Bug 844882 - (CVE-2013-4347) VUL-0: CVE-2013-4347: python-oauth2: insufficient randomness
VUL-0: CVE-2013-4347: python-oauth2: insufficient randomness
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2013-10-09 09:21 UTC by Marcus Meissner
Modified: 2015-03-24 17:10 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2013-10-09 09:21:44 UTC
via oss-sec



Hello Kurt, all, I recently gave python-oauth2 a quick audit and believe
it needs three CVE entries:

- _check_signature() ignores the nonce value when validating signed urls

    def _check_signature(self, request, consumer, token):
        timestamp, nonce = request._get_timestamp_nonce()
        signature_method = self._get_signature_method(request)

            signature = request.get_parameter('oauth_signature')
            raise MissingSignature('Missing oauth_signature.')

        # Validate the signature.
        valid = signature_method.check(request, consumer, token, signature)

        if not valid:
            key, base = signature_method.signing_base(request, consumer, token)

            raise Error('Invalid signature. Expected signature base '
                'string: %s' % base)

Ignoring the nonce value enables replay attacks.

This appears to already be known (ignoring the misleading title):

- _check_timestamp() does not constrain how far into the future times may be,
Comment 1 Swamp Workflow Management 2013-10-11 07:41:41 UTC
bugbot adjusting priority
Comment 2 Sascha Peilicke 2013-12-06 12:52:01 UTC
Upstream is dead, so everybody waits for a fix ATM. 

It's an optional dependency for OpenStack Keystone but we don't use it so far. So the impact is not that big.

JFR, https://bugzilla.redhat.com/show_bug.cgi?id=1007746
Comment 3 Sascha Peilicke 2014-01-28 14:42:17 UTC
Havana moved to python-oauthlib. It is not yet known if there will be a backport.