rpms/python3.11-cryptography
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Security fix for CVE-2023-23931

Browse Source 
Resolves: rhbz#2157705
This commit is contained in:
Charalampos Stratakis 2023-02-20 19:25:02 +01:00
parent 9f5f27800b
commit b8a96b9d42
2 changed files with 54 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
CVE-2023-23931.patch Normal file
View File

@ -0,0 +1,45 @@
From 3914106b613ad4f5f27a2d1b3fc8fc2efb41dec6 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Tue, 31 Jan 2023 08:33:54 -0500
Subject: [PATCH] Don't allow update_into to mutate immutable objects
---
src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
tests/hazmat/primitives/test_ciphers.py | 8 ++++++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
index 1058de9..17abd3a 100644
--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -157,7 +157,7 @@ class _CipherContext:
data_processed = 0
total_out = 0
outlen = self._backend._ffi.new("int *")
- baseoutbuf = self._backend._ffi.from_buffer(buf)
+ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
baseinbuf = self._backend._ffi.from_buffer(data)
while data_processed != total_data_len:
diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
index 02127dd..bf3b047 100644
--- a/tests/hazmat/primitives/test_ciphers.py
+++ b/tests/hazmat/primitives/test_ciphers.py
@@ -318,6 +318,14 @@ class TestCipherUpdateInto:
with pytest.raises(ValueError):
encryptor.update_into(b"testing", buf)
+ def test_update_into_immutable(self, backend):
+ key = b"\x00" * 16
+ c = ciphers.Cipher(AES(key), modes.ECB(), backend)
+ encryptor = c.encryptor()
+ buf = b"\x00" * 32
+ with pytest.raises((TypeError, BufferError)):
+ encryptor.update_into(b"testing", buf)
+
@pytest.mark.supported(
only_if=lambda backend: backend.cipher_supported(
AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)
--
2.39.1

10
python3.11-cryptography.spec
View File

@ -8,7 +8,7 @@
Name: python%{python3_pkgversion}-%{srcname} Name: python%{python3_pkgversion}-%{srcname}
Version: 37.0.2 Version: 37.0.2
Release: 3%{?dist} Release: 4%{?dist}
Summary: PyCA's cryptography library Summary: PyCA's cryptography library
# We bundle various crates with cryptography which is dual licensed # We bundle various crates with cryptography which is dual licensed
@ -63,6 +63,11 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam
Source1: cryptography-%{version}-vendor.tar.bz2 Source1: cryptography-%{version}-vendor.tar.bz2
Source2: conftest-skipper.py Source2: conftest-skipper.py
# Security fix for CVE-2023-23931: memory corruption via immutable objects
# Bugzilla tracker: https://bugzilla.redhat.com/show_bug.cgi?id=2171817
# Resolved upstream: https://github.com/pyca/cryptography/commit/94a50a9731f35405f0357fa5f3b177d46a726ab3
Patch0: CVE-2023-23931.patch
ExclusiveArch: %{rust_arches} ExclusiveArch: %{rust_arches}
BuildRequires: openssl-devel BuildRequires: openssl-devel
@ -205,6 +210,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
%changelog %changelog
* Mon Feb 20 2023 Charalampos Stratakis <cstratak@redhat.com> - 37.0.2-4
- Security fix for CVE-2023-23931
* Tue Feb 14 2023 Charalampos Stratakis <cstratak@redhat.com> - 37.0.2-3 * Tue Feb 14 2023 Charalampos Stratakis <cstratak@redhat.com> - 37.0.2-3
- Rebuild for gating - Rebuild for gating