CVE-2020-36242

Fixed a bug where certain sequences of update() calls when symmetrically
encrypting very large payloads (>2GB) could result in an integer overflow,
leading to buffer overflows.

Resolves: rhbz#1926227

.gitignore

@@ -17,3 +17,9 @@
 /cryptography-2.9.tar.gz.asc
 /cryptography-3.0.tar.gz
 /cryptography-3.0.tar.gz.asc
+/cryptography-3.1.tar.gz
+/cryptography-3.1.tar.gz.asc
+/cryptography-3.2.tar.gz
+/cryptography-3.2.tar.gz.asc
+/cryptography-3.2.1.tar.gz
+/cryptography-3.2.1.tar.gz.asc

CVE-2020-36242.patch

@@ -0,0 +1,18 @@
+From 962eac3925c7184fb5dc174357823223beba0d85 Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <paul.l.kehrer@gmail.com>
+Date: Sun, 7 Feb 2021 11:04:43 -0600
+Subject: [PATCH] port changelog and fix back to master for CVE-2020-36242
+
+diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
+index 2b10681b31..0f96795fdc 100644
+--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -16,7 +16,7 @@
+ class _CipherContext(object):
+     _ENCRYPT = 1
+     _DECRYPT = 0
+-    _MAX_CHUNK_SIZE = 2 ** 31 - 1
++    _MAX_CHUNK_SIZE = 2 ** 30 - 1
+ 
+     def __init__(self, backend, cipher, mode, operation):
+         self._backend = backend

python-cryptography.spec

@@ -19,7 +19,7 @@
 %global srcname cryptography
 
 Name:           python-%{srcname}
-Version:        3.0
+Version:        3.2.1
 Release:        2%{?dist}
 Summary:        PyCA's cryptography library
 
@@ -33,6 +33,8 @@ Source1:        %{pypi_source}.asc
 # gpg2 --export --export-options export-minimal "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98" > gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
 Source2:        gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
 
+Patch0001:      CVE-2020-36242.patch
+
 BuildRequires:  openssl-devel
 BuildRequires:  gcc
 BuildRequires:  gnupg2
@@ -170,6 +172,21 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 
 
 %changelog
+* Mon Feb 08 2021 Christian Heimes <cheimes@redhat.com> - 3.2.1-2
+- CVE-2020-36242: Fixed a bug where certain sequences of update() calls
+  when symmetrically encrypting very large payloads (>2GB) could result
+  in an integer overflow, leading to buffer overflows.
+- Resolves: rhbz#1926227
+
+* Wed Oct 28 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-1
+- Update to 3.2.1 (#1892153)
+
+* Mon Oct 26 2020 Christian Heimes <cheimes@redhat.com> - 3.2-1
+- Update to 3.2 (#1891378)
+
+* Mon Sep 07 2020 Christian Heimes <cheimes@redhat.com> - 3.1-1
+- Update to 3.1 (#1872978)
+
 * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 

sources

@@ -1,2 +1,2 @@
-SHA512 (cryptography-3.0.tar.gz) = 4fca5d0e59f02f23c7e2d5c80f86e4cf36eeeb9a128e7b3332a91aa0b9dcdd3282a882a88ea34ffba1e91687eb6d1fc1042774f1e30970e9bf56ee701c32ac15
-SHA512 (cryptography-3.0.tar.gz.asc) = fd8320837b5c1e00b84682621402d5f1de56ceb4691b677caa4a2340544531f2025e374aaa38459ce0387f3050176f4845e1070658d81094c4160f1dd8c3cad8
+SHA512 (cryptography-3.2.1.tar.gz) = e3f1806693c24aadc3ef0df374ce1845760e87ad7c243226b75e80820b50bdc0760e4bb5f6ce26d62a6d23736b3109f72cd30b52ae2a36b26ec5656ec96c6175
+SHA512 (cryptography-3.2.1.tar.gz.asc) = f73d34e39d63fcc965d326a11a96d90fb7e704f29e9e4c6473e390c0b64628b89d26f56f227516f462804047a8c085973bf14689accc9b3dc21e8fdcde68719b