
freeipa team mailing list archive

[Bug 1869215] Re: [MIR] python-jwcrypto

 

I reviewed python-jwcrypto 0.6.0-2 as checked into groovy. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

python-jwcrypto is an implementation of the JavaScript Object Signing and
Encryption (JOSE) Web Standards as they are being developed in the JOSE
IETF Working Group and related technology. JWCrypto is Python2 and Python3
compatible and uses the Cryptography package for all the crypto functions.

- CVE History:
  - CVE-2016-6298: Million Message Attack
  - Upstream quickly resolved it
- Build-Depends:
  - debhelper
  - dh-python
  - python3-all
  - python3-cryptography
  - python3-nose
  - python3-setuptools
- postinst and prerm scripts added automatically
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No polkit files
- No udev rules
- Tests
  - Unit test available through tox
  - No autopkgtest
- No cron jobs
- Build logs:
  - No relevant errors or warnings

- No processes spawned
- No memory management
- No File IO
- No logging
- No environment variable usage
- No use of privileged functions
- Use of cryptography / random number sources
  - Depends on cryptography (python3-cryptography) for all crypto operations
  - python3-cryptography already in main
- No use of temp files
- No use of networking
- No use of WebKit
- No use of PolicyKit

- No Coverity results
- Bandit found the following issues:
  - B303: Use of insecure SHA1 hash function (in jwa.py)
    - we consider it a False Positive as the definition of JSON Web
      Algorithms (JWA) specifies RSA OAEP using default parameters as:
      "Those default parameters are the SHA-1 hash function and the MGF1
       with SHA-1 mask generation function."
      (https://tools.ietf.org/html/rfc7518#section-4.3)
  - B505: RSA key sizes below 2048 bits
    - this happens in test code, therefore a False Positive.

Security team ACK for promoting python-jwcrypto to main.


** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6298

** Tags added: security-review-done

** Changed in: python-jwcrypto (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to python-jwcrypto in Ubuntu.
https://bugs.launchpad.net/bugs/1869215

Title:
  [MIR] python-jwcrypto

Status in python-jwcrypto package in Ubuntu:
  New

Bug description:
  [Availability]
  In universe

  [Rationale]
  New dependency for websockify

  [Security]
  https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jwcrypto

  One CVE from 2016 in older released version (resolved).

  [Quality assurance]
  Package has tests which are run as part of the package build.

  [Dependencies]
  All in main.

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

  [Background Information]
  JWCrypto is an implementation of the JavaScript Object Signing and Encryption (JOSE) Web Standards as they are being developed in the JOSE IETF Working Group and related technology.

  JWCrypto is Python2 and Python3 compatible and uses the Cryptography
  package for all the crypto functions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-jwcrypto/+bug/1869215/+subscriptions
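The Bandit B303 finding discussed in the review above concerns the SHA-1 that RFC 7518 section 4.3 fixes for the JWA algorithm identifier "RSA-OAEP" (the "default parameters" of RFC 8017), while the separate identifier "RSA-OAEP-256" uses SHA-256 for both the label hash and MGF1. The following is an added illustration, not code from python-jwcrypto or from the review: it implements only the EME-OAEP padding layer of RFC 8017 section 7.1 with hashlib, so the two places where the hash function enters (hashing the label and driving the MGF1 mask) are visible, and omits the RSA modular exponentiation that would wrap the encoded block. The modulus size k, the constructed 32-byte key and the demo() helper are assumptions made for the example.

```python
"""Where SHA-1 sits in RSA-OAEP as JWA "RSA-OAEP" specifies it (RFC 7518 s.4.3),
beside the "RSA-OAEP-256" variant. EME-OAEP padding only (RFC 8017 s.7.1);
the RSA operation itself is omitted so the example runs stand-alone.
Added example, not code from python-jwcrypto."""
import hashlib
import os
from typing import Optional

# Hash per JWA algorithm identifier (RFC 7518 section 4.3).
JWA_OAEP_HASH = {
    "RSA-OAEP": "sha1",        # RFC 8017 default parameters: SHA-1 and MGF1 with SHA-1
    "RSA-OAEP-256": "sha256",  # SHA-256 and MGF1 with SHA-256
}


def mgf1(seed: bytes, mask_len: int, hash_name: str) -> bytes:
    """MGF1 mask generation function (RFC 8017 appendix B.2.1)."""
    h_len = hashlib.new(hash_name).digest_size
    mask = b""
    for counter in range((mask_len + h_len - 1) // h_len):
        mask += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
    return mask[:mask_len]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message: bytes, k: int, alg: str, label: bytes = b"",
                seed: Optional[bytes] = None) -> bytes:
    """EME-OAEP encoding (RFC 8017 section 7.1.1 step 2).
    k is the RSA modulus length in octets; the returned EM is what RSA would encrypt.
    A fixed seed may be passed for deterministic tests; production code never does this."""
    hash_name = JWA_OAEP_HASH[alg]
    h_len = hashlib.new(hash_name).digest_size
    if len(message) > k - 2 * h_len - 2:
        raise ValueError("message too long")
    l_hash = hashlib.new(hash_name, label).digest()          # first use of the hash
    ps = b"\x00" * (k - len(message) - 2 * h_len - 2)
    db = l_hash + ps + b"\x01" + message
    if seed is None:
        seed = os.urandom(h_len)
    masked_db = _xor(db, mgf1(seed, k - h_len - 1, hash_name))  # second use: MGF1
    masked_seed = _xor(seed, mgf1(masked_db, h_len, hash_name))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em: bytes, k: int, alg: str, label: bytes = b"") -> bytes:
    """EME-OAEP decoding (RFC 8017 section 7.1.2 step 3)."""
    hash_name = JWA_OAEP_HASH[alg]
    h_len = hashlib.new(hash_name).digest_size
    if len(em) != k or k < 2 * h_len + 2:
        raise ValueError("decryption error")
    y, masked_seed, masked_db = em[0], em[1:1 + h_len], em[1 + h_len:]
    seed = _xor(masked_seed, mgf1(masked_db, h_len, hash_name))
    db = _xor(masked_db, mgf1(seed, k - h_len - 1, hash_name))
    l_hash = hashlib.new(hash_name, label).digest()
    sep = db.find(b"\x01", h_len)  # the 0x01 separator after the zero padding string
    # RFC 8017 requires that the caller cannot tell which of these checks failed,
    # so they are folded into a single error rather than reported individually.
    bad = (y != 0) | (db[:h_len] != l_hash) | (sep == -1) | any(db[h_len:sep])
    if bad:
        raise ValueError("decryption error")
    return db[sep + 1:]


def demo() -> dict:
    """Round-trip a constructed 256-bit content encryption key (as JWE would wrap)
    under both JWA identifiers with a 2048-bit modulus, then show that an EM built
    for "RSA-OAEP" is rejected under "RSA-OAEP-256": the hash is part of the algorithm."""
    k = 256                    # 2048-bit modulus, in octets (assumed for the example)
    cek = bytes(range(32))     # constructed sample key, not a real secret
    results = {}
    for alg in JWA_OAEP_HASH:
        results[alg] = oaep_decode(oaep_encode(cek, k, alg), k, alg) == cek
    em = oaep_encode(cek, k, "RSA-OAEP")
    try:
        oaep_decode(em, k, "RSA-OAEP-256")
        results["cross"] = False
    except ValueError:
        results["cross"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The decoder deliberately reports one uniform error for a bad leading octet, a label-hash mismatch, a missing separator or non-zero padding, which is the RFC 8017 requirement that keeps the padding check from acting as an oracle; a Bandit rule that keys only on the hash name cannot see this distinction, which is why the reviewer's reading of the finding against the JWA text is the right check.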
