Improvement for the fix for CVE-2023-49083
Resolves: RHEL-17731
This commit is contained in:
parent
d363bb066b
commit
01ec54f3cf
2
plan.fmf
2
plan.fmf
@ -6,6 +6,7 @@ discover:
|
||||
tests:
|
||||
- name: bundled tests - Prepare part
|
||||
require:
|
||||
- patch
|
||||
- python3.12-pytest
|
||||
- python3.12-cryptography
|
||||
- python3.12-pip
|
||||
@ -47,5 +48,6 @@ discover:
|
||||
- name: unittests-primitives-f-z
|
||||
test: |
|
||||
cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
|
||||
patch -p1 < $TMT_TREE/raise-an-exception-for-CVE-2023-49083.patch &&
|
||||
PYTHONPATH=./vectors OPENSSL_ENABLE_SHA1_SIGNATURES=yes pytest-3.12 tests/hazmat/primitives/test_[f-z]*.py \
|
||||
tests/hazmat/primitives/twofactor
|
||||
|
@ -78,6 +78,11 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam
|
||||
Source1: cryptography-%{version}-vendor.tar.bz2
|
||||
Source2: conftest-skipper.py
|
||||
|
||||
# Improvement for the fix for CVE-2023-49083
|
||||
# Backported from upstream:
|
||||
# https://github.com/pyca/cryptography/commit/3165db8efc82d8e379c4931453f6c776ab8db013
|
||||
Patch1: raise-an-exception-for-CVE-2023-49083.patch
|
||||
|
||||
ExclusiveArch: %{rust_arches}
|
||||
|
||||
BuildRequires: openssl-devel
|
||||
|
66
raise-an-exception-for-CVE-2023-49083.patch
Normal file
66
raise-an-exception-for-CVE-2023-49083.patch
Normal file
@ -0,0 +1,66 @@
|
||||
From bb4172af124eda3e4804272dd452863684a00a00 Mon Sep 17 00:00:00 2001
|
||||
From: Paul Kehrer <paul.l.kehrer@gmail.com>
|
||||
Date: Wed, 7 Feb 2024 14:48:09 +0100
|
||||
Subject: [PATCH] raise an exception instead of returning an empty list for
|
||||
pkcs7 cert loading (#9947)
|
||||
|
||||
* raise an exception instead of returning an empty list
|
||||
|
||||
as davidben points out in #9926 we are calling a specific load
|
||||
certificates function and an empty value doesn't necessarily mean empty
|
||||
because PKCS7 contains multitudes. erroring is more correct.
|
||||
|
||||
* changelog
|
||||
|
||||
* Update CHANGELOG.rst
|
||||
|
||||
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
||||
|
||||
---------
|
||||
|
||||
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
||||
---
|
||||
src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++--
|
||||
tests/hazmat/primitives/test_pkcs7.py | 4 ++--
|
||||
2 files changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
|
||||
index f1c79008b..3e8b8aa6b 100644
|
||||
--- a/src/cryptography/hazmat/backends/openssl/backend.py
|
||||
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
|
||||
@@ -1890,12 +1890,15 @@ class Backend:
|
||||
_Reasons.UNSUPPORTED_SERIALIZATION,
|
||||
)
|
||||
|
||||
- certs: list[x509.Certificate] = []
|
||||
if p7.d.sign == self._ffi.NULL:
|
||||
- return certs
|
||||
+ raise ValueError(
|
||||
+ "The provided PKCS7 has no certificate data, but a cert "
|
||||
+ "loading method was called."
|
||||
+ )
|
||||
|
||||
sk_x509 = p7.d.sign.cert
|
||||
num = self._lib.sk_X509_num(sk_x509)
|
||||
+ certs: list[x509.Certificate] = []
|
||||
for i in range(num):
|
||||
x509 = self._lib.sk_X509_value(sk_x509, i)
|
||||
self.openssl_assert(x509 != self._ffi.NULL)
|
||||
diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
|
||||
index f6ad64151..bc006dae3 100644
|
||||
--- a/tests/hazmat/primitives/test_pkcs7.py
|
||||
+++ b/tests/hazmat/primitives/test_pkcs7.py
|
||||
@@ -92,8 +92,8 @@ class TestPKCS7Loading:
|
||||
def test_load_pkcs7_empty_certificates(self, backend):
|
||||
der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
|
||||
|
||||
- certificates = pkcs7.load_der_pkcs7_certificates(der)
|
||||
- assert certificates == []
|
||||
+ with pytest.raises(ValueError):
|
||||
+ pkcs7.load_der_pkcs7_certificates(der)
|
||||
|
||||
|
||||
# We have no public verification API and won't be adding one until we get
|
||||
--
|
||||
2.43.0
|
||||
|
Loading…
Reference in New Issue
Block a user