diff --git a/CVE-2020-36242.patch b/CVE-2020-36242.patch new file mode 100644 index 0000000..1f2f9c5 --- /dev/null +++ b/CVE-2020-36242.patch @@ -0,0 +1,18 @@ +From 962eac3925c7184fb5dc174357823223beba0d85 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Sun, 7 Feb 2021 11:04:43 -0600 +Subject: [PATCH] port changelog and fix back to master for CVE-2020-36242 + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 2b10681b31..0f96795fdc 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -16,7 +16,7 @@ + class _CipherContext(object): + _ENCRYPT = 1 + _DECRYPT = 0 +- _MAX_CHUNK_SIZE = 2 ** 31 - 1 ++ _MAX_CHUNK_SIZE = 2 ** 30 - 1 + + def __init__(self, backend, cipher, mode, operation): + self._backend = backend diff --git a/python-cryptography.spec b/python-cryptography.spec index 4d748d5..43775a4 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -20,7 +20,7 @@ Name: python-%{srcname} Version: 3.2.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -33,6 +33,8 @@ Source1: %{pypi_source}.asc # gpg2 --export --export-options export-minimal "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98" > gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg Source2: gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg +Patch0001: CVE-2020-36242.patch + BuildRequires: openssl-devel BuildRequires: gcc BuildRequires: gnupg2 @@ -170,6 +172,12 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %changelog +* Mon Feb 08 2021 Christian Heimes - 3.2.1-2 +- CVE-2020-36242: Fixed a bug where certain sequences of update() calls + when symmetrically encrypting very large payloads (>2GB) could result + in an integer overflow, leading to buffer overflows. +- Resolves: rhbz#1926227 + * Wed Oct 28 2020 Christian Heimes - 3.2.1-1 - Update to 3.2.1 (#1892153)