diff --git a/CVE-2024-33664.patch b/CVE-2024-33664.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d41a7ea04f914c620f5bb75e412654593dc2250d
--- /dev/null
+++ b/CVE-2024-33664.patch
@@ -0,0 +1,14 @@
+diff -Naur python-jose-3.3.0/jose/jwe.py python-jose-3.3.0_cve/jose/jwe.py
+--- python-jose-3.3.0/jose/jwe.py 2021-06-05 00:11:22.000000000 +0800
++++ python-jose-3.3.0_cve/jose/jwe.py 2024-04-26 17:33:01.319314391 +0800
+@@ -76,6 +76,10 @@
+ >>> jwe.decrypt(jwe_string, 'asecret128bitkey')
+ 'Hello, World!'
+ """
++ # limit the token size to 250 KB
++ if len(jwe_str) > 250 * 1024:
++ raise JWEError("JWE string exceeds 250 KB")
++
+ header, encoded_header, encrypted_key, iv, cipher_text, auth_tag = _jwe_compact_deserialize(jwe_str)
+
+ # Verify that the implementation understands and can process all
diff --git a/python-jose.spec b/python-jose.spec
index 2de8af34367f817d69c3e8473e1b70fc9d07e948..d3a8d7a00b9c28db99aebf596a55349ca2c7a1e7 100644
--- a/python-jose.spec
+++ b/python-jose.spec
@@ -1,13 +1,14 @@
%global _empty_manifest_terminate_build 0
Name: python-jose
Version: 3.3.0
-Release: 1
+Release: 2
Summary: An implementation of the JOSE draft
License: MIT License (MIT)
URL: https://github.com/Demonware/jose
Source0: https://files.pythonhosted.org/packages/e4/19/b2c86504116dc5f0635d29f802da858404d77d930a25633d2e86a64a35b3/python-jose-3.3.0.tar.gz
BuildArch: noarch
+Patch0001: CVE-2024-33664.patch

%description
JOSE is a framework intended to provide a method to securely transfer
@@ -61,7 +62,7 @@ This library implements JWS and JWEs along with a subset of the
encryption / authentication algorithms recommended by the JOSE framework.

%prep
-%autosetup -n %{name}-%{version}
+%autosetup -n %{name}-%{version} -p1

%build
%py3_build
@@ -101,6 +102,9 @@ mv %{buildroot}/doclist.lst .
%{_docdir}/*

%changelog
+* Fri Apr 26 2024 yueyaoqiang - 3.3.0-2
+- fix CVE-2024-33664
+
* Tue Jul 12 2022 wangqiang - 3.3.0-1
- Type: update
- ID: NA
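Review bot: The new `len(jwe_str) > 250 * 1024` guard only bounds the compact token on the wire, but CVE-2024-33664 is a decompression-bomb denial of service, and the quantity that exhausts memory is the inflated plaintext — DEFLATE expands roughly 1000:1, so a token just under this limit can still inflate to hundreds of megabytes if the `zip: DEF` path decompresses without its own ceiling (that code is outside the hunk, so I cannot confirm here whether it is bounded). I would pair this check with a cap on the decompressed size, e.g. `zlib.decompressobj().decompress(data, max_length)` followed by raising `JWEError` when `unconsumed_tail` is non-empty, and name the limit as a module constant rather than repeating `250 * 1024` and `250 KB` in code and message. The docstring that ends just above the inserted lines should also record the new failure mode: `:raises JWEError: if the compact token exceeds 250 KB`. `decrypt` continues past the end of the hunk.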