
False positive for CVE-2018-10903 : cryptography == 2.3 #2272

Closed
shtratos opened this issue Jul 30, 2018 · 5 comments

@shtratos

I run safety via pipenv check:

36351: cryptography >=1.9.0 resolved (2.3 installed)!
python-cryptography versions >=1.9.0 and <2.3 did not enforce a minimum tag length for finalize_with_tag API. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.

As you can see, I have cryptography version 2.3 installed, but the check still fails.

@benhowes

I'm seeing this also. I've checked the cache file from pyup.io (via pipenv) and the following appears in the cache.json:

         "cryptography":[
            "<1.5.3",
            "<0.9.1",
            "<1.0.2",
            ">=1.9.0",
            "<2.3"
         ],

This matches all versions of cryptography!

@shtratos

I guess this should be:

         "cryptography":[
            "<1.5.3",
            "<0.9.1",
            "<1.0.2",
            ">=1.9.0,<2.3"
         ],

@shtratos

shtratos commented Aug 1, 2018

This is fixed now:

"advisory": "python-cryptography versions >=1.9.0 and <2.3 did not enforce a minimum tag length for finalize_with_tag API. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.",
"cve": "CVE-2018-10903",
"id": "pyup.io-36351",
"specs": [
"<=2.2.2"
],
"v": "<=2.2.2"

@donovan

donovan commented Aug 3, 2018

Hi, it looks like this fix results in false positives for cryptography versions <1.9.0.

╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
│ package                    │ installed │ affected                 │ ID       │
╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
│ cryptography               │ 1.8.2     │ <=2.2.2                  │ 36351    │
╞══════════════════════════════════════════════════════════════════════════════╡
│ python-cryptography versions >=1.9.0 and <2.3 did not enforce a minimum tag  │
│ length for finalize_with_tag API. If a user did not validate the input lengt │
│ h prior to passing it to finalize_with_tag an attacker could craft an invali │
│ d payload with a shortened tag (e.g. 1 byte) such that they would have a 1 i │
│ n 256 chance of passing the MAC check. GCM tag forgeries can cause key leaka │
│ ge.                                                                          │
╘══════════════════════════════════════════════════════════════════════════════╛

1.8.2 is not vulnerable as per the full report, yet it is triggering a failed check.

Do you want me to open a new issue?

@GreenGremlin

I'm getting the same false positive for version 1.8.2.
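The two mismatches discussed in this thread (the cache entry whose separate ">=1.9.0" and "<2.3" items match every version, and the later "<=2.2.2" entry that also flags 1.8.2) can be reproduced with a small matcher. This is an added example, not safety's or pyup.io's code; it assumes, as the thread implies, that items in the spec list are OR-ed while comma-separated comparisons inside one item are AND-ed, and it handles only plain dotted release versions.

```python
import re

# Constructed spec lists mirroring the thread: the broken cache entry,
# the fix proposed in the thread, and the "<=2.2.2" entry that shipped.
BROKEN = ["<1.5.3", "<0.9.1", "<1.0.2", ">=1.9.0", "<2.3"]
PROPOSED = ["<1.5.3", "<0.9.1", "<1.0.2", ">=1.9.0,<2.3"]
SHIPPED = ["<=2.2.2"]

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}

def parse_version(v):
    # Release segment only: "1.8.2" -> (1, 8, 2). Pre-release tags are out of scope.
    return tuple(int(p) for p in v.split("."))

def matches_clause(installed, clause):
    # One list item such as ">=1.9.0,<2.3" is an AND of its comparisons (assumed semantics).
    for part in clause.split(","):
        m = re.fullmatch(r"(<=|>=|==|<|>)\s*([0-9.]+)", part.strip())
        if not m:
            raise ValueError(f"unsupported specifier: {part!r}")
        op, ver = m.groups()
        if not _OPS[op](parse_version(installed), parse_version(ver)):
            return False
    return True

def is_flagged(installed, specs):
    # The list itself is an OR (assumed semantics): any matching item flags the package.
    return any(matches_clause(installed, c) for c in specs)

def report(installed):
    # Which of the three spec lists would flag this installed version.
    return {
        "broken": is_flagged(installed, BROKEN),
        "proposed": is_flagged(installed, PROPOSED),
        "shipped": is_flagged(installed, SHIPPED),
    }

if __name__ == "__main__":
    for v in ("2.3", "2.2.2", "1.8.2"):
        print(v, report(v))
```

Running it shows 2.3 flagged only by the broken list, and 1.8.2 flagged by both the broken list and the shipped "<=2.2.2" entry, which is the false positive reported above.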
