From 542249a1619f44577fc4940ef17df498720f4b74 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 9 Aug 2023 14:07:18 +0200 Subject: [PATCH 1/8] Update to 41.0.3 - Update to upstream version 41.0.3 - Use pyo3 0.19 Resolves: rhbz#2211237 --- .gitignore | 2 ++ pyo3-0.19.patch | 52 ++++++++++++++++++++++++++++++++++++++++ python-cryptography.spec | 14 ++++++++--- sources | 4 ++-- 4 files changed, 67 insertions(+), 5 deletions(-) create mode 100644 pyo3-0.19.patch diff --git a/.gitignore b/.gitignore index 77cad2f..e69e967 100644 --- a/.gitignore +++ b/.gitignore @@ -55,3 +55,5 @@ /cryptography-40.0.1-vendor.tar.bz2 /cryptography-40.0.2.tar.gz /cryptography-40.0.2-vendor.tar.bz2 +/cryptography-41.0.3.tar.gz +/cryptography-41.0.3-vendor.tar.bz2 diff --git a/pyo3-0.19.patch b/pyo3-0.19.patch new file mode 100644 index 0000000..692232a --- /dev/null +++ b/pyo3-0.19.patch 
@@ -0,0 +1,52 @@
+diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
+index 01fba147e..9dd060f8b 100644
+--- a/src/rust/Cargo.toml
++++ b/src/rust/Cargo.toml
+@@ -9,7 +9,7 @@ rust-version = "1.56.0"
+
+ [dependencies]
+ once_cell = "1"
+-pyo3 = { version = "0.18", features = ["abi3-py37"] }
++pyo3 = { version = "0.19", features = ["abi3-py37"] }
+ asn1 = { version = "0.15.2", default-features = false }
+ cryptography-cffi = { path = "cryptography-cffi" }
+ cryptography-x509 = { path = "cryptography-x509" }
+diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml
+index 65051c2a4..24e53991b 100644
+--- a/src/rust/cryptography-cffi/Cargo.toml
++++ b/src/rust/cryptography-cffi/Cargo.toml
+@@ -8,7 +8,7 @@ publish = false
+ rust-version = "1.56.0"
+
+ [dependencies]
+-pyo3 = { version = "0.18", features = ["abi3-py37"] }
++pyo3 = { version = "0.19", features = ["abi3-py37"] }
+ openssl-sys = "0.9.88"
+
+ [build-dependencies]
+diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs
+index 923015035..1380d6eb8 100644
+--- a/src/rust/src/x509/crl.rs
++++ b/src/rust/src/x509/crl.rs
+@@ -145,7 +145,7 @@ impl CertificateRevocationList {
+ revoked_certs
+ });
+
+- if idx.is_instance_of::()? {
++ if idx.is_instance_of::() {
+ let indices = idx
+ .downcast::()?
+ .indices(self.len().try_into().unwrap())?;
+diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs
+index 98d1bd63b..dcf28833f 100644
+--- a/src/rust/src/x509/extensions.rs
++++ b/src/rust/src/x509/extensions.rs
+@@ -211,7 +211,7 @@ fn encode_certificate_policies(
+ let mut qualifiers = vec![];
+ for py_qualifier in py_policy_qualifiers.iter()? {
+ let py_qualifier = py_qualifier?;
+- let qualifier = if py_qualifier.is_instance_of::()? {
++ let qualifier = if py_qualifier.is_instance_of::() {
+ let cps_uri = match asn1::IA5String::new(py_qualifier.extract()?) {
+ Some(s) => s,
+ None => {
diff --git a/python-cryptography.spec b/python-cryptography.spec index 0323ca3..0365a9a 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,8 +5,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 40.0.2 -Release: 5%{?dist} +Version: 41.0.3 +Release: 1%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -19,6 +19,8 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py +Patch1: pyo3-0.19.patch + ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -69,8 +71,10 @@ cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. %prep -%autosetup -p1 -n %{srcname}-%{version} +%autosetup -p1 -N -n %{srcname}-%{version} %if 0%{?fedora} +# patch pyo3 depedency +%autopatch -p1 1 %cargo_prep rm src/rust/Cargo.lock %else @@ -131,6 +135,10 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Aug 09 2023 Christian Heimes - 41.0.3-1 +- Update to 41.0.3, resolves rhbz#2211237 +- Use pyo3 0.19 + * Fri Jul 21 2023 Fedora Release Engineering - 40.0.2-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild diff --git a/sources b/sources index 3532c84..f529925 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-40.0.2.tar.gz) = 4f49a71cc7348cf90ff4e67d73486a07e065efdc3e321c7f2a642dd459057a90b1c26055bdbed076ebe5b8ea4ec544aaa62b9811fd62f0d818af7e0687b4aa9e -SHA512 (cryptography-40.0.2-vendor.tar.bz2) = d45692545b50a1995837ec61b193f395bf4de021e3c4f059e3c3cc705b1b09628b1e8f00efd1d0f3f0936dc66e39cb2ac9defe484f952552e7b0e402e947fd6d +SHA512 (cryptography-41.0.3.tar.gz) = a1b3c922dc1cc527af152e3d26d65754806c4eeef5e3bcb13e5d86e67c618a7a04de6ca182bc332ff36f3c670b9e5581e6f609f738e0236ada89aa65681fa0cd +SHA512 (cryptography-41.0.3-vendor.tar.bz2) = 67f0575a1ff53bfba01b14f01f79f2442b0971c67c23eb32ebf77813c7a7e22efdcea3ed6926712cb4d875f71b6f21d24c105b3cdad51e24dc84fa3995edd381 From bd9ff8df3f204e6446d9da75e676012f13db620d Mon Sep 17 00:00:00 2001 From: Fabio Valentini Date: Fri, 1 Dec 2023 21:21:31 +0100 Subject: [PATCH 2/8] Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072) --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 0365a9a..04b2b58 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 41.0.3 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -135,6 +135,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Dec 01 2023 Fabio Valentini - 41.0.3-2 +- Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072) + * Wed Aug 09 2023 Christian Heimes - 41.0.3-1 - Update to 41.0.3, resolves rhbz#2211237 - Use pyo3 0.19 From f238d212533cfba27fff030e57329abce935fd34 Mon Sep 17 00:00:00 2001 
From: Christian Heimes Date: Mon, 14 Aug 2023 07:24:10 +0200 Subject: [PATCH 3/8] Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042 --- ouroboros-0.17.patch | 13 +++++++++++++ python-cryptography.spec | 4 +++- 2 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 ouroboros-0.17.patch diff --git a/ouroboros-0.17.patch b/ouroboros-0.17.patch new file mode 100644 index 0000000..a41a2c3 --- /dev/null +++ b/ouroboros-0.17.patch @@ -0,0 +1,13 @@ +diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml +index 9dd060f8b..8004c7e76 100644 +--- a/src/rust/Cargo.toml ++++ b/src/rust/Cargo.toml +@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptography-cffi" } + cryptography-x509 = { path = "cryptography-x509" } + cryptography-openssl = { path = "cryptography-openssl" } + pem = "1.1" +-ouroboros = "0.15" ++ouroboros = "0.17" + openssl = "0.10.54" + openssl-sys = "0.9.88" + foreign-types-shared = "0.1" diff --git a/python-cryptography.spec b/python-cryptography.spec index 04b2b58..343b351 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -20,6 +20,7 @@ Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py Patch1: pyo3-0.19.patch +Patch2: ouroboros-0.17.patch ExclusiveArch: %{rust_arches} @@ -73,8 +74,9 @@ recipes to Python developers. %prep %autosetup -p1 -N -n %{srcname}-%{version} %if 0%{?fedora} -# patch pyo3 depedency +# patch pyo3 and ouroboros depedency %autopatch -p1 1 +%autopatch -p1 2 %cargo_prep rm src/rust/Cargo.lock %else From 1c9519053604eb9bea303b3322ea2e8773e39a87 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 26 Oct 2023 17:20:09 +0200 Subject: [PATCH 4/8] Update to 41.0.5, resolves RHBZ#2239707 --- .gitignore | 2 ++ python-cryptography.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index e69e967..51aeae3 100644 --- a/.gitignore +++ b/.gitignore 
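Review bot: The added `%autopatch -p1 2` in the `%prep` hunk sits inside `%if 0%{?fedora}`, so the ouroboros 0.17 bump for RUSTSEC-2023-0042 is applied only on the Fedora path. The `%else` branch is not fully visible here, but it appears to build from the vendored crate tarball (`Source1`) and would keep whatever ouroboros version that tarball carries. If the spec is still built off-Fedora, the vendor tarball needs regenerating against the patched Cargo.toml, or the comment should say why the vendored path is unaffected, e.g. `# Fedora only: vendored builds need a regenerated Source1 for RUSTSEC-2023-0042`. The comment line itself also carries a typo, `depedency`.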
@@ -57,3 +57,5 @@ /cryptography-40.0.2-vendor.tar.bz2 /cryptography-41.0.3.tar.gz /cryptography-41.0.3-vendor.tar.bz2 +/cryptography-41.0.5-vendor.tar.bz2 +/cryptography-41.0.5.tar.gz diff --git a/python-cryptography.spec b/python-cryptography.spec index 343b351..c21ff98 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,8 +5,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 41.0.3 -Release: 2%{?dist} +Version: 41.0.5 +Release: 1%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -137,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Oct 26 2023 Christian Heimes - 41.0.5-1 +- Update to 41.0.5, resolves RHBZ#2239707 + * Fri Dec 01 2023 Fabio Valentini - 41.0.3-2 - Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072) diff --git a/sources b/sources index f529925..7c4beae 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-41.0.3.tar.gz) = a1b3c922dc1cc527af152e3d26d65754806c4eeef5e3bcb13e5d86e67c618a7a04de6ca182bc332ff36f3c670b9e5581e6f609f738e0236ada89aa65681fa0cd -SHA512 (cryptography-41.0.3-vendor.tar.bz2) = 67f0575a1ff53bfba01b14f01f79f2442b0971c67c23eb32ebf77813c7a7e22efdcea3ed6926712cb4d875f71b6f21d24c105b3cdad51e24dc84fa3995edd381 +SHA512 (cryptography-41.0.5.tar.gz) = b647b4f5155437242d7a31d84bd1cdc83284d96d334a3d6169533d597540f525d3f1686bab3a5fe3cb64a4fa6ded5e5d19489dfff0e93d86c274f20e69ca07e9 +SHA512 (cryptography-41.0.5-vendor.tar.bz2) = 67f0575a1ff53bfba01b14f01f79f2442b0971c67c23eb32ebf77813c7a7e22efdcea3ed6926712cb4d875f71b6f21d24c105b3cdad51e24dc84fa3995edd381 From 6ba28cbde7364cdaec96a39b4dcc8f894a7b3bd4 Mon Sep 17 00:00:00 2001 
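Review bot: The new `cryptography-41.0.5-vendor.tar.bz2` entry in `sources` has the same SHA512 (`67f0575a…edd381`) as the `cryptography-41.0.3-vendor.tar.bz2` line it replaces, so the vendored crate tarball is byte-identical to the 41.0.3 one under a new name. That is correct only if upstream's Rust dependency set did not change between the two releases; otherwise a vendored build would compile 41.0.5 against stale crates, possibly including the openssl crate that PATCH 2/8 rebuilt for. Regenerating the tarball with `vendor_rust.py` for 41.0.5 and re-uploading it would settle this, or the commit message should state that the reuse is intentional.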
From: "Benjamin A. Beasley" Date: Thu, 1 Feb 2024 10:48:14 -0500 Subject: [PATCH 5/8] Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 --- .gitignore | 2 ++ python-cryptography.spec | 5 ++++- sources | 4 ++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 51aeae3..c4051ad 100644 --- a/.gitignore +++ b/.gitignore @@ -59,3 +59,5 @@ /cryptography-41.0.3-vendor.tar.bz2 /cryptography-41.0.5-vendor.tar.bz2 /cryptography-41.0.5.tar.gz +/cryptography-41.0.7.tar.gz +/cryptography-41.0.7-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index c21ff98..961288c 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 41.0.5 +Version: 41.0.7 Release: 1%{?dist} Summary: PyCA's cryptography library @@ -137,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 +- Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 + * Thu Oct 26 2023 Christian Heimes - 41.0.5-1 - Update to 41.0.5, resolves RHBZ#2239707 diff --git a/sources b/sources index 7c4beae..44bd6ba 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-41.0.5.tar.gz) = b647b4f5155437242d7a31d84bd1cdc83284d96d334a3d6169533d597540f525d3f1686bab3a5fe3cb64a4fa6ded5e5d19489dfff0e93d86c274f20e69ca07e9 -SHA512 (cryptography-41.0.5-vendor.tar.bz2) = 67f0575a1ff53bfba01b14f01f79f2442b0971c67c23eb32ebf77813c7a7e22efdcea3ed6926712cb4d875f71b6f21d24c105b3cdad51e24dc84fa3995edd381 +SHA512 (cryptography-41.0.7.tar.gz) = 9a870d45296de6af1331e73b102226b8269892216cd7bc0adfb2f63ce1ca7021d338effd09182128253d8d8df154bbd19d46c47f10ddac86e739fcbf6df78307 +SHA512 (cryptography-41.0.7-vendor.tar.bz2) = dbf750a1ada4a9330939e3dae8311007a9e25808eb64c124c99981187d1bc04baba3a7d3b838c0cd9491e8350c382fb0f789a11abb21c633f2d78e8aba819b9e 
From a637ff79d86d13c9fc78e2159e24b79fdc192ebe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Sun, 4 Feb 2024 16:56:24 +0100 Subject: [PATCH 6/8] Fixup the %changelog dates --- python-cryptography.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 961288c..5bb0154 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -140,7 +140,7 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ * Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 - Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 -* Thu Oct 26 2023 Christian Heimes - 41.0.5-1 +* Thu Feb 01 2024 Christian Heimes - 41.0.5-1 - Update to 41.0.5, resolves RHBZ#2239707 * Fri Dec 01 2023 Fabio Valentini - 41.0.3-2 From 1df274c401447d67dac595b6f6d9b05cfa760abb Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 23 Jan 2024 12:09:52 +0100 Subject: [PATCH 7/8] Update to 42.0.5 resolves: rhbz#2251816 resolves: rhbz#2269618, CVE-2024-26130 Signed-off-by: Christian Heimes --- .gitignore | 2 + ouroboros-0.17.patch | 13 ------ pyo3-0.19.patch | 52 ----------------------- python-cryptography.spec | 39 ++++++++++-------- skip-overflow-tests-32bit.patch | 73 +++++++++++++++++++++++++++++++++ sources | 4 +- vendor_rust.py | 2 +- 7 files changed, 101 insertions(+), 84 deletions(-) delete mode 100644 ouroboros-0.17.patch delete mode 100644 pyo3-0.19.patch create mode 100644 skip-overflow-tests-32bit.patch diff --git a/.gitignore b/.gitignore index c4051ad..578df22 100644 --- a/.gitignore +++ b/.gitignore @@ -61,3 +61,5 @@ /cryptography-41.0.5.tar.gz /cryptography-41.0.7.tar.gz /cryptography-41.0.7-vendor.tar.bz2 +/cryptography-42.0.5.tar.gz +/cryptography-42.0.5-vendor.tar.bz2 diff --git a/ouroboros-0.17.patch b/ouroboros-0.17.patch deleted file mode 100644 index a41a2c3..0000000 --- a/ouroboros-0.17.patch +++ /dev/null 
@@ -1,13 +0,0 @@
-diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
-index 9dd060f8b..8004c7e76 100644
---- a/src/rust/Cargo.toml
-+++ b/src/rust/Cargo.toml
-@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptography-cffi" }
- cryptography-x509 = { path = "cryptography-x509" }
- cryptography-openssl = { path = "cryptography-openssl" }
- pem = "1.1"
--ouroboros = "0.15"
-+ouroboros = "0.17"
- openssl = "0.10.54"
- openssl-sys = "0.9.88"
- foreign-types-shared = "0.1"
diff --git a/pyo3-0.19.patch b/pyo3-0.19.patch
deleted file mode 100644
index 692232a..0000000
--- a/pyo3-0.19.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
-index 01fba147e..9dd060f8b 100644
---- a/src/rust/Cargo.toml
-+++ b/src/rust/Cargo.toml
-@@ -9,7 +9,7 @@ rust-version = "1.56.0"
-
- [dependencies]
- once_cell = "1"
--pyo3 = { version = "0.18", features = ["abi3-py37"] }
-+pyo3 = { version = "0.19", features = ["abi3-py37"] }
- asn1 = { version = "0.15.2", default-features = false }
- cryptography-cffi = { path = "cryptography-cffi" }
- cryptography-x509 = { path = "cryptography-x509" }
-diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml
-index 65051c2a4..24e53991b 100644
---- a/src/rust/cryptography-cffi/Cargo.toml
-+++ b/src/rust/cryptography-cffi/Cargo.toml
-@@ -8,7 +8,7 @@ publish = false
- rust-version = "1.56.0"
-
- [dependencies]
--pyo3 = { version = "0.18", features = ["abi3-py37"] }
-+pyo3 = { version = "0.19", features = ["abi3-py37"] }
- openssl-sys = "0.9.88"
-
- [build-dependencies]
-diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs
-index 923015035..1380d6eb8 100644
---- a/src/rust/src/x509/crl.rs
-+++ b/src/rust/src/x509/crl.rs
-@@ -145,7 +145,7 @@ impl CertificateRevocationList {
- revoked_certs
- });
-
-- if idx.is_instance_of::()? {
-+ if idx.is_instance_of::() {
- let indices = idx
- .downcast::()?
- .indices(self.len().try_into().unwrap())?;
-diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs
-index 98d1bd63b..dcf28833f 100644
---- a/src/rust/src/x509/extensions.rs
-+++ b/src/rust/src/x509/extensions.rs
-@@ -211,7 +211,7 @@ fn encode_certificate_policies(
- let mut qualifiers = vec![];
- for py_qualifier in py_policy_qualifiers.iter()? {
- let py_qualifier = py_qualifier?;
-- let qualifier = if py_qualifier.is_instance_of::()? {
-+ let qualifier = if py_qualifier.is_instance_of::() {
- let cps_uri = match asn1::IA5String::new(py_qualifier.extract()?) {
- Some(s) => s,
- None => {
diff --git a/python-cryptography.spec b/python-cryptography.spec index 5bb0154..8626ac1 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 41.0.7 +Version: 42.0.5 Release: 1%{?dist} Summary: PyCA's cryptography library @@ -19,8 +19,7 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch1: pyo3-0.19.patch -Patch2: ouroboros-0.17.patch +Patch1: skip-overflow-tests-32bit.patch ExclusiveArch: %{rust_arches} @@ -29,8 +28,6 @@ BuildRequires: gcc BuildRequires: gnupg2 %if 0%{?fedora} BuildRequires: rust-packaging -# test_load_with_other_sections in 40.0 fails with pem 1.1.0 -BuildRequires: rust-pem-devel >= 1.1.1 %else BuildRequires: rust-toolset %endif @@ -48,6 +45,7 @@ BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-xdist BuildRequires: python%{python3_pkgversion}-pytz %endif +BuildRequires: python%{python3_pkgversion}-certifi BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 @@ -73,10 +71,8 @@ recipes to Python developers. %prep %autosetup -p1 -N -n %{srcname}-%{version} -%if 0%{?fedora} -# patch pyo3 and ouroboros depedency %autopatch -p1 1 -%autopatch -p1 2 +%if 0%{?fedora} %cargo_prep rm src/rust/Cargo.lock %else 
@@ -84,27 +80,33 @@ rm src/rust/Cargo.lock %cargo_prep -V 1 %endif -%if 0%{?fedora} +# Remove cosmetical pytest-subtests 0.10.0 option +sed -i 's,--no-subtests-shortletter,,' pyproject.toml + + %generate_buildrequires +%pyproject_buildrequires -t +%if 0%{?fedora} # Fedora: use RPMified crates cd src/rust %cargo_generate_buildrequires cd ../.. %endif -# Remove cosmetical pytest-subtests 0.10.0 option -sed -i 's,--no-subtests-shortletter,,' pyproject.toml %build export RUSTFLAGS="%build_rustflags" export OPENSSL_NO_VENDOR=1 -%py3_build +%pyproject_wheel + %install # Actually other *.c and *.h are appropriate # see https://github.com/pyca/cryptography/issues/1463 find . -name .keep -print -delete -%py3_install +%pyproject_install +%pyproject_save_files %{srcname} + %check %if %{with tests} @@ -130,13 +132,18 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)" %endif -%files -n python%{python3_pkgversion}-%{srcname} + +%files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files} %doc README.rst docs %license LICENSE LICENSE.APACHE LICENSE.BSD -%{python3_sitearch}/%{srcname} -%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info + %changelog +* Wed Mar 06 2024 Christian Heimes - 42.0.1-5 +- Update to 42.0.5, resolves RHBZ#2251816 +- fixes rhbz#2269618, CVE-2024-26130 +- Modernize spec file to use pyproject RPM macros + * Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 - Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 diff --git a/skip-overflow-tests-32bit.patch b/skip-overflow-tests-32bit.patch new file mode 100644 index 0000000..1dec3d9 --- /dev/null +++ b/skip-overflow-tests-32bit.patch 
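Review bot: The changelog header added in the last spec hunk reads `42.0.1-5`, but this commit sets `Version: 42.0.5` with `Release: 1%{?dist}`, so the entry that records the CVE-2024-26130 fix names a version-release that is never built. Anyone matching the changelog against the installed package version to confirm the fix would be misled. The header should end in `42.0.5-1`.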
@@ -0,0 +1,73 @@ +From d741901dddd731895346636c0d3556c6fa51fbe6 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Thu, 8 Feb 2024 09:11:21 -0600 +Subject: [PATCH] skip overflow aead tests on 32-bit systems + +--- + tests/hazmat/primitives/test_aead.py | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py +index a1f99ab815ed..2f0d52d82682 100644 +--- a/tests/hazmat/primitives/test_aead.py ++++ b/tests/hazmat/primitives/test_aead.py +@@ -56,7 +56,8 @@ def test_chacha20poly1305_unsupported_on_older_openssl(backend): + ) + class TestChaCha20Poly1305: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = ChaCha20Poly1305.generate_key() +@@ -197,7 +198,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESCCM: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESCCM.generate_key(128) +@@ -378,7 +380,8 @@ def _load_gcm_vectors(): + + class TestAESGCM: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESGCM.generate_key(128) +@@ -525,7 +528,8 @@ def test_aesocb3_unsupported_on_older_openssl(backend): + ) + class TestAESOCB3: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key 
= AESOCB3.generate_key(128) +@@ -700,7 +704,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESSIV: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESSIV.generate_key(256) +@@ -844,7 +849,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESGCMSIV: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESGCMSIV.generate_key(256) diff --git a/sources b/sources index 44bd6ba..0e97b72 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-41.0.7.tar.gz) = 9a870d45296de6af1331e73b102226b8269892216cd7bc0adfb2f63ce1ca7021d338effd09182128253d8d8df154bbd19d46c47f10ddac86e739fcbf6df78307 -SHA512 (cryptography-41.0.7-vendor.tar.bz2) = dbf750a1ada4a9330939e3dae8311007a9e25808eb64c124c99981187d1bc04baba3a7d3b838c0cd9491e8350c382fb0f789a11abb21c633f2d78e8aba819b9e +SHA512 (cryptography-42.0.5.tar.gz) = 112a1f6395e0c9bf646118100c6285684eabf021d7c8912bbdbc165d5c27fbf9f9f2fffb144d63453b21f8461a172ab49d2b79ed2b80f409489a07d5ddc54bc9 +SHA512 (cryptography-42.0.5-vendor.tar.bz2) = 5c8da064f28183d759f0e39077f671297abedd43b40461a6e9fe2390e142945dc5ee54cdf4cfbbc33d9973a9bd95f33312dd5888e2422569f18b4a17ff75f6c4 diff --git a/vendor_rust.py b/vendor_rust.py index cd8355e..eb53abd 100755 --- a/vendor_rust.py +++ b/vendor_rust.py @@ -12,7 +12,7 @@ import sys VENDOR_DIR = "vendor" CARGO_TOML = "src/rust/Cargo.toml" -RE_VERSION = re.compile("Version:\s*(.*)") +RE_VERSION = re.compile(r"Version:\s*(.*)") parser = argparse.ArgumentParser(description="Vendor Rust packages") parser.add_argument( From df910351fd7ccda7f6f6e9c346fbb7b0014d5f53 Mon Sep 17 00:00:00 2001 
From: Christian Heimes Date: Thu, 21 Mar 2024 11:43:03 +0100 Subject: [PATCH 8/8] Revert "Update to 42.0.5" This reverts commit 1df274c401447d67dac595b6f6d9b05cfa760abb. Fedora 39 is missing recent versions of python-setuptools-rust, rust-pem, and rust-openssl. --- .gitignore | 2 - ouroboros-0.17.patch | 13 ++++++ pyo3-0.19.patch | 52 +++++++++++++++++++++++ python-cryptography.spec | 39 ++++++++---------- skip-overflow-tests-32bit.patch | 73 --------------------------------- sources | 4 +- vendor_rust.py | 2 +- 7 files changed, 84 insertions(+), 101 deletions(-) create mode 100644 ouroboros-0.17.patch create mode 100644 pyo3-0.19.patch delete mode 100644 skip-overflow-tests-32bit.patch diff --git a/.gitignore b/.gitignore index 578df22..c4051ad 100644 --- a/.gitignore +++ b/.gitignore @@ -61,5 +61,3 @@ /cryptography-41.0.5.tar.gz /cryptography-41.0.7.tar.gz /cryptography-41.0.7-vendor.tar.bz2 -/cryptography-42.0.5.tar.gz -/cryptography-42.0.5-vendor.tar.bz2 diff --git a/ouroboros-0.17.patch b/ouroboros-0.17.patch new file mode 100644 index 0000000..a41a2c3 --- /dev/null +++ b/ouroboros-0.17.patch @@ -0,0 +1,13 @@ +diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml +index 9dd060f8b..8004c7e76 100644 +--- a/src/rust/Cargo.toml ++++ b/src/rust/Cargo.toml +@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptography-cffi" } + cryptography-x509 = { path = "cryptography-x509" } + cryptography-openssl = { path = "cryptography-openssl" } + pem = "1.1" +-ouroboros = "0.15" ++ouroboros = "0.17" + openssl = "0.10.54" + openssl-sys = "0.9.88" + foreign-types-shared = "0.1" diff --git a/pyo3-0.19.patch b/pyo3-0.19.patch new file mode 100644 index 0000000..692232a --- /dev/null +++ b/pyo3-0.19.patch 
@@ -0,0 +1,52 @@
+diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
+index 01fba147e..9dd060f8b 100644
+--- a/src/rust/Cargo.toml
++++ b/src/rust/Cargo.toml
+@@ -9,7 +9,7 @@ rust-version = "1.56.0"
+
+ [dependencies]
+ once_cell = "1"
+-pyo3 = { version = "0.18", features = ["abi3-py37"] }
++pyo3 = { version = "0.19", features = ["abi3-py37"] }
+ asn1 = { version = "0.15.2", default-features = false }
+ cryptography-cffi = { path = "cryptography-cffi" }
+ cryptography-x509 = { path = "cryptography-x509" }
+diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml
+index 65051c2a4..24e53991b 100644
+--- a/src/rust/cryptography-cffi/Cargo.toml
++++ b/src/rust/cryptography-cffi/Cargo.toml
+@@ -8,7 +8,7 @@ publish = false
+ rust-version = "1.56.0"
+
+ [dependencies]
+-pyo3 = { version = "0.18", features = ["abi3-py37"] }
++pyo3 = { version = "0.19", features = ["abi3-py37"] }
+ openssl-sys = "0.9.88"
+
+ [build-dependencies]
+diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs
+index 923015035..1380d6eb8 100644
+--- a/src/rust/src/x509/crl.rs
++++ b/src/rust/src/x509/crl.rs
+@@ -145,7 +145,7 @@ impl CertificateRevocationList {
+ revoked_certs
+ });
+
+- if idx.is_instance_of::()? {
++ if idx.is_instance_of::() {
+ let indices = idx
+ .downcast::()?
+ .indices(self.len().try_into().unwrap())?;
+diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs
+index 98d1bd63b..dcf28833f 100644
+--- a/src/rust/src/x509/extensions.rs
++++ b/src/rust/src/x509/extensions.rs
+@@ -211,7 +211,7 @@ fn encode_certificate_policies(
+ let mut qualifiers = vec![];
+ for py_qualifier in py_policy_qualifiers.iter()? {
+ let py_qualifier = py_qualifier?;
+- let qualifier = if py_qualifier.is_instance_of::()? {
++ let qualifier = if py_qualifier.is_instance_of::() {
+ let cps_uri = match asn1::IA5String::new(py_qualifier.extract()?) {
+ Some(s) => s,
+ None => {
diff --git a/python-cryptography.spec b/python-cryptography.spec index 8626ac1..5bb0154 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 42.0.5 +Version: 41.0.7 Release: 1%{?dist} Summary: PyCA's cryptography library @@ -19,7 +19,8 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch1: skip-overflow-tests-32bit.patch +Patch1: pyo3-0.19.patch +Patch2: ouroboros-0.17.patch ExclusiveArch: %{rust_arches} @@ -28,6 +29,8 @@ BuildRequires: gcc BuildRequires: gnupg2 %if 0%{?fedora} BuildRequires: rust-packaging +# test_load_with_other_sections in 40.0 fails with pem 1.1.0 +BuildRequires: rust-pem-devel >= 1.1.1 %else BuildRequires: rust-toolset %endif @@ -45,7 +48,6 @@ BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-xdist BuildRequires: python%{python3_pkgversion}-pytz %endif -BuildRequires: python%{python3_pkgversion}-certifi BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 @@ -71,8 +73,10 @@ recipes to Python developers. %prep %autosetup -p1 -N -n %{srcname}-%{version} -%autopatch -p1 1 %if 0%{?fedora} +# patch pyo3 and ouroboros depedency +%autopatch -p1 1 +%autopatch -p1 2 %cargo_prep rm src/rust/Cargo.lock %else 
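Review bot: Setting `Version:` back to `41.0.7` in the first spec hunk also withdraws the fix for CVE-2024-26130, which the reverted commit (PATCH 7/8) listed as a reason for the update, and nothing in this revert replaces it. The commit message explains why 42.0.5 cannot be built here but not how the CVE is handled on this branch. A backport patch carried on top of 41.0.7, or a note that rhbz#2269618 stays open for this release, would make the security state explicit. The later spec hunk also drops the changelog entry without adding one for the revert, so the package history no longer shows that the fix was attempted and rolled back.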
@@ -80,33 +84,27 @@ rm src/rust/Cargo.lock %cargo_prep -V 1 %endif -# Remove cosmetical pytest-subtests 0.10.0 option -sed -i 's,--no-subtests-shortletter,,' pyproject.toml - - -%generate_buildrequires -%pyproject_buildrequires -t %if 0%{?fedora} +%generate_buildrequires # Fedora: use RPMified crates cd src/rust %cargo_generate_buildrequires cd ../.. %endif +# Remove cosmetical pytest-subtests 0.10.0 option +sed -i 's,--no-subtests-shortletter,,' pyproject.toml %build export RUSTFLAGS="%build_rustflags" export OPENSSL_NO_VENDOR=1 -%pyproject_wheel - +%py3_build %install # Actually other *.c and *.h are appropriate # see https://github.com/pyca/cryptography/issues/1463 find . -name .keep -print -delete -%pyproject_install -%pyproject_save_files %{srcname} - +%py3_install %check %if %{with tests} @@ -132,18 +130,13 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)" %endif - -%files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files} +%files -n python%{python3_pkgversion}-%{srcname} %doc README.rst docs %license LICENSE LICENSE.APACHE LICENSE.BSD - +%{python3_sitearch}/%{srcname} +%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog -* Wed Mar 06 2024 Christian Heimes - 42.0.1-5 -- Update to 42.0.5, resolves RHBZ#2251816 -- fixes rhbz#2269618, CVE-2024-26130 -- Modernize spec file to use pyproject RPM macros - * Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 - Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 diff --git a/skip-overflow-tests-32bit.patch b/skip-overflow-tests-32bit.patch deleted file mode 100644 index 1dec3d9..0000000 --- a/skip-overflow-tests-32bit.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From d741901dddd731895346636c0d3556c6fa51fbe6 Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Thu, 8 Feb 2024 09:11:21 -0600 -Subject: [PATCH] skip overflow aead tests on 32-bit systems - ---- - tests/hazmat/primitives/test_aead.py | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py -index a1f99ab815ed..2f0d52d82682 100644 ---- a/tests/hazmat/primitives/test_aead.py -+++ b/tests/hazmat/primitives/test_aead.py -@@ -56,7 +56,8 @@ def test_chacha20poly1305_unsupported_on_older_openssl(backend): - ) - class TestChaCha20Poly1305: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = ChaCha20Poly1305.generate_key() -@@ -197,7 +198,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESCCM: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESCCM.generate_key(128) -@@ -378,7 +380,8 @@ def _load_gcm_vectors(): - - class TestAESGCM: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESGCM.generate_key(128) -@@ -525,7 +528,8 @@ def test_aesocb3_unsupported_on_older_openssl(backend): - ) - class TestAESOCB3: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key 
= AESOCB3.generate_key(128) -@@ -700,7 +704,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESSIV: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESSIV.generate_key(256) -@@ -844,7 +849,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESGCMSIV: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESGCMSIV.generate_key(256) diff --git a/sources b/sources index 0e97b72..44bd6ba 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-42.0.5.tar.gz) = 112a1f6395e0c9bf646118100c6285684eabf021d7c8912bbdbc165d5c27fbf9f9f2fffb144d63453b21f8461a172ab49d2b79ed2b80f409489a07d5ddc54bc9 -SHA512 (cryptography-42.0.5-vendor.tar.bz2) = 5c8da064f28183d759f0e39077f671297abedd43b40461a6e9fe2390e142945dc5ee54cdf4cfbbc33d9973a9bd95f33312dd5888e2422569f18b4a17ff75f6c4 +SHA512 (cryptography-41.0.7.tar.gz) = 9a870d45296de6af1331e73b102226b8269892216cd7bc0adfb2f63ce1ca7021d338effd09182128253d8d8df154bbd19d46c47f10ddac86e739fcbf6df78307 +SHA512 (cryptography-41.0.7-vendor.tar.bz2) = dbf750a1ada4a9330939e3dae8311007a9e25808eb64c124c99981187d1bc04baba3a7d3b838c0cd9491e8350c382fb0f789a11abb21c633f2d78e8aba819b9e diff --git a/vendor_rust.py b/vendor_rust.py index eb53abd..cd8355e 100755 --- a/vendor_rust.py +++ b/vendor_rust.py @@ -12,7 +12,7 @@ import sys VENDOR_DIR = "vendor" CARGO_TOML = "src/rust/Cargo.toml" -RE_VERSION = re.compile(r"Version:\s*(.*)") +RE_VERSION = re.compile("Version:\s*(.*)") parser = argparse.ArgumentParser(description="Vendor Rust packages") parser.add_argument(
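Review bot: The wholesale revert also undoes the unrelated raw-string fix in `vendor_rust.py`: `"Version:\s*(.*)"` contains `\s`, an invalid escape sequence in a normal Python string literal that newer interpreters warn about. The regex still matches today, but this script produces the vendored crate tarball, so it should not depend on deprecated literal handling. Keep `RE_VERSION = re.compile(r"Version:\s*(.*)")` when reverting the rest. The hunk shows only the module-level constants; the code that uses `RE_VERSION` lies outside it.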