From 9f5f05d307d6cfcd10e27d0072011a522c364e7c Mon Sep 17 00:00:00 2001 From: zhuofeng Date: Tue, 14 Feb 2023 17:03:09 +0800 Subject: [PATCH] fix CVE-2023-23931 --- backport-CVE-2023-23931.patch | 45 +++++++++++++++++++++++++++++++++++ python-cryptography.spec | 9 ++++++- 2 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2023-23931.patch diff --git a/backport-CVE-2023-23931.patch b/backport-CVE-2023-23931.patch new file mode 100644 index 0000000..d1661de --- /dev/null +++ b/backport-CVE-2023-23931.patch @@ -0,0 +1,45 @@ +From 9fbf84efc861668755ab645530ec7be9cf3c6696 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 7 Feb 2023 11:34:18 -0500 +Subject: [PATCH] Don't allow update_into to mutate immutable objects (#8230) + +--- + src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- + tests/hazmat/primitives/test_ciphers.py | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index d5b6010..a5737dc 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -155,7 +155,7 @@ class _CipherContext(object): + data_processed = 0 + total_out = 0 + outlen = self._backend._ffi.new("int *") +- baseoutbuf = self._backend._ffi.from_buffer(buf) ++ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True) + baseinbuf = self._backend._ffi.from_buffer(data) + + while data_processed != total_data_len: +diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py +index ef57790..977f148 100644 +--- a/tests/hazmat/primitives/test_ciphers.py ++++ b/tests/hazmat/primitives/test_ciphers.py +@@ -306,6 +306,14 @@ class TestCipherUpdateInto(object): + with pytest.raises(ValueError): + encryptor.update_into(b"testing", buf) + ++ def test_update_into_immutable(self, backend): ++ key = b"\x00" * 16 ++ c = ciphers.Cipher(AES(key), modes.ECB(), backend) ++ encryptor = c.encryptor() ++ buf = b"\x00" * 32 ++ with pytest.raises((TypeError, BufferError)): ++ encryptor.update_into(b"testing", buf) ++ + @pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + AES(b"\x00" * 16), modes.GCM(b"\x00" * 12) +-- +2.33.0 + diff --git a/python-cryptography.spec b/python-cryptography.spec index 083a8bc..9f7503e 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,13 +1,14 @@ %global srcname cryptography Name: python-%{srcname} Version: 36.0.1 -Release: 1 +Release: 2 Summary: PyCA's cryptography library License: ASL 2.0 or BSD URL: https://cryptography.io/en/latest/ Source0: %{srcname}-%{version}.tar.gz Patch6002: backport-provide-openssl-apis-related-to-SM-for-python.patch +Patch6003: backport-CVE-2023-23931.patch BuildRequires: openssl-devel cargo BuildRequires: gcc @@ -81,6 +82,12 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %doc README.rst docs %changelog +* Tue Feb 14 2023 zhuofeng - 36.0.1-2 +- Type:CVE +- CVE:CVE-2023-23931 +- SUG:NA +- DESC:fix CVE-2023-23931 + * Feb Nov 01 2022 Ge Wang 36.0.1-1 - Update to version 36.0.1 -- Gitee