diff --git a/CVE-2023-23931.patch b/CVE-2023-23931.patch new file mode 100644 index 0000000..085947c --- /dev/null +++ b/CVE-2023-23931.patch @@ -0,0 +1,42 @@ +From 94a50a9731f35405f0357fa5f3b177d46a726ab3 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 31 Jan 2023 08:33:54 -0500 +Subject: [PATCH] Don't allow update_into to mutate immutable objects + +--- + src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- + tests/hazmat/primitives/test_ciphers.py | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 286583f9325..075d68fb905 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int: + data_processed = 0 + total_out = 0 + outlen = self._backend._ffi.new("int *") +- baseoutbuf = self._backend._ffi.from_buffer(buf) ++ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True) + baseinbuf = self._backend._ffi.from_buffer(data) + + while data_processed != total_data_len: +diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py +index 02127dd9cab..bf3b047dec2 100644 +--- a/tests/hazmat/primitives/test_ciphers.py ++++ b/tests/hazmat/primitives/test_ciphers.py +@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend): + with pytest.raises(ValueError): + encryptor.update_into(b"testing", buf) + ++ def test_update_into_immutable(self, backend): ++ key = b"\x00" * 16 ++ c = ciphers.Cipher(AES(key), modes.ECB(), backend) ++ encryptor = c.encryptor() ++ buf = b"\x00" * 32 ++ with pytest.raises((TypeError, BufferError)): ++ encryptor.update_into(b"testing", buf) ++ + @pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + AES(b"\x00" * 16), modes.GCM(b"\x00" * 12) diff --git a/python-cryptography.spec b/python-cryptography.spec index 7faf137..b2184b2 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 4%{?dist} +Release: 5%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -17,6 +17,9 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py +# https://github.com/pyca/cryptography/pull/8230 +Patch1: CVE-2023-23931.patch + ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -108,9 +111,10 @@ cat < %{SOURCE2} >> tests/conftest.py # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests # see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes # not much sense for downstream testing. +# see rhbz#2171661 for test_load_invalid_ec_key_from_pem: error:030000CD:digital envelope routines::keymgmt export failure PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{__python3} -m pytest \ - -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_openssl_memleak)" + -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)" %endif %files -n python%{python3_pkgversion}-%{srcname} @@ -120,6 +124,13 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Feb 22 2023 Christian Heimes - 37.0.2-5 +- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820 +- Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661 + +* Wed Aug 17 2022 Miro HronĨok - 37.0.2-5 +- Drop unused requirement of python3-six + * Fri Jul 22 2022 Fedora Release Engineering - 37.0.2-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild