From 0dc8813b04592c15866201e48e7647d606fdf788 Mon Sep 17 00:00:00 2001
From: jackeyji
Date: Wed, 28 Feb 2024 17:50:07 +0800
Subject: [PATCH] upgrade to 42.0.3 to fix CVE-2023-50782
Signed-off-by: jackeyji
---
 fix-CVE-2023-49083.patch | 45 ----------------------------------------
 python-cryptography.spec | 27 ++++++++++++------------
 sources | 4 ++--
 3 files changed, 15 insertions(+), 61 deletions(-)
 delete mode 100644 fix-CVE-2023-49083.patch
diff --git a/fix-CVE-2023-49083.patch b/fix-CVE-2023-49083.patch
deleted file mode 100644
index e364429..0000000
--- a/fix-CVE-2023-49083.patch
+++ /dev/null
@@ -1,45 +0,0 @@ -From 66cb448876b1e95b637461d13560b970bae09e08 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Wed, 22 Nov 2023 16:49:56 -0500 -Subject: [PATCH] Fixed crash when loading a PKCS#7 bundle with no certificates ---- - src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++- - tests/hazmat/primitives/test_pkcs7.py | 6 ++++++ - 2 files changed, 10 insertions(+), 1 deletion(-) - -diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py -index 7c08862b3070..adfd7aefe5f0 100644 ---- a/src/cryptography/hazmat/backends/openssl/backend.py -+++ b/src/cryptography/hazmat/backends/openssl/backend.py -@@ -1111,9 +1111,12 @@ def _load_pkcs7_certificates(self, p7) -> list[x509.Certificate]: - _Reasons.UNSUPPORTED_SERIALIZATION, - ) - -+ certs: list[x509.Certificate] = [] -+ if p7.d.sign == self._ffi.NULL: -+ return certs -+ - sk_x509 = p7.d.sign.cert - num = self._lib.sk_X509_num(sk_x509) -- certs = [] - for i in range(num): - x509 = self._lib.sk_X509_value(sk_x509, i) - self.openssl_assert(x509 != self._ffi.NULL) -diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py -index ceb84e5fb48e..434a361057f2 100644 ---- a/tests/hazmat/primitives/test_pkcs7.py -+++ b/tests/hazmat/primitives/test_pkcs7.py -@@ -89,6 +89,12 @@ def test_load_pkcs7_unsupported_type(self, backend): - mode="rb", - ) - -+ def test_load_pkcs7_empty_certificates(self): -+ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02" -+ -+ certificates = pkcs7.load_der_pkcs7_certificates(der) -+ assert certificates == [] -+ - - # We have no public verification API and won't be adding one until we get - # some requirements from users so this function exists to give us basic
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 87720e3..c00eb80 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -5,24 +5,18 @@ Summary: PyCA's cryptography library
 Name: python-%{srcname}
-Version: 41.0.4
-Release: 2%{?dist}
+Version: 42.0.3
+Release: 1%{?dist}
 License: ASL 2.0 or BSD
 URL: https://cryptography.io/en/latest/
 Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz
 # Fetched from crates.io by executing `cargo vendor` in %%{srcname}-%%{version}/src/rust
 Source1: cryptography-%{version}-vendor.tar.bz2
-#upstream:https://github.com/pyca/cryptography/pull/9926/commits/66cb448876b1e95b637461d13560b970bae09e08
-Patch0001: fix-CVE-2023-49083.patch
-
 BuildRequires: gcc gnupg2 cargo rust
 BuildRequires: openssl-devel
-BuildRequires: python%{python3_pkgversion}-cffi >= 1.7
 BuildRequires: python%{python3_pkgversion}-devel
-BuildRequires: python%{python3_pkgversion}-setuptools
-BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3
-BuildRequires: python%{python3_pkgversion}-six >= 1.4.1
+BuildRequires: python%{python3_pkgversion}-cffi >= 1.12
 %if %{with tests}
 BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4
 BuildRequires: python%{python3_pkgversion}-iso8601
@@ -43,8 +37,7 @@ and key derivation functions.
 %package -n python%{python3_pkgversion}-%{srcname}
 Summary: PyCA's cryptography library
 Requires: openssl-libs
-Requires: python%{python3_pkgversion}-six >= 1.4.1
-Requires: python%{python3_pkgversion}-cffi >= 1.7
+Requires: python%{python3_pkgversion}-cffi >= 1.12
 %description -n python%{python3_pkgversion}-%{srcname}
 cryptography includes both high level recipes and low level interfaces to
@@ -65,12 +58,15 @@ directory = "vendor"
 EOF
+%generate_buildrequires
+%pyproject_buildrequires -t
+
 %build
-%py3_build
+%pyproject_wheel
 %install
 find . -name .keep -print -delete
-%py3_install
+%pyproject_install
 %check
 %if %{with tests}
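Review bot: `%pyproject_buildrequires -t` in the `%generate_buildrequires` hunk requests the tox test dependencies unconditionally, while the test-only BuildRequires a few lines earlier stay behind `%if %{with tests}`, so a build with tests disabled still has to resolve them; gating the flag the same way, e.g. `%pyproject_buildrequires %{?with_tests:-t}`, keeps the two consistent. Source1 is regenerated with `cargo vendor` for each version according to the comment above it, and the SHA512 in `sources` only attests to the maintainer's snapshot, so a note on whether the run used the pristine upstream Cargo.lock would make the shipped crate set reproducible by a second reviewer. `gnupg2` remains in BuildRequires, but no signature source or verification step is visible in these hunks, so I cannot tell from here whether Source0 is checked beyond that SHA512; if it is not, the `gnupg2` dependency is dead weight.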
@@ -82,9 +78,12 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
 %license LICENSE LICENSE.APACHE LICENSE.BSD
 %doc README.rst docs
 %{python3_sitearch}/%{srcname}
-%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
+%{python3_sitearch}/%{srcname}-%{version}.dist-info
 %changelog
+* Wed Feb 28 2024 jackeyji - 42.0.3-1
+- upgrade to 42.0.3 to fix CVE-2023-50782
+
 * Thu Jan 18 2024 jackeyji - 41.0.4-2
 - fix CVE-2023-49083
diff --git a/sources b/sources
index 7a5593e..d7e8220 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (cryptography-41.0.4.tar.gz) = 1de9a37f5d279c1c0a7fb9b37add507105c4879fd95acf2080460b06c2b976066230f34ea06ca93c25f221ce133cfe35514ffd265e20c4db8e13d42b522009ab
-SHA512 (cryptography-41.0.4-vendor.tar.bz2) = 67f0575a1ff53bfba01b14f01f79f2442b0971c67c23eb32ebf77813c7a7e22efdcea3ed6926712cb4d875f71b6f21d24c105b3cdad51e24dc84fa3995edd381
+SHA512 (cryptography-42.0.3.tar.gz) = 8b28d69b149efeb54519e2d2628d45951fd2c00420ba8dbfff3e8c13fe7439ac2992e76740a8327b518df64895d960ebc7872ca9e357396b577d94191f12a07e
+SHA512 (cryptography-42.0.3-vendor.tar.bz2) = 3a8657edbbf2e206fce28dcdfcb6dd0e666ac39724617a56352235e372b2d4af29172f274a79c83315ae3b0bcc65aee7d3af16e06d2c28ab2438f994d8a964be
-- 
Gitee
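Review bot: The new `%changelog` entry records only the upgrade, yet the same commit deletes `fix-CVE-2023-49083.patch` and its `Patch0001` line (diffstat and first file section), so the changelog gives no trace of why that patch disappeared. A second line such as `- drop fix-CVE-2023-49083.patch, fix is included upstream` next to the upgrade line would keep that auditable — assuming inclusion upstream is indeed the reason, which the commit message does not state. The `sources` hunk swaps both SHA512 entries; since the spec's comment says the vendor tarball is produced locally with `cargo vendor`, its hash is the only pin on the Rust crate set that goes into this build and deserves the same scrutiny as the upstream tarball hash.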