diff --git a/sdk_container/src/third_party/portage-stable/dev-python/rsa/Manifest b/sdk_container/src/third_party/portage-stable/dev-python/rsa/Manifest deleted file mode 100644 index 3f6c663ece..0000000000 --- a/sdk_container/src/third_party/portage-stable/dev-python/rsa/Manifest +++ /dev/null @@ -1,2 +0,0 @@ -DIST rsa-3.2.3.tar.gz 35628 SHA256 14db288cc40d6339dedf60d7a47053ab004b4a8976a5c59402a211d8fc5bf21f SHA512 52b33e0278e6e1fed64b1cdebed29f7caa31fae733c2d5875e6cba5a045aaa829616799d8de84fdb63c546780dbdafcabf1f85f25930b8e663861151479ef7e2 WHIRLPOOL 5814f912849bed4f98f8bef20dcf2fb9b28af70b970f324cadab90f0c67ff42c32792f7a6306edf1884d4cf6fe35d27f47c833358c2d03c582faba60fba1490d -DIST rsa-3.4.2.tar.gz 40956 SHA256 25df4e10c263fb88b5ace923dd84bf9aa7f5019687b5e55382ffcdb8bede9db5 SHA512 62b0ff31fb3b9c18ae65bd102329e69726b853560576b1b66b9b89b26d3ff79154239af7e7a581b6a27c7017cc013f738762cd9662777ef594cc11c5b1f8e267 WHIRLPOOL d8d51f7ffc47af5fbc48199860171c38fe6f08b5a510bfed20513c22df8a614565703c9d89939ff1092a7c6392fbdef8bacf41cc839a9943b120b1fa4cf8d496 diff --git a/sdk_container/src/third_party/portage-stable/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch b/sdk_container/src/third_party/portage-stable/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch deleted file mode 100644 index bfcfc33ed0..0000000000 --- a/sdk_container/src/third_party/portage-stable/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch +++ /dev/null @@ -1,104 +0,0 @@ -# HG changeset patch -# User Filippo Valsorda -# Date 1450226563 0 -# Node ID 0cbcc529926afd61c6df4f50cfc29971beafd2c2 -# Parent 2baab06c8b867b01ec82b02118d4872a931a0437 -Fix BB'06 attack in verify() by switching from parsing to comparison - -diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py ---- a/rsa/pkcs1.py -+++ b/rsa/pkcs1.py -@@ -22,10 +22,10 @@ - At least 8 bytes of random padding is used when encrypting a message. This makes - these methods much more secure than the ones in the ``rsa`` module. - --WARNING: this module leaks information when decryption or verification fails. --The exceptions that are raised contain the Python traceback information, which --can be used to deduce where in the process the failure occurred. DO NOT PASS --SUCH INFORMATION to your users. -+WARNING: this module leaks information when decryption fails. The exceptions -+that are raised contain the Python traceback information, which can be used to -+deduce where in the process the failure occurred. DO NOT PASS SUCH INFORMATION -+to your users. - ''' - - import hashlib -@@ -288,37 +288,23 @@ - :param pub_key: the :py:class:`rsa.PublicKey` of the person signing the message. - :raise VerificationError: when the signature doesn't match the message. - -- .. warning:: -- -- Never display the stack trace of a -- :py:class:`rsa.pkcs1.VerificationError` exception. It shows where in -- the code the exception occurred, and thus leaks information about the -- key. It's only a tiny bit of information, but every bit makes cracking -- the keys easier. -- - ''' - -- blocksize = common.byte_size(pub_key.n) -+ keylength = common.byte_size(pub_key.n) - encrypted = transform.bytes2int(signature) - decrypted = core.decrypt_int(encrypted, pub_key.e, pub_key.n) -- clearsig = transform.int2bytes(decrypted, blocksize) -- -- # If we can't find the signature marker, verification failed. -- if clearsig[0:2] != b('\x00\x01'): -- raise VerificationError('Verification failed') -+ clearsig = transform.int2bytes(decrypted, keylength) - -- # Find the 00 separator between the padding and the payload -- try: -- sep_idx = clearsig.index(b('\x00'), 2) -- except ValueError: -- raise VerificationError('Verification failed') -- -- # Get the hash and the hash method -- (method_name, signature_hash) = _find_method_hash(clearsig[sep_idx+1:]) -+ # Get the hash method -+ method_name = _find_method_hash(clearsig) - message_hash = _hash(message, method_name) - -- # Compare the real hash to the hash in the signature -- if message_hash != signature_hash: -+ # Reconstruct the expected padded hash -+ cleartext = HASH_ASN1[method_name] + message_hash -+ expected = _pad_for_signing(cleartext, keylength) -+ -+ # Compare with the signed one -+ if expected != clearsig: - raise VerificationError('Verification failed') - - return True -@@ -351,24 +337,20 @@ - return hasher.digest() - - --def _find_method_hash(method_hash): -- '''Finds the hash method and the hash itself. -+def _find_method_hash(clearsig): -+ '''Finds the hash method. - -- :param method_hash: ASN1 code for the hash method concatenated with the -- hash itself. -+ :param clearsig: full padded ASN1 and hash. - -- :return: tuple (method, hash) where ``method`` is the used hash method, and -- ``hash`` is the hash itself. -+ :return: the used hash method. - - :raise VerificationFailed: when the hash method cannot be found - - ''' - - for (hashname, asn1code) in HASH_ASN1.items(): -- if not method_hash.startswith(asn1code): -- continue -- -- return (hashname, method_hash[len(asn1code):]) -+ if asn1code in clearsig: -+ return hashname - - raise VerificationError('Verification failed') - diff --git a/sdk_container/src/third_party/portage-stable/dev-python/rsa/metadata.xml b/sdk_container/src/third_party/portage-stable/dev-python/rsa/metadata.xml deleted file mode 100644 index 35bbfa2397..0000000000 --- a/sdk_container/src/third_party/portage-stable/dev-python/rsa/metadata.xml +++ /dev/null @@ -1,11 +0,0 @@ - - - - - python@gentoo.org - Python - - - rsa - - diff --git a/sdk_container/src/third_party/portage-stable/dev-python/rsa/rsa-3.2.3-r1.ebuild b/sdk_container/src/third_party/portage-stable/dev-python/rsa/rsa-3.2.3-r1.ebuild deleted file mode 100644 index 132b888c45..0000000000 --- a/sdk_container/src/third_party/portage-stable/dev-python/rsa/rsa-3.2.3-r1.ebuild +++ /dev/null @@ -1,37 +0,0 @@ -# Copyright 1999-2017 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -EAPI=5 - -PYTHON_COMPAT=( python2_7 python3_{4,5,6} pypy ) - -inherit distutils-r1 - -DESCRIPTION="Pure-Python RSA implementation" -HOMEPAGE="http://stuvel.eu/rsa https://pypi.python.org/pypi/rsa" -SRC_URI="mirror://pypi/${P:0:1}/${PN}/${P}.tar.gz" - -LICENSE="Apache-2.0" -SLOT="0" -KEYWORDS="amd64 arm x86" -IUSE="test" - -RDEPEND=" - >=dev-python/pyasn1-0.1.3[${PYTHON_USEDEP}] - dev-python/traceback2[${PYTHON_USEDEP}] - " -DEPEND="${RDEPEND} - >=dev-python/setuptools-0.6.10[${PYTHON_USEDEP}] - test? ( - dev-python/nose[${PYTHON_USEDEP}] - dev-python/unittest2[${PYTHON_USEDEP}] - ) - " - -PATCHES=( - "${FILESDIR}"/${P}-CVE-2016-1494.patch -) - -python_test() { - nosetests --verbose || die -} diff --git a/sdk_container/src/third_party/portage-stable/dev-python/rsa/rsa-3.4.2.ebuild b/sdk_container/src/third_party/portage-stable/dev-python/rsa/rsa-3.4.2.ebuild deleted file mode 100644 index 437b656e10..0000000000 --- a/sdk_container/src/third_party/portage-stable/dev-python/rsa/rsa-3.4.2.ebuild +++ /dev/null @@ -1,33 +0,0 @@ -# Copyright 1999-2017 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -EAPI=5 - -PYTHON_COMPAT=( python2_7 python3_{4,5,6} pypy ) - -inherit distutils-r1 - -DESCRIPTION="Pure-Python RSA implementation" -HOMEPAGE="http://stuvel.eu/rsa https://pypi.python.org/pypi/rsa" -SRC_URI="mirror://pypi/${P:0:1}/${PN}/${P}.tar.gz" - -LICENSE="Apache-2.0" -SLOT="0" -KEYWORDS="~amd64 ~arm ~arm64 ~x86" -IUSE="test" - -RDEPEND=" - >=dev-python/pyasn1-0.1.3[${PYTHON_USEDEP}] - dev-python/traceback2[${PYTHON_USEDEP}] - " -DEPEND="${RDEPEND} - >=dev-python/setuptools-0.6.10[${PYTHON_USEDEP}] - test? ( - dev-python/nose[${PYTHON_USEDEP}] - dev-python/unittest2[${PYTHON_USEDEP}] - ) - " - -python_test() { - nosetests --verbose || die -}