import UBI python3.11-cryptography-37.0.2-6.el8
This commit is contained in:
parent
5f072ed00f
commit
ba19fd361c
116
SOURCES/CVE-2023-49083.patch
Normal file
116
SOURCES/CVE-2023-49083.patch
Normal file
@ -0,0 +1,116 @@
|
|||||||
|
From f7aeb6d308004e078c11f6aaa1d5c6d1a0259146 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alex Gaynor <alex.gaynor@gmail.com>
|
||||||
|
Date: Mon, 27 Nov 2023 13:08:17 -0500
|
||||||
|
Subject: [PATCH 1/2] Fixed crash when loading a PKCS#7 bundle with no
|
||||||
|
certificates (#9926)
|
||||||
|
|
||||||
|
---
|
||||||
|
src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
|
||||||
|
tests/hazmat/primitives/test_pkcs7.py | 6 ++++++
|
||||||
|
2 files changed, 10 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
|
||||||
|
index bf34946..c7e95e5 100644
|
||||||
|
--- a/src/cryptography/hazmat/backends/openssl/backend.py
|
||||||
|
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
|
||||||
|
@@ -2356,9 +2356,12 @@ class Backend:
|
||||||
|
_Reasons.UNSUPPORTED_SERIALIZATION,
|
||||||
|
)
|
||||||
|
|
||||||
|
+ certs: list[x509.Certificate] = []
|
||||||
|
+ if p7.d.sign == self._ffi.NULL:
|
||||||
|
+ return certs
|
||||||
|
+
|
||||||
|
sk_x509 = p7.d.sign.cert
|
||||||
|
num = self._lib.sk_X509_num(sk_x509)
|
||||||
|
- certs = []
|
||||||
|
for i in range(num):
|
||||||
|
x509 = self._lib.sk_X509_value(sk_x509, i)
|
||||||
|
self.openssl_assert(x509 != self._ffi.NULL)
|
||||||
|
diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
|
||||||
|
index 138bc0f..b2d9757 100644
|
||||||
|
--- a/tests/hazmat/primitives/test_pkcs7.py
|
||||||
|
+++ b/tests/hazmat/primitives/test_pkcs7.py
|
||||||
|
@@ -89,6 +89,12 @@ class TestPKCS7Loading:
|
||||||
|
mode="rb",
|
||||||
|
)
|
||||||
|
|
||||||
|
+ def test_load_pkcs7_empty_certificates(self):
|
||||||
|
+ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
|
||||||
|
+
|
||||||
|
+ certificates = pkcs7.load_der_pkcs7_certificates(der)
|
||||||
|
+ assert certificates == []
|
||||||
|
+
|
||||||
|
|
||||||
|
# We have no public verification API and won't be adding one until we get
|
||||||
|
# some requirements from users so this function exists to give us basic
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
||||||
|
|
||||||
|
From d1f3d2caa8001aa8762117dd1df710514a633c39 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Paul Kehrer <paul.l.kehrer@gmail.com>
|
||||||
|
Date: Fri, 1 Dec 2023 13:26:38 -0600
|
||||||
|
Subject: [PATCH 2/2] raise an exception instead of returning an empty list for
|
||||||
|
pkcs7 cert loading (#9947)
|
||||||
|
|
||||||
|
* raise an exception instead of returning an empty list
|
||||||
|
|
||||||
|
as davidben points out in #9926 we are calling a specific load
|
||||||
|
certificates function and an empty value doesn't necessarily mean empty
|
||||||
|
because PKCS7 contains multitudes. erroring is more correct.
|
||||||
|
|
||||||
|
* changelog
|
||||||
|
|
||||||
|
* Update CHANGELOG.rst
|
||||||
|
|
||||||
|
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
||||||
|
|
||||||
|
---------
|
||||||
|
|
||||||
|
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
||||||
|
---
|
||||||
|
src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++--
|
||||||
|
tests/hazmat/primitives/test_pkcs7.py | 4 ++--
|
||||||
|
2 files changed, 7 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
|
||||||
|
index c7e95e5..f8a2f5a 100644
|
||||||
|
--- a/src/cryptography/hazmat/backends/openssl/backend.py
|
||||||
|
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
|
||||||
|
@@ -2356,12 +2356,15 @@ class Backend:
|
||||||
|
_Reasons.UNSUPPORTED_SERIALIZATION,
|
||||||
|
)
|
||||||
|
|
||||||
|
- certs: list[x509.Certificate] = []
|
||||||
|
if p7.d.sign == self._ffi.NULL:
|
||||||
|
- return certs
|
||||||
|
+ raise ValueError(
|
||||||
|
+ "The provided PKCS7 has no certificate data, but a cert "
|
||||||
|
+ "loading method was called."
