diff --git a/SOURCES/CVE-2023-49083.patch b/SOURCES/CVE-2023-49083.patch new file mode 100644 index 0000000..2312e26 --- /dev/null +++ b/SOURCES/CVE-2023-49083.patch @@ -0,0 +1,116 @@ +From f7aeb6d308004e078c11f6aaa1d5c6d1a0259146 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Mon, 27 Nov 2023 13:08:17 -0500 +Subject: [PATCH 1/2] Fixed crash when loading a PKCS#7 bundle with no + certificates (#9926) + +--- + src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++- + tests/hazmat/primitives/test_pkcs7.py | 6 ++++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index bf34946..c7e95e5 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -2356,9 +2356,12 @@ class Backend: + _Reasons.UNSUPPORTED_SERIALIZATION, + ) + ++ certs: list[x509.Certificate] = [] ++ if p7.d.sign == self._ffi.NULL: ++ return certs ++ + sk_x509 = p7.d.sign.cert + num = self._lib.sk_X509_num(sk_x509) +- certs = [] + for i in range(num): + x509 = self._lib.sk_X509_value(sk_x509, i) + self.openssl_assert(x509 != self._ffi.NULL) +diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py +index 138bc0f..b2d9757 100644 +--- a/tests/hazmat/primitives/test_pkcs7.py ++++ b/tests/hazmat/primitives/test_pkcs7.py +@@ -89,6 +89,12 @@ class TestPKCS7Loading: + mode="rb", + ) + ++ def test_load_pkcs7_empty_certificates(self): ++ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02" ++ ++ certificates = pkcs7.load_der_pkcs7_certificates(der) ++ assert certificates == [] ++ + + # We have no public verification API and won't be adding one until we get + # some requirements from users so this function exists to give us basic +-- +2.43.0 + + +From d1f3d2caa8001aa8762117dd1df710514a633c39 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Fri, 1 Dec 2023 13:26:38 -0600 +Subject: [PATCH 2/2] raise an exception instead of returning an empty list for + pkcs7 cert loading (#9947) + +* raise an exception instead of returning an empty list + +as davidben points out in #9926 we are calling a specific load +certificates function and an empty value doesn't necessarily mean empty +because PKCS7 contains multitudes. erroring is more correct. + +* changelog + +* Update CHANGELOG.rst + +Co-authored-by: Alex Gaynor + +--------- + +Co-authored-by: Alex Gaynor +--- + src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++-- + tests/hazmat/primitives/test_pkcs7.py | 4 ++-- + 2 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index c7e95e5..f8a2f5a 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -2356,12 +2356,15 @@ class Backend: + _Reasons.UNSUPPORTED_SERIALIZATION, + ) + +- certs: list[x509.Certificate] = [] + if p7.d.sign == self._ffi.NULL: +- return certs ++ raise ValueError( ++ "The provided PKCS7 has no certificate data, but a cert " ++ "loading method was called." ++ ) + + sk_x509 = p7.d.sign.cert + num = self._lib.sk_X509_num(sk_x509) ++ certs: list[x509.Certificate] = [] + for i in range(num): + x509 = self._lib.sk_X509_value(sk_x509, i) + self.openssl_assert(x509 != self._ffi.NULL) +diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py +index b2d9757..7b092b7 100644 +--- a/tests/hazmat/primitives/test_pkcs7.py ++++ b/tests/hazmat/primitives/test_pkcs7.py +@@ -92,8 +92,8 @@ class TestPKCS7Loading: + def test_load_pkcs7_empty_certificates(self): + der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02" + +- certificates = pkcs7.load_der_pkcs7_certificates(der) +- assert certificates == [] ++ with pytest.raises(ValueError): ++ pkcs7.load_der_pkcs7_certificates(der) + + + # We have no public verification API and won't be adding one until we get +-- +2.43.0 + diff --git a/SPECS/python3.11-cryptography.spec b/SPECS/python3.11-cryptography.spec index afbd195..ea947a8 100644 --- a/SPECS/python3.11-cryptography.spec +++ b/SPECS/python3.11-cryptography.spec @@ -8,7 +8,7 @@ Name: python%{python3_pkgversion}-%{srcname} Version: 37.0.2 -Release: 5%{?dist} +Release: 6%{?dist} Summary: PyCA's cryptography library # We bundle various crates with cryptography which is dual licensed @@ -68,6 +68,13 @@ Source2: conftest-skipper.py # Resolved upstream: https://github.com/pyca/cryptography/commit/94a50a9731f35405f0357fa5f3b177d46a726ab3 Patch0: CVE-2023-23931.patch +# Security fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates +# Bugzilla tracker: https://bugzilla.redhat.com/show_bug.cgi?id=2255331 +# Resolved upstream: +# https://github.com/pyca/cryptography/commit/1e7b4d074e14c4e694d3ce69ad6754a6039fd6ff +# https://github.com/pyca/cryptography/commit/3165db8efc82d8e379c4931453f6c776ab8db013 +Patch1: CVE-2023-49083.patch + ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -170,7 +177,7 @@ cd ../.. %endif %build -export RUSTFLAGS="%__global_rustflags" +export RUSTFLAGS="%build_rustflags" %py3_build %install @@ -210,6 +217,10 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Jan 26 2024 Charalampos Stratakis - 37.0.2-6 +- Security fix for CVE-2023-49083 +- Resolves: RHEL-19832 + * Thu Feb 23 2023 Charalampos Stratakis - 37.0.2-5 - Bump release for rebuild