From 46fbffd52776642576b4d3a1019b20c43b47778f Mon Sep 17 00:00:00 2001 From: jackeyji Date: Thu, 19 Sep 2024 16:11:11 +0800 Subject: [PATCH] fix CVE-2024-26130 Signed-off-by: jackeyji --- fix-CVE-2024-26130.patch | 60 ++++++++++++++++++++++++++++++++++++++++ python-cryptography.spec | 8 +++++- 2 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 fix-CVE-2024-26130.patch diff --git a/fix-CVE-2024-26130.patch b/fix-CVE-2024-26130.patch new file mode 100644 index 0000000..5856151 --- /dev/null +++ b/fix-CVE-2024-26130.patch @@ -0,0 +1,60 @@ +From 3e5fc0e30f708df624f28170bb8963b180ebf7e6 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Mon, 19 Feb 2024 11:16:45 -0500 +Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't + match + +--- + .../hazmat/backends/openssl/backend.py | 9 +++++++++ + tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++ + 2 files changed, 27 insertions(+) + +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index 45888f36168a..6a4aeca7521f 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -623,6 +623,15 @@ def serialize_key_and_certificates_to_pkcs12( + mac_iter, + 0, + ) ++ if p12 == self._ffi.NULL: ++ errors = self._consume_errors() ++ raise ValueError( ++ ( ++ "Failed to create PKCS12 (does the key match the " ++ "certificate?)" ++ ), ++ errors, ++ ) + + if ( + self._lib.Cryptography_HAS_PKCS12_SET_MAC +diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py +index f49c98a4ed3d..cb998c4a4bc0 100644 +--- a/tests/hazmat/primitives/test_pkcs12.py ++++ b/tests/hazmat/primitives/test_pkcs12.py +@@ -660,6 +660,24 @@ def test_key_serialization_encryption_set_mac_unsupported( + b"name", cakey, cacert, [], algorithm + ) + ++ @pytest.mark.supported( ++ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC, ++ skip_message="Requires OpenSSL with PKCS12_set_mac", ++ ) ++ def test_set_mac_key_certificate_mismatch(self, backend): ++ cacert, _ = _load_ca(backend) ++ key = ec.generate_private_key(ec.SECP256R1()) ++ encryption = ( ++ serialization.PrivateFormat.PKCS12.encryption_builder() ++ .hmac_hash(hashes.SHA256()) ++ .build(b"password") ++ ) ++ ++ with pytest.raises(ValueError): ++ serialize_key_and_certificates( ++ b"name", key, cacert, [], encryption ++ ) ++ + + @pytest.mark.skip_fips( + reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it." diff --git a/python-cryptography.spec b/python-cryptography.spec index 1effa18..f6b4d11 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Summary: PyCA's cryptography library Name: python-%{srcname} Version: 41.0.4 -Release: 6%{?dist} +Release: 7%{?dist} License: ASL 2.0 or BSD URL: https://cryptography.io/en/latest/ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz @@ -15,6 +15,8 @@ Source1: cryptography-%{version}-vendor.tar.bz2 #upstream:https://github.com/pyca/cryptography/pull/9926/commits/66cb448876b1e95b637461d13560b970bae09e08 Patch0001: fix-CVE-2023-49083.patch +#upstream:https://github.com/pyca/cryptography/pull/10423/commits/3e5fc0e30f708df624f28170bb8963b180ebf7e6 +Patch0002: fix-CVE-2024-26130.patch BuildRequires: gcc gnupg2 cargo rust rust-toolset BuildRequires: openssl-devel @@ -76,6 +78,10 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Sep 19 2024 jackeyji - 41.0.4-7 +- [Type] security +- [DESC] fix CVE-2024-26130 + * Fri Aug 16 2024 OpenCloudOS Release Engineering - 41.0.4-6 - Rebuilt for loongarch release -- Gitee