From 8c79979ad2765606d417e3157fae0dcff95cf64c Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Mon, 7 Sep 2020 08:57:53 +0200
Subject: [PATCH 1/4] Update to 3.1 (#1872978)

---
 .gitignore | 2 ++
 python-cryptography.spec | 7 +++++--
 sources | 4 ++--
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/.gitignore b/.gitignore
index b35eadf..31354d0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,5 @@
 /cryptography-2.9.tar.gz.asc
 /cryptography-3.0.tar.gz
 /cryptography-3.0.tar.gz.asc
+/cryptography-3.1.tar.gz
+/cryptography-3.1.tar.gz.asc
diff --git a/python-cryptography.spec b/python-cryptography.spec
index c81c700..820b880 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -19,8 +19,8 @@
 %global srcname cryptography
 Name: python-%{srcname}
-Version: 3.0
-Release: 2%{?dist}
+Version: 3.1
+Release: 1%{?dist}
 Summary: PyCA's cryptography library
 License: ASL 2.0 or BSD
@@ -170,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %changelog
+* Mon Sep 07 2020 Christian Heimes - 3.1-1
+- Update to 3.1 (#1872978)
+
 * Wed Jul 29 2020 Fedora Release Engineering - 3.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
diff --git a/sources b/sources
index aa13c06..9db3a37 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (cryptography-3.0.tar.gz) = 4fca5d0e59f02f23c7e2d5c80f86e4cf36eeeb9a128e7b3332a91aa0b9dcdd3282a882a88ea34ffba1e91687eb6d1fc1042774f1e30970e9bf56ee701c32ac15
-SHA512 (cryptography-3.0.tar.gz.asc) = fd8320837b5c1e00b84682621402d5f1de56ceb4691b677caa4a2340544531f2025e374aaa38459ce0387f3050176f4845e1070658d81094c4160f1dd8c3cad8
+SHA512 (cryptography-3.1.tar.gz) = c015df3a71e4c274b2fb8fd954d264c8b56443644048139113f548c69cf83798b73c9f0993609f338044df92b609723b0281ce61ed2751309a122de22060037e
+SHA512 (cryptography-3.1.tar.gz.asc) = ceb5ec3c13f85f76f7085a7c72a898097afd7cdef1386c99f8b5090949a4b0a380b5b91c66a8a77033e432619a8bfb5edc9bf3f50008e3cb4cb162a4ef4f3d1e
From 9bd39f6d6a28bdec8d2f458084f3b351d7090f5a Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Mon, 26 Oct 2020 09:13:36 +0100
Subject: [PATCH 2/4] Update to 3.2 (#1891378)

---
 .gitignore | 2 ++
 python-cryptography.spec | 5 ++++-
 sources | 4 ++--
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index 31354d0..cda710e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,3 +19,5 @@
 /cryptography-3.0.tar.gz.asc
 /cryptography-3.1.tar.gz
 /cryptography-3.1.tar.gz.asc
+/cryptography-3.2.tar.gz
+/cryptography-3.2.tar.gz.asc
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 820b880..89ff850 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -19,7 +19,7 @@
 %global srcname cryptography
 Name: python-%{srcname}
-Version: 3.1
+Version: 3.2
 Release: 1%{?dist}
 Summary: PyCA's cryptography library
@@ -170,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %changelog
+* Mon Oct 26 2020 Christian Heimes - 3.2-1
+- Update to 3.2 (#1891378)
+
 * Mon Sep 07 2020 Christian Heimes - 3.1-1
 - Update to 3.1 (#1872978)
diff --git a/sources b/sources
index 9db3a37..e6e0771 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (cryptography-3.1.tar.gz) = c015df3a71e4c274b2fb8fd954d264c8b56443644048139113f548c69cf83798b73c9f0993609f338044df92b609723b0281ce61ed2751309a122de22060037e
-SHA512 (cryptography-3.1.tar.gz.asc) = ceb5ec3c13f85f76f7085a7c72a898097afd7cdef1386c99f8b5090949a4b0a380b5b91c66a8a77033e432619a8bfb5edc9bf3f50008e3cb4cb162a4ef4f3d1e
+SHA512 (cryptography-3.2.tar.gz) = 0096e6408b5868cc0b5e6f67945e4200bb943a00ac803546048fa4d332f81af4a224b2d67b911ee8da1ad086120935d7d557fc70a739ecffb22f408ee9b8d09e
+SHA512 (cryptography-3.2.tar.gz.asc) = 969e09e100bc76b08690e90cfa1551d64597ea65e5c13a65d4396ea7be5a19cd80438371a957bc4b2e362a1a01c30e29cc56bee44c586e5de83512f8af5d97e2

From 0839b656a67084efd5a0f040b77838d49e2a0d3e Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Wed, 28 Oct 2020 07:28:58 +0100
Subject: [PATCH 3/4] Update to 3.2.1 (#1892153)

---
 .gitignore | 2 ++
 python-cryptography.spec | 5 ++++-
 sources | 4 ++--
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index cda710e..607872b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -21,3 +21,5 @@
 /cryptography-3.1.tar.gz.asc
 /cryptography-3.2.tar.gz
 /cryptography-3.2.tar.gz.asc
+/cryptography-3.2.1.tar.gz
+/cryptography-3.2.1.tar.gz.asc
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 89ff850..4d748d5 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -19,7 +19,7 @@
 %global srcname cryptography
 Name: python-%{srcname}
-Version: 3.2
+Version: 3.2.1
 Release: 1%{?dist}
 Summary: PyCA's cryptography library
@@ -170,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %changelog
+* Wed Oct 28 2020 Christian Heimes - 3.2.1-1
+- Update to 3.2.1 (#1892153)
+
 * Mon Oct 26 2020 Christian Heimes - 3.2-1
 - Update to 3.2 (#1891378)
diff --git a/sources b/sources
index e6e0771..b2f4b8f 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (cryptography-3.2.tar.gz) = 0096e6408b5868cc0b5e6f67945e4200bb943a00ac803546048fa4d332f81af4a224b2d67b911ee8da1ad086120935d7d557fc70a739ecffb22f408ee9b8d09e
-SHA512 (cryptography-3.2.tar.gz.asc) = 969e09e100bc76b08690e90cfa1551d64597ea65e5c13a65d4396ea7be5a19cd80438371a957bc4b2e362a1a01c30e29cc56bee44c586e5de83512f8af5d97e2
+SHA512 (cryptography-3.2.1.tar.gz) = e3f1806693c24aadc3ef0df374ce1845760e87ad7c243226b75e80820b50bdc0760e4bb5f6ce26d62a6d23736b3109f72cd30b52ae2a36b26ec5656ec96c6175
+SHA512 (cryptography-3.2.1.tar.gz.asc) = f73d34e39d63fcc965d326a11a96d90fb7e704f29e9e4c6473e390c0b64628b89d26f56f227516f462804047a8c085973bf14689accc9b3dc21e8fdcde68719b

From b0108c0719662886f013762492bed2e943a97d8e Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Mon, 8 Feb 2021 15:30:51 +0100
Subject: [PATCH 4/4] CVE-2020-36242

Fixed a bug where certain sequences of update() calls when symmetrically encrypting very large payloads (>2GB) could result in an integer overflow, leading to buffer overflows.

Resolves: rhbz#1926227
---
 CVE-2020-36242.patch | 18 ++++++++++++++++++
 python-cryptography.spec | 10 +++++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-36242.patch

diff --git a/CVE-2020-36242.patch b/CVE-2020-36242.patch
new file mode 100644
index 0000000..1f2f9c5
--- /dev/null
+++ b/CVE-2020-36242.patch
@@ -0,0 +1,18 @@
+From 962eac3925c7184fb5dc174357823223beba0d85 Mon Sep 17 00:00:00 2001
+From: Paul Kehrer
+Date: Sun, 7 Feb 2021 11:04:43 -0600
+Subject: [PATCH] port changelog and fix back to master for CVE-2020-36242
+
+diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
+index 2b10681b31..0f96795fdc 100644
+--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -16,7 +16,7 @@
+ class _CipherContext(object):
+ _ENCRYPT = 1
+ _DECRYPT = 0
+- _MAX_CHUNK_SIZE = 2 ** 31 - 1
++ _MAX_CHUNK_SIZE = 2 ** 30 - 1
+
+ def __init__(self, backend, cipher, mode, operation):
+ self._backend = backend
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 4d748d5..43775a4 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -20,7 +20,7 @@
 Name: python-%{srcname}
 Version: 3.2.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: PyCA's cryptography library
 License: ASL 2.0 or BSD
@@ -33,6 +33,8 @@ Source1: %{pypi_source}.asc
 # gpg2 --export --export-options export-minimal "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98" > gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
 Source2: gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
+Patch0001: CVE-2020-36242.patch
+
 BuildRequires: openssl-devel
 BuildRequires: gcc
 BuildRequires: gnupg2
@@ -170,6 +172,12 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %changelog
+* Mon Feb 08 2021 Christian Heimes - 3.2.1-2
+- CVE-2020-36242: Fixed a bug where certain sequences of update() calls
+ when symmetrically encrypting very large payloads (>2GB) could result
+ in an integer overflow, leading to buffer overflows.
+- Resolves: rhbz#1926227
+
 * Wed Oct 28 2020 Christian Heimes - 3.2.1-1
 - Update to 3.2.1 (#1892153)
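Review bot: The `+Patch0001: CVE-2020-36242.patch` line in the `@@ -33,6 +33,8 @@` hunk only declares the backport; nothing in this commit shows it being applied, and the `%prep` section lies outside the hunks, so confirm it runs `%autosetup -p1` (or an explicit `%patch0001 -p1`), since the embedded diff uses `a/src/...`/`b/src/...` paths that need one component stripped. A declared-but-unapplied patch would leave 3.2.1-2 shipping the vulnerable `_MAX_CHUNK_SIZE = 2 ** 31 - 1` while the changelog in the `@@ -170,6 +172,12 @@` hunk claims the fix, and the build would not necessarily fail to tell you. The tag also lacks the usual provenance comment; I would add `# Upstream commit 962eac3925c7184fb5dc174357823223beba0d85 (PyCA cryptography), CVE-2020-36242` directly above `Patch0001:` so the next rebase can tell when the change has been picked up upstream and the patch can be dropped.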