Security fix for CVE-2024-26130

Resolves: RHEL-112485
2025-09-05 15:16:24 +02:00 · 2025-09-05 15:16:24 +02:00 · aeae89e63f
commit aeae89e63f
parent 781eb41a35
2 changed files with 71 additions and 1 deletions
--- a/CVE-2024-26130.patch
+++ b/CVE-2024-26130.patch
@ -0,0 +1,60 @@
+From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Mon, 19 Feb 2024 11:50:28 -0500
+Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't
+ match (#10423)
+
+---
+ .../hazmat/backends/openssl/backend.py         |  9 +++++++++
+ tests/hazmat/primitives/test_pkcs12.py         | 18 ++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index 45888f36168a..6a4aeca7521f 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -623,6 +623,15 @@ def serialize_key_and_certificates_to_pkcs12(
+                     mac_iter,
+                     0,
+                 )
+                if p12 == self._ffi.NULL:
+                    errors = self._consume_errors()
+                    raise ValueError(
+                        (
+                            "Failed to create PKCS12 (does the key match the "
+                            "certificate?)"
+                        ),
+                        errors,
+                    )
+ 
+             if (
+                 self._lib.Cryptography_HAS_PKCS12_SET_MAC
+diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py
+index f49c98a4ed3d..cb998c4a4bc0 100644
+--- a/tests/hazmat/primitives/test_pkcs12.py
+++ b/tests/hazmat/primitives/test_pkcs12.py
+@@ -660,6 +660,24 @@ def test_key_serialization_encryption_set_mac_unsupported(
+                 b"name", cakey, cacert, [], algorithm
+             )
+ 
+    @pytest.mark.supported(
+        only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC,
+        skip_message="Requires OpenSSL with PKCS12_set_mac",
+    )
+    def test_set_mac_key_certificate_mismatch(self, backend):
+        cacert, _ = _load_ca(backend)
+        key = ec.generate_private_key(ec.SECP256R1())
+        encryption = (
+            serialization.PrivateFormat.PKCS12.encryption_builder()
+            .hmac_hash(hashes.SHA256())
+            .build(b"password")
+        )
+
+        with pytest.raises(ValueError):
+            serialize_key_and_certificates(
+                b"name", key, cacert, [], encryption
+            )
+
+ 
+ @pytest.mark.skip_fips(
+     reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it."
--- a/python3.12-cryptography.spec
+++ b/python3.12-cryptography.spec
@ -8,7 +8,7 @@

 Name:           python%{python3_pkgversion}-%{srcname}
 Version:        41.0.7
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        PyCA's cryptography library

 # We bundle various crates with cryptography which is dual licensed
@ -87,6 +87,12 @@ Patch1:         raise-an-exception-for-CVE-2023-49083.patch
 # Resolved upsteam:
 # https://github.com/sfackler/rust-openssl/commit/f014afb230de4d77bc79dea60e7e58c2f47b60f2
 Patch2:         CVE-2025-24898.patch
+
+# Security fix for CVE-2024-26130
+# Resolved upstream:
+# https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
+Patch3:         CVE-2024-26130.patch
+
 ExclusiveArch:  %{rust_arches}

 BuildRequires:  openssl-devel
@ -246,6 +252,10 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
 %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info

 %changelog
+* Fri Sep 05 2025 Lumir Balhar <lbalhar@redhat.com> - 41.0.7-3
+- Security fix for CVE-2024-26130
+Resolves: RHEL-112485
+
 * Wed Feb 05 2025 Charalampos Stratakis <cstratak@redhat.com> - 41.0.7-2
 - Security fix for CVE-2025-24898 in the bundled openssl crate
 Resolves: RHEL-77735