From 54dee6a67ecaf886cd3713c0d45011d7962af285 Mon Sep 17 00:00:00 2001 From: sevan Date: Tue, 7 Mar 2017 23:17:51 +0000 Subject: Patch CVE-2013-7459, obtained from: https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4 Bump rev. Reviewed by: wiz --- security/py-crypto/Makefile | 4 +- security/py-crypto/distinfo | 4 +- .../patch-lib_Crypto_SelfTest_Cipher_common.py | 49 ++++++++++++++++++++++ .../py-crypto/patches/patch-src_block_template.c | 25 +++++++++++ 4 files changed, 79 insertions(+), 3 deletions(-) create mode 100644 security/py-crypto/patches/patch-lib_Crypto_SelfTest_Cipher_common.py create mode 100644 security/py-crypto/patches/patch-src_block_template.c diff --git a/security/py-crypto/Makefile b/security/py-crypto/Makefile index 9fe529d6131..1120d67c96f 100644 --- a/security/py-crypto/Makefile +++ b/security/py-crypto/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.39 2017/01/12 16:36:35 rodent Exp $ +# $NetBSD: Makefile,v 1.40 2017/03/07 23:17:51 sevan Exp $ DISTNAME= pycrypto-2.6.1 PKGNAME= ${DISTNAME:S/^py/${PYPKGPREFIX}-/} -PKGREVISION= 2 +PKGREVISION= 3 CATEGORIES= security python MASTER_SITES= http://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/ diff --git a/security/py-crypto/distinfo b/security/py-crypto/distinfo index 23a8bca0ea7..be7742a424c 100644 --- a/security/py-crypto/distinfo +++ b/security/py-crypto/distinfo @@ -1,7 +1,9 @@ -$NetBSD: distinfo,v 1.11 2015/11/04 01:18:03 agc Exp $ +$NetBSD: distinfo,v 1.12 2017/03/07 23:17:51 sevan Exp $ SHA1 (pycrypto-2.6.1.tar.gz) = aeda3ed41caf1766409d4efc689b9ca30ad6aeb2 RMD160 (pycrypto-2.6.1.tar.gz) = ac0db079e5e4be9daf739e094c10e96291dbc009 SHA512 (pycrypto-2.6.1.tar.gz) = 20a4aed4dac4e9e61d773ebc1d48ea577e9870c33f396be53d075a9bf8487d93e75e200179882d81e452efd0f6751789bac434f6f431b3e7c1c8ef9dba392847 Size (pycrypto-2.6.1.tar.gz) = 446240 bytes SHA1 (patch-ab) = 2c72b0e70fdebd2e62aff28284afd919e935de08 +SHA1 (patch-lib_Crypto_SelfTest_Cipher_common.py) = 4e4f3c0a705ceb8fbc922c5d44bd33fce347ac83 +SHA1 (patch-src_block_template.c) = 646bb15e41290922c417a2104e401c82379e97dd diff --git a/security/py-crypto/patches/patch-lib_Crypto_SelfTest_Cipher_common.py b/security/py-crypto/patches/patch-lib_Crypto_SelfTest_Cipher_common.py new file mode 100644 index 00000000000..7c8b20ddb9a --- /dev/null +++ b/security/py-crypto/patches/patch-lib_Crypto_SelfTest_Cipher_common.py @@ -0,0 +1,49 @@ +$NetBSD: patch-lib_Crypto_SelfTest_Cipher_common.py,v 1.1 2017/03/07 23:17:51 sevan Exp $ + +CVE-2013-7459 backport +https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4 + +--- lib/Crypto/SelfTest/Cipher/common.py.orig 2017-03-07 16:48:08.000000000 +0000 ++++ lib/Crypto/SelfTest/Cipher/common.py +@@ -239,19 +239,33 @@ class RoundtripTest(unittest.TestCase): + return """%s .decrypt() output of .encrypt() should not be garbled""" % (self.module_name,) + + def runTest(self): +- for mode in (self.module.MODE_ECB, self.module.MODE_CBC, self.module.MODE_CFB, self.module.MODE_OFB, self.module.MODE_OPENPGP): ++ ## ECB mode ++ mode = self.module.MODE_ECB ++ encryption_cipher = self.module.new(a2b_hex(self.key), mode) ++ ciphertext = encryption_cipher.encrypt(self.plaintext) ++ decryption_cipher = self.module.new(a2b_hex(self.key), mode) ++ decrypted_plaintext = decryption_cipher.decrypt(ciphertext) ++ self.assertEqual(self.plaintext, decrypted_plaintext) ++ ++ ## OPENPGP mode ++ mode = self.module.MODE_OPENPGP ++ encryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv) ++ eiv_ciphertext = encryption_cipher.encrypt(self.plaintext) ++ eiv = eiv_ciphertext[:self.module.block_size+2] ++ ciphertext = eiv_ciphertext[self.module.block_size+2:] ++ decryption_cipher = self.module.new(a2b_hex(self.key), mode, eiv) ++ decrypted_plaintext = decryption_cipher.decrypt(ciphertext) ++ self.assertEqual(self.plaintext, decrypted_plaintext) ++ ++ ## All other non-AEAD modes (but CTR) ++ for mode in (self.module.MODE_CBC, self.module.MODE_CFB, self.module.MODE_OFB): + encryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv) + ciphertext = encryption_cipher.encrypt(self.plaintext) +- +- if mode != self.module.MODE_OPENPGP: +- decryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv) +- else: +- eiv = ciphertext[:self.module.block_size+2] +- ciphertext = ciphertext[self.module.block_size+2:] +- decryption_cipher = self.module.new(a2b_hex(self.key), mode, eiv) ++ decryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv) + decrypted_plaintext = decryption_cipher.decrypt(ciphertext) + self.assertEqual(self.plaintext, decrypted_plaintext) + ++ + class PGPTest(unittest.TestCase): + def __init__(self, module, params): + unittest.TestCase.__init__(self) diff --git a/security/py-crypto/patches/patch-src_block_template.c b/security/py-crypto/patches/patch-src_block_template.c new file mode 100644 index 00000000000..6ef5ef43234 --- /dev/null +++ b/security/py-crypto/patches/patch-src_block_template.c @@ -0,0 +1,25 @@ +$NetBSD: patch-src_block_template.c,v 1.1 2017/03/07 23:17:51 sevan Exp $ + +CVE-2013-7459 backport +https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4 + +--- src/block_template.c.orig 2017-03-07 16:58:09.000000000 +0000 ++++ src/block_template.c +@@ -170,6 +170,17 @@ ALGnew(PyObject *self, PyObject *args, P + "Key cannot be the null string"); + return NULL; + } ++ if (IVlen != 0 && mode == MODE_ECB) ++ { ++ PyErr_Format(PyExc_ValueError, "ECB mode does not use IV"); ++ return NULL; ++ } ++ if (IVlen != 0 && mode == MODE_CTR) ++ { ++ PyErr_Format(PyExc_ValueError, ++ "CTR mode needs counter parameter, not IV"); ++ return NULL; ++ } + if (IVlen != BLOCK_SIZE && mode != MODE_ECB && mode != MODE_CTR) + { + PyErr_Format(PyExc_ValueError, -- cgit v1.2.3