diff --git a/CVE-2020-25657-Bleichenbacher-attack.patch b/CVE-2020-25657-Bleichenbacher-attack.patch new file mode 100644 index 0000000..77db808 --- /dev/null +++ b/CVE-2020-25657-Bleichenbacher-attack.patch @@ -0,0 +1,73 @@ +--- + src/SWIG/_m2crypto_wrap.c | 10 ++++++---- + src/SWIG/_rsa.i | 10 ++++++---- + tests/test_rsa.py | 2 -- + 3 files changed, 12 insertions(+), 10 deletions(-) + +--- a/src/SWIG/_m2crypto_wrap.c ++++ b/src/SWIG/_m2crypto_wrap.c +@@ -7159,9 +7159,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, P + tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, + (unsigned char *)tbuf, rsa, padding); + if (tlen == -1) { +- m2_PyErr_Msg(_rsa_err); ++ ERR_clear_error(); ++ PyErr_Clear(); + PyMem_Free(tbuf); +- return NULL; ++ Py_RETURN_NONE; + } + + ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); +@@ -7213,9 +7214,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, + tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, + (unsigned char *)tbuf, rsa, padding); + if (tlen == -1) { +- m2_PyErr_Msg(_rsa_err); ++ ERR_clear_error(); ++ PyErr_Clear(); + PyMem_Free(tbuf); +- return NULL; ++ Py_RETURN_NONE; + } + ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); + +--- a/src/SWIG/_rsa.i ++++ b/src/SWIG/_rsa.i +@@ -269,9 +269,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, P + tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, + (unsigned char *)tbuf, rsa, padding); + if (tlen == -1) { +- m2_PyErr_Msg(_rsa_err); ++ ERR_clear_error(); ++ PyErr_Clear(); + PyMem_Free(tbuf); +- return NULL; ++ Py_RETURN_NONE; + } + + ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); +@@ -323,9 +324,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, + tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, + (unsigned char *)tbuf, rsa, padding); + if (tlen == -1) { +- m2_PyErr_Msg(_rsa_err); ++ ERR_clear_error(); ++ PyErr_Clear(); + PyMem_Free(tbuf); +- return NULL; ++ Py_RETURN_NONE; + } + ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); + +--- a/tests/test_rsa.py ++++ b/tests/test_rsa.py +@@ -147,8 +147,6 @@ class RSATestCase(unittest.TestCase): + with self.assertRaises(RSA.RSAError): + setattr(rsa, 'e', '\000\000\000\003\001\000\001') + with self.assertRaises(RSA.RSAError): +- rsa.private_encrypt(1) +- with self.assertRaises(RSA.RSAError): + rsa.private_decrypt(1) + assert rsa.check_key() + diff --git a/python-M2Crypto.changes b/python-M2Crypto.changes index 123c641..4916a96 100644 --- a/python-M2Crypto.changes +++ b/python-M2Crypto.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Jul 12 20:49:47 UTC 2022 - Matej Cepl + +- Add CVE-2020-25657-Bleichenbacher-attack.patch (CVE-2020-25657, + bsc#1178829), which mitigates the Bleichenbacher timing attacks + in the RSA decryption API. + ------------------------------------------------------------------- Thu Apr 7 15:45:07 UTC 2022 - Matej Cepl diff --git a/python-M2Crypto.spec b/python-M2Crypto.spec index 2834a58..041610e 100644 --- a/python-M2Crypto.spec +++ b/python-M2Crypto.spec @@ -27,6 +27,9 @@ Group: Development/Languages/Python URL: https://gitlab.com/m2crypto/m2crypto Source0: https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz Source1: https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz.asc +# PATCH-FIX-UPSTREAM CVE-2020-25657-Bleichenbacher-attack.patch bsc#1178829 mcepl@suse.com +# Mitigate the Bleichenbacher timing attacks in the RSA decryption API +Patch0: CVE-2020-25657-Bleichenbacher-attack.patch BuildRequires: %{python_module devel} BuildRequires: %{python_module parameterized} BuildRequires: %{python_module pytest}