diff --git a/disable-RSA-PKCS-1v1.5-padding-to-fix-CVE-2023-50782.patch b/disable-RSA-PKCS-1v1.5-padding-to-fix-CVE-2023-50782.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ab85d709890a5e792596d1729865d3fe93b9f79f
--- /dev/null
+++ b/disable-RSA-PKCS-1v1.5-padding-to-fix-CVE-2023-50782.patch
@@ -0,0 +1,60 @@
+From 741d8f3abfbe6dd2043cfa637b962a5b2b5203ba Mon Sep 17 00:00:00 2001
+From: shixuantong
+Date: Wed, 2 Jul 2025 14:45:50 +0800
+Subject: [PATCH] disable RSA PKCS#1v1.5 padding to fix CVE-2023-50782
+
+---
+ src/cryptography/hazmat/backends/openssl/rsa.py | 2 ++
+ tests/hazmat/primitives/test_rsa.py | 16 +++++++++-------
+ 2 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
+index 9bef49d..0d35357 100644
+--- a/src/cryptography/hazmat/backends/openssl/rsa.py
++++ b/src/cryptography/hazmat/backends/openssl/rsa.py
+@@ -94,6 +94,8 @@ def _enc_dec_rsa_pkey_ctx(
+ padding_enum: int,
+ padding: AsymmetricPadding,
+ ) -> bytes:
++ if isinstance(padding, PKCS1v15):
++ raise ValueError("RSA PKCS#1v1.5 has security problems and it has been banned.")
+ if isinstance(key, _RSAPublicKey):
+ init = backend._lib.EVP_PKEY_encrypt_init
+ crypt = backend._lib.EVP_PKEY_encrypt
+diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py
+index 4fb205d..94114cf 100644
+--- a/tests/hazmat/primitives/test_rsa.py
++++ b/tests/hazmat/primitives/test_rsa.py
+@@ -1542,8 +1542,9 @@ class TestRSADecryption(object):
+ ).private_key(backend)
+ ciphertext = binascii.unhexlify(example["encryption"])
+ assert len(ciphertext) == (skey.key_size + 7) // 8
+- message = skey.decrypt(ciphertext, padding.PKCS1v15())
+- assert message == binascii.unhexlify(example["message"])
++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."):
++ message = skey.decrypt(ciphertext, padding.PKCS1v15())
++ assert message == binascii.unhexlify(example["message"])
+
+ def test_unsupported_padding(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+@@ -1879,11 +1880,12 @@ class TestRSAEncryption(object):
+ _check_fips_key_length(backend, private_key)
+ pt = b"encrypt me!"
+ public_key = private_key.public_key()
+- ct = public_key.encrypt(pt, pad)
+- assert ct != pt
+- assert len(ct) == (public_key.key_size + 7) // 8
+- recovered_pt = private_key.decrypt(ct, pad)
+- assert recovered_pt == pt
++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."):
++ ct = public_key.encrypt(pt, pad)
++ assert ct != pt
++ assert len(ct) == (public_key.key_size + 7) // 8
++ recovered_pt = private_key.decrypt(ct, pad)
++ assert recovered_pt == pt
+
+ @pytest.mark.parametrize(
+ ("key_data", "pad"),
+--
+2.27.0
+
diff --git a/python-cryptography.spec b/python-cryptography.spec
index bd67ca9e62cf12e5d4f1fe8db158a753a070f404..ed4be91de29207054a4443b870ce4a19298967da 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -1,7 +1,7 @@ %global srcname cryptography Name: python-%{srcname} Version: 36.0.1 -Release: 6 +Release: 7 Summary: PyCA's cryptography library License: ASL 2.0 or BSD URL: https://cryptography.io/en/latest/
@@ -13,6 +13,8 @@ Patch6003: backport-CVE-2023-23931.patch Patch6004: backport-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-certificates.patch Patch6005: backport-raise-an-exception-instead-of-returning-an-empty-list-for-pkcs7-cert-loading.patch +Patch9000: disable-RSA-PKCS-1v1.5-padding-to-fix-CVE-2023-50782.patch + BuildRequires: openssl-devel cargo BuildRequires: gcc
@@ -85,6 +87,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %doc README.rst docs %changelog +* Wed Jul 02 shixuantong - 36.0.1-7 +- disable RSA PKCS#1v1.5 padding to fix CVE-2023-50782 + * Sat Dec 23 shixuantong - 36.0.1-6 - update author info for Patch6002
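Review bot: In the added patch's rsa.py hunk, the guard in `_enc_dec_rsa_pkey_ctx` raises a bare `ValueError`, which is, as far as I can tell, the same type `decrypt()` already raises for a bad ciphertext, so a caller that wraps decryption in `except ValueError` will treat the padding ban as an ordinary decryption failure instead of a configuration error. I would raise the library's unsupported-padding error instead, `raise UnsupportedAlgorithm("RSA PKCS#1 v1.5 encryption padding is disabled (CVE-2023-50782).", _Reasons.UNSUPPORTED_PADDING)`, after confirming both names are imported in rsa.py (the import block and the rest of the function are outside the hunk), and update the expected exception in the two tests to match. The check also runs before the `_RSAPublicKey` branch, so public-key encryption is refused as well as decryption; if that is deliberate, a one-line comment saying so would help, since the CVE in the subject, as I understand it, concerns the decryption timing side channel. In both test_rsa.py hunks the asserts kept inside `with pytest.raises(...)` after the raising call can never execute and `match=` takes a regex, so the block should contain only the `decrypt`/`encrypt` call and the message should go through `re.escape`.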