Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add a patch to fix CVE-2023-49083 #6955

Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
118 changes: 118 additions & 0 deletions SPECS/python-cryptography/CVE-2023-49083.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,118 @@
From 87c06ca129dbf3d58a1391ca4ea45514262db72b Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Wed, 22 Nov 2023 16:49:56 -0500
Subject: [PATCH 1/2] Fixed crash when loading a PKCS#7 bundle with no
certificates

---
src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
tests/hazmat/primitives/test_pkcs7.py | 6 ++++++
2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 45d4a1a..f0317c7 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -2664,9 +2664,12 @@ class Backend(object):
_Reasons.UNSUPPORTED_SERIALIZATION,
)

+ certs: list[x509.Certificate] = []
+ if p7.d.sign == self._ffi.NULL:
+ return certs
+
sk_x509 = p7.d.sign.cert
num = self._lib.sk_X509_num(sk_x509)
- certs = []
for i in range(num):
x509 = self._lib.sk_X509_value(sk_x509, i)
self.openssl_assert(x509 != self._ffi.NULL)
diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
index 8b93cb6..148a1e1 100644
--- a/tests/hazmat/primitives/test_pkcs7.py
+++ b/tests/hazmat/primitives/test_pkcs7.py
@@ -80,6 +80,12 @@ class TestPKCS7Loading(object):
mode="rb",
)

+ def test_load_pkcs7_empty_certificates(self):
+ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
+
+ certificates = pkcs7.load_der_pkcs7_certificates(der)
+ assert certificates == []
+

# We have no public verification API and won't be adding one until we get
# some requirements from users so this function exists to give us basic
--
2.17.1


From ce104165dd90d8f2f8ff9aaa64327daccf27b82b Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Thu, 30 Nov 2023 20:30:34 -0600
Subject: [PATCH 2/2] raise an exception instead of returning an empty list and
update CHANGELOG.rst

---
CHANGELOG.rst | 5 +++++
src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++--
tests/hazmat/primitives/test_pkcs7.py | 4 ++--
3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 4dd7146..ccc6133 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -6,6 +6,11 @@ Changelog
3.3.2 - 2021-02-07
~~~~~~~~~~~~~~~~~~

+* **BACKWARDS INCOMPATIBLE:** Loading a PKCS7 with no content field using
+ :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates`
+ or
+ :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates`
+ will now raise a ``ValueError`` rather than return an empty list.
* **SECURITY ISSUE:** Fixed a bug where certain sequences of ``update()`` calls
when symmetrically encrypting very large payloads (>2GB) could result in an
integer overflow, leading to buffer overflows. *CVE-2020-36242*
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index f0317c7..b276f9b 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -2664,12 +2664,15 @@ class Backend(object):
_Reasons.UNSUPPORTED_SERIALIZATION,
)

- certs: list[x509.Certificate] = []
if p7.d.sign == self._ffi.NULL:
- return certs
+ raise ValueError(
+ "The provided PKCS7 has no certificate data, but a cert "
+ "loading method was called."
+ )

sk_x509 = p7.d.sign.cert
num = self._lib.sk_X509_num(sk_x509)
+ certs: list[x509.Certificate] = []
for i in range(num):
x509 = self._lib.sk_X509_value(sk_x509, i)
self.openssl_assert(x509 != self._ffi.NULL)
diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
index 148a1e1..34cbb16 100644
--- a/tests/hazmat/primitives/test_pkcs7.py
+++ b/tests/hazmat/primitives/test_pkcs7.py
@@ -83,8 +83,8 @@ class TestPKCS7Loading(object):
def test_load_pkcs7_empty_certificates(self):
der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"

- certificates = pkcs7.load_der_pkcs7_certificates(der)
- assert certificates == []
+ with pytest.raises(ValueError):
+ pkcs7.load_der_pkcs7_certificates(der)


# We have no public verification API and won't be adding one until we get
--
2.17.1

6 changes: 5 additions & 1 deletion SPECS/python-cryptography/python-cryptography.spec
Original file line number Diff line number Diff line change
@@ -1,14 +1,15 @@
Summary: Python cryptography library
Name: python-cryptography
Version: 3.3.2
Release: 5%{?dist}
Release: 6%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Development/Languages/Python
URL: https://pypi.python.org/pypi/cryptography
Source0: https://pypi.io/packages/source/c/cryptography/cryptography-%{version}.tar.gz
Patch0: CVE-2023-23931.patch
Patch1: CVE-2023-49083.patch
%if %{with_check}
BuildRequires: python3-pip
%endif
Expand Down Expand Up @@ -64,6 +65,9 @@ pip3 install pretend pytest hypothesis iso8601 cryptography_vectors pytz
%{python3_sitelib}/*

%changelog
* Fri Dec 08 2023 Aadhar Agarwal <aadagarwal@microsoft.com> - 3.3.2-6
- Patch CVE-2023-49083

* Wed Sep 20 2023 Jon Slobodzian <joslobo@microsoft.com> - 3.3.2-5
- Recompile with stack-protection fixed gcc version (CVE-2023-4039)

Expand Down
Loading