pkgsrc-Bugs archive


pkg/54883: python-ecdsa 0.15 (important security update)



>Number:         54883
>Category:       pkg
>Synopsis:       python-ecdsa 0.15 (important security update)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jan 22 00:40:00 +0000 2020
>Originator:     Jonathan Schleifer
>Release:        HEAD
>Organization:
>Environment:
>Description:
python-ecdsa 0.13 has broken signature verification. This could have catastrophic effects.
    
I also switched the source from GitHub to PyPi, because for whatever reason, the archive is different. Hashes for the archive from GitHub are nowhere to be found, and I could not find a single distro that uses the archive from GitHub instead of PyPi. So instead, I used the PyPi one and compared the hashes to what Alpine has. Since this is a dependency of Electrum, a Bitcoin wallet, it is necessary to be extra cautious here.

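The provenance check the description relies on (recording SHA1, RMD160, SHA512 and Size for the distfile and comparing the digests with what an independent party recorded) as an added Python example. This is not code from the report, from pkgsrc or from python-ecdsa: the distinfo lines are the ones in the patch in this report, the tarball bytes and the second "other distro" record are constructed for illustration, and the function names are assumptions of this example.

```python
"""Check a fetched distfile against pkgsrc-style distinfo records and
cross-check one digest across independent sources.

Added example for this report; not pkgsrc code and not part of the
python-ecdsa update.  The tarball bytes, the file name and the second
"other distro" record used by callers are constructed illustrations."""
import hashlib
import re

# Constructed stand-in for a downloaded tarball (NOT the real ecdsa sdist).
DISTFILE_NAME = "example-1.0.tar.gz"
DISTFILE_BYTES = b"constructed tarball contents, not a real archive\n" * 64

# The distinfo lines from the patch in this report, verbatim.
PKGSRC_DISTINFO = """\
$NetBSD: distinfo,v 1.7 2015/11/04 01:18:03 agc Exp $

SHA1 (ecdsa-0.15.tar.gz) = 5ac84f3012d807793bcb98a8e9c86c63b9965596
RMD160 (ecdsa-0.15.tar.gz) = aaeba796ec51455deb06d4accc01535aeac26302
SHA512 (ecdsa-0.15.tar.gz) = 7b7491d1abdb5ca43456d943c96525fa5d722635c496bbddd04ef8e1baad9dc0aef3d1752afea7820f7796421b18295ee260657ec1e8faf7564613b316c0d603
Size (ecdsa-0.15.tar.gz) = 122119 bytes
"""

# "ALGO (filename) = value" with an optional " bytes" suffix on Size lines.
_LINE = re.compile(r"^(\w+) \(([^)]+)\) = (\S+)(?: bytes)?$")


def parse_distinfo(text):
    """Return {filename: {algo: value}} from distinfo text.
    The RCS id header and blank lines are skipped; anything else that does
    not parse is an error, never silently ignored."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("$NetBSD"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparseable distinfo line: %r" % line)
        algo, fname, value = m.groups()
        records.setdefault(fname, {})[algo] = value
    return records


def compute_digests(data):
    """Compute the values distinfo carries for one file.  RMD160 is reported
    as None when this Python's hashlib lacks ripemd160 (some OpenSSL 3
    builds), so a caller cannot mistake "not computed" for "matched"."""
    out = {
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
        "Size": str(len(data)),
    }
    try:
        out["RMD160"] = hashlib.new("ripemd160", data).hexdigest()
    except ValueError:
        out["RMD160"] = None
    return out


def verify(fname, data, records):
    """Return (ok, problems).  Every algorithm recorded for fname must match;
    an algorithm we cannot compute locally counts as a problem."""
    expected = records.get(fname)
    if expected is None:
        return False, ["no distinfo entry for %s" % fname]
    actual = compute_digests(data)
    problems = []
    for algo, want in expected.items():
        got = actual.get(algo)
        if got is None:
            problems.append("%s: cannot compute locally" % algo)
        elif got != want:
            problems.append("%s: expected %s, got %s" % (algo, want, got))
    return not problems, problems


def make_distinfo(fname, data):
    """Produce distinfo lines for data (what a fresh checksum run records);
    algorithms hashlib cannot compute are left out rather than guessed."""
    lines = []
    for algo, value in compute_digests(data).items():
        if value is None:
            continue
        suffix = " bytes" if algo == "Size" else ""
        lines.append("%s (%s) = %s%s" % (algo, fname, value, suffix))
    return "\n".join(lines) + "\n"


def cross_check(fname, algo, *records):
    """True only if every independent record (our distinfo, another distro's
    checksum file, the index's published digest) agrees on fname/algo."""
    values = {r.get(fname, {}).get(algo) for r in records}
    return len(values) == 1 and None not in values


if __name__ == "__main__":
    records = parse_distinfo(PKGSRC_DISTINFO)
    # The constructed bytes are not the ecdsa sdist, so this must fail loudly.
    print("ecdsa-0.15.tar.gz:", verify("ecdsa-0.15.tar.gz", DISTFILE_BYTES, records))
    own = parse_distinfo(make_distinfo(DISTFILE_NAME, DISTFILE_BYTES))
    print(DISTFILE_NAME + ":", verify(DISTFILE_NAME, DISTFILE_BYTES, own))
```

The point of cross_check is the one the description makes: a digest copied from a single third party only proves you fetched the same bytes that party did, so the records passed in should come from sources that did not copy from each other (the package index's own published digest, a second distro, your own fetch).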
>How-To-Repeat:

>Fix:
commit 77be555f9e29d476e73ef3f4c085058b23803c22
Author: Jonathan Schleifer <js%nil.im@localhost>
Date:   Wed Jan 22 01:33:03 2020 +0100

    py-ecdsa 0.15, includes important security updates
    
    Also switches the source from GitHub to PyPi, because for whatever
    reason, the archive is different. Hashes for the archive from GitHub are
    nowhere to be found, and I could not find a single distro that uses the
    archive from GitHub instead of PyPi. So instead, I used the PyPi one and
    compared the hashes to what Alpine has.

diff --git a/security/py-ecdsa/Makefile b/security/py-ecdsa/Makefile
index 496eb0b8bd5..916618a7002 100644
--- a/security/py-ecdsa/Makefile
+++ b/security/py-ecdsa/Makefile
@@ -1,17 +1,16 @@
 # $NetBSD: Makefile,v 1.7 2015/06/29 17:00:00 gls Exp $
 
-DISTNAME=	python-ecdsa-0.13
-PKGNAME=	${PYPKGPREFIX}-ecdsa-0.13
+DISTNAME=	ecdsa-0.15
+PKGNAME=	${PYPKGPREFIX}-ecdsa-0.15
 EGG_NAME=	ecdsa-${PKGVERSION}
 CATEGORIES=	security
-MASTER_SITES=	https://github.com/warner/python-ecdsa/archive/
+MASTER_SITES=	${MASTER_SITE_PYPI:=e/ecdsa/}
 
 MAINTAINER=	gls%NetBSD.org@localhost
 HOMEPAGE=	https://github.com/warner/python-ecdsa/
 COMMENT=	Easy-to-use implementation of ECDSA cryptography
 LICENSE=	mit
 
-WRKSRC=		${WRKDIR}/python-ecdsa-${DISTNAME}
 USE_LANGUAGES=	# none
 
 REPLACE_PYTHON=	ecdsa/ecdsa.py ecdsa/ellipticcurve.py ecdsa/numbertheory.py
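Review bot: no DEPENDS line is added for the external runtime dependency that 0.15 now declares; the PLIST hunk in this same patch adds ${PYSITELIB}/${EGG_INFODIR}/requires.txt and drops the vendored ecdsa/six.py, so whatever requires.txt lists will no longer be satisfied by the package itself. Check requires.txt in the unpacked distfile and add the matching entry (for six that would be DEPENDS+= ${PYPKGPREFIX}-six-[0-9]*:../../devel/py-six). Removing WRKSRC is consistent with the new DISTNAME=ecdsa-0.15 only if the PyPI sdist unpacks into ${WRKDIR}/${DISTNAME}, the pkgsrc default, which a test build should confirm. HOMEPAGE still points at the GitHub repository while MASTER_SITES now fetches from PyPI, which is acceptable but worth a word in the commit message since the two archives are stated to differ.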
diff --git a/security/py-ecdsa/PLIST b/security/py-ecdsa/PLIST
index 32517559708..bb716364a29 100644
--- a/security/py-ecdsa/PLIST
+++ b/security/py-ecdsa/PLIST
@@ -1,41 +1,75 @@
-@comment $NetBSD: PLIST,v 1.3 2015/06/29 17:00:00 gls Exp $
+@comment $NetBSD$
 ${PYSITELIB}/${EGG_INFODIR}/PKG-INFO
 ${PYSITELIB}/${EGG_INFODIR}/SOURCES.txt
 ${PYSITELIB}/${EGG_INFODIR}/dependency_links.txt
+${PYSITELIB}/${EGG_INFODIR}/requires.txt
 ${PYSITELIB}/${EGG_INFODIR}/top_level.txt
 ${PYSITELIB}/ecdsa/__init__.py
-${PYSITELIB}/ecdsa/__init__.pyc
 ${PYSITELIB}/ecdsa/__init__.pyo
-${PYSITELIB}/ecdsa/_version.py
-${PYSITELIB}/ecdsa/_version.pyc
+${PYSITELIB}/ecdsa/__init__.pyc
+${PYSITELIB}/ecdsa/_compat.pyo
+${PYSITELIB}/ecdsa/_compat.pyc
+${PYSITELIB}/ecdsa/_rwlock.pyo
+${PYSITELIB}/ecdsa/_rwlock.pyc
 ${PYSITELIB}/ecdsa/_version.pyo
-${PYSITELIB}/ecdsa/curves.py
-${PYSITELIB}/ecdsa/curves.pyc
+${PYSITELIB}/ecdsa/_version.pyc
 ${PYSITELIB}/ecdsa/curves.pyo
-${PYSITELIB}/ecdsa/der.py
-${PYSITELIB}/ecdsa/der.pyc
+${PYSITELIB}/ecdsa/curves.pyc
 ${PYSITELIB}/ecdsa/der.pyo
-${PYSITELIB}/ecdsa/ecdsa.py
-${PYSITELIB}/ecdsa/ecdsa.pyc
+${PYSITELIB}/ecdsa/der.pyc
+${PYSITELIB}/ecdsa/ecdh.pyo
+${PYSITELIB}/ecdsa/ecdh.pyc
 ${PYSITELIB}/ecdsa/ecdsa.pyo
-${PYSITELIB}/ecdsa/ellipticcurve.py
-${PYSITELIB}/ecdsa/ellipticcurve.pyc
+${PYSITELIB}/ecdsa/ecdsa.pyc
 ${PYSITELIB}/ecdsa/ellipticcurve.pyo
-${PYSITELIB}/ecdsa/keys.py
-${PYSITELIB}/ecdsa/keys.pyc
+${PYSITELIB}/ecdsa/ellipticcurve.pyc
 ${PYSITELIB}/ecdsa/keys.pyo
-${PYSITELIB}/ecdsa/numbertheory.py
-${PYSITELIB}/ecdsa/numbertheory.pyc
+${PYSITELIB}/ecdsa/keys.pyc
 ${PYSITELIB}/ecdsa/numbertheory.pyo
-${PYSITELIB}/ecdsa/rfc6979.py
-${PYSITELIB}/ecdsa/rfc6979.pyc
+${PYSITELIB}/ecdsa/numbertheory.pyc
 ${PYSITELIB}/ecdsa/rfc6979.pyo
-${PYSITELIB}/ecdsa/six.py
-${PYSITELIB}/ecdsa/six.pyc
-${PYSITELIB}/ecdsa/six.pyo
-${PYSITELIB}/ecdsa/test_pyecdsa.py
-${PYSITELIB}/ecdsa/test_pyecdsa.pyc
+${PYSITELIB}/ecdsa/rfc6979.pyc
+${PYSITELIB}/ecdsa/test_der.pyo
+${PYSITELIB}/ecdsa/test_der.pyc
+${PYSITELIB}/ecdsa/test_ecdh.pyo
+${PYSITELIB}/ecdsa/test_ecdh.pyc
+${PYSITELIB}/ecdsa/test_ecdsa.pyo
+${PYSITELIB}/ecdsa/test_ecdsa.pyc
+${PYSITELIB}/ecdsa/test_ellipticcurve.pyo
+${PYSITELIB}/ecdsa/test_ellipticcurve.pyc
+${PYSITELIB}/ecdsa/test_jacobi.pyo
+${PYSITELIB}/ecdsa/test_jacobi.pyc
+${PYSITELIB}/ecdsa/test_keys.pyo
+${PYSITELIB}/ecdsa/test_keys.pyc
+${PYSITELIB}/ecdsa/test_malformed_sigs.pyo
+${PYSITELIB}/ecdsa/test_malformed_sigs.pyc
+${PYSITELIB}/ecdsa/test_numbertheory.pyo
+${PYSITELIB}/ecdsa/test_numbertheory.pyc
 ${PYSITELIB}/ecdsa/test_pyecdsa.pyo
-${PYSITELIB}/ecdsa/util.py
-${PYSITELIB}/ecdsa/util.pyc
+${PYSITELIB}/ecdsa/test_pyecdsa.pyc
+${PYSITELIB}/ecdsa/test_rw_lock.pyo
+${PYSITELIB}/ecdsa/test_rw_lock.pyc
 ${PYSITELIB}/ecdsa/util.pyo
+${PYSITELIB}/ecdsa/util.pyc
+${PYSITELIB}/ecdsa/_compat.py
+${PYSITELIB}/ecdsa/_rwlock.py
+${PYSITELIB}/ecdsa/_version.py
+${PYSITELIB}/ecdsa/curves.py
+${PYSITELIB}/ecdsa/der.py
+${PYSITELIB}/ecdsa/ecdh.py
+${PYSITELIB}/ecdsa/ecdsa.py
+${PYSITELIB}/ecdsa/ellipticcurve.py
+${PYSITELIB}/ecdsa/keys.py
+${PYSITELIB}/ecdsa/numbertheory.py
+${PYSITELIB}/ecdsa/rfc6979.py
+${PYSITELIB}/ecdsa/test_der.py
+${PYSITELIB}/ecdsa/test_ecdh.py
+${PYSITELIB}/ecdsa/test_ecdsa.py
+${PYSITELIB}/ecdsa/test_ellipticcurve.py
+${PYSITELIB}/ecdsa/test_jacobi.py
+${PYSITELIB}/ecdsa/test_keys.py
+${PYSITELIB}/ecdsa/test_malformed_sigs.py
+${PYSITELIB}/ecdsa/test_numbertheory.py
+${PYSITELIB}/ecdsa/test_pyecdsa.py
+${PYSITELIB}/ecdsa/test_rw_lock.py
+${PYSITELIB}/ecdsa/util.py
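Review bot: the new entries are not in sorted order (each module's .pyo precedes its .pyc, and every .py source is listed in a block at the end after test_rw_lock.pyc), which is not what make print-PLIST emits, so this list looks hand-assembled; regenerate it with make print-PLIST so the next update diffs cleanly and nothing is missed. Since the module set changed (ecdh.py, _rwlock.py, _compat.py and the test_* files are new), also confirm the REPLACE_PYTHON list in the Makefile still covers every file that carries a shebang. Replacing the header with @comment $NetBSD$ is fine; cvs expands it on commit.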
diff --git a/security/py-ecdsa/distinfo b/security/py-ecdsa/distinfo
index aa491f44855..b744ddc02a6 100644
--- a/security/py-ecdsa/distinfo
+++ b/security/py-ecdsa/distinfo
@@ -1,6 +1,6 @@
 $NetBSD: distinfo,v 1.7 2015/11/04 01:18:03 agc Exp $
 
-SHA1 (python-ecdsa-0.13.tar.gz) = f23d77b03f3e62a9298579ccf897a305c618a6f2
-RMD160 (python-ecdsa-0.13.tar.gz) = 7d7e2bb73649dba507f6389b8f909d251346e1fc
-SHA512 (python-ecdsa-0.13.tar.gz) = 540b85bc11963b369a2b77adcae132fbac8d267c34c865207b434f013c3d82a9ed118e22e7ce73f85c2ddd5a629926a29ec1b92b56f2a350bb155b53cdb60244
-Size (python-ecdsa-0.13.tar.gz) = 58966 bytes
+SHA1 (ecdsa-0.15.tar.gz) = 5ac84f3012d807793bcb98a8e9c86c63b9965596
+RMD160 (ecdsa-0.15.tar.gz) = aaeba796ec51455deb06d4accc01535aeac26302
+SHA512 (ecdsa-0.15.tar.gz) = 7b7491d1abdb5ca43456d943c96525fa5d722635c496bbddd04ef8e1baad9dc0aef3d1752afea7820f7796421b18295ee260657ec1e8faf7564613b316c0d603
+Size (ecdsa-0.15.tar.gz) = 122119 bytes
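Review bot: the new SHA1/RMD160/SHA512/Size values were, per the description, cross-checked only against what Alpine recorded; for a package underneath a Bitcoin wallet, compare the SHA512 (or at least the size and a digest) against the digest PyPI publishes for the file as well, and state in the commit message which sources agreed, so a later reviewer can reproduce the check rather than trust one packager's copy. The size jump from 58966 to 122119 bytes is at least consistent with the many new modules the PLIST hunk lists (ecdh, _rwlock, _compat, test_*). Leaving the $NetBSD: distinfo,v 1.7 line untouched is fine; cvs updates it on commit.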


