[python-elixir] CVE-2012-2146: patched to allow using AES instead of insecure Blowfish

Dan Callaghan dcallagh at fedoraproject.org
Mon Aug 25 01:36:05 UTC 2014 

commit d29dfde2f14705e3ef1f2eb021d2a7061778cdcc
Author: Dan Callaghan <dcallagh at redhat.com>
Date:   Thu Aug 21 09:18:21 2014 +1000

    CVE-2012-2146: patched to allow using AES instead of insecure Blowfish

 python-elixir-aes-encryption-addition.patch |   82 +++++++++++++++++++++++++++
 python-elixir.spec                          |    9 +++-
 2 files changed, 90 insertions(+), 1 deletions(-)
---
diff --git a/python-elixir-aes-encryption-addition.patch b/python-elixir-aes-encryption-addition.patch
new file mode 100644
index 0000000..64164bb
--- /dev/null
+++ b/python-elixir-aes-encryption-addition.patch
@@ -0,0 +1,82 @@
+Index: elixir/ext/encrypted.py
+===================================================================
+--- elixir/ext/encrypted.py	(revision 534)
++++ elixir/ext/encrypted.py	(working copy)
+@@ -32,7 +32,9 @@
+ database row.
+ '''
+ 
+-from Crypto.Cipher import Blowfish
++import sys
++import os
++from Crypto.Cipher import Blowfish, AES
+ from elixir.statements import Statement
+ from sqlalchemy.orm import MapperExtension, EXT_CONTINUE, EXT_STOP
+ 
+@@ -49,7 +51,9 @@
+ #
+ # encryption and decryption functions
+ #
+-
++# WARNING!!! Blowfish encryption method is vulnerable to attacks
++# because it doesn't properly use random seed. It is provided just for
++# backward compatibility needed to migrate data. Use AES instead!
+ def encrypt_value(value, secret):
+     return Blowfish.new(secret, Blowfish.MODE_CFB) \
+                    .encrypt(value).encode('string_escape')
+@@ -58,14 +62,36 @@
+     return Blowfish.new(secret, Blowfish.MODE_CFB) \
+                    .decrypt(value.decode('string_escape'))
+ 
++# Crypto.Cipher.AES is AES128
++def encrypt_value_aes(value, secret):
++    iv = os.urandom(AES.block_size)
+ 
++    pad_len = AES.block_size - len(value) % AES.block_size
++    padded_value = value + pad_len * chr(pad_len)
++    res = iv + AES.new(secret, AES.MODE_CBC, iv).encrypt(padded_value)
++    return res.encode('string_escape')
++
++def decrypt_value_aes(value, secret):
++    value = value.decode('string_escape')
++    iv = value[:AES.block_size]
++    encrypted = value[AES.block_size:]
++
++    padded_value = AES.new(secret, AES.MODE_CBC, iv).decrypt(encrypted)
++    pad_len = ord(padded_value[-1])
++    assert pad_len >= 1 and pad_len <= AES.block_size
++    return padded_value[:-pad_len]
++
+ #
+ # acts_as_encrypted statement
+ #
+ 
+ class ActsAsEncrypted(object):
+ 
+-    def __init__(self, entity, for_fields=[], with_secret='abcdef'):
++    def __init__(self, entity, for_fields=[], with_secret='abcdef', with_aes=False):
++        if not with_aes:
++            sys.stderr.write("""******* WARNING!!! ********
++Blowfish encryption method is vulnerable to attacks.
++Migrate your data and use with_aes=True\n""")
+ 
+         def perform_encryption(instance, encrypt=True):
+             encrypted = getattr(instance, '_elixir_encrypted', None)
+@@ -77,9 +103,15 @@
+                 instance._elixir_encrypted = encrypt
+ 
+             if encrypt:
+-                func = encrypt_value
++                if with_aes:
++                    func = encrypt_value_aes
++                else:
++                    func = encrypt_value
+             else:
+-                func = decrypt_value
++                if with_aes:
++                    func = decrypt_value_aes
++                else:
++                    func = decrypt_value
+ 
+             for column_name in for_fields:
+                 current_value = getattr(instance, column_name)
diff --git a/python-elixir.spec b/python-elixir.spec
index 5e18b35..9dfb3de 100644
--- a/python-elixir.spec
+++ b/python-elixir.spec
@@ -2,7 +2,7 @@
 
 Name:           python-elixir
 Version:        0.7.1
-Release:        13%{?dist}
+Release:        14%{?dist}
 Summary:        Declarative mapper for SQLAlchemy
 
 Group:          Development/Languages
@@ -12,6 +12,9 @@ Source0:        http://pypi.python.org/packages/source/E/Elixir/Elixir-%{version
 # Include the license file from upstream
 # Bug to get them to add it to releases http://elixir.ematia.de/trac/ticket/118
 Source1:        http://elixir.ematia.de/trac/export/534/elixir/trunk/LICENSE
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2146
+# http://elixir.ematia.de/trac/ticket/119
+Patch0:         python-elixir-aes-encryption-addition.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildArch:      noarch
@@ -36,6 +39,7 @@ not need the full expressiveness of SQLAlchemy's manual mapper definitions.
 %prep
 %setup -q -n Elixir-%{version}
 cp %{SOURCE1} .
+%patch0 -p0
 
 %build
 %{__python} setup.py build
@@ -57,6 +61,9 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Thu Aug 21 2014 Dan Callaghan <dcallagh at redhat.com> - 0.7.1-14
+- CVE-2012-2146: patched to allow using AES instead of insecure Blowfish
+
 * Sat Jun 07 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.7.1-13
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

More information about the scm-commits mailing list