Package: pyjwt Version: 1.4.2-1 Severity: important Tags: patch User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu artful ubuntu-patch
Dear Maintainer, Upstream already fixed that issue, here is the debdiff that was applied in order to fix this. * SECURITY UPDATE: symmetric/asymmetric key confusion attacks - debian/patches/CVE-2017-11424.patch: Throw if key is an PKCS1 PEM-encoded public key in jwt/algorithms.py, jwt/api_jws.py, jwt/api_jwt.py, tests/keys/testkey_pkcs1.pub.pem, tests/test_algorithms.py, tests/test_api_jws.py, tests/test_api_jwt.py. - CVE-2017-11424 Thanks for considering the patch. -- System Information: Debian Release: stretch/sid APT prefers xenial-updates APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.10.0-32-generic (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru pyjwt-1.4.2/debian/files pyjwt-1.4.2/debian/files --- pyjwt-1.4.2/debian/files 1969-12-31 21:00:00.000000000 -0300 +++ pyjwt-1.4.2/debian/files 2017-08-30 11:51:30.000000000 -0300 @@ -0,0 +1 @@ +pyjwt_1.4.2-1ubuntu1_source.buildinfo python optional diff -Nru pyjwt-1.4.2/debian/patches/CVE-2017-11424.patch pyjwt-1.4.2/debian/patches/CVE-2017-11424.patch --- pyjwt-1.4.2/debian/patches/CVE-2017-11424.patch 1969-12-31 21:00:00.000000000 -0300 +++ pyjwt-1.4.2/debian/patches/CVE-2017-11424.patch 2017-08-29 11:40:17.000000000 -0300 @@ -0,0 +1,139 @@ +From 1922f0972b065077404c0dafa0946f2132400a2b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Padilla?= <jpadi...@webapplicate.com> +Date: Wed, 21 Jun 2017 15:49:41 -0400 +Subject: [PATCH 1/3] Throw if key is an PKCS1 PEM-encoded public key + +--- + jwt/algorithms.py | 1 + + jwt/api_jws.py | 9 +++++++++ + jwt/api_jwt.py | 9 +++++++++ + tests/keys/testkey_pkcs1.pub.pem | 5 +++++ + tests/test_algorithms.py | 7 +++++++ + tests/test_api_jws.py | 10 ++++++++++ + tests/test_api_jwt.py | 10 ++++++++++ + 7 files changed, 51 insertions(+) + create mode 100644 tests/keys/testkey_pkcs1.pub.pem + +diff --git a/jwt/algorithms.py b/jwt/algorithms.py +index 51e8f16..fd9c3ac 100644 +--- a/jwt/algorithms.py ++++ b/jwt/algorithms.py +@@ -121,6 +121,7 @@ class HMACAlgorithm(Algorithm): + invalid_strings = [ + b'-----BEGIN PUBLIC KEY-----', + b'-----BEGIN CERTIFICATE-----', ++ b'-----BEGIN RSA PUBLIC KEY-----', + b'ssh-rsa' + ] + +diff --git a/jwt/api_jws.py b/jwt/api_jws.py +index 177f5ff..a91137c 100644 +--- a/jwt/api_jws.py ++++ b/jwt/api_jws.py +@@ -107,6 +107,15 @@ class PyJWS(object): + + def decode(self, jws, key='', verify=True, algorithms=None, options=None, + **kwargs): ++ ++ if not algorithms: ++ warnings.warn( ++ 'It is strongly recommended that you pass in a ' + ++ 'value for the "algorithms" argument when calling decode(). ' + ++ 'This argument will be mandatory in a future version.', ++ DeprecationWarning ++ ) ++ + payload, signing_input, header, signature = self._load(jws) + + if verify: +diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py +index 9703b8d..e0e6c25 100644 +--- a/jwt/api_jwt.py ++++ b/jwt/api_jwt.py +@@ -58,6 +58,15 @@ class PyJWT(PyJWS): + + def