[python-elixir/el5] CVE-2012-2146: patched to allow using AES instead of insecure Blowfish

Dan Callaghan dcallagh at fedoraproject.org
Mon Aug 25 03:07:44 UTC 2014 

commit f59625640b9e8fe05f69e03baf4fc02fee115780
Author: Dan Callaghan <dcallagh at redhat.com>
Date:   Thu Aug 21 09:18:21 2014 +1000

    CVE-2012-2146: patched to allow using AES instead of insecure Blowfish

 0001-fix-for-CVE-2012-2146.patch |   95 ++++++++++++++++++++++++++++++++++++++
 python-elixir.spec               |   10 +++-
 2 files changed, 103 insertions(+), 2 deletions(-)
---
diff --git a/0001-fix-for-CVE-2012-2146.patch b/0001-fix-for-CVE-2012-2146.patch
new file mode 100644
index 0000000..7bca91c
--- /dev/null
+++ b/0001-fix-for-CVE-2012-2146.patch
@@ -0,0 +1,95 @@
+From e1d03d1868eaedb5b557fce52187211f86c6ace6 Mon Sep 17 00:00:00 2001
+From: Dan Callaghan <dcallagh at redhat.com>
+Date: Thu, 21 Aug 2014 09:34:04 +1000
+Subject: [PATCH] fix for CVE-2012-2146
+
+Backport of patch by Stanislav Ochotnicky <sochotnicky at redhat.com>.
+---
+ elixir/ext/encrypted.py | 44 ++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 38 insertions(+), 6 deletions(-)
+
+diff --git a/elixir/ext/encrypted.py b/elixir/ext/encrypted.py
+index afb4df9..2399fc5 100644
+--- a/elixir/ext/encrypted.py
++++ b/elixir/ext/encrypted.py
+@@ -26,7 +26,9 @@ ssn columns on save, update, and load.  Different secrets can be specified on
+ an entity by entity basis, for added security.
+ '''
+ 
+-from Crypto.Cipher          import Blowfish 
++import sys
++import os
++from Crypto.Cipher          import Blowfish, AES
+ from elixir.statements      import Statement
+ from sqlalchemy.orm         import MapperExtension, EXT_PASS
+ 
+@@ -37,7 +39,9 @@ __doc_all__ = []
+ #
+ # encryption and decryption functions
+ #
+-
++# WARNING!!! Blowfish encryption method is vulnerable to attacks
++# because it doesn't properly use random seed. It is provided just for
++# backward compatibility needed to migrate data. Use AES instead!
+ def encrypt_value(value, secret):
+     return Blowfish.new(secret, Blowfish.MODE_CFB) \
+                    .encrypt(value).encode('string_escape')
+@@ -46,6 +50,24 @@ def decrypt_value(value, secret):
+     return Blowfish.new(secret, Blowfish.MODE_CFB) \
+                    .decrypt(value.decode('string_escape'))
+ 
++# Crypto.Cipher.AES is AES128
++def encrypt_value_aes(value, secret):
++    iv = os.urandom(AES.block_size)
++
++    pad_len = AES.block_size - len(value) % AES.block_size
++    padded_value = value + pad_len * chr(pad_len)
++    res = iv + AES.new(secret, AES.MODE_CBC, iv).encrypt(padded_value)
++    return res.encode('string_escape')
++
++def decrypt_value_aes(value, secret):
++    value = value.decode('string_escape')
++    iv = value[:AES.block_size]
++    encrypted = value[AES.block_size:]
++
++    padded_value = AES.new(secret, AES.MODE_CBC, iv).decrypt(encrypted)
++    pad_len = ord(padded_value[-1])
++    assert pad_len >= 1 and pad_len <= AES.block_size
++    return padded_value[:-pad_len]
+ 
+ #
+ # acts_as_encrypted statement
+@@ -53,16 +75,26 @@ def decrypt_value(value, secret):
+ 
+ class ActsAsEncrypted(object):    
+ 
+-    def __init__(self, entity, for_fields=[], with_secret='abcdef'):
+-        
++    def __init__(self, entity, for_fields=[], with_secret='abcdef', with_aes=False):
++        if not with_aes:
++            sys.stderr.write("""******* WARNING!!! ********
++Blowfish encryption method is vulnerable to attacks.
++Migrate your data and use with_aes=True\n""")
++
+         def perform_encryption(instance, decrypt=False):
+             for column_name in for_fields:
+                 current_value = getattr(instance, column_name)
+                 if current_value:
+                     if decrypt:
+-                        new_value = decrypt_value(current_value, with_secret)
++                        if with_aes:
++                            new_value = decrypt_value_aes(current_value, with_secret)
++                        else:
++                            new_value = decrypt_value(current_value, with_secret)
+                     else:
+-                        new_value = encrypt_value(current_value, with_secret)
++                        if with_aes:
++                            new_value = encrypt_value_aes(current_value, with_secret)
++                        else:
++                            new_value = encrypt_value(current_value, with_secret)
+                     setattr(instance, column_name, new_value)
+         
+         def perform_decryption(instance):
+-- 
+1.9.3
+
diff --git a/python-elixir.spec b/python-elixir.spec
index 83b442c..a544b2c 100644
--- a/python-elixir.spec
+++ b/python-elixir.spec
@@ -2,13 +2,16 @@
 
 Name:           python-elixir
 Version:        0.5.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A declarative mapper for SQLAlchemy
 
 Group:          Development/Languages
 License:        MIT
 URL:            http://elixir.ematia.de/
 Source0:        http://cheeseshop.python.org/packages/source/E/Elixir/Elixir-%{version}.tar.gz
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2146
+# http://elixir.ematia.de/trac/ticket/119
+Patch0:         0001-fix-for-CVE-2012-2146.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildArch:      noarch
@@ -30,7 +33,7 @@ not need the full expressiveness of SQLAlchemy's manual mapper definitions.
 
 %prep
 %setup -q -n Elixir-%{version}
-
+%patch0 -p1
 
 %build
 %{__python} setup.py build
@@ -54,6 +57,9 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Thu Aug 21 2014 Dan Callaghan <dcallagh at redhat.com> - 0.5.0-2
+- CVE-2012-2146: patched to allow using AES instead of insecure Blowfish
+
 * Thu Dec 13 2007 James Bowes <jbowes at redhat.com> - 0.5.0-1
 - Update to 0.5.0

More information about the scm-commits mailing list