mpdavis / python-jose

A JOSE implementation in Python
MIT License
1.55k stars 237 forks

CVE-2020-25658 - Bleichenbacher-style timing oracle in PKCS#1 v1.5 decryption code #195

Open ran-isenberg opened 4 years ago

ran-isenberg commented 4 years ago

Hey guys, there's a new high-level-risk vulnerability in the RSA Python library that this repo uses. I'm not familiar with the fine details, but is there any way for you guys to solve this in this repo? There's an open issue in the rsa repo from 16 days ago, but it seems that they are not going to fix it.

https://github.com/sybrenstuvel/python-rsa/issues/165 He mentioned that "python-jose depends on python-rsa, but it will not use it if better libraries are available, you should use python-jose with pyca/cryptography, then python-rsa code will be unused and unexploitable".

Can you elaborate on this?

tomato42 commented 4 years ago

I was referring to this section of readme: https://github.com/mpdavis/python-jose#cryptographic-backends

ran-isenberg commented 4 years ago

@tomato42 thx! So this means that our security scanner is giving a false positive, since we are installing python-jose[cryptography], which doesn't use rsa. Can rsa not be installed at all in this case, so the security scanner won't give these alarms?

blag commented 4 years ago

If you are using pip, you might be able to work around your security scanner by uninstalling python-rsa after installing python-jose:

pip install 'python-jose[cryptography]'  # installs python-jose with the pyca/cryptography backend
pip uninstall rsa  # `rsa` is the PyPI distribution name of python-rsa; pass `--yes` to `pip uninstall` to skip the confirmation prompt

If this works, it works because pip is not yet a full package manager - it does not ensure that installed packages don't conflict upon invocation, it only cares that it can successfully execute the immediate command. And it can install all of the dependencies for python-jose, and it can then uninstall python-rsa. At no point does it check that it left the virtualenv in a consistent state.

The fix for this is to transition python-jose to only depend on external libraries via extras_require. See this TODO. This will require users to install backends explicitly, but I think that's probably for the best anyway.
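The thread's practical question is whether an installed python-rsa is actually reachable from python-jose, or just sitting unused (the scanner "false positive" case) once pyca/cryptography is present. Below is an added example, not code from this thread or from the python-jose project, that models python-jose's backend selection for RSA keys and classifies the exposure. The precedence list (cryptography, then pycryptodome, then the pure-Python rsa package) is my reading of the README section tomato42 linked and of the `jose.backends` import fallbacks; treat it as an assumption and confirm against the `jose/backends/__init__.py` of the version you install. The module names and function names are mine.

```python
"""Model python-jose's RSA backend selection and classify whether an
installed python-rsa is reachable, without importing jose itself.

Added example; not python-jose's own code.  The precedence order below is an
ASSUMPTION based on the README's "Cryptographic backends" section and the
try/except import chain in jose.backends; verify it against your version.
"""
import importlib.util
from typing import Iterable, Optional, Set

# (top-level import name, human label), in assumed selection order.
RSA_BACKEND_PRECEDENCE = (
    ("cryptography", "cryptography"),  # pyca/cryptography: preferred
    ("Crypto", "pycryptodome"),        # pycryptodome installs the `Crypto` package
    ("rsa", "python-rsa"),             # pure-Python fallback, subject of CVE-2020-25658
)


def select_rsa_backend(importable: Iterable[str]) -> Optional[str]:
    """Return the backend python-jose would resolve RSAKey to, given the set
    of importable top-level module names, or None if no RSA backend exists."""
    names = set(importable)
    for module, label in RSA_BACKEND_PRECEDENCE:
        if module in names:
            return label
    return None


def classify_rsa_exposure(importable: Iterable[str]) -> str:
    """Classify the CVE-2020-25658 finding for an environment.

    not-installed          : python-rsa absent, nothing to report.
    installed-but-shadowed : python-rsa present but a higher-precedence backend
                             wins, so jose never imports it (scanner noise,
                             still worth removing so the scanner stays quiet).
    installed-and-selected : python-rsa is the backend jose will actually use;
                             the vulnerable PKCS#1 v1.5 decryption path is live.
    """
    names = set(importable)
    if "rsa" not in names:
        return "not-installed"
    if select_rsa_backend(names) == "python-rsa":
        return "installed-and-selected"
    return "installed-but-shadowed"


def importable_modules(
    candidates: Iterable[str] = ("cryptography", "Crypto", "rsa", "ecdsa"),
) -> Set[str]:
    """Probe the *current* interpreter for the candidate modules without
    importing them (find_spec only consults the import system's finders)."""
    return {m for m in candidates if importlib.util.find_spec(m) is not None}


if __name__ == "__main__":
    # Report on the live environment, e.g. the virtualenv a scanner flagged.
    found = importable_modules()
    print("importable backends:", sorted(found))
    print("python-jose would use:", select_rsa_backend(found))
    print("CVE-2020-25658 exposure:", classify_rsa_exposure(found))
```

Run it inside the flagged virtualenv: `installed-but-shadowed` is the situation ran-isenberg describes (python-jose[cryptography] pulled in rsa as a hard dependency, but cryptography wins), and the `pip uninstall rsa` workaround above moves it to `not-installed`. Only `installed-and-selected` means the python-rsa decryption code is actually on the request path.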