rpms/python3.12-cryptography
13
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: rpms:c9-beta
Branches Tags
rpms:c8-beta
rpms:c9-beta
rpms:c9s
rpms:c10s
rpms:c8s
rpms:imports/c9-beta/python3.12-cryptography-41.0.7-3.el9_7
rpms:imports/c9/python3.12-cryptography-41.0.7-2.el9_6.1
rpms:imports/c9/python3.12-cryptography-41.0.7-2.el9
rpms:imports/c9-beta/python3.12-cryptography-41.0.7-2.el9
rpms:imports/c9-beta/python3.12-cryptography-41.0.7-1.el9
rpms:imports/c8-beta/python3.12-cryptography-41.0.7-1.el8
rpms:imports/c10s/python3.12-cryptography-41.0.7-1.el10
..
compare: rpms:c8-beta
Branches Tags
rpms:c9-beta
rpms:c9s
rpms:c8-beta
rpms:c10s
rpms:c8s
rpms:imports/c9-beta/python3.12-cryptography-41.0.7-3.el9_7
rpms:imports/c9/python3.12-cryptography-41.0.7-2.el9_6.1
rpms:imports/c9/python3.12-cryptography-41.0.7-2.el9
rpms:imports/c9-beta/python3.12-cryptography-41.0.7-2.el9
rpms:imports/c9-beta/python3.12-cryptography-41.0.7-1.el9
rpms:imports/c8-beta/python3.12-cryptography-41.0.7-1.el8
rpms:imports/c10s/python3.12-cryptography-41.0.7-1.el10

No commits in common. "c9-beta" and "c8-beta" have entirely different histories.
c9-beta ... c8-beta

3 changed files with 3 additions and 137 deletions
Show Stats Expand all files Collapse all files

60
SOURCES/CVE-2024-26130.patch
View File

@ -1,60 +0,0 @@
From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Mon, 19 Feb 2024 11:50:28 -0500
Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't
match (#10423)
---
.../hazmat/backends/openssl/backend.py | 9 +++++++++
tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++
2 files changed, 27 insertions(+)
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 45888f36168a..6a4aeca7521f 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -623,6 +623,15 @@ def serialize_key_and_certificates_to_pkcs12(
mac_iter,
0,
)
+ if p12 == self._ffi.NULL:
+ errors = self._consume_errors()
+ raise ValueError(
+ (
+ "Failed to create PKCS12 (does the key match the "
+ "certificate?)"
+ ),
+ errors,
+ )
if (
self._lib.Cryptography_HAS_PKCS12_SET_MAC
diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py
index f49c98a4ed3d..cb998c4a4bc0 100644
--- a/tests/hazmat/primitives/test_pkcs12.py
+++ b/tests/hazmat/primitives/test_pkcs12.py
@@ -660,6 +660,24 @@ def test_key_serialization_encryption_set_mac_unsupported(
b"name", cakey, cacert, [], algorithm
)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC,
+ skip_message="Requires OpenSSL with PKCS12_set_mac",
+ )
+ def test_set_mac_key_certificate_mismatch(self, backend):
+ cacert, _ = _load_ca(backend)
+ key = ec.generate_private_key(ec.SECP256R1())
+ encryption = (
+ serialization.PrivateFormat.PKCS12.encryption_builder()
+ .hmac_hash(hashes.SHA256())
+ .build(b"password")
+ )
+
+ with pytest.raises(ValueError):
+ serialize_key_and_certificates(
+ b"name", key, cacert, [], encryption
+ )
+
@pytest.mark.skip_fips(
reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it."

