[Python-modules-commits] [elixir] 02/03: merge patched into master

Piotr Ożarowski piotr at moszumanska.debian.org
Fri Nov 18 13:12:59 UTC 2016


This is an automated email from the git hooks/post-receive script.

piotr pushed a commit to branch master
in repository elixir.

commit 6ee0255bb1b44de64c2a56a689f369c321c38f54
Merge: ffbd77f 3a06ca5
Author: Piotr Ożarowski <piotr at debian.org>
Date:   Fri Nov 18 14:03:38 2016 +0100

    merge patched into master

 debian/.git-dpm                                    |  4 +-
 ...002-CVE-2012-2146-aes-encryption-addition.patch | 91 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 elixir/ext/encrypted.py                            | 42 ++++++++--
 4 files changed, 131 insertions(+), 7 deletions(-)

diff --cc debian/.git-dpm
index 6ad01aa,0000000..a1141ec
mode 100644,000000..100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@@ -1,11 -1,0 +1,11 @@@
 +# see git-dpm(1) from git-dpm package
- 2c43934c7dfba603a841a86989cd13ab7ded2e8b
- 2c43934c7dfba603a841a86989cd13ab7ded2e8b
++3a06ca56dc701e244c7e5240afc84f434aaa6b3d
++3a06ca56dc701e244c7e5240afc84f434aaa6b3d
 +3dcd3abf09121451b9cc81cb1a7b4daad7a36f9f
 +3dcd3abf09121451b9cc81cb1a7b4daad7a36f9f
 +elixir_0.7.1.orig.tar.gz
 +22a1fbdc0163532b7cfbbd54c074a0a5ccf7d060
 +47110
 +debianTag="debian/%e%v"
 +patchedTag="patched/%e%v"
 +upstreamTag="upstream/%e%u"
diff --cc debian/patches/0002-CVE-2012-2146-aes-encryption-addition.patch
index 0000000,0000000..cfbfc5e
new file mode 100644
--- /dev/null
+++ b/debian/patches/0002-CVE-2012-2146-aes-encryption-addition.patch
@@@ -1,0 -1,0 +1,91 @@@
++From 3a06ca56dc701e244c7e5240afc84f434aaa6b3d Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Piotr=20O=C5=BCarowski?= <piotr at debian.org>
++Date: Fri, 18 Nov 2016 14:02:47 +0100
++Subject: CVE-2012-2146: aes encryption addition
++
++---
++ elixir/ext/encrypted.py | 42 +++++++++++++++++++++++++++++++++++++-----
++ 1 file changed, 37 insertions(+), 5 deletions(-)
++
++diff --git a/elixir/ext/encrypted.py b/elixir/ext/encrypted.py
++index 410855d..ec99fbf 100644
++--- a/elixir/ext/encrypted.py
+++++ b/elixir/ext/encrypted.py
++@@ -32,7 +32,9 @@ that attribute will be crypted in the in-memory object in addition to the
++ database row.
++ '''
++ 
++-from Crypto.Cipher import Blowfish
+++import sys
+++import os
+++from Crypto.Cipher import Blowfish, AES
++ from elixir.statements import Statement
++ from sqlalchemy.orm import MapperExtension, EXT_CONTINUE, EXT_STOP
++ 
++@@ -49,7 +51,9 @@ __doc_all__ = []
++ #
++ # encryption and decryption functions
++ #
++-
+++# WARNING!!! Blowfish encryption method is vulnerable to attacks
+++# because it doesn't properly use random seed. It is provided just for
+++# backward compatibility needed to migrate data. Use AES instead!
++ def encrypt_value(value, secret):
++     return Blowfish.new(secret, Blowfish.MODE_CFB) \
++                    .encrypt(value).encode('string_escape')
++@@ -58,6 +62,24 @@ def decrypt_value(value, secret):
++     return Blowfish.new(secret, Blowfish.MODE_CFB) \
++                    .decrypt(value.decode('string_escape'))
++ 
+++# Crypto.Cipher.AES is AES128
+++def encrypt_value_aes(value, secret):
+++    iv = os.urandom(AES.block_size)
+++
+++    pad_len = AES.block_size - len(value) % AES.block_size
+++    padded_value = value + pad_len * chr(pad_len)
+++    res = iv + AES.new(secret, AES.MODE_CBC, iv).encrypt(padded_value)
+++    return res.encode('string_escape')
+++
+++def decrypt_value_aes(value, secret):
+++    value = value.decode('string_escape')
+++    iv = value[:AES.block_size]
+++    encrypted = value[AES.block_size:]
+++
+++    padded_value = AES.new(secret, AES.MODE_CBC, iv).decrypt(encrypted)
+++    pad_len = ord(padded_value[-1])
+++    assert pad_len >= 1 and pad_len <= AES.block_size
+++    return padded_value[:-pad_len]
++ 
++ #
++ # acts_as_encrypted statement
++@@ -65,7 +87,11 @@ def decrypt_value(value, secret):
++ 
++ class ActsAsEncrypted(object):
++ 
++-    def __init__(self, entity, for_fields=[], with_secret='abcdef'):
+++    def __init__(self, entity, for_fields=[], with_secret='abcdef', with_aes=False):
+++        if not with_aes:
+++            sys.stderr.write("""******* WARNING!!! ********
+++Blowfish encryption method is vulnerable to attacks.
+++Migrate your data and use with_aes=True\n""")
++ 
++         def perform_encryption(instance, encrypt=True):
++             encrypted = getattr(instance, '_elixir_encrypted', None)
++@@ -77,9 +103,15 @@ class ActsAsEncrypted(object):
++                 instance._elixir_encrypted = encrypt
++ 
++             if encrypt:
++-                func = encrypt_value
+++                if with_aes:
+++                    func = encrypt_value_aes
+++                else:
+++                    func = encrypt_value
++             else:
++-                func = decrypt_value
+++                if with_aes:
+++                    func = decrypt_value_aes
+++                else:
+++                    func = decrypt_value
++ 
++             for column_name in for_fields:
++                 current_value = getattr(instance, column_name)
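Review bot: The padding check in `decrypt_value_aes` relies on `assert`, which is stripped under `python -O` and looks only at the last byte, so a corrupted or modified column value can come back silently truncated instead of being rejected; an explicit check such as `if not 1 <= pad_len <= AES.block_size or padded_value[-pad_len:] != chr(pad_len) * pad_len: raise ValueError("invalid padding")` would hold in every run mode. CBC also carries no integrity protection, so the stored `iv + ciphertext` is malleable and a distinguishable padding error can leak information about the plaintext; a MAC computed over `iv + ciphertext` and verified before decryption would address both. The comment `# Crypto.Cipher.AES is AES128` looks inaccurate, since the key size follows `len(secret)` (16, 24 or 32 bytes), and the default `with_secret='abcdef'` is not a valid AES key length, so `with_aes=True` with the default secret would presumably fail in `AES.new`. `with_aes` defaults to False, so existing callers stay on the Blowfish path with only a stderr warning; the module docstring should say that new deployments need `with_aes=True` and an explicit secret of a valid length.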
diff --cc debian/patches/series
index b4463b7,0000000..5f8de60
mode 100644,000000..100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@@ -1,1 -1,0 +1,2 @@@
 +sa_0.9_compatibility.patch
++0002-CVE-2012-2146-aes-encryption-addition.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/elixir.git


