Skip to content

Commit

Permalink
41.0.6 release (#9927)
Browse files Browse the repository at this point in the history
* Fixed crash when loading a PKCS#7 bundle with no certificates (#9926)

* Version bump for 41.0.6

* Temporarily allow a new clippy warning (#9835)

* Temporarily allow a new clippy warning

* Update lib.rs

* Update lib.rs

* Need to accept this to skip test

* It's a word
  • Loading branch information
alex authored Nov 27, 2023
1 parent 5012bed commit f09c261
Show file tree
Hide file tree
Showing 9 changed files with 26 additions and 5 deletions.
9 changes: 9 additions & 0 deletions CHANGELOG.rst
Original file line number Diff line number Diff line change
@@ -1,6 +1,15 @@
Changelog
=========

.. _v41-0-6:

41.0.6 - 2023-11-27
~~~~~~~~~~~~~~~~~~~

* Fixed a null-pointer-dereference and segfault that could occur when loading
certificates from a PKCS#7 bundle. Credit to **pkuzco** for reporting the
issue. **CVE-2023-49083**

.. _v41-0-5:

41.0.5 - 2023-10-24
Expand Down
1 change: 1 addition & 0 deletions docs/spelling_wordlist.txt
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@ decrypted
decrypting
deprecations
DER
dereference
deserialize
deserialized
Deserialization
Expand Down
2 changes: 1 addition & 1 deletion pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ build-backend = "setuptools.build_meta"

[project]
name = "cryptography"
version = "41.0.5"
version = "41.0.6"
authors = [
{name = "The Python Cryptographic Authority and individual contributors", email = "[email protected]"}
]
Expand Down
2 changes: 1 addition & 1 deletion src/cryptography/__about__.py
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
"__copyright__",
]

__version__ = "41.0.5"
__version__ = "41.0.6"


__author__ = "The Python Cryptographic Authority and individual contributors"
Expand Down
5 changes: 4 additions & 1 deletion src/cryptography/hazmat/backends/openssl/backend.py
Original file line number Diff line number Diff line change
Expand Up @@ -1890,9 +1890,12 @@ def _load_pkcs7_certificates(self, p7) -> typing.List[x509.Certificate]:
_Reasons.UNSUPPORTED_SERIALIZATION,
)

certs: list[x509.Certificate] = []
if p7.d.sign == self._ffi.NULL:
return certs

sk_x509 = p7.d.sign.cert
num = self._lib.sk_X509_num(sk_x509)
certs = []
for i in range(num):
x509 = self._lib.sk_X509_value(sk_x509, i)
self.openssl_assert(x509 != self._ffi.NULL)
Expand Down
2 changes: 2 additions & 0 deletions src/rust/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@
// for complete details.

#![deny(rust_2018_idioms)]
// Work-around for https://github.com/PyO3/pyo3/issues/3561
#![allow(unknown_lints, clippy::unnecessary_fallible_conversions)]

mod asn1;
mod backend;
Expand Down
6 changes: 6 additions & 0 deletions tests/hazmat/primitives/test_pkcs7.py
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,12 @@ def test_load_pkcs7_unsupported_type(self, backend):
mode="rb",
)

def test_load_pkcs7_empty_certificates(self, backend):
der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"

certificates = pkcs7.load_der_pkcs7_certificates(der)
assert certificates == []


# We have no public verification API and won't be adding one until we get
# some requirements from users so this function exists to give us basic
Expand Down
2 changes: 1 addition & 1 deletion vectors/cryptography_vectors/__about__.py
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,4 @@
"__version__",
]

__version__ = "41.0.5"
__version__ = "41.0.6"
2 changes: 1 addition & 1 deletion vectors/pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"

[project]
name = "cryptography_vectors"
version = "41.0.5"
version = "41.0.6"
authors = [
{name = "The Python Cryptographic Authority and individual contributors", email = "[email protected]"}
]
Expand Down

0 comments on commit f09c261

Please sign in to comment.