diff --git a/backport-CVE-2020-36242.patch b/backport-CVE-2020-36242.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fbfb2a277a7197559d7b9940702fe5f9e55f96a5
--- /dev/null
+++ b/backport-CVE-2020-36242.patch
@@ -0,0 +1,46 @@
+From 962eac3925c7184fb5dc174357823223beba0d85 Mon Sep 17 00:00:00 2001
+From: Paul Kehrer
+Date: Sun, 7 Feb 2021 11:04:43 -0600
+Subject: [PATCH] port changelog and fix back to master for CVE-2020-36242
+
+---
+ CHANGELOG.rst | 9 +++++++++
+ src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG.rst b/CHANGELOG.rst
+index 3cb53d0..4dd7146 100644
+--- a/CHANGELOG.rst
++++ b/CHANGELOG.rst
+@@ -1,6 +1,15 @@
+ Changelog
+ =========
+ 
++.. _v3-3-2:
++
++3.3.2 - 2021-02-07
++~~~~~~~~~~~~~~~~~~
++
++* **SECURITY ISSUE:** Fixed a bug where certain sequences of ``update()`` calls
++ when symmetrically encrypting very large payloads (>2GB) could result in an
++ integer overflow, leading to buffer overflows. *CVE-2020-36242*
++
+ .. _v3-3-1:
+ 
+ 3.3.1 - 2020-12-09
+diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
+index 1e805d2..ad5dad3 100644
+--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -17,7 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes
+ class _CipherContext(object):
+ _ENCRYPT = 1
+ _DECRYPT = 0
+- _MAX_CHUNK_SIZE = 2 ** 31 - 1
++ _MAX_CHUNK_SIZE = 2 ** 30 - 1
+ 
+ def __init__(self, backend, cipher, mode, operation):
+ self._backend = backend
+-- 
+1.8.3.1
+
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 1380854eb50e8f542a1a6edcb4b836ba9f0c3dd6..07ba4223073f1f22d90532b8bb9d0f7c76ed152d 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -1,12 +1,13 @@
 %global srcname cryptography
 Name: python-%{srcname}
 Version: 3.3.1
-Release: 1
+Release: 2
 Summary: PyCA's cryptography library
 License: ASL 2.0 or BSD
 URL: https://cryptography.io/en/latest/
 Source0: %{pypi_source}
+Patch6000: backport-CVE-2020-36242.patch
 BuildRequires: openssl-devel
 BuildRequires: gcc
@@ -70,6 +71,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %doc README.rst docs
 %changelog
+* Tue Feb 23 2021 shixuantong - 3.3.1-2
+- fix CVE-2020-36242
+
 * Mon Feb 1 2021 liudabo - 3.3.1-1
 - upgrade version to 3.3.1
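Review bot: Patch6000 is declared in the first hunk, but nothing in this diff applies it; the %prep section lies outside both hunks, and unless it already uses `%autosetup`, the build will carry the Release bump and the "fix CVE-2020-36242" changelog entry while still shipping the unpatched `_MAX_CHUNK_SIZE = 2 ** 31 - 1`. If %prep uses plain `%setup`, add `%patch6000 -p1` after it so the backport is actually applied. It is also worth confirming that the backport's CHANGELOG.rst hunk applies cleanly against the PyPI sdist referenced by `%{pypi_source}`, since a rejected hunk there aborts the build even though that file has no effect on the fix; trimming the backport to the one-line ciphers.py change would remove that fragility.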