CVE-2021-30130

NameCVE-2021-30130
Descriptionphpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3197-1, DLA-3198-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php-phpseclib (PTS)buster2.0.14-1vulnerable
buster (security)2.0.30-2~deb10u1fixed
bullseye2.0.30-2fixed
bookworm, sid2.0.39-1fixed
php-phpseclib3 (PTS)bookworm, sid3.0.17-1fixed
phpseclib (PTS)buster1.0.14-1vulnerable
buster (security)1.0.19-3~deb10u1fixed
bullseye1.0.19-3fixed
bookworm, sid1.0.20-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php-phpseclibsourcebuster2.0.30-2~deb10u1DLA-3198-1
php-phpseclibsource(unstable)2.0.30-2
php-phpseclib3source(unstable)3.0.7-1
phpseclibsourcebuster1.0.19-3~deb10u1DLA-3197-1
phpseclibsource(unstable)1.0.19-3

Notes

https://github.com/phpseclib/phpseclib/pull/1635#issuecomment-826994890
Introduced by: https://github.com/phpseclib/phpseclib/commit/cc32cd2e95b18a0c0118bbf1928327675c9e64a9 (v3.0 / RSA::SIGNATURE_RELAXED_PKCS1)
Fixed by: https://github.com/phpseclib/phpseclib/commit/05550b9c490bf342bce66de75d127d2f75c48bdd (1.0.20, 2.0.31, 3.0.7)
Fixed by: https://github.com/phpseclib/phpseclib/commit/42fc46e9a92c2ce5b10d2fbfb00b630417d6dfbe (3.0.7)
According to upstream in #1635, "v2.0 does not have a vulnerability" (only non-security bugs).
However, a lot of identical fixes were applied to all 1.x/2.x/3.x branches upstream.
They were also backported in bullseye/testing in 1.x/2.x (claimed as a CVE-2021-30130 fix).
Given the broad scope of this CVE description, let's assume that those fixes are needed in 1.x/2.x.

Search for package or bug name: Reporting problems