gentoo resync : 14.07.2018

5 files changed, 191 insertions, 0 deletions

diff --git a/dev-python/rsa/Manifest b/dev-python/rsa/Manifest
new file mode 100644
index 000000000000..df4518736544
--- /dev/null
+++ b/dev-python/rsa/Manifest
@@ -0,0 +1,6 @@
+AUX rsa-3.2.3-CVE-2016-1494.patch 3843 BLAKE2B 94721282f4079aa0a77813dd8ad1c0aefd0924272d4e2b3e8a6ad745375bafb6b6fe5e50af621232df632a1f2261be097fde92b5ad3f57b74ff7976c22daa9bc SHA512 9150b25bc1a9dacc8eee0fb93d46b9d024c868d540097b9166be9a7879fe116d8fd47cacaaf5614b86cd44e7cd10602a0ad290eb2ef116539683101d4057a231
+DIST rsa-3.2.3.tar.gz 35628 BLAKE2B fa30e8212d0102b7763a5e8eb408d0778520d85d9428e12b603fdfa5982c559682c04fec2eac4723a8c9e06c9ed77365021a832c8ad96b07fa07eb93c5a626e2 SHA512 52b33e0278e6e1fed64b1cdebed29f7caa31fae733c2d5875e6cba5a045aaa829616799d8de84fdb63c546780dbdafcabf1f85f25930b8e663861151479ef7e2
+DIST rsa-3.4.2.tar.gz 40956 BLAKE2B 9a6353c84329303c655e7a25fcfa2ca42ea846c913fac0c26fee4a27bb85f9380de876b2ec07ae2212eb37efe5d2e401b2672f187f74bbeee1e9ef1099629e36 SHA512 62b0ff31fb3b9c18ae65bd102329e69726b853560576b1b66b9b89b26d3ff79154239af7e7a581b6a27c7017cc013f738762cd9662777ef594cc11c5b1f8e267
+EBUILD rsa-3.2.3-r1.ebuild 777 BLAKE2B d776553eb2c3022a7f101b8cb5c6cf1f815020291f290ee12eaf41dbf7271e41dfebc1fcaa8aaaf5dc8b73f86ac5b670b534067ff70e1a2289a9b328727eb4f5 SHA512 816c7a69a4aa5f67de6835e308023d5b6a59a64e02bf3daaceb3bc8f060f70da009eb6d328325e77aec3ee6746ec27c89bd83a1089c64df8d2fb8fbbde0d40a5
+EBUILD rsa-3.4.2.ebuild 734 BLAKE2B 4eb74bed96bd4a9bc97db05b7ae711285f3637112fbaf5b5b6eaddec63165880dfcd14a284c6a847e7a6eeb3c9e732ce6d847f9a2ffd8ab4fcd57335bc23a307 SHA512 520e2e4cb4ac5500d556f71b0c35b6fbcc3cf61d8b62be9e4f65e0fb9aa30ea4ca435253b6f651d3d695b6c50c5d8bbdd6974fdca10a34190984199df94d4f84
+MISC metadata.xml 316 BLAKE2B fd1e4f7bdee45f5ab99e67cc3918634b9ac5ecfad75167aad5f2ee33cea308f99d8d03aab5b5e0c01e8c1bf41ca8a45f67146c5126f84af4b6d914f58af0ea38 SHA512 4d8c48ae8e4360727f5c4b83e426f42a597a175dfa2a965c9f966e5824a83291c78d3e8e636d21b4f28d73f7e912abc7db1b09078baaa0e3a1b25713abd3d0a1
diff --git a/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch b/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch
new file mode 100644
index 000000000000..bfcfc33ed01b
--- /dev/null
+++ b/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch
@@ -0,0 +1,104 @@
+# HG changeset patch
+# User Filippo Valsorda <hi@filippo.io>
+# Date 1450226563 0
+# Node ID 0cbcc529926afd61c6df4f50cfc29971beafd2c2
+# Parent  2baab06c8b867b01ec82b02118d4872a931a0437
+Fix BB'06 attack in verify() by switching from parsing to comparison
+
+diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
+--- a/rsa/pkcs1.py
++++ b/rsa/pkcs1.py
+@@ -22,10 +22,10 @@
+ At least 8 bytes of random padding is used when encrypting a message. This makes
+ these methods much more secure than the ones in the ``rsa`` module.
+ 
+-WARNING: this module leaks information when decryption or verification fails.
+-The exceptions that are raised contain the Python traceback information, which
+-can be used to deduce where in the process the failure occurred. DO NOT PASS
+-SUCH INFORMATION to your users.
++WARNING: this module leaks information when decryption fails. The exceptions
++that are raised contain the Python traceback information, which can be used to
++deduce where in the process the failure occurred. DO NOT PASS SUCH INFORMATION
++to your users.
+ '''
+ 
+ import hashlib
+@@ -288,37 +288,23 @@
+     :param pub_key: the :py:class:`rsa.PublicKey` of the person signing the message.
+     :raise VerificationError: when the signature doesn't match the message.
+ 
+-    .. warning::
+-
+-        Never display the stack trace of a
+-        :py:class:`rsa.pkcs1.VerificationError` exception. It shows where in
+-        the code the exception occurred, and thus leaks information about the
+-        key. It's only a tiny bit of information, but every bit makes cracking
+-        the keys easier.
