker does not support or use python-crypto, and is not vulnerable to this flaw.

In current Fedora releases, python-beaker can use both backends, but prefers pycryptopp (and the package Requires it), and is not vulnerable to this flaw.

Statement:

Not vulnerable. This issue did not affect the versions of python-beaker as shipped with Red Hat Enterprise Linux 6 as it did not include support for using python-crypto.
Comment 7 Vincent Danen 2012-08-13 19:26:43 EDT
This is now public:

https://github.com/bbangert/beaker/commit/91becae76101cf87ce8cbfabe3af2622fc328fe5

Probably also want this patch as well (to prefer nsscrypto over pycrypto):

https://github.com/bbangert/beaker/commit/4733630c0359636f5ab8e1b2b33470c67b5ba4fc
Comment 8 Vincent Danen 2012-08-13 19:29:25 EDT
Created python-beaker tracking bugs for this issue

Affects: epel-5 [bug 847898]

Note You need to log in before you can comment on or make changes to this bug.