import python3.11-cryptography-37.0.2-5.el8

2023-03-28 12:45:11 +00:00 · 2023-03-28 12:45:11 +00:00 · a3b97470c6
commit a3b97470c6
5 changed files with 317 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
+SOURCES/cryptography-37.0.2-vendor.tar.bz2
+SOURCES/cryptography-37.0.2.tar.gz
--- a/.python3.11-cryptography.metadata
+++ b/.python3.11-cryptography.metadata
@ -0,0 +1,2 @@
+eca566e4bf80dca2c2619c08ff1ae41d2c326e40 SOURCES/cryptography-37.0.2-vendor.tar.bz2
+b0a31457545b06b8baa32162a45399f79aabe58d SOURCES/cryptography-37.0.2.tar.gz
--- a/SOURCES/CVE-2023-23931.patch
+++ b/SOURCES/CVE-2023-23931.patch
@ -0,0 +1,45 @@
+From 3914106b613ad4f5f27a2d1b3fc8fc2efb41dec6 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Tue, 31 Jan 2023 08:33:54 -0500
+Subject: [PATCH] Don't allow update_into to mutate immutable objects
+
+---
+ src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
+ tests/hazmat/primitives/test_ciphers.py             | 8 ++++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
+index 1058de9..17abd3a 100644
+--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -157,7 +157,7 @@ class _CipherContext:
+         data_processed = 0
+         total_out = 0
+         outlen = self._backend._ffi.new("int *")
+-        baseoutbuf = self._backend._ffi.from_buffer(buf)
+        baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
+         baseinbuf = self._backend._ffi.from_buffer(data)
+ 
+         while data_processed != total_data_len:
+diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
+index 02127dd..bf3b047 100644
+--- a/tests/hazmat/primitives/test_ciphers.py
+++ b/tests/hazmat/primitives/test_ciphers.py
+@@ -318,6 +318,14 @@ class TestCipherUpdateInto:
+         with pytest.raises(ValueError):
+             encryptor.update_into(b"testing", buf)
+ 
+    def test_update_into_immutable(self, backend):
+        key = b"\x00" * 16
+        c = ciphers.Cipher(AES(key), modes.ECB(), backend)
+        encryptor = c.encryptor()
+        buf = b"\x00" * 32
+        with pytest.raises((TypeError, BufferError)):
+            encryptor.update_into(b"testing", buf)
+
+     @pytest.mark.supported(
+         only_if=lambda backend: backend.cipher_supported(
+             AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)
+-- 
+2.39.1
+
--- a/SOURCES/conftest-skipper.py
+++ b/SOURCES/conftest-skipper.py
@ -0,0 +1,22 @@
+
+class Skipper:
+    """Skip iso8601 and pretend tests
+
+    RHEL buildroot doesn't have python-iso8601 and python-pretend. Skip
+    all tests that use the excluded modules.
+    """
+
+    def parse_date(self, datestring):
+        pytest.skip(f"iso8601 module is not available.")
+
+    def stub(self, **kwargs):
+        pytest.skip(f"pretend module is not available.")
+
+    def raiser(self, exc):
+        pytest.skip(f"pretend module is not available.")
+
+
+import sys
+
+sys.modules["iso8601"] = sys.modules["pretend"] = Skipper()
+
--- a/SPECS/python3.11-cryptography.spec
+++ b/SPECS/python3.11-cryptography.spec
@ -0,0 +1,246 @@
+%global __python3 /usr/bin/python3.11
+%global python3_pkgversion 3.11
+
+# RHEL: Tests disabled due to missing deps
+%bcond_with tests
+
+%global srcname cryptography
+
+Name:           python%{python3_pkgversion}-%{srcname}
+Version:        37.0.2
+Release:        5%{?dist}
+Summary:        PyCA's cryptography library
+
+# We bundle various crates with cryptography which is dual licensed
+# under the ASL 2.0 and BSD-3-Clause, as well as the Python license
+# for the OS random engine derived by CPython.
