Package: pyjwt
Version: 1.4.2-1
Severity: important
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu artful ubuntu-patch

Dear Maintainer,

Upstream has already fixed this issue (CVE-2017-11424); below is the debdiff that was
applied in order to fix it.


  * SECURITY UPDATE: symmetric/asymmetric key confusion attacks
    - debian/patches/CVE-2017-11424.patch: Throw if key is an PKCS1
      PEM-encoded public key in jwt/algorithms.py, jwt/api_jws.py,
      jwt/api_jwt.py, tests/keys/testkey_pkcs1.pub.pem,
      tests/test_algorithms.py, tests/test_api_jws.py, tests/test_api_jwt.py.
    - CVE-2017-11424


Thanks for considering the patch.



-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 
'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-32-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru pyjwt-1.4.2/debian/files pyjwt-1.4.2/debian/files
--- pyjwt-1.4.2/debian/files	1969-12-31 21:00:00.000000000 -0300
+++ pyjwt-1.4.2/debian/files	2017-08-30 11:51:30.000000000 -0300
@@ -0,0 +1 @@
+pyjwt_1.4.2-1ubuntu1_source.buildinfo python optional
diff -Nru pyjwt-1.4.2/debian/patches/CVE-2017-11424.patch pyjwt-1.4.2/debian/patches/CVE-2017-11424.patch
--- pyjwt-1.4.2/debian/patches/CVE-2017-11424.patch	1969-12-31 21:00:00.000000000 -0300
+++ pyjwt-1.4.2/debian/patches/CVE-2017-11424.patch	2017-08-29 11:40:17.000000000 -0300
@@ -0,0 +1,139 @@
+From 1922f0972b065077404c0dafa0946f2132400a2b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Padilla?= <jpadi...@webapplicate.com>
+Date: Wed, 21 Jun 2017 15:49:41 -0400
+Subject: [PATCH 1/3] Throw if key is an PKCS1 PEM-encoded public key
+
+---
+ jwt/algorithms.py                |  1 +
+ jwt/api_jws.py                   |  9 +++++++++
+ jwt/api_jwt.py                   |  9 +++++++++
+ tests/keys/testkey_pkcs1.pub.pem |  5 +++++
+ tests/test_algorithms.py         |  7 +++++++
+ tests/test_api_jws.py            | 10 ++++++++++
+ tests/test_api_jwt.py            | 10 ++++++++++
+ 7 files changed, 51 insertions(+)
+ create mode 100644 tests/keys/testkey_pkcs1.pub.pem
+
+diff --git a/jwt/algorithms.py b/jwt/algorithms.py
+index 51e8f16..fd9c3ac 100644
+--- a/jwt/algorithms.py
++++ b/jwt/algorithms.py
+@@ -121,6 +121,7 @@ class HMACAlgorithm(Algorithm):
+         invalid_strings = [
+             b'-----BEGIN PUBLIC KEY-----',
+             b'-----BEGIN CERTIFICATE-----',
++            b'-----BEGIN RSA PUBLIC KEY-----',
+             b'ssh-rsa'
+         ]
+ 
+diff --git a/jwt/api_jws.py b/jwt/api_jws.py
+index 177f5ff..a91137c 100644
+--- a/jwt/api_jws.py
++++ b/jwt/api_jws.py
+@@ -107,6 +107,15 @@ class PyJWS(object):
+ 
+     def decode(self, jws, key='', verify=True, algorithms=None, options=None,
+                **kwargs):
++
++        if not algorithms:
++            warnings.warn(
++                'It is strongly recommended that you pass in a ' +
++                'value for the "algorithms" argument when calling decode(). ' +
++                'This argument will be mandatory in a future version.',
++                DeprecationWarning
++            )
++
+         payload, signing_input, header, signature = self._load(jws)
+ 
+         if verify:
+diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py
+index 9703b8d..e0e6c25 100644
+--- a/jwt/api_jwt.py
++++ b/jwt/api_jwt.py
+@@ -58,6 +58,15 @@ class PyJWT(PyJWS):
+ 
+     def decode(self, jwt, key='', verify=True, algorithms=None, options=None,
+                **kwargs):
++
++        if not algorithms:
++            warnings.warn(
++                'It is strongly recommended that you pass in a ' +
++                'value for the "algorithms" argument when calling decode(). ' +
++                'This argument will be mandatory in a future version.',
++                DeprecationWarning
++            )
++
+         payload, signing_input, header, signature = self._load(jwt)
+ 
+         decoded = super(PyJWT, self).decode(jwt, key, verify, algorithms,
+diff --git a/tests/keys/testkey_pkcs1.pub.pem b/tests/keys/testkey_pkcs1.pub.pem
+new file mode 100644
+index 0000000..f690179
+--- /dev/null
++++ b/tests/keys/testkey_pkcs1.pub.pem
+@@ -0,0 +1,5 @@
++-----BEGIN RSA PUBLIC KEY-----
++MIGHAoGBAOV/0Vl/5VdHcYpnILYzBGWo5JQVzo9wBkbxzjAStcAnTwvv1ZJTMXs6
++fjz91f9hiMM4Z/5qNTE/EHlDWxVdj1pyRaQulZPUs0r9qJ02ogRRGLG3jjrzzbzF
++yj/pdNBwym0UJYC/Jmn/kMLwGiWI2nfa9vM5SovqZiAy2FD7eOtVAgED
++-----END RSA PUBLIC KEY-----
+diff --git a/tests/test_algorithms.py b/tests/test_algorithms.py
+index e3cf1d0..fea654c 100644
+--- a/tests/test_algorithms.py
++++ b/tests/test_algorithms.py
+@@ -84,6 +84,13 @@ class TestAlgorithms:
+             with open(key_path('testkey2_rsa.pub.pem'), 'r') as keyfile:
+                 algo.prepare_key(keyfile.read())
+ 
++    def test_hmac_should_throw_exception_if_key_is_pkcs1_pem_public(self):
++        algo = HMACAlgorithm(HMACAlgorithm.SHA256)
++
++        with pytest.raises(InvalidKeyError):
++            with open(key_path('testkey_pkcs1.pub.pem'), 'r') as keyfile:
++                algo.prepare_key(keyfile.read())
++
+     @pytest.mark.skipif(not has_crypto, reason='Not supported without cryptography library')
+     def test_rsa_should_parse_pem_public_key(self):
+         algo = RSAAlgorithm(RSAAlgorithm.SHA256)
+diff --git a/tests/test_api_jws.py b/tests/test_api_jws.py
+index c56ec4b..0c6854e 100644
+--- a/tests/test_api_jws.py
++++ b/tests/test_api_jws.py
+@@ -266,6 +266,16 @@ class TestJWS:
+ 
+         pytest.deprecated_call(jws.decode, example_jws, verify=False)
+ 
++    def test_decode_with_optional_algorithms(self, jws):
++        example_secret = 'secret'
++        example_jws = (
++            b'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
++            b'aGVsbG8gd29ybGQ.'
++            b'SIr03zM64awWRdPrAM_61QWsZchAtgDV3pphfHPPWkI'
++        )
++
++        pytest.deprecated_call(jws.decode, example_jws, key=example_secret)
++
+     def test_load_no_verification(self, jws, payload):
+         right_secret = 'foo'
+         jws_message = jws.encode(payload, right_secret)
+diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py
+index 211f0df..62c4ef7 100644
+--- a/tests/test_api_jwt.py
++++ b/tests/test_api_jwt.py
+@@ -479,3 +479,13 @@ class TestJWT:
+                 secret,
+                 verify_expiration=True
+             )
++
++    def test_decode_with_optional_algorithms(self, jwt, payload):
++        secret = 'secret'
++        jwt_message = jwt.encode(payload, secret)
++
++        pytest.deprecated_call(
++            jwt.decode,
++            jwt_message,
++            secret
++        )
+-- 
+2.7.4
+
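Review bot: The `if not algorithms:` guard added at the top of `PyJWS.decode` (jwt/api_jws.py) and `PyJWT.decode` (jwt/api_jwt.py) only emits a `DeprecationWarning`, which Python's default warning filters suppress in most deployments, and decoding then proceeds without a caller-supplied algorithm allow-list. That leaves the substring deny-list in `HMACAlgorithm` (jwt/algorithms.py) as the only enforced control against key confusion, and a public key in an encoding not listed there would presumably still be accepted as an HMAC secret, so callers of the patched package should still pass `algorithms=[...]` explicitly. `PyJWT.decode` goes on to call `super(PyJWT, self).decode(...)`, so a single call without `algorithms` warns twice, both times pointing at library code; passing `stacklevel=2` to `warnings.warn` would at least attribute the first warning to the caller. Neither hunk shows an `import warnings` line, so confirm both modules in 1.4.2 already import it. The bodies of both `decode` methods and of the `HMACAlgorithm` method continue outside the quoted context.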
diff -Nru pyjwt-1.4.2/debian/patches/series pyjwt-1.4.2/debian/patches/series
--- pyjwt-1.4.2/debian/patches/series	1969-12-31 21:00:00.000000000 -0300
+++ pyjwt-1.4.2/debian/patches/series	2017-08-29 11:40:48.000000000 -0300
@@ -0,0 +1 @@
+CVE-2017-11424.patch
