author: Sybren A. Stüvel <sybren@stuvel.eu> 2020-06-03 14:39:23 +0200
committer: Sybren A. Stüvel <sybren@stuvel.eu> 2020-06-03 14:57:17 +0200
commit: 93af6f2f89a9bf28361e67716c4240e691520f30
tree: 5ecc5885aed6da135fed8e6cb4ddc591c3eb6531 /CHANGELOG.md
parent: ae1a906952557f616706f79c66030fd812e48cdf
Fix CVE-2020-13757: detect cyphertext modifications by prepending zero bytes
Reject cyphertexts that have been modified by prepending zero bytes, by checking the cyphertext length against the expected size (given the decryption key). This resolves CVE-2020-13757. The same approach is used when verifying a signature. Thanks Carnil for pointing this out on https://github.com/sybrenstuvel/python-rsa/issues/146
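The length check the commit message describes, shown as an added example that is not python-rsa's code: a toy unpadded RSA with a constructed key built from two Mersenne primes. The names `decrypt_lenient`, `decrypt_strict`, `compare` and `KEY_BYTES` are hypothetical, and the exact-length comparison is an assumption about how such a check can be written.

```python
# Added illustration, not python-rsa's code: toy unpadded RSA.
# Constructed key from two Mersenne primes; far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
KEY_BYTES = (N.bit_length() + 7) // 8  # expected cyphertext size: 12 bytes


def encrypt(m: int) -> bytes:
    """Encrypt an integer m < N into a fixed-size block of KEY_BYTES."""
    return pow(m, E, N).to_bytes(KEY_BYTES, "big")


def decrypt_lenient(c: bytes) -> int:
    """Pre-fix behaviour: any byte string is converted straight to an integer.

    Leading zero bytes do not change the integer, so b"\\x00" + c decrypts to
    the same plaintext as c and the modification goes unnoticed.
    """
    return pow(int.from_bytes(c, "big"), D, N)


def decrypt_strict(c: bytes) -> int:
    """Reject input whose length differs from the size implied by the key."""
    if len(c) != KEY_BYTES:  # assumption: exact-length comparison
        raise ValueError("cyphertext length does not match key size")
    return decrypt_lenient(c)


def compare(m: int, padding: bytes = b"\x00\x00"):
    """Return (lenient result, strict outcome) for a zero-prefixed cyphertext."""
    modified = padding + encrypt(m)
    try:
        strict = decrypt_strict(modified)
    except ValueError as exc:
        strict = f"rejected: {exc}"
    return decrypt_lenient(modified), strict


if __name__ == "__main__":
    print(compare(42))  # lenient path still yields 42; strict path rejects
```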
Diffstat (limited to 'CHANGELOG.md')
-rw-r--r-- CHANGELOG.md 3
1 files changed, 3 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1aae86d..8acc44d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,9 @@
is natively supported by Python 3.6+ and supported via a third-party
library on Python 3.5.
- Choose blinding factor relatively prime to N. Thanks Christian Heimes for pointing this out.
+- Reject cyphertexts (when decrypting) and signatures (when verifying) that have
+ been modified by prepending zero bytes. This resolves CVE-2020-13757. Thanks
+ Carnil for pointing this out.
## Version 4.0 - released 2018-09-16
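Review bot: the added entry (the three `+` lines after the blinding-factor item) names the symptom and the CVE but leaves out how the library now detects it and which issue tracks it. The commit message has both (a length check against the expected size for the key, and issue 146), so consider folding them into the entry, for example "by checking the input length against the size expected for the key (#146)", so that a reader of the changelog alone knows that over-long input is now rejected. The entry is also hard-wrapped at about 80 columns while the item directly above it is a single long line; pick one wrapping style for the list.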