52
SOURCES/CVE-2025-24898.patch
View File

@ -1,52 +0,0 @@
From eda4f38d30c9e8bdfee282d75fc7350d50ba78f3 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Thu, 6 Feb 2025 00:16:30 +0100
Subject: [PATCH 1/2] Use our patched copy of the openssl crate
---
src/rust/Cargo.toml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
index 01fba14..a352548 100644
--- a/src/rust/Cargo.toml
+++ b/src/rust/Cargo.toml
@@ -20,6 +20,9 @@ openssl = "0.10.54"
openssl-sys = "0.9.88"
foreign-types-shared = "0.1"
+[patch.crates-io]
+openssl = { path= "../../vendor/openssl" }
+
[build-dependencies]
cc = "1.0.72"
--
2.48.1
From a99434f68209631e9363ffa4dd32dacbfa376221 Mon Sep 17 00:00:00 2001
From: Steven Fackler <sfackler@gmail.com>
Date: Sun, 2 Feb 2025 12:19:46 -0500
Subject: [PATCH 2/2] Fix lifetimes in ssl::select_next_proto
---
vendor/openssl/src/ssl/mod.rs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vendor/openssl/src/ssl/mod.rs b/vendor/openssl/src/ssl/mod.rs
index fb38bb3..6aa6705 100644
--- a/vendor/openssl/src/ssl/mod.rs
+++ b/vendor/openssl/src/ssl/mod.rs
@@ -696,7 +696,7 @@ cfg_if! {
///
/// [`SslContextBuilder::set_alpn_protos`]: struct.SslContextBuilder.html#method.set_alpn_protos
#[corresponds(SSL_select_next_proto)]
-pub fn select_next_proto<'a>(server: &[u8], client: &'a [u8]) -> Option<&'a [u8]> {
+pub fn select_next_proto<'a>(server: &'a [u8], client: &'a [u8]) -> Option<&'a [u8]> {
unsafe {
let mut out = ptr::null_mut();
let mut outlen = 0;
--
2.48.1

28
SPECS/python3.12-cryptography.spec
View File

@ -8,7 +8,7 @@
Name: python%{python3_pkgversion}-%{srcname} Name: python%{python3_pkgversion}-%{srcname}
Version: 41.0.7 Version: 41.0.7
Release: 3%{?dist} Release: 1%{?dist}
Summary: PyCA's cryptography library Summary: PyCA's cryptography library
# We bundle various crates with cryptography which is dual licensed # We bundle various crates with cryptography which is dual licensed
@ -83,16 +83,6 @@ Source2: conftest-skipper.py
# https://github.com/pyca/cryptography/commit/3165db8efc82d8e379c4931453f6c776ab8db013 # https://github.com/pyca/cryptography/commit/3165db8efc82d8e379c4931453f6c776ab8db013
Patch1: raise-an-exception-for-CVE-2023-49083.patch Patch1: raise-an-exception-for-CVE-2023-49083.patch
# Security fix for CVE-2025-24898 in the bundled openssl crate
# Resolved upsteam:
# https://github.com/sfackler/rust-openssl/commit/f014afb230de4d77bc79dea60e7e58c2f47b60f2
Patch2: CVE-2025-24898.patch
# Security fix for CVE-2024-26130
# Resolved upstream:
# https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
Patch3: CVE-2024-26130.patch
ExclusiveArch: %{rust_arches} ExclusiveArch: %{rust_arches}
BuildRequires: openssl-devel BuildRequires: openssl-devel
@ -187,16 +177,13 @@ cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers. recipes to Python developers.
%prep %prep
%if 0%{?fedora}
%autosetup -p1 -n %{srcname}-%{version} %autosetup -p1 -n %{srcname}-%{version}
%if 0%{?fedora}
%cargo_prep %cargo_prep
rm src/rust/Cargo.lock rm src/rust/Cargo.lock
%else %else
# RHEL: use vendored Rust crates # RHEL: use vendored Rust crates
# We unpack the vendored crates to %cargo_prep -V 1
# be able to patch them
%autosetup -p1 -n %{srcname}-%{version} -a1
%cargo_prep -v vendor
%endif %endif
%if 0%{?fedora} %if 0%{?fedora}
@ -212,7 +199,6 @@ sed -i 's,--no-subtests-shortletter,,' pyproject.toml
%build %build
export OPENSSL_NO_VENDOR=1 export OPENSSL_NO_VENDOR=1
export RUSTFLAGS="%build_rustflags"
%py3_build %py3_build
%install %install
@ -252,14 +238,6 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
%changelog %changelog
* Fri Sep 05 2025 Lumir Balhar <lbalhar@redhat.com> - 41.0.7-3
- Security fix for CVE-2024-26130
Resolves: RHEL-112485
* Wed Feb 05 2025 Charalampos Stratakis <cstratak@redhat.com> - 41.0.7-2
- Security fix for CVE-2025-24898 in the bundled openssl crate
Resolves: RHEL-77735
* Tue Feb 06 2024 Miro Hrončok <mhroncok@redhat.com> - 41.0.7-1 * Tue Feb 06 2024 Miro Hrončok <mhroncok@redhat.com> - 41.0.7-1
- Update to 41.0.7, fixes CVE-2023-49083 - Update to 41.0.7, fixes CVE-2023-49083