Control: tags 873244 + pending

Dear maintainer,
I've prepared an NMU for pyjwt (versioned as 1.4.2-1.1) and uploaded it to DELAYED/10. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru pyjwt-1.4.2/debian/changelog pyjwt-1.4.2/debian/changelog
--- pyjwt-1.4.2/debian/changelog 2016-09-09 01:07:26.000000000 +0200
+++ pyjwt-1.4.2/debian/changelog 2017-09-16 14:49:38.000000000 +0200
@@ -1,3 +1,11 @@
+pyjwt (1.4.2-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Throw if key is an PKCS1 PEM-encoded public key (CVE-2017-11424)
+ (Closes: #873244)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 16 Sep 2017 14:49:38 +0200
+
 pyjwt (1.4.2-1) unstable; urgency=medium
 
 * New upstream release.
diff -Nru pyjwt-1.4.2/debian/patches/0001-Throw-if-key-is-an-PKCS1-PEM-encoded-public-key.patch pyjwt-1.4.2/debian/patches/0001-Throw-if-key-is-an-PKCS1-PEM-encoded-public-key.patch
--- pyjwt-1.4.2/debian/patches/0001-Throw-if-key-is-an-PKCS1-PEM-encoded-public-key.patch 1970-01-01 01:00:00.000000000 +0100
+++ pyjwt-1.4.2/debian/patches/0001-Throw-if-key-is-an-PKCS1-PEM-encoded-public-key.patch 2017-09-16 14:48:51.000000000 +0200
@@ -0,0 +1,49 @@
+From: =?UTF-8?q?Jos=C3=A9=20Padilla?= <jpadi...@webapplicate.com>
+Date: Wed, 21 Jun 2017 15:49:41 -0400
+Subject: Throw if key is an PKCS1 PEM-encoded public key
+Origin: https://github.com/jpadilla/pyjwt/commit/37926ea0dd207db070b45473438853447e4c1392
+Bug: https://github.com/jpadilla/pyjwt/pull/277
+Bug-Debian: https://bugs.debian.org/873244
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-11424
+
+---
+ jwt/algorithms.py | 1 +
+ tests/keys/testkey_pkcs1.pub.pem | 5 +++++
+ tests/test_algorithms.py | 7 +++++++
+ 3 files changed, 13 insertions(+)
+ create mode 100644 tests/keys/testkey_pkcs1.pub.pem
+
+--- a/jwt/algorithms.py
++++ b/jwt/algorithms.py
+@@ -121,6 +121,7 @@ class HMACAlgorithm(Algorithm):
+ invalid_strings = [
+ b'-----BEGIN PUBLIC KEY-----',
+ b'-----BEGIN CERTIFICATE-----',
++ b'-----BEGIN RSA PUBLIC KEY-----',
+ b'ssh-rsa'
+ ]
+ 
+--- /dev/null
++++ b/tests/keys/testkey_pkcs1.pub.pem
+@@ -0,0 +1,5 @@
++-----BEGIN RSA PUBLIC KEY-----
++MIGHAoGBAOV/0Vl/5VdHcYpnILYzBGWo5JQVzo9wBkbxzjAStcAnTwvv1ZJTMXs6
++fjz91f9hiMM4Z/5qNTE/EHlDWxVdj1pyRaQulZPUs0r9qJ02ogRRGLG3jjrzzbzF
++yj/pdNBwym0UJYC/Jmn/kMLwGiWI2nfa9vM5SovqZiAy2FD7eOtVAgED
++-----END RSA PUBLIC KEY-----
+--- a/tests/test_algorithms.py
++++ b/tests/test_algorithms.py
+@@ -63,6 +63,13 @@ class TestAlgorithms:
+ with open(key_path('testkey2_rsa.pub.pem'), 'r') as keyfile:
+ algo.prepare_key(keyfile.read())
+ 
++ def test_hmac_should_throw_exception_if_key_is_pkcs1_pem_public(self):
++ algo = HMACAlgorithm(HMACAlgorithm.SHA256)
++
++ with pytest.raises(InvalidKeyError):
++ with open(key_path('testkey_pkcs1.pub.pem'), 'r') as keyfile:
++ algo.prepare_key(keyfile.read())
++
+ def test_hmac_should_throw_exception_if_key_is_x509_certificate(self):
+ algo = HMACAlgorithm(HMACAlgorithm.SHA256)
+ 
diff -Nru pyjwt-1.4.2/debian/patches/series pyjwt-1.4.2/debian/patches/series
--- pyjwt-1.4.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ 
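Review bot: The new `b'-----BEGIN RSA PUBLIC KEY-----'` entry extends a bare substring denylist in `invalid_strings`, and nothing in the hunk records why the list exists or that it is a heuristic, so the next maintainer has no basis for deciding what else belongs in it; a short comment above the list would carry that, e.g. `# Reject public-key material as an HMAC secret: with the verifier's public key an attacker can switch alg to HS* and forge tokens (CVE-2017-11424). Substring heuristic only; callers should still restrict the accepted algorithms when decoding.` The list matches only the exact PEM/OpenSSH header strings spelled here, so whether every key encoding reachable through this path is covered cannot be judged from the hunk alone. The enclosing method (presumably `prepare_key`, given the new test) starts before and ends after the hunk; only the hunk header's `class HMACAlgorithm(Algorithm):` context is visible.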
pyjwt-1.4.2/debian/patches/series 2017-09-16 14:49:38.000000000 +0200
@@ -0,0 +1 @@
+0001-Throw-if-key-is-an-PKCS1-PEM-encoded-public-key.patch