Bug 1760843 (CVE-2019-14859) - CVE-2019-14859 python-ecdsa: DER encoding is not being verified in signatures
Summary: CVE-2019-14859 python-ecdsa: DER encoding is not being verified in signatures
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14859
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1760844 1760845 1764505 1764506 1817095
Blocks: 1760846
TreeView+ depends on / blocked
 
Reported: 2019-10-11 13:09 UTC by Pedro Sampaio
Modified: 2021-12-14 18:47 UTC (History)
39 users (show)

Fixed In Version: python-ecdsa 0.13.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-ecdsa, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.
Clone Of:
Environment:
Last Closed: 2021-10-25 22:11:56 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4702 0 None None None 2021-11-16 14:07:45 UTC

Description Pedro Sampaio 2019-10-11 13:09:02 UTC
A flaw was found in python-ecdsa before 0.13.3. The library is not verifying if the signatures actually use DER encoding for the signatures. This makes the signatures malleable and exposes use cases that further sign the signatures. In particular bitcoin. 

Upstream issue:

https://github.com/warner/python-ecdsa/issues/114

Upstream patch:

https://github.com/warner/python-ecdsa/pull/115
https://github.com/warner/python-ecdsa/pull/124

References:

https://en.bitcoinwiki.org/wiki/Transaction_Malleability

Comment 1 Pedro Sampaio 2019-10-11 13:09:23 UTC
Created python-ecdsa tracking bugs for this issue:

Affects: epel-all [bug 1760845]
Affects: fedora-all [bug 1760844]

Comment 14 Doran Moppert 2021-03-04 07:04:49 UTC
Statement:

Although Red Hat OpenStack Platform ships the flawed code, RHOSP does not actually use python-ecdsa's functionality. As such, Red Hat OpenStack Platform will not be providing a fix for python-ecdsa at this time.

Red Hat CloudForms 5.9, 5.10 and 5.11 is not affected as these versions no longer ship the python-ecdsa library. Only CloudForms 5.8, which is now EOL, delivered the python-ecdsa library.

Current releases of Red Hat Virtualization Manager no longer include python-ecdsa as a dependency.  While it remains available in repositories as a legacy dependency, it is not installed by default and its use is not recommended.

Current releases of Red Hat Satellite no longer include python-ecdsa as a dependency.  While it remains available in repositories as a legacy dependency, it is not installed by default and its use is not recommended.

Comment 28 errata-xmlrpc 2021-11-16 14:07:42 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702


Note You need to log in before you can comment on or make changes to this bug.