import CS python3.11-cryptography-37.0.2-6.el8

SOURCES/CVE-2023-49083.patch

@@ -0,0 +1,116 @@
+From f7aeb6d308004e078c11f6aaa1d5c6d1a0259146 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Mon, 27 Nov 2023 13:08:17 -0500
+Subject: [PATCH 1/2] Fixed crash when loading a PKCS#7 bundle with no
+ certificates (#9926)
+
+---
+ src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
+ tests/hazmat/primitives/test_pkcs7.py               | 6 ++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index bf34946..c7e95e5 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2356,9 +2356,12 @@ class Backend:
+                 _Reasons.UNSUPPORTED_SERIALIZATION,
+             )
+ 
++        certs: list[x509.Certificate] = []
++        if p7.d.sign == self._ffi.NULL:
++            return certs
++
+         sk_x509 = p7.d.sign.cert
+         num = self._lib.sk_X509_num(sk_x509)
+-        certs = []
+         for i in range(num):
+             x509 = self._lib.sk_X509_value(sk_x509, i)
+             self.openssl_assert(x509 != self._ffi.NULL)
+diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
+index 138bc0f..b2d9757 100644
+--- a/tests/hazmat/primitives/test_pkcs7.py
++++ b/tests/hazmat/primitives/test_pkcs7.py
+@@ -89,6 +89,12 @@ class TestPKCS7Loading:
+                 mode="rb",
+             )
+ 
++    def test_load_pkcs7_empty_certificates(self):
++        der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
++
++        certificates = pkcs7.load_der_pkcs7_certificates(der)
++        assert certificates == []
++
+ 
+ # We have no public verification API and won't be adding one until we get
+ # some requirements from users so this function exists to give us basic
+-- 
+2.43.0
+
+
+From d1f3d2caa8001aa8762117dd1df710514a633c39 Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <paul.l.kehrer@gmail.com>
+Date: Fri, 1 Dec 2023 13:26:38 -0600
+Subject: [PATCH 2/2] raise an exception instead of returning an empty list for
+ pkcs7 cert loading (#9947)
+
+* raise an exception instead of returning an empty list
+
+as davidben points out in #9926 we are calling a specific load
+certificates function and an empty value doesn't necessarily mean empty
+because PKCS7 contains multitudes. erroring is more correct.
+
+* changelog
+
+* Update CHANGELOG.rst
+
+Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
+
+---------
+
+Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
+---
+ src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++--
+ tests/hazmat/primitives/test_pkcs7.py               | 4 ++--
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index c7e95e5..f8a2f5a 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2356,12 +2356,15 @@ class Backend:
+                 _Reasons.UNSUPPORTED_SERIALIZATION,
+             )
+ 
+-        certs: list[x509.Certificate] = []
+         if p7.d.sign == self._ffi.NULL:
+-            return certs
++            raise ValueError(
++                "The provided PKCS7 has no certificate data, but a cert "
++                "loading method was called."
++            )
+ 
+         sk_x509 = p7.d.sign.cert
+         num = self._lib.sk_X509_num(sk_x509)
++        certs: list[x509.Certificate] = []
+         for i in range(num):
+             x509 = self._lib.sk_X509_value(sk_x509, i)
+             self.openssl_assert(x509 != self._ffi.NULL)
+diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
+index b2d9757..7b092b7 100644
+--- a/tests/hazmat/primitives/test_pkcs7.py
++++ b/tests/hazmat/primitives/test_pkcs7.py
+@@ -92,8 +92,8 @@ class TestPKCS7Loading:
+     def test_load_pkcs7_empty_certificates(self):
+         der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
+ 
+-        certificates = pkcs7.load_der_pkcs7_certificates(der)
+-        assert certificates == []
++        with pytest.raises(ValueError):
++            pkcs7.load_der_pkcs7_certificates(der)
+ 
+ 
+ # We have no public verification API and won't be adding one until we get
+-- 
+2.43.0
+

SPECS/python3.11-cryptography.spec

@@ -8,7 +8,7 @@
 
 Name:           python%{python3_pkgversion}-%{srcname}
 Version:        37.0.2
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        PyCA's cryptography library
 
 # We bundle various crates with cryptography which is dual licensed
@@ -68,6 +68,13 @@ Source2:        conftest-skipper.py
 # Resolved upstream: https://github.com/pyca/cryptography/commit/94a50a9731f35405f0357fa5f3b177d46a726ab3
 Patch0:         CVE-2023-23931.patch
 
+# Security fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates
+# Bugzilla tracker: https://bugzilla.redhat.com/show_bug.cgi?id=2255331
+# Resolved upstream:
+# https://github.com/pyca/cryptography/commit/1e7b4d074e14c4e694d3ce69ad6754a6039fd6ff
+# https://github.com/pyca/cryptography/commit/3165db8efc82d8e379c4931453f6c776ab8db013
+Patch1:         CVE-2023-49083.patch
+
 ExclusiveArch:  %{rust_arches}
 
 BuildRequires:  openssl-devel
@@ -170,7 +177,7 @@ cd ../..
 %endif
 
 %build
-export RUSTFLAGS="%__global_rustflags"
+export RUSTFLAGS="%build_rustflags"
 %py3_build
 
 %install
@@ -210,6 +217,10 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
 %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
 
 %changelog
+* Fri Jan 26 2024 Charalampos Stratakis <cstratak@redhat.com> - 37.0.2-6
+- Security fix for CVE-2023-49083
+- Resolves: RHEL-19831
+
 * Thu Feb 23 2023 Charalampos Stratakis <cstratak@redhat.com> - 37.0.2-5
 - Bump release for rebuild