Bug 1758704 (CVE-2019-14853) - CVE-2019-14853 python-ecdsa: Unexpected and undocumented exceptions during signature decoding
Summary: CVE-2019-14853 python-ecdsa: Unexpected and undocumented exceptions during s...
Keywords:
Status: NEW
Alias: CVE-2019-14853
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1760095 1762802 1758705 1758706 1762803 1779461
Blocks: 1758708
TreeView+ depends on / blocked
 
Reported: 2019-10-04 22:41 UTC by Pedro Sampaio
Modified: 2019-12-10 00:00 UTC (History)
48 users (show)

Fixed In Version: python-ecdsa 0.13.3
Doc Type: If docs needed, set a value
Doc Text:
An error-handling flaw was found in python-ecdsa. During signature decoding, malformed DER signatures could raise unexpected exceptions (or no exceptions at all), which could lead to a denial of service.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Pedro Sampaio 2019-10-04 22:41:10 UTC
A flaw was found in python-ecdsa. Unexpected and undocumented exceptions can be raised during signature decoding may lead to denial of service in some cases. All the versions between at least 0.5 and 0.13.2 are thought to be vulnerable.

Upstream issue:

https://github.com/warner/python-ecdsa/issues/114

Upstream patch:

https://github.com/warner/python-ecdsa/pull/115

References:

https://github.com/warner/python-ecdsa/blob/bb359d32e93acc3eb4d216aff4ba0e7531599cfb/ecdsa/keys.py#L98-L113

Comment 1 Pedro Sampaio 2019-10-04 22:42:01 UTC
Created python-ecdsa tracking bugs for this issue:

Affects: epel-all [bug 1758706]
Affects: fedora-all [bug 1758705]

Comment 2 Hubert Kario 2019-10-07 14:12:00 UTC
Version 0.13.3 of the library, that addresses this issue has been released:
 * https://pypi.org/project/ecdsa/0.13.3/
 * https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3

Comment 6 Summer Long 2019-10-17 06:06:58 UTC
External References:

https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3

Comment 15 Doran Moppert 2019-12-10 00:00:58 UTC
Statement:

Although Red Hat OpenStack Platform ships the flawed code, RHOSP does not actually use python-ecdsa's functionality. As such, Red Hat OpenStack Platform will not be providing a fix for python-ecdsa at this time.

Current releases of Red Hat Virtualization Manager no longer includes python-ecdsa as a dependency.  While it remains available in repositories as a legacy dependency, it is not installed by default and its use is not recommended.


Note You need to log in before you can comment on or make changes to this bug.