+
+# Inflector: BSD
+# aliasable: MIT
+# asn1: BSD
+# asn1_derive: BSD
+# autocfg: MIT or ASL 2.0
+# base64: MIT or ASL 2.0
+# cfg-if: MIT or ASL 2.0
+# chrono: MIT or ASL 2.0
+# indoc: MIT or ASL 2.0
+# indoc-impl: MIT or ASL 2.0
+# instant: BSD
+# lazy_static: MIT or ASL 2.0
+# libc: MIT or ASL 2.0
+# lock_api: MIT or ASL 2.0
+# num-integer: MIT or ASL 2.0
+# num-traits: MIT or ASL 2.0
+# once_cell: MIT or ASL 2.0
+# ouroboros: MIT or ASL 2.0
+# ouroboros_macro: MIT or ASL 2.0
+# parking_lot: MIT or ASL 2.0
+# parking_lot_core: MIT or ASL 2.0
+# paste: MIT or ASL 2.0
+# paste-impl: MIT or ASL 2.0
+# pem: MIT
+# proc-macro-error: MIT or ASL 2.0
+# proc-macro-error-attr: MIT or ASL 2.0
+# proc-macro-hack: MIT or ASL 2.0
+# proc-macro2: MIT or ASL 2.0
+# pyo3: ASL 2.0
+# pyo3-build-config: ASL 2.0
+# pyo3-macros: ASL 2.0
+# pyo3-macros-backend: ASL 2.0
+# quote: MIT or ASL 2.0
+# scopeguard: MIT or ASL 2.0
+# smallvec: MIT or ASL 2.0
+# stable_deref_trait: MIT or ASL 2.0
+# syn: MIT or ASL 2.0
+# unicode-xid: MIT or ASL 2.0
+# unindent: MIT or ASL 2.0
+# version_check: MIT or ASL 2.0
+
+License:        (ASL 2.0 or BSD) and Python and BSD and MIT and (MIT or ASL 2.0) and ASL 2.0
+URL:            https://cryptography.io/en/latest/
+Source0:        https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz
+                # created by ./vendor_rust.py helper script
+Source1:        cryptography-%{version}-vendor.tar.bz2
+Source2:        conftest-skipper.py
+
+# Security fix for CVE-2023-23931: memory corruption via immutable objects
+# Bugzilla tracker: https://bugzilla.redhat.com/show_bug.cgi?id=2171817
+# Resolved upstream: https://github.com/pyca/cryptography/commit/94a50a9731f35405f0357fa5f3b177d46a726ab3
+Patch0:         CVE-2023-23931.patch
+
+ExclusiveArch:  %{rust_arches}
+
+BuildRequires:  openssl-devel
+BuildRequires:  gcc
+BuildRequires:  gnupg2
+%if 0%{?fedora}
+BuildRequires:  rust-packaging
+%else
+BuildRequires:  rust-toolset
+%endif
+
+BuildRequires:  python%{python3_pkgversion}-cffi >= 1.7
+BuildRequires:  python%{python3_pkgversion}-devel
+BuildRequires:  python%{python3_pkgversion}-rpm-macros
+BuildRequires:  python%{python3_pkgversion}-setuptools
+BuildRequires:  python%{python3_pkgversion}-setuptools-rust >= 0.11.3
+# Cargo.toml requires asn1 0.6, but package FTBFS with 0.6.1
+#BuildRequires:  rust-asn1-devel >= 0.6.4
+
+%if %{with tests}
+%if 0%{?fedora}
+BuildRequires:  python%{python3_pkgversion}-hypothesis >= 1.11.4
+BuildRequires:  python%{python3_pkgversion}-iso8601
+BuildRequires:  python%{python3_pkgversion}-pretend
+BuildRequires:  python%{python3_pkgversion}-pytest-xdist
+%endif
+BuildRequires:  python%{python3_pkgversion}-pytest >= 6.0
+BuildRequires:  python%{python3_pkgversion}-pytest-benchmark
+BuildRequires:  python%{python3_pkgversion}-pytest-subtests >= 0.3.2
+BuildRequires:  python%{python3_pkgversion}-pytz
+%endif
+
+Requires:       openssl-libs
+Requires:       python%{python3_pkgversion}-cffi >= 1.7
+
+# Provides for the bundled crates
+
+Provides: bundled(crate(Inflector)) = 0.11.4
+Provides: bundled(crate(aliasable)) = 0.1.3
+Provides: bundled(crate(asn1)) = 0.8.7
+Provides: bundled(crate(asn1_derive)) = 0.8.7
+Provides: bundled(crate(autocfg)) = 1.1.0
+Provides: bundled(crate(base64)) = 0.13.0
+Provides: bundled(crate(cfg-if)) = 1.0.0
+Provides: bundled(crate(chrono)) = 0.4.19
+Provides: bundled(crate(indoc)) = 0.3.6
+Provides: bundled(crate(indoc-impl)) = 0.3.6
+Provides: bundled(crate(instant)) = 0.1.12
+Provides: bundled(crate(lazy_static)) = 1.4.0
+Provides: bundled(crate(libc)) = 0.2.124
+Provides: bundled(crate(lock_api)) = 0.4.7
+Provides: bundled(crate(num-integer)) = 0.1.44
+Provides: bundled(crate(num-traits)) = 0.2.14
+Provides: bundled(crate(once_cell)) = 1.10.0
+Provides: bundled(crate(ouroboros)) = 0.15.0
+Provides: bundled(crate(ouroboros_macro)) = 0.15.0
+Provides: bundled(crate(parking_lot)) = 0.11.2
+Provides: bundled(crate(parking_lot_core)) = 0.8.5
+Provides: bundled(crate(paste)) = 0.1.18
+Provides: bundled(crate(paste-impl)) = 0.1.18
+Provides: bundled(crate(pem)) = 1.0.2
+Provides: bundled(crate(proc-macro-error)) = 1.0.4
+Provides: bundled(crate(proc-macro-error-attr)) = 1.0.4
+Provides: bundled(crate(proc-macro-hack)) = 0.5.19
+Provides: bundled(crate(proc-macro2)) = 1.0.37
+Provides: bundled(crate(pyo3)) = 0.15.2
+Provides: bundled(crate(pyo3-build-config)) = 0.15.2
+Provides: bundled(crate(pyo3-macros)) = 0.15.2
+Provides: bundled(crate(pyo3-macros-backend)) = 0.15.2
+Provides: bundled(crate(quote)) = 1.0.18
+Provides: bundled(crate(scopeguard)) = 1.1.0
+Provides: bundled(crate(smallvec)) = 1.8.0
+Provides: bundled(crate(stable_deref_trait)) = 1.2.0
+Provides: bundled(crate(syn)) = 1.0.91
+Provides: bundled(crate(unicode-xid)) = 0.2.2
+Provides: bundled(crate(unindent)) = 0.1.8
+Provides: bundled(crate(version_check)) = 0.9.4
+
+# Cryptography crate
+Provides: crate(cryptography-rust) = 0.1.0
+
+%description
+cryptography is a package designed to expose cryptographic primitives and
+recipes to Python developers.
