rpms/python-jwcrypto
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2026-39373: Memory exhaustion via crafted compressed JWE tokens

Browse Source 
Backport upstream commit 25db861d to fix CVE-2026-39373.
This introduces a maximum plaintext size limit (defaulting to 100MB)
during JWE decryption to mitigate memory exhaustion and decompression
bomb attacks when processing highly compressed malicious JWE payloads.

Resolves: RHEL-166011
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
This commit is contained in:
Rafael Guterres Jeffman 2026-04-15 23:53:15 -03:00
parent fd67d32759
commit 4c6c2f53c0
2 changed files with 131 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

129
0001-Limit-max-plaintext-size-for-JWE-decompression.patch Normal file
View File

@ -0,0 +1,129 @@
--- a/jwcrypto/jwe.py 2024-03-06 16:44:22.000000000 -0300
+++ b/jwcrypto/jwe.py 2026-04-15 23:39:19.769727604 -0300
@@ -12,7 +12,8 @@
# Limit the amount of data we are willing to decompress by default.
default_max_compressed_size = 256 * 1024
-
+# Limit the maximum plaintext size to 100MB by default.
+default_max_plaintext_size = 100 * 1024 * 1024
# RFC 7516 - 4.1
# name: (description, supported?)
@@ -371,7 +372,7 @@
return data
# FIXME: allow to specify which algorithms to accept as valid
- def _decrypt(self, key, ppe):
+ def _decrypt(self, key, ppe, max_plaintext=default_max_plaintext_size):
jh = self._get_jose_header(ppe.get('header', None))
@@ -429,19 +430,29 @@
raise InvalidJWEData(
'Compressed data exceeds maximum allowed'
'size' + f' ({default_max_compressed_size})')
- self.plaintext = zlib.decompress(data, -zlib.MAX_WBITS)
+ do = zlib.decompressobj(wbits=-zlib.MAX_WBITS)
+ self.plaintext = do.decompress(data, max_plaintext)
+ if do.unconsumed_tail or not do.eof:
+ self.plaintext = None
+ raise InvalidJWEData(
+ 'Compressed data exceeds maximum allowed'
+ 'output size' + f' ({max_plaintext})')
elif compress is None:
self.plaintext = data
else:
raise ValueError('Unknown compression')
- def decrypt(self, key):
+ def decrypt(self, key, max_plaintext=0):
"""Decrypt a JWE token.
:param key: The (:class:`jwcrypto.jwk.JWK`) decryption key.
:param key: A (:class:`jwcrypto.jwk.JWK`) decryption key,
or a (:class:`jwcrypto.jwk.JWKSet`) that contains a key indexed
by the 'kid' header or (deprecated) a string containing a password.
+ :param max_plaintext: Maximum plaintext size allowed, 0 means
+ the library default applies. Application writers are recommended
+ to set a limit here if they know what is the max plaintext size
+ for their application.
:raises InvalidJWEOperation: if the key is not a JWK object.
:raises InvalidJWEData: if the ciphertext can't be decrypted or
@@ -449,6 +460,10 @@
:raises JWKeyNotFound: if key is a JWKSet and the key is not found.
"""
+ self.plaintext = None
+ if max_plaintext == 0:
+ max_plaintext = default_max_plaintext_size
+
if 'ciphertext' not in self.objects:
raise InvalidJWEOperation("No available ciphertext")
self.decryptlog = []
@@ -457,14 +472,14 @@
if 'recipients' in self.objects:
for rec in self.objects['recipients']:
try:
- self._decrypt(key, rec)
+ self._decrypt(key, rec, max_plaintext=max_plaintext)
except Exception as e: # pylint: disable=broad-except
if isinstance(e, JWKeyNotFound):
missingkey = True
self.decryptlog.append('Failed: [%s]' % repr(e))
else:
try:
- self._decrypt(key, self.objects)
+ self._decrypt(key, self.objects, max_plaintext=max_plaintext)
except Exception as e: # pylint: disable=broad-except
if isinstance(e, JWKeyNotFound):
missingkey = True
--- a/jwcrypto/tests.py 2024-03-06 16:44:22.000000000 -0300
+++ b/jwcrypto/tests.py 2026-04-15 23:39:19.770346328 -0300
@@ -2124,18 +2124,36 @@
enc = jwe.JWE(payload.encode('utf-8'),
recipient=key,
protected=protected_header).serialize(compact=True)
+ check = jwe.JWE()
+ check.deserialize(enc)
with self.assertRaises(jwe.InvalidJWEData):
- check = jwe.JWE()
- check.deserialize(enc)
check.decrypt(key)
- defmax = jwe.default_max_compressed_size
- jwe.default_max_compressed_size = 1000000000
- # ensure we can eraise the limit and decrypt
- check = jwe.JWE()
- check.deserialize(enc)
+ # raise the limit on compressed token size so we can decrypt
+ defcmax = jwe.default_max_compressed_size
+ jwe.default_max_compressed_size = 10 * 1024 * 1024
+
+ # this passes if we explicitly allow larger plaintext via API
+ check.decrypt(key, max_plaintext=1000000000)
+
+ # this will still fail because the max plaintext length clamps this
+ with self.assertRaises(jwe.InvalidJWEData):
+ check.decrypt(key)
+
+ # ensure that now this can work with changed defaults
+ defpmax = jwe.default_max_plaintext_size
+ jwe.default_max_plaintext_size = 1000000000
check.decrypt(key)
- jwe.default_max_compressed_size = defmax
+
+ # restore limits
+ jwe.default_max_compressed_size = defcmax
+
+ # check that this fails the max compressed header limits
+ with self.assertRaises(jwe.InvalidJWEData):
+ check.decrypt(key)
+
+ # restore plaintext limits
+ jwe.default_max_plaintext_size = defpmax
class JWATests(unittest.TestCase):

2
python-jwcrypto.spec
View File

@ -8,6 +8,7 @@ Summary: Implements JWK, JWS, JWE specifications using python-cryptograph
License: LGPL-3.0-or-later
URL: https://github.com/latchset/%{srcname}
Source0: https://github.com/latchset/%{srcname}/releases/download/v%{version}/%{srcname}-%{version}.tar.gz
Patch0: 0001-Limit-max-plaintext-size-for-JWE-decompression.patch
BuildArch: noarch
BuildRequires: python%{python3_pkgversion}-devel
@ -37,6 +38,7 @@ Implements JWK, JWS, JWE specifications using python-cryptography
%prep
%setup -q -n %{srcname}-%{version}
%patch -P 0 -p1
%if %{defined rhel}
# avoid python-deprecated dependency
sed -i -e '/deprecated/d' setup.py %{srcname}.egg-info/requires.txt