rpms
/
python3.11-cryptography
7
0
Fork 0
Code Issues Pull Requests Releases Activity
python3.11-cryptography/SOURCES/CVE-2023-49083.patch

117 lines
4.2 KiB
Diff
Raw Permalink Blame History

From f7aeb6d308004e078c11f6aaa1d5c6d1a0259146 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Mon, 27 Nov 2023 13:08:17 -0500
Subject: [PATCH 1/2] Fixed crash when loading a PKCS#7 bundle with no
certificates (#9926)
---
src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
tests/hazmat/primitives/test_pkcs7.py | 6 ++++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index bf34946..c7e95e5 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -2356,9 +2356,12 @@ class Backend:
_Reasons.UNSUPPORTED_SERIALIZATION,
)
+ certs: list[x509.Certificate] = []
+ if p7.d.sign == self._ffi.NULL:
+ return certs
+
sk_x509 = p7.d.sign.cert
num = self._lib.sk_X509_num(sk_x509)
- certs = []
for i in range(num):
x509 = self._lib.sk_X509_value(sk_x509, i)
self.openssl_assert(x509 != self._ffi.NULL)
diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
index 138bc0f..b2d9757 100644
--- a/tests/hazmat/primitives/test_pkcs7.py
+++ b/tests/hazmat/primitives/test_pkcs7.py
@@ -89,6 +89,12 @@ class TestPKCS7Loading:
mode="rb",
)
+ def test_load_pkcs7_empty_certificates(self):
+ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
+
+ certificates = pkcs7.load_der_pkcs7_certificates(der)
+ assert certificates == []
+
# We have no public verification API and won't be adding one until we get
# some requirements from users so this function exists to give us basic
--
2.43.0
From d1f3d2caa8001aa8762117dd1df710514a633c39 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Fri, 1 Dec 2023 13:26:38 -0600
Subject: [PATCH 2/2] raise an exception instead of returning an empty list for
pkcs7 cert loading (#9947)
* raise an exception instead of returning an empty list
as davidben points out in #9926 we are calling a specific load
certificates function and an empty value doesn't necessarily mean empty
because PKCS7 contains multitudes. erroring is more correct.
* changelog
* Update CHANGELOG.rst
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
---------
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
---
src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++--
tests/hazmat/primitives/test_pkcs7.py | 4 ++--
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index c7e95e5..f8a2f5a 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -2356,12 +2356,15 @@ class Backend:
_Reasons.UNSUPPORTED_SERIALIZATION,
)
- certs: list[x509.Certificate] = []
if p7.d.sign == self._ffi.NULL:
- return certs
+ raise ValueError(
+ "The provided PKCS7 has no certificate data, but a cert "
+ "loading method was called."
+ )
sk_x509 = p7.d.sign.cert
num = self._lib.sk_X509_num(sk_x509)
+ certs: list[x509.Certificate] = []
for i in range(num):
x509 = self._lib.sk_X509_value(sk_x509, i)
self.openssl_assert(x509 != self._ffi.NULL)
diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
index b2d9757..7b092b7 100644
--- a/tests/hazmat/primitives/test_pkcs7.py
+++ b/tests/hazmat/primitives/test_pkcs7.py
@@ -92,8 +92,8 @@ class TestPKCS7Loading:
def test_load_pkcs7_empty_certificates(self):
der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
- certificates = pkcs7.load_der_pkcs7_certificates(der)
- assert certificates == []
+ with pytest.raises(ValueError):
+ pkcs7.load_der_pkcs7_certificates(der)
# We have no public verification API and won't be adding one until we get
--
2.43.0
Reference in New Issue View Git Blame Copy Permalink