Improvement for the fix for CVE-2023-49083

Resolves: RHEL-17730
2024-02-07 15:07:09 +01:00 · 2024-02-07 15:07:09 +01:00 · fcc871dac2
commit fcc871dac2
parent f0d6be6722
3 changed files with 73 additions and 0 deletions
--- a/plan.fmf
+++ b/plan.fmf
@ -6,6 +6,7 @@ discover:
  tests:
  - name: bundled tests - Prepare part
    require:
+    - patch
    - python3.12-pytest
    - python3.12-cryptography
    - python3.12-pip
@ -47,5 +48,6 @@ discover:
  - name: unittests-primitives-f-z
    test: |
      cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
+      patch -p1 < $TMT_TREE/raise-an-exception-for-CVE-2023-49083.patch &&
      PYTHONPATH=./vectors OPENSSL_ENABLE_SHA1_SIGNATURES=yes pytest-3.12 tests/hazmat/primitives/test_[f-z]*.py \
            tests/hazmat/primitives/twofactor
--- a/python3.12-cryptography.spec
+++ b/python3.12-cryptography.spec
@ -78,6 +78,11 @@ Source0:        https://github.com/pyca/cryptography/archive/%{version}/%{srcnam
 Source1:        cryptography-%{version}-vendor.tar.bz2
 Source2:        conftest-skipper.py

+# Improvement for the fix for CVE-2023-49083
+# Backported from upstream:
+# https://github.com/pyca/cryptography/commit/3165db8efc82d8e379c4931453f6c776ab8db013
+Patch1:         raise-an-exception-for-CVE-2023-49083.patch
+
 ExclusiveArch:  %{rust_arches}

 BuildRequires:  openssl-devel
--- a/raise-an-exception-for-CVE-2023-49083.patch
+++ b/raise-an-exception-for-CVE-2023-49083.patch
@ -0,0 +1,66 @@
+From bb4172af124eda3e4804272dd452863684a00a00 Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <paul.l.kehrer@gmail.com>
+Date: Wed, 7 Feb 2024 14:48:09 +0100
+Subject: [PATCH] raise an exception instead of returning an empty list for 
+ pkcs7 cert loading (#9947)
+
+* raise an exception instead of returning an empty list
+
+as davidben points out in #9926 we are calling a specific load
+certificates function and an empty value doesn't necessarily mean empty
+because PKCS7 contains multitudes. erroring is more correct.
+
+* changelog
+
+* Update CHANGELOG.rst
+
+Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
+
+---------
+
+Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
+---
+ src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++--
+ tests/hazmat/primitives/test_pkcs7.py               | 4 ++--
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index f1c79008b..3e8b8aa6b 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -1890,12 +1890,15 @@ class Backend:
+                 _Reasons.UNSUPPORTED_SERIALIZATION,
+             )
+ 
+-        certs: list[x509.Certificate] = []
+         if p7.d.sign == self._ffi.NULL:
+-            return certs
+            raise ValueError(
+                "The provided PKCS7 has no certificate data, but a cert "
+                "loading method was called."
+            )
+ 
+         sk_x509 = p7.d.sign.cert
+         num = self._lib.sk_X509_num(sk_x509)
+        certs: list[x509.Certificate] = []
+         for i in range(num):
+             x509 = self._lib.sk_X509_value(sk_x509, i)
+             self.openssl_assert(x509 != self._ffi.NULL)
+diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
+index f6ad64151..bc006dae3 100644
+--- a/tests/hazmat/primitives/test_pkcs7.py
+++ b/tests/hazmat/primitives/test_pkcs7.py
+@@ -92,8 +92,8 @@ class TestPKCS7Loading:
+     def test_load_pkcs7_empty_certificates(self, backend):
+         der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
+ 
+-        certificates = pkcs7.load_der_pkcs7_certificates(der)
+-        assert certificates == []
+        with pytest.raises(ValueError):
+            pkcs7.load_der_pkcs7_certificates(der)
+ 
+ 
+ # We have no public verification API and won't be adding one until we get
+-- 
+2.43.0
+