microsoft · aadhar-agarwal · Dec 8, 2023 · Dec 11, 2023
@@ -0,0 +1,118 @@
+From 87c06ca129dbf3d58a1391ca4ea45514262db72b Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <[email protected]>
+Date: Wed, 22 Nov 2023 16:49:56 -0500
+Subject: [PATCH 1/2] Fixed crash when loading a PKCS#7 bundle with no
+ certificates
+
+---
+ src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
+ tests/hazmat/primitives/test_pkcs7.py               | 6 ++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index 45d4a1a..f0317c7 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2664,9 +2664,12 @@ class Backend(object):
+                 _Reasons.UNSUPPORTED_SERIALIZATION,
+             )
+
++        certs: list[x509.Certificate] = []
++        if p7.d.sign == self._ffi.NULL:
++            return certs
++
+         sk_x509 = p7.d.sign.cert
+         num = self._lib.sk_X509_num(sk_x509)
+-        certs = []
+         for i in range(num):
+             x509 = self._lib.sk_X509_value(sk_x509, i)
+             self.openssl_assert(x509 != self._ffi.NULL)
+diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
+index 8b93cb6..148a1e1 100644
+--- a/tests/hazmat/primitives/test_pkcs7.py
++++ b/tests/hazmat/primitives/test_pkcs7.py
+@@ -80,6 +80,12 @@ class TestPKCS7Loading(object):
+                 mode="rb",
+             )
+
++    def test_load_pkcs7_empty_certificates(self):
++        der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
++
++        certificates = pkcs7.load_der_pkcs7_certificates(der)
++        assert certificates == []
++
+
+ # We have no public verification API and won't be adding one until we get
+ # some requirements from users so this function exists to give us basic
+-- 
+2.17.1
+
+
+From ce104165dd90d8f2f8ff9aaa64327daccf27b82b Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <[email protected]>
+Date: Thu, 30 Nov 2023 20:30:34 -0600
+Subject: [PATCH 2/2] raise an exception instead of returning an empty list and
+ update CHANGELOG.rst
+
+---
+ CHANGELOG.rst                                       | 5 +++++
+ src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++--
+ tests/hazmat/primitives/test_pkcs7.py               | 4 ++--
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/CHANGELOG.rst b/CHANGELOG.rst
+index 4dd7146..ccc6133 100644
+--- a/CHANGELOG.rst
++++ b/CHANGELOG.rst
+@@ -6,6 +6,11 @@ Changelog
+ 3.3.2 - 2021-02-07
+ ~~~~~~~~~~~~~~~~~~
+
++* **BACKWARDS INCOMPATIBLE:** Loading a PKCS7 with no content field using
++  :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates`
++  or
++  :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates`
++  will now raise a ``ValueError`` rather than return an empty list.
+ * **SECURITY ISSUE:** Fixed a bug where certain sequences of ``update()`` calls
+   when symmetrically encrypting very large payloads (>2GB) could result in an
+   integer overflow, leading to buffer overflows. *CVE-2020-36242*
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index f0317c7..b276f9b 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2664,12 +2664,15 @@ class Backend(object):
+                 _Reasons.UNSUPPORTED_SERIALIZATION,
+             )
+
+-        certs: list[x509.Certificate] = []
+         if p7.d.sign == self._ffi.NULL:
+-            return certs
++            raise ValueError(
++                "The provided PKCS7 has no certificate data, but a cert "
++                "loading method was called."
++            )
+
+         sk_x509 = p7.d.sign.cert
+         num = self._lib.sk_X509_num(sk_x509)
++        certs: list[x509.Certificate] = []
+         for i in range(num):
+             x509 = self._lib.sk_X509_value(sk_x509, i)
+             self.openssl_assert(x509 != self._ffi.NULL)
+diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
+index 148a1e1..34cbb16 100644
+--- a/tests/hazmat/primitives/test_pkcs7.py
++++ b/tests/hazmat/primitives/test_pkcs7.py
+@@ -83,8 +83,8 @@ class TestPKCS7Loading(object):
+     def test_load_pkcs7_empty_certificates(self):
+         der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
+
+-        certificates = pkcs7.load_der_pkcs7_certificates(der)
+-        assert certificates == []
++        with pytest.raises(ValueError):
++            pkcs7.load_der_pkcs7_certificates(der)
+
+
+ # We have no public verification API and won't be adding one until we get
+-- 
+2.17.1
+
@@ -1,14 +1,15 @@
 Summary:        Python cryptography library
 Name:           python-cryptography
 Version:        3.3.2
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Development/Languages/Python
 URL:            https://pypi.python.org/pypi/cryptography
 Source0:        https://pypi.io/packages/source/c/cryptography/cryptography-%{version}.tar.gz
 Patch0:         CVE-2023-23931.patch
+Patch1:         CVE-2023-49083.patch
 %if %{with_check}
 BuildRequires:  python3-pip
 %endif
@@ -64,6 +65,9 @@ pip3 install pretend pytest hypothesis iso8601 cryptography_vectors pytz
 %{python3_sitelib}/*
 
 %changelog
+* Fri Dec 08 2023 Aadhar Agarwal <[email protected]> - 3.3.2-6
+- Patch CVE-2023-49083
+
 * Wed Sep 20 2023 Jon Slobodzian <[email protected]> - 3.3.2-5
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)