+
+%prep
+%autosetup -p1 -n %{srcname}-%{version}
+
+
+%if 0%{?fedora}
+# Fedora: use cargo macros to make use of RPMified crates
+%cargo_prep
+cd src/rust
+rm -f Cargo.lock
+%cargo_generate_buildrequires
+cd ../..
+%else
+# RHEL: use vendored Rust crates
+%cargo_prep -V 1
+%endif
+
+%build
+export RUSTFLAGS="%__global_rustflags"
+%py3_build
+
+%install
+# Actually other *.c and *.h are appropriate
+# see https://github.com/pyca/cryptography/issues/1463
+find . -name .keep -print -delete
+%py3_install
+
+%check
+%if %{with tests}
+%if 0%{?rhel}
+# skip hypothesis tests on RHEL
+rm -rf tests/hypothesis
+# append skipper to skip iso8601 and pretend tests
+cat < %{SOURCE2} >> tests/conftest.py
+%endif
+
+%if 0%{?eln}
+# enable SHA-1 signatures for RSA tests
+# also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343
+export OPENSSL_ENABLE_SHA1_SIGNATURES=yes
+%endif
+
+# see https://github.com/pyca/cryptography/issues/4885 and
+# see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests
+# see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes
+# not much sense for downstream testing.
+PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
+    %{__python3} -m pytest \
+    -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_openssl_memleak)"
+%endif
+
+%files -n python%{python3_pkgversion}-%{srcname}
+%doc README.rst docs
+%license LICENSE LICENSE.APACHE LICENSE.BSD
+%{python3_sitearch}/%{srcname}
+%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
+
+%changelog
+* Thu Feb 23 2023 Charalampos Stratakis <cstratak@redhat.com> - 37.0.2-5
+- Bump release for rebuild
+
+* Mon Feb 20 2023 Charalampos Stratakis <cstratak@redhat.com> - 37.0.2-4
+- Security fix for CVE-2023-23931
+
+* Tue Feb 14 2023 Charalampos Stratakis <cstratak@redhat.com> - 37.0.2-3
+- Rebuild for gating
+
+* Mon Feb 13 2023 Charalampos Stratakis <cstratak@redhat.com> - 37.0.2-2
+- Add explicit dependency on python3.11-rpm-macros
+
+* Thu Dec 01 2022 Charalampos Stratakis <cstratak@redhat.com> - 37.0.2-1
+- Initial package
+- Fedora contributions by:
+      Alfredo Moralejo <amoralej@redhat.com>
+      Charalampos Stratakis <cstratak@redhat.com>
+      Christian Heimes <christian@python.org>
+      Colin Walters <walters@verbum.org>
+      Dennis Gilmore <dennis@ausil.us>
+      Fabio Valentini <decathorpe@gmail.com>
+      Felix Schwarz <felix.schwarz@oss.schwarz.eu>
+      Haikel Guemar <hguemar@fedoraproject.org>
+      Igor Gnatenko <ignatenkobrain@fedoraproject.org>
+      Iryna Shcherbina <shcherbina.iryna@gmail.com>
+      Lumir Balhar <lbalhar@redhat.com>
+      Matěj Cepl <mcepl@cepl.eu>
+      Miro Hrončok <miro@hroncok.cz>
+      Nathaniel McCallum <npmccallum@redhat.com>
+      Randy Barlow <randy@electronsweatshop.com>
+      Robert Kuska <rkuska@redhat.com>
+      Sahana Prasad <sahana@redhat.com>
+      Stephen Gallagher <sgallagh@redhat.com>
+      Troy Dawson <tdawson@redhat.com>