+-
+     '''
+     
+-    blocksize = common.byte_size(pub_key.n)
++    keylength = common.byte_size(pub_key.n)
+     encrypted = transform.bytes2int(signature)
+     decrypted = core.decrypt_int(encrypted, pub_key.e, pub_key.n)
+-    clearsig = transform.int2bytes(decrypted, blocksize)
+-
+-    # If we can't find the signature  marker, verification failed.
+-    if clearsig[0:2] != b('\x00\x01'):
+-        raise VerificationError('Verification failed')
++    clearsig = transform.int2bytes(decrypted, keylength)
+     
+-    # Find the 00 separator between the padding and the payload
+-    try:
+-        sep_idx = clearsig.index(b('\x00'), 2)
+-    except ValueError:
+-        raise VerificationError('Verification failed')
+-    
+-    # Get the hash and the hash method
+-    (method_name, signature_hash) = _find_method_hash(clearsig[sep_idx+1:])
++    # Get the hash method
++    method_name = _find_method_hash(clearsig)
+     message_hash = _hash(message, method_name)
+ 
+-    # Compare the real hash to the hash in the signature
+-    if message_hash != signature_hash:
++    # Reconstruct the expected padded hash
++    cleartext = HASH_ASN1[method_name] + message_hash
++    expected = _pad_for_signing(cleartext, keylength)
++
++    # Compare with the signed one
++    if expected != clearsig:
+         raise VerificationError('Verification failed')
+ 
+     return True
+@@ -351,24 +337,20 @@
+     return hasher.digest()
+ 
+ 
+-def _find_method_hash(method_hash):
+-    '''Finds the hash method and the hash itself.
++def _find_method_hash(clearsig):
++    '''Finds the hash method.
+     
+-    :param method_hash: ASN1 code for the hash method concatenated with the
+-        hash itself.
++    :param clearsig: full padded ASN1 and hash.
+     
+-    :return: tuple (method, hash) where ``method`` is the used hash method, and
+-        ``hash`` is the hash itself.
++    :return: the used hash method.
+     
+     :raise VerificationFailed: when the hash method cannot be found
+ 
+     '''
+ 
+     for (hashname, asn1code) in HASH_ASN1.items():
+-        if not method_hash.startswith(asn1code):
+-            continue
+-        
+-        return (hashname, method_hash[len(asn1code):])
++        if asn1code in clearsig:
++            return hashname
+     
+     raise VerificationError('Verification failed')
+ 
diff --git a/dev-python/rsa/metadata.xml b/dev-python/rsa/metadata.xml
new file mode 100644
index 000000000000..35bbfa239754
--- /dev/null
+++ b/dev-python/rsa/metadata.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="project">
+    <email>python@gentoo.org</email>
+    <name>Python</name>
+  </maintainer>
+  <upstream>
+    <remote-id type="pypi">rsa</remote-id>
+  </upstream>
+</pkgmetadata>
diff --git a/dev-python/rsa/rsa-3.2.3-r1.ebuild b/dev-python/rsa/rsa-3.2.3-r1.ebuild
new file mode 100644
index 000000000000..01d4935db649
--- /dev/null
+++ b/dev-python/rsa/rsa-3.2.3-r1.ebuild
@@ -0,0 +1,37 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+
+PYTHON_COMPAT=( python2_7 python3_{4,5,6} pypy )
+
+inherit distutils-r1
+
+DESCRIPTION="Pure-Python RSA implementation"
+HOMEPAGE="https://stuvel.eu/rsa https://pypi.org/project/rsa/"
+SRC_URI="mirror://pypi/${P:0:1}/${PN}/${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="amd64 arm x86"
+IUSE="test"
+
+RDEPEND="
+	>=dev-python/pyasn1-0.1.3[${PYTHON_USEDEP}]
+	dev-python/traceback2[${PYTHON_USEDEP}]
+	"
+DEPEND="${RDEPEND}
+	>=dev-python/setuptools-0.6.10[${PYTHON_USEDEP}]
+	test? (
+		dev-python/nose[${PYTHON_USEDEP}]
+		dev-python/unittest2[${PYTHON_USEDEP}]
+		)
+	"
+
+PATCHES=(
+	"${FILESDIR}"/${P}-CVE-2016-1494.patch
+)
+
+python_test() {
+	nosetests --verbose || die
+}
diff --git a/dev-python/rsa/rsa-3.4.2.ebuild b/dev-python/rsa/rsa-3.4.2.ebuild
new file mode 100644
index 000000000000..06b84e4231d8
--- /dev/null
+++ b/dev-python/rsa/rsa-3.4.2.ebuild
@@ -0,0 +1,33 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+
+PYTHON_COMPAT=( python2_7 python3_{4,5,6} pypy )
+
+inherit distutils-r1
+
+DESCRIPTION="Pure-Python RSA implementation"
+HOMEPAGE="https://stuvel.eu/rsa https://pypi.org/project/rsa/"
+SRC_URI="mirror://pypi/${P:0:1}/${PN}/${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+IUSE="test"
+
+RDEPEND="
+	>=dev-python/pyasn1-0.1.3[${PYTHON_USEDEP}]
+	dev-python/traceback2[${PYTHON_USEDEP}]
+	"
+DEPEND="${RDEPEND}
+	>=dev-python/setuptools-0.6.10[${PYTHON_USEDEP}]
+	test? (
+		dev-python/nose[${PYTHON_USEDEP}]
+		dev-python/unittest2[${PYTHON_USEDEP}]
+		)
+	"
+
+python_test() {
+	nosetests --verbose || die
+}