decode(self, jwt, key='', verify=True, algorithms=None, options=None, + **kwargs): ++ ++ if not algorithms: ++ warnings.warn( ++ 'It is strongly recommended that you pass in a ' + ++ 'value for the "algorithms" argument when calling decode(). ' + ++ 'This argument will be mandatory in a future version.', ++ DeprecationWarning ++ ) ++ + payload, signing_input, header, signature = self._load(jwt) + + decoded = super(PyJWT, self).decode(jwt, key, verify, algorithms, +diff --git a/tests/keys/testkey_pkcs1.pub.pem b/tests/keys/testkey_pkcs1.pub.pem +new file mode 100644 +index 0000000..f690179 +--- /dev/null ++++ b/tests/keys/testkey_pkcs1.pub.pem +@@ -0,0 +1,5 @@ ++-----BEGIN RSA PUBLIC KEY----- ++MIGHAoGBAOV/0Vl/5VdHcYpnILYzBGWo5JQVzo9wBkbxzjAStcAnTwvv1ZJTMXs6 ++fjz91f9hiMM4Z/5qNTE/EHlDWxVdj1pyRaQulZPUs0r9qJ02ogRRGLG3jjrzzbzF ++yj/pdNBwym0UJYC/Jmn/kMLwGiWI2nfa9vM5SovqZiAy2FD7eOtVAgED ++-----END RSA PUBLIC KEY----- +diff --git a/tests/test_algorithms.py b/tests/test_algorithms.py +index e3cf1d0..fea654c 100644 +--- a/tests/test_algorithms.py ++++ b/tests/test_algorithms.py +@@ -84,6 +84,13 @@ class TestAlgorithms: + with open(key_path('testkey2_rsa.pub.pem'), 'r') as keyfile: + algo.prepare_key(keyfile.read()) + ++ def test_hmac_should_throw_exception_if_key_is_pkcs1_pem_public(self): ++ algo = HMACAlgorithm(HMACAlgorithm.SHA256) ++ ++ with pytest.raises(InvalidKeyError): ++ with open(key_path('testkey_pkcs1.pub.pem'), 'r') as keyfile: ++ algo.prepare_key(keyfile.read()) ++ + @pytest.mark.skipif(not has_crypto, reason='Not supported without cryptography library') + def test_rsa_should_parse_pem_public_key(self): + algo = RSAAlgorithm(RSAAlgorithm.SHA256) +diff --git a/tests/test_api_jws.py b/tests/test_api_jws.py +index c56ec4b..0c6854e 100644 +--- a/tests/test_api_jws.py ++++ b/tests/test_api_jws.py +@@ -266,6 +266,16 @@ class TestJWS: + + pytest.deprecated_call(jws.decode, example_jws, verify=False) + ++ def test_decode_with_optional_algorithms(self, jws): ++ example_secret = 'secret' ++ example_jws = ( ++ b'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' ++ b'aGVsbG8gd29ybGQ.' ++ b'SIr03zM64awWRdPrAM_61QWsZchAtgDV3pphfHPPWkI' ++ ) ++ ++ pytest.deprecated_call(jws.decode, example_jws, key=example_secret) ++ + def test_load_no_verification(self, jws, payload): + right_secret = 'foo' + jws_message = jws.encode(payload, right_secret) +diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py +index 211f0df..62c4ef7 100644 +--- a/tests/test_api_jwt.py ++++ b/tests/test_api_jwt.py +@@ -479,3 +479,13 @@ class TestJWT: + secret, + verify_expiration=True + ) ++ ++ def test_decode_with_optional_algorithms(self, jwt, payload): ++ secret = 'secret' ++ jwt_message = jwt.encode(payload, secret) ++ ++ pytest.deprecated_call( ++ jwt.decode, ++ jwt_message, ++ secret ++ ) +-- +2.7.4 + diff -Nru pyjwt-1.4.2/debian/patches/series pyjwt-1.4.2/debian/patches/series --- pyjwt-1.4.2/debian/patches/series 1969-12-31 21:00:00.000000000 -0300 +++ pyjwt-1.4.2/debian/patches/series 2017-08-29 11:40:48.000000000 -0300 @@ -0,0 +1 @@ +CVE-2017-11424.patch