From 1947d4467fb9260ba42fa1b7aa0523a04d3e8662 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 27 Sep 2023 13:58:50 +0000 Subject: [PATCH] import CS python-cryptography-3.2.1-6.el8 --- SOURCES/0006-CVE-2023-23931.patch | 42 +++++++++++++++++++++++++++++++ SPECS/python-cryptography.spec | 13 +++++++--- 2 files changed, 52 insertions(+), 3 deletions(-) create mode 100644 SOURCES/0006-CVE-2023-23931.patch diff --git a/SOURCES/0006-CVE-2023-23931.patch b/SOURCES/0006-CVE-2023-23931.patch new file mode 100644 index 0000000..085947c --- /dev/null +++ b/SOURCES/0006-CVE-2023-23931.patch @@ -0,0 +1,42 @@ +From 94a50a9731f35405f0357fa5f3b177d46a726ab3 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 31 Jan 2023 08:33:54 -0500 +Subject: [PATCH] Don't allow update_into to mutate immutable objects + +--- + src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- + tests/hazmat/primitives/test_ciphers.py | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 286583f9325..075d68fb905 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int: + data_processed = 0 + total_out = 0 + outlen = self._backend._ffi.new("int *") +- baseoutbuf = self._backend._ffi.from_buffer(buf) ++ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True) + baseinbuf = self._backend._ffi.from_buffer(data) + + while data_processed != total_data_len: +diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py +index 02127dd9cab..bf3b047dec2 100644 +--- a/tests/hazmat/primitives/test_ciphers.py ++++ b/tests/hazmat/primitives/test_ciphers.py +@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend): + with pytest.raises(ValueError): + encryptor.update_into(b"testing", buf) + ++ def test_update_into_immutable(self, backend): ++ key = b"\x00" * 16 ++ c = ciphers.Cipher(AES(key), modes.ECB(), backend) ++ encryptor = c.encryptor() ++ buf = b"\x00" * 32 ++ with pytest.raises((TypeError, BufferError)): ++ encryptor.update_into(b"testing", buf) ++ + @pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + AES(b"\x00" * 16), modes.GCM(b"\x00" * 12) diff --git a/SPECS/python-cryptography.spec b/SPECS/python-cryptography.spec index 7132873..5344f58 100644 --- a/SPECS/python-cryptography.spec +++ b/SPECS/python-cryptography.spec @@ -1,10 +1,12 @@ %{!?python3_pkgversion:%global python3_pkgversion 3} %global srcname cryptography +# rhbz#2172416: from_buffer(..., require_writable=True) +%global cffi_version 1.11.5-6 Name: python-%{srcname} Version: 3.2.1 -Release: 5%{?dist} +Release: 6%{?dist} Summary: PyCA's cryptography library Group: Development/Libraries @@ -17,6 +19,8 @@ Patch0002: 0002-Support-pytest-3.4.2.patch Patch0003: 0003-Skip-iso8601-test-cases.patch Patch0004: 0004-Revert-remove-NPN-bindings.patch Patch0005: 0005-CVE-2020-36242.patch +# https://github.com/pyca/cryptography/pull/8230 +Patch0006: 0006-CVE-2023-23931.patch BuildRequires: openssl-devel BuildRequires: gcc @@ -29,7 +33,7 @@ BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-cryptography-vectors = %{version} BuildRequires: python%{python3_pkgversion}-pytz BuildRequires: python%{python3_pkgversion}-six >= 1.4.1 -BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 +BuildRequires: python%{python3_pkgversion}-cffi >= %{cffi_version} %description cryptography is a package designed to expose cryptographic primitives and @@ -42,7 +46,7 @@ Summary: PyCA's cryptography library Requires: openssl-libs Requires: python%{python3_pkgversion}-six >= 1.4.1 -Requires: python%{python3_pkgversion}-cffi >= 1.7 +Requires: python%{python3_pkgversion}-cffi >= %{cffi_version} Conflicts: python%{python3_pkgversion}-cryptography-vectors < %{version} Conflicts: python%{python3_pkgversion}-cryptography-vectors > %{version} @@ -82,6 +86,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest %changelog +* Wed Feb 22 2023 Christian Heimes - 3.2.1-6 +- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2172404 + * Tue Jun 08 2021 Christian Heimes - 3.2.1-5 - Rebuild for RHEL 8.5 - Resolves: rhbz#1933071