From e073c8d5b3fb1387f1191105baca3f43c873a134 Mon Sep 17 00:00:00 2001 From: jackeyji Date: Thu, 18 Jan 2024 10:57:19 +0800 Subject: [PATCH] fix CVE-2023-49083 Signed-off-by: jackeyji --- fix-CVE-2023-49083.patch | 45 ++++++++++++++++++++++++++++++++++++++++ python-cryptography.spec | 8 ++++++- 2 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 fix-CVE-2023-49083.patch diff --git a/fix-CVE-2023-49083.patch b/fix-CVE-2023-49083.patch new file mode 100644 index 0000000..e364429 --- /dev/null +++ b/fix-CVE-2023-49083.patch @@ -0,0 +1,45 @@ +From 66cb448876b1e95b637461d13560b970bae09e08 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Wed, 22 Nov 2023 16:49:56 -0500 +Subject: [PATCH] Fixed crash when loading a PKCS#7 bundle with no certificates + +--- + src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++- + tests/hazmat/primitives/test_pkcs7.py | 6 ++++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index 7c08862b3070..adfd7aefe5f0 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -1111,9 +1111,12 @@ def _load_pkcs7_certificates(self, p7) -> list[x509.Certificate]: + _Reasons.UNSUPPORTED_SERIALIZATION, + ) + ++ certs: list[x509.Certificate] = [] ++ if p7.d.sign == self._ffi.NULL: ++ return certs ++ + sk_x509 = p7.d.sign.cert + num = self._lib.sk_X509_num(sk_x509) +- certs = [] + for i in range(num): + x509 = self._lib.sk_X509_value(sk_x509, i) + self.openssl_assert(x509 != self._ffi.NULL) +diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py +index ceb84e5fb48e..434a361057f2 100644 +--- a/tests/hazmat/primitives/test_pkcs7.py ++++ b/tests/hazmat/primitives/test_pkcs7.py +@@ -89,6 +89,12 @@ def test_load_pkcs7_unsupported_type(self, backend): + mode="rb", + ) + ++ def test_load_pkcs7_empty_certificates(self): ++ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02" ++ ++ certificates = pkcs7.load_der_pkcs7_certificates(der) ++ assert certificates == [] ++ + + # We have no public verification API and won't be adding one until we get + # some requirements from users so this function exists to give us basic diff --git a/python-cryptography.spec b/python-cryptography.spec index 33d2847..87720e3 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,13 +6,16 @@ Summary: PyCA's cryptography library Name: python-%{srcname} Version: 41.0.4 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 or BSD URL: https://cryptography.io/en/latest/ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz # Fetched from crates.io by executing `cargo vendor` in %%{srcname}-%%{version}/src/rust Source1: cryptography-%{version}-vendor.tar.bz2 +#upstream:https://github.com/pyca/cryptography/pull/9926/commits/66cb448876b1e95b637461d13560b970bae09e08 +Patch0001: fix-CVE-2023-49083.patch + BuildRequires: gcc gnupg2 cargo rust BuildRequires: openssl-devel BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 @@ -82,6 +85,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Jan 18 2024 jackeyji - 41.0.4-2 +- fix CVE-2023-49083 + * Mon Sep 25 2023 Miaojun Dong - 41.0.4-1 - Bump version to 41.0.4 -- Gitee