rpms/python3.12-cryptography
13
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI python3.12-cryptography-41.0.7-2.el9_6.1

Browse Source
This commit is contained in:
eabdullin 2025-09-10 14:32:54 +00:00
parent 3460772472
commit 35d0c2edbc
3 changed files with 137 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
SOURCES/CVE-2024-26130.patch Normal file
View File

@ -0,0 +1,60 @@
From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Mon, 19 Feb 2024 11:50:28 -0500
Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't
match (#10423)
---
.../hazmat/backends/openssl/backend.py | 9 +++++++++
tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++
2 files changed, 27 insertions(+)
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 45888f36168a..6a4aeca7521f 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -623,6 +623,15 @@ def serialize_key_and_certificates_to_pkcs12(
mac_iter,
0,
)
+ if p12 == self._ffi.NULL:
+ errors = self._consume_errors()
+ raise ValueError(
+ (
+ "Failed to create PKCS12 (does the key match the "
+ "certificate?)"
+ ),
+ errors,
+ )
if (
self._lib.Cryptography_HAS_PKCS12_SET_MAC
diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py
index f49c98a4ed3d..cb998c4a4bc0 100644
--- a/tests/hazmat/primitives/test_pkcs12.py
+++ b/tests/hazmat/primitives/test_pkcs12.py
@@ -660,6 +660,24 @@ def test_key_serialization_encryption_set_mac_unsupported(
b"name", cakey, cacert, [], algorithm
)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC,
+ skip_message="Requires OpenSSL with PKCS12_set_mac",
+ )
+ def test_set_mac_key_certificate_mismatch(self, backend):
+ cacert, _ = _load_ca(backend)
+ key = ec.generate_private_key(ec.SECP256R1())
+ encryption = (
+ serialization.PrivateFormat.PKCS12.encryption_builder()
+ .hmac_hash(hashes.SHA256())
+ .build(b"password")
+ )
+
+ with pytest.raises(ValueError):
+ serialize_key_and_certificates(
+ b"name", key, cacert, [], encryption
+ )
+
@pytest.mark.skip_fips(
reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it."

52
SOURCES/CVE-2025-24898.patch Normal file
View File

@ -0,0 +1,52 @@
From eda4f38d30c9e8bdfee282d75fc7350d50ba78f3 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Thu, 6 Feb 2025 00:16:30 +0100
Subject: [PATCH 1/2] Use our patched copy of the openssl crate
---
src/rust/Cargo.toml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
index 01fba14..a352548 100644
--- a/src/rust/Cargo.toml
+++ b/src/rust/Cargo.toml
@@ -20,6 +20,9 @@ openssl = "0.10.54"
openssl-sys = "0.9.88"
foreign-types-shared = "0.1"
+[patch.crates-io]
+openssl = { path= "../../vendor/openssl" }
+
[build-dependencies]
cc = "1.0.72"
--
2.48.1
From a99434f68209631e9363ffa4dd32dacbfa376221 Mon Sep 17 00:00:00 2001
From: Steven Fackler <sfackler@gmail.com>
Date: Sun, 2 Feb 2025 12:19:46 -0500
Subject: [PATCH 2/2] Fix lifetimes in ssl::select_next_proto
---
vendor/openssl/src/ssl/mod.rs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vendor/openssl/src/ssl/mod.rs b/vendor/openssl/src/ssl/mod.rs
index fb38bb3..6aa6705 100644
--- a/vendor/openssl/src/ssl/mod.rs
+++ b/vendor/openssl/src/ssl/mod.rs
@@ -696,7 +696,7 @@ cfg_if! {
///
/// [`SslContextBuilder::set_alpn_protos`]: struct.SslContextBuilder.html#method.set_alpn_protos
#[corresponds(SSL_select_next_proto)]
-pub fn select_next_proto<'a>(server: &[u8], client: &'a [u8]) -> Option<&'a [u8]> {
+pub fn select_next_proto<'a>(server: &'a [u8], client: &'a [u8]) -> Option<&'a [u8]> {
unsafe {
let mut out = ptr::null_mut();
let mut outlen = 0;
--
2.48.1

28
SPECS/python3.12-cryptography.spec
View File

@ -8,7 +8,7 @@
Name: python%{python3_pkgversion}-%{srcname}
Version: 41.0.7
Release: 1%{?dist}
Release: 2%{?dist}.1
Summary: PyCA's cryptography library
# We bundle various crates with cryptography which is dual licensed
@ -83,6 +83,16 @@ Source2: conftest-skipper.py
# https://github.com/pyca/cryptography/commit/3165db8efc82d8e379c4931453f6c776ab8db013
Patch1: raise-an-exception-for-CVE-2023-49083.patch
# Security fix for CVE-2025-24898 in the bundled openssl crate
# Resolved upsteam:
# https://github.com/sfackler/rust-openssl/commit/f014afb230de4d77bc79dea60e7e58c2f47b60f2
Patch2: CVE-2025-24898.patch
# Security fix for CVE-2024-26130
# Resolved upstream:
# https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
Patch3: CVE-2024-26130.patch
ExclusiveArch: %{rust_arches}
BuildRequires: openssl-devel
@ -177,13 +187,16 @@ cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers.
%prep
%autosetup -p1 -n %{srcname}-%{version}
%if 0%{?fedora}
%autosetup -p1 -n %{srcname}-%{version}
%cargo_prep
rm src/rust/Cargo.lock
%else
# RHEL: use vendored Rust crates
%cargo_prep -V 1
# We unpack the vendored crates to
# be able to patch them
%autosetup -p1 -n %{srcname}-%{version} -a1
%cargo_prep -v vendor
%endif
%if 0%{?fedora}
@ -199,6 +212,7 @@ sed -i 's,--no-subtests-shortletter,,' pyproject.toml
%build
export OPENSSL_NO_VENDOR=1
export RUSTFLAGS="%build_rustflags"
%py3_build
%install
@ -238,6 +252,14 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
%changelog
* Fri Sep 05 2025 Lumir Balhar <lbalhar@redhat.com> - 41.0.7-2.1
- Security fix for CVE-2024-26130
Resolves: RHEL-112483
* Wed Feb 05 2025 Charalampos Stratakis <cstratak@redhat.com> - 41.0.7-2
- Security fix for CVE-2025-24898 in the bundled openssl crate
Resolves: RHEL-77735
* Tue Feb 06 2024 Miro Hrončok <mhroncok@redhat.com> - 41.0.7-1
- Update to 41.0.7, fixes CVE-2023-49083