diff --git a/SOURCES/CVE-2024-26130.patch b/SOURCES/CVE-2024-26130.patch new file mode 100644 index 0000000..3a24f19 --- /dev/null +++ b/SOURCES/CVE-2024-26130.patch @@ -0,0 +1,60 @@ +From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Mon, 19 Feb 2024 11:50:28 -0500 +Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't + match (#10423) + +--- + .../hazmat/backends/openssl/backend.py | 9 +++++++++ + tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++ + 2 files changed, 27 insertions(+) + +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index 45888f36168a..6a4aeca7521f 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -623,6 +623,15 @@ def serialize_key_and_certificates_to_pkcs12( + mac_iter, + 0, + ) ++ if p12 == self._ffi.NULL: ++ errors = self._consume_errors() ++ raise ValueError( ++ ( ++ "Failed to create PKCS12 (does the key match the " ++ "certificate?)" ++ ), ++ errors, ++ ) + + if ( + self._lib.Cryptography_HAS_PKCS12_SET_MAC +diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py +index f49c98a4ed3d..cb998c4a4bc0 100644 +--- a/tests/hazmat/primitives/test_pkcs12.py ++++ b/tests/hazmat/primitives/test_pkcs12.py +@@ -660,6 +660,24 @@ def test_key_serialization_encryption_set_mac_unsupported( + b"name", cakey, cacert, [], algorithm + ) + ++ @pytest.mark.supported( ++ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC, ++ skip_message="Requires OpenSSL with PKCS12_set_mac", ++ ) ++ def test_set_mac_key_certificate_mismatch(self, backend): ++ cacert, _ = _load_ca(backend) ++ key = ec.generate_private_key(ec.SECP256R1()) ++ encryption = ( ++ serialization.PrivateFormat.PKCS12.encryption_builder() ++ .hmac_hash(hashes.SHA256()) ++ .build(b"password") ++ ) ++ ++ with pytest.raises(ValueError): ++ serialize_key_and_certificates( ++ b"name", key, cacert, [], encryption ++ ) ++ + + @pytest.mark.skip_fips( + reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it." diff --git a/SOURCES/CVE-2025-24898.patch b/SOURCES/CVE-2025-24898.patch new file mode 100644 index 0000000..454b5aa --- /dev/null +++ b/SOURCES/CVE-2025-24898.patch @@ -0,0 +1,52 @@ +From eda4f38d30c9e8bdfee282d75fc7350d50ba78f3 Mon Sep 17 00:00:00 2001 +From: Charalampos Stratakis +Date: Thu, 6 Feb 2025 00:16:30 +0100 +Subject: [PATCH 1/2] Use our patched copy of the openssl crate + +--- + src/rust/Cargo.toml | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml +index 01fba14..a352548 100644 +--- a/src/rust/Cargo.toml ++++ b/src/rust/Cargo.toml +@@ -20,6 +20,9 @@ openssl = "0.10.54" + openssl-sys = "0.9.88" + foreign-types-shared = "0.1" + ++[patch.crates-io] ++openssl = { path= "../../vendor/openssl" } ++ + [build-dependencies] + cc = "1.0.72" + +-- +2.48.1 + + +From a99434f68209631e9363ffa4dd32dacbfa376221 Mon Sep 17 00:00:00 2001 +From: Steven Fackler +Date: Sun, 2 Feb 2025 12:19:46 -0500 +Subject: [PATCH 2/2] Fix lifetimes in ssl::select_next_proto + +--- + vendor/openssl/src/ssl/mod.rs | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/vendor/openssl/src/ssl/mod.rs b/vendor/openssl/src/ssl/mod.rs +index fb38bb3..6aa6705 100644 +--- a/vendor/openssl/src/ssl/mod.rs ++++ b/vendor/openssl/src/ssl/mod.rs +@@ -696,7 +696,7 @@ cfg_if! { + /// + /// [`SslContextBuilder::set_alpn_protos`]: struct.SslContextBuilder.html#method.set_alpn_protos + #[corresponds(SSL_select_next_proto)] +-pub fn select_next_proto<'a>(server: &[u8], client: &'a [u8]) -> Option<&'a [u8]> { ++pub fn select_next_proto<'a>(server: &'a [u8], client: &'a [u8]) -> Option<&'a [u8]> { + unsafe { + let mut out = ptr::null_mut(); + let mut outlen = 0; +-- +2.48.1 + diff --git a/SPECS/python3.12-cryptography.spec b/SPECS/python3.12-cryptography.spec index 38c29a0..aad4974 100644 --- a/SPECS/python3.12-cryptography.spec +++ b/SPECS/python3.12-cryptography.spec @@ -8,7 +8,7 @@ Name: python%{python3_pkgversion}-%{srcname} Version: 41.0.7 -Release: 1%{?dist} +Release: 2%{?dist}.1 Summary: PyCA's cryptography library # We bundle various crates with cryptography which is dual licensed @@ -83,6 +83,16 @@ Source2: conftest-skipper.py # https://github.com/pyca/cryptography/commit/3165db8efc82d8e379c4931453f6c776ab8db013 Patch1: raise-an-exception-for-CVE-2023-49083.patch +# Security fix for CVE-2025-24898 in the bundled openssl crate +# Resolved upsteam: +# https://github.com/sfackler/rust-openssl/commit/f014afb230de4d77bc79dea60e7e58c2f47b60f2 +Patch2: CVE-2025-24898.patch + +# Security fix for CVE-2024-26130 +# Resolved upstream: +# https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55 +Patch3: CVE-2024-26130.patch + ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -177,13 +187,16 @@ cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. %prep -%autosetup -p1 -n %{srcname}-%{version} %if 0%{?fedora} +%autosetup -p1 -n %{srcname}-%{version} %cargo_prep rm src/rust/Cargo.lock %else # RHEL: use vendored Rust crates -%cargo_prep -V 1 +# We unpack the vendored crates to +# be able to patch them +%autosetup -p1 -n %{srcname}-%{version} -a1 +%cargo_prep -v vendor %endif %if 0%{?fedora} @@ -199,6 +212,7 @@ sed -i 's,--no-subtests-shortletter,,' pyproject.toml %build export OPENSSL_NO_VENDOR=1 +export RUSTFLAGS="%build_rustflags" %py3_build %install @@ -238,6 +252,14 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Sep 05 2025 Lumir Balhar - 41.0.7-2.1 +- Security fix for CVE-2024-26130 +Resolves: RHEL-112483 + +* Wed Feb 05 2025 Charalampos Stratakis - 41.0.7-2 +- Security fix for CVE-2025-24898 in the bundled openssl crate +Resolves: RHEL-77735 + * Tue Feb 06 2024 Miro HronĨok - 41.0.7-1 - Update to 41.0.7, fixes CVE-2023-49083