diff --git a/plan.fmf b/plan.fmf index 98e1550..729c46e 100644 --- a/plan.fmf +++ b/plan.fmf @@ -6,6 +6,7 @@ discover: tests: - name: bundled tests - Prepare part require: + - patch - python3.12-pytest - python3.12-cryptography - python3.12-pip @@ -47,5 +48,6 @@ discover: - name: unittests-primitives-f-z test: | cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) && + patch -p1 < $TMT_TREE/raise-an-exception-for-CVE-2023-49083.patch && PYTHONPATH=./vectors OPENSSL_ENABLE_SHA1_SIGNATURES=yes pytest-3.12 tests/hazmat/primitives/test_[f-z]*.py \ tests/hazmat/primitives/twofactor diff --git a/python3.12-cryptography.spec b/python3.12-cryptography.spec index 7f67a7a..38c29a0 100644 --- a/python3.12-cryptography.spec +++ b/python3.12-cryptography.spec @@ -78,6 +78,11 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py +# Improvement for the fix for CVE-2023-49083 +# Backported from upstream: +# https://github.com/pyca/cryptography/commit/3165db8efc82d8e379c4931453f6c776ab8db013 +Patch1: raise-an-exception-for-CVE-2023-49083.patch + ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel diff --git a/raise-an-exception-for-CVE-2023-49083.patch b/raise-an-exception-for-CVE-2023-49083.patch new file mode 100644 index 0000000..a9ddd84 --- /dev/null +++ b/raise-an-exception-for-CVE-2023-49083.patch @@ -0,0 +1,66 @@ +From bb4172af124eda3e4804272dd452863684a00a00 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Wed, 7 Feb 2024 14:48:09 +0100 +Subject: [PATCH] raise an exception instead of returning an empty list for + pkcs7 cert loading (#9947) + +* raise an exception instead of returning an empty list + +as davidben points out in #9926 we are calling a specific load +certificates function and an empty value doesn't necessarily mean empty +because PKCS7 contains multitudes. erroring is more correct. + +* changelog + +* Update CHANGELOG.rst + +Co-authored-by: Alex Gaynor + +--------- + +Co-authored-by: Alex Gaynor +--- + src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++-- + tests/hazmat/primitives/test_pkcs7.py | 4 ++-- + 2 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index f1c79008b..3e8b8aa6b 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -1890,12 +1890,15 @@ class Backend: + _Reasons.UNSUPPORTED_SERIALIZATION, + ) + +- certs: list[x509.Certificate] = [] + if p7.d.sign == self._ffi.NULL: +- return certs ++ raise ValueError( ++ "The provided PKCS7 has no certificate data, but a cert " ++ "loading method was called." ++ ) + + sk_x509 = p7.d.sign.cert + num = self._lib.sk_X509_num(sk_x509) ++ certs: list[x509.Certificate] = [] + for i in range(num): + x509 = self._lib.sk_X509_value(sk_x509, i) + self.openssl_assert(x509 != self._ffi.NULL) +diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py +index f6ad64151..bc006dae3 100644 +--- a/tests/hazmat/primitives/test_pkcs7.py ++++ b/tests/hazmat/primitives/test_pkcs7.py +@@ -92,8 +92,8 @@ class TestPKCS7Loading: + def test_load_pkcs7_empty_certificates(self, backend): + der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02" + +- certificates = pkcs7.load_der_pkcs7_certificates(der) +- assert certificates == [] ++ with pytest.raises(ValueError): ++ pkcs7.load_der_pkcs7_certificates(der) + + + # We have no public verification API and won't be adding one until we get +-- +2.43.0 +