
python3Packages.cryptography: 3.1.1 -> 3.2 (security, CVE-2020-25659)#101751

Merged: primeos merged 1 commit into NixOS:staging from primeos:python-cryptography on Oct 28, 2020

Conversation

@primeos (Member) commented Oct 26, 2020

SECURITY ISSUE: Attempted to make RSA PKCS#1v1.5 decryption more
constant time, to protect against Bleichenbacher vulnerabilities. Due to
limitations imposed by our API, we cannot completely mitigate this
vulnerability and a future release will contain a new API which is
designed to be resilient to these for contexts where it is required.
Credit to Hubert Kario for reporting the issue. CVE-2020-25659

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS Linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@primeos primeos added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Oct 26, 2020
@ofborg ofborg bot added 6.topic: python Python is a high-level, general-purpose programming language. 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. labels Oct 26, 2020
@andir (Member) commented Oct 28, 2020

We also have a 2.9 version, should we apply the same patch there? Is that version now considered "insecure"? The CVE description says everything < 3.2 is vulnerable.

@primeos (Member, Author) commented Oct 28, 2020

We also have a 2.9 version, should we apply the same patch there?

Yeah, I think we should try to apply pyca/cryptography@58494b4, the tests should hopefully cover that code path.

Personally I'd like to mark it as insecure, but I don't think we should given that there are probably still a lot of legacy Python 2 packages around that depend on it :o

Is that version now considered "insecure"?

AFAIK, yes. When I opened the PR the CVE details weren't available, but now it seems pretty clear. Though I'm not sure if / how many Python packages are really affected by this (and how practical the attack is for them). (But I don't mean that we should just ignore it.)
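One way to carry the backport primeos proposes over to the 2.9 series, as an added example that is not part of this PR or of nixpkgs: a nixpkgs overlay that pulls upstream commit 58494b4 in as a patch via fetchpatch, using the packageOverrides mechanism the nixpkgs manual documents for Python interpreters. The short commit id is the one given in the thread; that the 2.9.x build is reachable as python2Packages.cryptography, and that GitHub's .patch endpoint resolves a short id, are assumptions, and the sha256 is the lib.fakeSha256 placeholder to be replaced with the hash Nix reports on the first build.

```nix
# Added example, not from the PR: apply the upstream CVE-2020-25659 fix to the
# cryptography 2.9.x build that Python 2 packages still depend on.
self: super: {
  python2 = super.python2.override {
    packageOverrides = pself: psuper: {
      # Assumption: the 2.9 series is what python2Packages.cryptography resolves to.
      cryptography = psuper.cryptography.overrideAttrs (old: {
        patches = (old.patches or [ ]) ++ [
          (super.fetchpatch {
            name = "cryptography-CVE-2020-25659.patch";
            # Short commit id from the discussion (pyca/cryptography@58494b4);
            # assumption: GitHub serves it as a patch under this URL.
            url = "https://github.com/pyca/cryptography/commit/58494b4.patch";
            # Placeholder hash: build once, then paste the value Nix prints here.
            sha256 = super.lib.fakeSha256;
          })
        ];
      });
    };
  };
  # Keep the package set in step with the overridden interpreter.
  python2Packages = self.python2.pkgs;
}
```

Because the upstream commit targets the 3.x tree, the patch may need context adjustments before it applies to 2.9, which is why primeos says to "try"; the package's own test suite, run as part of the build, is what would confirm the patched code path still behaves. If a backport turns out not to be feasible, the nixpkgs mechanism for the alternative primeos mentions is to set meta.knownVulnerabilities on the 2.9 derivation, which makes evaluation refuse the package unless the user explicitly permits it.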

@primeos primeos added the 9.needs: port to stable A PR needs a backport to the stable release. label Oct 28, 2020
@primeos primeos merged commit 41822dd into NixOS:staging Oct 28, 2020
@erictapen erictapen added 8.has: port to stable This PR already has a backport to the stable release. and removed 9.needs: port to stable A PR needs a backport to the stable release. labels Jan 14, 2021