|
||||||
|
+ )
|
||||||
|
|
||||||
|
sk_x509 = p7.d.sign.cert
|
||||||
|
num = self._lib.sk_X509_num(sk_x509)
|
||||||
|
+ certs: list[x509.Certificate] = []
|
||||||
|
for i in range(num):
|
||||||
|
x509 = self._lib.sk_X509_value(sk_x509, i)
|
||||||
|
self.openssl_assert(x509 != self._ffi.NULL)
|
||||||
|
diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
|
||||||
|
index b2d9757..7b092b7 100644
|
||||||
|
--- a/tests/hazmat/primitives/test_pkcs7.py
|
||||||
|
+++ b/tests/hazmat/primitives/test_pkcs7.py
|
||||||
|
@@ -92,8 +92,8 @@ class TestPKCS7Loading:
|
||||||
|
def test_load_pkcs7_empty_certificates(self):
|
||||||
|
der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
|
||||||
|
|
||||||
|
- certificates = pkcs7.load_der_pkcs7_certificates(der)
|
||||||
|
- assert certificates == []
|
||||||
|
+ with pytest.raises(ValueError):
|
||||||
|
+ pkcs7.load_der_pkcs7_certificates(der)
|
||||||
|
|
||||||
|
|
||||||
|
# We have no public verification API and won't be adding one until we get
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
@ -8,7 +8,7 @@
|
|||||||
|
|
||||||
Name: python%{python3_pkgversion}-%{srcname}
|
Name: python%{python3_pkgversion}-%{srcname}
|
||||||
Version: 37.0.2
|
Version: 37.0.2
|
||||||
Release: 5%{?dist}
|
Release: 6%{?dist}
|
||||||
Summary: PyCA's cryptography library
|
Summary: PyCA's cryptography library
|
||||||
|
|
||||||
# We bundle various crates with cryptography which is dual licensed
|
# We bundle various crates with cryptography which is dual licensed
|
||||||
@ -68,6 +68,13 @@ Source2: conftest-skipper.py
|
|||||||
# Resolved upstream: https://github.com/pyca/cryptography/commit/94a50a9731f35405f0357fa5f3b177d46a726ab3
|
# Resolved upstream: https://github.com/pyca/cryptography/commit/94a50a9731f35405f0357fa5f3b177d46a726ab3
|
||||||
Patch0: CVE-2023-23931.patch
|
Patch0: CVE-2023-23931.patch
|
||||||
|
|
||||||
|
# Security fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates
|
||||||
|
# Bugzilla tracker: https://bugzilla.redhat.com/show_bug.cgi?id=2255331
|
||||||
|
# Resolved upstream:
|
||||||
|
# https://github.com/pyca/cryptography/commit/1e7b4d074e14c4e694d3ce69ad6754a6039fd6ff
|
||||||
|
# https://github.com/pyca/cryptography/commit/3165db8efc82d8e379c4931453f6c776ab8db013
|
||||||
|
Patch1: CVE-2023-49083.patch
|
||||||
|
|
||||||
ExclusiveArch: %{rust_arches}
|
ExclusiveArch: %{rust_arches}
|
||||||
|
|
||||||
BuildRequires: openssl-devel
|
BuildRequires: openssl-devel
|
||||||
@ -170,7 +177,7 @@ cd ../..
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export RUSTFLAGS="%__global_rustflags"
|
export RUSTFLAGS="%build_rustflags"
|
||||||
%py3_build
|
%py3_build
|
||||||
|
|
||||||
%install
|
%install
|
||||||
@ -210,6 +217,10 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
|
|||||||
%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
|
%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jan 26 2024 Charalampos Stratakis <cstratak@redhat.com> - 37.0.2-6
|
||||||
|
- Security fix for CVE-2023-49083
|
||||||
|
- Resolves: RHEL-19831
|
||||||
|
|
||||||
* Thu Feb 23 2023 Charalampos Stratakis <cstratak@redhat.com> - 37.0.2-5
|
* Thu Feb 23 2023 Charalampos Stratakis <cstratak@redhat.com> - 37.0.2-5
|
||||||
- Bump release for rebuild
|
- Bump release for rebuild
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user