The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
| Link | Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2016/01/05/3 | third party advisory mailing list |
| http://www.securityfocus.com/bid/79829 | vdb entry third party advisory |
| https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/ | third party advisory exploit |
| http://www.openwall.com/lists/oss-security/2016/01/05/1 | third party advisory mailing list |
| http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175897.html | third party advisory vendor advisory |
| http://lists.opensuse.org/opensuse-updates/2016-01/msg00032.html | mailing list third party advisory vendor advisory |
| https://bitbucket.org/sybren/python-rsa/pull-requests/14/security-fix-bb06-attack-in-verify-by/diff | third party advisory patch |
| http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175942.html | third party advisory vendor advisory |