diff --git a/SPECS/python-cryptography/CVE-2023-49083.patch b/SPECS/python-cryptography/CVE-2023-49083.patch new file mode 100644 index 00000000000..906feb79559 --- /dev/null +++ b/SPECS/python-cryptography/CVE-2023-49083.patch @@ -0,0 +1,118 @@ +From 87c06ca129dbf3d58a1391ca4ea45514262db72b Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Wed, 22 Nov 2023 16:49:56 -0500 +Subject: [PATCH 1/2] Fixed crash when loading a PKCS#7 bundle with no + certificates + +--- + src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++- + tests/hazmat/primitives/test_pkcs7.py | 6 ++++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index 45d4a1a..f0317c7 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -2664,9 +2664,12 @@ class Backend(object): + _Reasons.UNSUPPORTED_SERIALIZATION, + ) + ++ certs: list[x509.Certificate] = [] ++ if p7.d.sign == self._ffi.NULL: ++ return certs ++ + sk_x509 = p7.d.sign.cert + num = self._lib.sk_X509_num(sk_x509) +- certs = [] + for i in range(num): + x509 = self._lib.sk_X509_value(sk_x509, i) + self.openssl_assert(x509 != self._ffi.NULL) +diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py +index 8b93cb6..148a1e1 100644 +--- a/tests/hazmat/primitives/test_pkcs7.py ++++ b/tests/hazmat/primitives/test_pkcs7.py +@@ -80,6 +80,12 @@ class TestPKCS7Loading(object): + mode="rb", + ) + ++ def test_load_pkcs7_empty_certificates(self): ++ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02" ++ ++ certificates = pkcs7.load_der_pkcs7_certificates(der) ++ assert certificates == [] ++ + + # We have no public verification API and won't be adding one until we get + # some requirements from users so this function exists to give us basic +-- +2.17.1 + + +From ce104165dd90d8f2f8ff9aaa64327daccf27b82b Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Thu, 30 Nov 2023 20:30:34 -0600 +Subject: [PATCH 2/2] raise an exception instead of returning an empty list and + update CHANGELOG.rst + +--- + CHANGELOG.rst | 5 +++++ + src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++-- + tests/hazmat/primitives/test_pkcs7.py | 4 ++-- + 3 files changed, 12 insertions(+), 4 deletions(-) + +diff --git a/CHANGELOG.rst b/CHANGELOG.rst +index 4dd7146..ccc6133 100644 +--- a/CHANGELOG.rst ++++ b/CHANGELOG.rst +@@ -6,6 +6,11 @@ Changelog + 3.3.2 - 2021-02-07 + ~~~~~~~~~~~~~~~~~~ + ++* **BACKWARDS INCOMPATIBLE:** Loading a PKCS7 with no content field using ++ :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates` ++ or ++ :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates` ++ will now raise a ``ValueError`` rather than return an empty list. + * **SECURITY ISSUE:** Fixed a bug where certain sequences of ``update()`` calls + when symmetrically encrypting very large payloads (>2GB) could result in an + integer overflow, leading to buffer overflows. *CVE-2020-36242* +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index f0317c7..b276f9b 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -2664,12 +2664,15 @@ class Backend(object): + _Reasons.UNSUPPORTED_SERIALIZATION, + ) + +- certs: list[x509.Certificate] = [] + if p7.d.sign == self._ffi.NULL: +- return certs ++ raise ValueError( ++ "The provided PKCS7 has no certificate data, but a cert " ++ "loading method was called." ++ ) + + sk_x509 = p7.d.sign.cert + num = self._lib.sk_X509_num(sk_x509) ++ certs: list[x509.Certificate] = [] + for i in range(num): + x509 = self._lib.sk_X509_value(sk_x509, i) + self.openssl_assert(x509 != self._ffi.NULL) +diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py +index 148a1e1..34cbb16 100644 +--- a/tests/hazmat/primitives/test_pkcs7.py ++++ b/tests/hazmat/primitives/test_pkcs7.py +@@ -83,8 +83,8 @@ class TestPKCS7Loading(object): + def test_load_pkcs7_empty_certificates(self): + der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02" + +- certificates = pkcs7.load_der_pkcs7_certificates(der) +- assert certificates == [] ++ with pytest.raises(ValueError): ++ pkcs7.load_der_pkcs7_certificates(der) + + + # We have no public verification API and won't be adding one until we get +-- +2.17.1 + diff --git a/SPECS/python-cryptography/python-cryptography.spec b/SPECS/python-cryptography/python-cryptography.spec index b7910fb05a2..7bb33aa6055 100644 --- a/SPECS/python-cryptography/python-cryptography.spec +++ b/SPECS/python-cryptography/python-cryptography.spec @@ -1,7 +1,7 @@ Summary: Python cryptography library Name: python-cryptography Version: 3.3.2 -Release: 5%{?dist} +Release: 6%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -9,6 +9,7 @@ Group: Development/Languages/Python URL: https://pypi.python.org/pypi/cryptography Source0: https://pypi.io/packages/source/c/cryptography/cryptography-%{version}.tar.gz Patch0: CVE-2023-23931.patch +Patch1: CVE-2023-49083.patch %if %{with_check} BuildRequires: python3-pip %endif @@ -64,6 +65,9 @@ pip3 install pretend pytest hypothesis iso8601 cryptography_vectors pytz %{python3_sitelib}/* %changelog +* Fri Dec 08 2023 Aadhar Agarwal - 3.3.2-6 +- Patch CVE-2023-49083 + * Wed Sep 20 2023 Jon Slobodzian - 3.3.2-5 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)