Debian Bug report logs - #782276
python-debian: Insecure parsing of OpenPGP Armor Header lines


Package: src:python-debian; Maintainer for src:python-debian is Debian python-debian Maintainers <pkg-python-debian-maint@lists.alioth.debian.org>;

Reported by: Guillem Jover <guillem@debian.org>

Date: Thu, 9 Apr 2015 21:21:01 UTC

Severity: important

Tags: security

Found in version python-debian/0.1.26

Fixed in version python-debian/0.1.27

Done: Stuart Prescott <stuart@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian python-debian Maintainers <pkg-python-debian-maint@lists.alioth.debian.org>:
Bug#782276; Package src:python-debian. (Thu, 09 Apr 2015 21:21:06 GMT)


Acknowledgement sent to Guillem Jover <guillem@debian.org>:
New Bug report received and forwarded. Copy sent to Debian python-debian Maintainers <pkg-python-debian-maint@lists.alioth.debian.org>. (Thu, 09 Apr 2015 21:21:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: submit@bugs.debian.org
Subject: python-debian: Insecure parsing of OpenPGP Armor Header lines
Date: Thu, 9 Apr 2015 23:19:29 +0200
Source: python-debian
Source-Version: 0.1.26
Severity: important
Tags: security

[ Because I've not tried to check the extent of the vulnerability,
  I've set the severity to important, if it is really bad then it
  probably deserves to be serious. ]

Hi!

While dealing with the dpkg security issue (fixed in 1.16.16, and the
upcoming 1.17.25), I checked other implementations and found that it
also affects the python-debian modules.

The parser is too lax and accepts any whitespace while GnuPG only
accepts [\r\t ] at the end of an Armor Header line, which means that a
message could be doctored to include lines that will be ignored by GnuPG
but parsed by the python-debian modules.

The attached untested patch should in principle fix this issue.

Thanks,
Guillem
[0001-deb822-Fix-OpenPGP-Armor-Header-Line-parsing.patch (text/x-diff, attachment)]

Reply sent to Stuart Prescott <stuart@debian.org>:
You have taken responsibility. (Tue, 14 Apr 2015 15:39:06 GMT)


Notification sent to Guillem Jover <guillem@debian.org>:
Bug acknowledged by developer. (Tue, 14 Apr 2015 15:39:06 GMT)


Message #10 received at 782276-close@bugs.debian.org:

From: Stuart Prescott <stuart@debian.org>
To: 782276-close@bugs.debian.org
Subject: Bug#782276: fixed in python-debian 0.1.27
Date: Tue, 14 Apr 2015 15:36:39 +0000
Source: python-debian
Source-Version: 0.1.27

We believe that the bug you reported is fixed in the latest version of
python-debian, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 782276@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stuart Prescott <stuart@debian.org> (supplier of updated python-debian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 15 Apr 2015 00:53:27 +1000
Source: python-debian
Binary: python-debian python3-debian
Architecture: source all
Version: 0.1.27
Distribution: unstable
Urgency: medium
Maintainer: Debian python-debian Maintainers <pkg-python-debian-maint@lists.alioth.debian.org>
Changed-By: Stuart Prescott <stuart@debian.org>
Description:
 python-debian - Python modules to work with Debian-related data formats
 python3-debian - Python 3 modules to work with Debian-related data formats
Closes: 782276
Changes:
 python-debian (0.1.27) unstable; urgency=medium
 .
   * Tighten whitespace handling in GPG Armor Header lines, with thanks to
     Guillem Jover for the patch (Closes: #782276).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 16 May 2015 07:30:14 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jul 15 12:18:26 2024; Machine Name: buxtehude