CVE-2020-25658 - Bleichenbacher-style timing oracle in PKCS#1 v1.5 decryption code

[ran-isenberg]

Hey guys,
There's a new high level risk vulnerability in the RSA python library that this repo uses. I'm not familiar with the fine details but is there any way for you guys to solve this in this repo?
There's an open issue in the rsa repo from 16 days ago but it seems that they are not going to fix it.

sybrenstuvel/python-rsa#165
He mentioned that "python-jose depends on python-rsa, but it will not use it if better libraries are available, you should use python-jose with pyca/cryptography, then python-rsa code will be unused and unexploitable".

Can you elaborate on this?

[tomato42]

I was referring to this section of readme: https://github.com/mpdavis/python-jose#cryptographic-backends

[ran-isenberg]

@tomato42 thx! so this means that our security scanner is giving a false positive since we are install python-jose[cryptography] which doesnt use rsa.
can rsa not be installed at all in this case so the security scanner wont give these alarams?

[blag]

If you are using pip, and you are sure you might be able to workaround your security scanner by uninstalling python-rsa after installing python-jose:

pip install 'python-jose[cryptography]'  # will install python-jose with PyCrypto backend
pip uninstall ecdsa  # You may need to pass a `--yes` or `--force` flag to `pip uninstall` to get it to skip asking for confirmation.

If this works, it works because pip is not yet a full package manager - it does not ensure that installed packages don't conflict upon invocation, it only cares that it can successfully execute the immediate command. And it can install all of the dependencies for python-jose, and it can then uninstall python-rsa. At no point does it check that it left the virtualenv in a consistent state.

The fix for this is to transition python-jose to only depend on external libraries via extras_require. See this TODO. This will require users to install backends explicitly, but I think that's probably the for the best anyway.