diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 7cf9df57c0e1..857a32f67384 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,6 +1,15 @@ Changelog ========= +.. _v41-0-6: + +41.0.6 - 2023-11-27 +~~~~~~~~~~~~~~~~~~~ + +* Fixed a null-pointer-dereference and segfault that could occur when loading + certificates from a PKCS#7 bundle. Credit to **pkuzco** for reporting the + issue. **CVE-2023-49083** + .. _v41-0-5: 41.0.5 - 2023-10-24 diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 62a62fb96e34..74642f324e67 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -38,6 +38,7 @@ decrypted decrypting deprecations DER +dereference deserialize deserialized Deserialization diff --git a/pyproject.toml b/pyproject.toml index d48ddef02211..900fbb502904 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -11,7 +11,7 @@ build-backend = "setuptools.build_meta" [project] name = "cryptography" -version = "41.0.5" +version = "41.0.6" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index 550ee4508d16..d267dc785605 100644 --- a/src/cryptography/__about__.py +++ b/src/cryptography/__about__.py @@ -10,7 +10,7 @@ "__copyright__", ] -__version__ = "41.0.5" +__version__ = "41.0.6" __author__ = "The Python Cryptographic Authority and individual contributors" diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 02d51094cfe5..f1c79008b689 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -1890,9 +1890,12 @@ def _load_pkcs7_certificates(self, p7) -> typing.List[x509.Certificate]: _Reasons.UNSUPPORTED_SERIALIZATION, ) + certs: list[x509.Certificate] = [] + if p7.d.sign == self._ffi.NULL: + return certs + sk_x509 = p7.d.sign.cert num = self._lib.sk_X509_num(sk_x509) - certs = [] for i in range(num): x509 = self._lib.sk_X509_value(sk_x509, i) self.openssl_assert(x509 != self._ffi.NULL) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 4d88e2813b50..b58fa316ea00 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -3,6 +3,8 @@ // for complete details. #![deny(rust_2018_idioms)] +// Work-around for https://github.com/PyO3/pyo3/issues/3561 +#![allow(unknown_lints, clippy::unnecessary_fallible_conversions)] mod asn1; mod backend; diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 172cf40bd6e4..f6ad64151cb3 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -89,6 +89,12 @@ def test_load_pkcs7_unsupported_type(self, backend): mode="rb", ) + def test_load_pkcs7_empty_certificates(self, backend): + der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02" + + certificates = pkcs7.load_der_pkcs7_certificates(der) + assert certificates == [] + # We have no public verification API and won't be adding one until we get # some requirements from users so this function exists to give us basic diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py index 56336c326d11..98da9267aa4c 100644 --- a/vectors/cryptography_vectors/__about__.py +++ b/vectors/cryptography_vectors/__about__.py @@ -6,4 +6,4 @@ "__version__", ] -__version__ = "41.0.5" +__version__ = "41.0.6" diff --git a/vectors/pyproject.toml b/vectors/pyproject.toml index 8d1e750be43e..a37e2da94326 100644 --- a/vectors/pyproject.toml +++ b/vectors/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta" [project] name = "cryptography_vectors" -version = "41.0.5" +version = "41.0.6" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ]