python3-cryptography: fix CVE-2023-49083

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6. References: https://nvd.nist.gov/vuln/detail/CVE-2023-49083 https://security-tracker.debian.org/tracker/CVE-2023-49083 (From OE-Core rev: 2d104f78cd13a10640bc284c7fc8358bf305279c) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Narpat Mali <narpat.mali@windriver.com> 2023-12-06 08:59:00 +0000
committer: Steve Sakoman <steve@sakoman.com> 2023-12-12 04:20:34 -1000
commit: 31507dd07a36234b888759bab256644446b85ff3 (patch)
tree: 4b43042486b56ee33094fb8318272fcdfe79f062
parent: 82e76d21dcf8ca39ce1a0f7d6af9b66e665625a4 (diff)
download: poky-31507dd07a36234b888759bab256644446b85ff3.tar.gz
2 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch
new file mode 100644
index 0000000000..d398eea1d9
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch
@@ -0,0 +1,53 @@
+From 627ac5e314303acc00a19d58f09eb1eabd029fd1 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Wed, 6 Dec 2023 08:04:53 +0000
+Subject: [PATCH] Fixed crash when loading a PKCS#7 bundle with no certificates
+ (#9926)
+CVE: CVE-2023-49083
+Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/1e7b4d074e14c4e694d3ce69ad6754a6039fd6ff]
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
+ tests/hazmat/primitives/test_pkcs7.py               | 6 ++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index 5606fe6..c43fea0 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2189,9 +2189,12 @@ class Backend(BackendInterface):
+                 _Reasons.UNSUPPORTED_SERIALIZATION,
+             )
+        certs: list[x509.Certificate] = []
+        if p7.d.sign == self._ffi.NULL:
+            return certs
+
+         sk_x509 = p7.d.sign.cert
+         num = self._lib.sk_X509_num(sk_x509)
+-        certs = []
+         for i in range(num):
+             x509 = self._lib.sk_X509_value(sk_x509, i)
+             self.openssl_assert(x509 != self._ffi.NULL)
+diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
+index 91ac842..b98a9f1 100644
+--- a/tests/hazmat/primitives/test_pkcs7.py
+++ b/tests/hazmat/primitives/test_pkcs7.py
+@@ -81,6 +81,12 @@ class TestPKCS7Loading(object):
+                 mode="rb",
+             )
+    def test_load_pkcs7_empty_certificates(self):
+        der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
+
+        certificates = pkcs7.load_der_pkcs7_certificates(der)
+        assert certificates == []
+
+ # We have no public verification API and won't be adding one until we get
+ # some requirements from users so this function exists to give us basic
+--
+2.40.0
diff --git a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
index c3ae0c1ab9..c429c75e1b 100644
--- a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
+++ b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
@@ -18,6 +18,7 @@ SRC_URI += " \
    file://0002-Cargo.toml-edition-2018-2021.patch \
    file://fix-leak-metric.patch \
    file://CVE-2023-23931.patch \
+    file://CVE-2023-49083.patch \
 "
 inherit pypi python_setuptools3_rust
author	Narpat Mali <narpat.mali@windriver.com>	2023-12-06 08:59:00 +0000
committer	Steve Sakoman <steve@sakoman.com>	2023-12-12 04:20:34 -1000
commit	31507dd07a36234b888759bab256644446b85ff3 (patch)
tree	4b43042486b56ee33094fb8318272fcdfe79f062
parent	82e76d21dcf8ca39ce1a0f7d6af9b66e665625a4 (diff)
download	poky-31507dd07a36234b888759bab256644446b85ff3.tar.gz

diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch new file mode 100644 index 0000000000..d398eea1d9 --- /dev/null +++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch
@@ -0,0 +1,53 @@
		1	From 627ac5e314303acc00a19d58f09eb1eabd029fd1 Mon Sep 17 00:00:00 2001
		2	From: Alex Gaynor <alex.gaynor@gmail.com>
		3	Date: Wed, 6 Dec 2023 08:04:53 +0000
		4	Subject: [PATCH] Fixed crash when loading a PKCS#7 bundle with no certificates
		5	(#9926)
		6
		7	CVE: CVE-2023-49083
		8
		9	Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/1e7b4d074e14c4e694d3ce69ad6754a6039fd6ff]
		10
		11	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
		12	---
		13	src/cryptography/hazmat/backends/openssl/backend.py \| 5 ++++-
		14	tests/hazmat/primitives/test_pkcs7.py \| 6 ++++++
		15	2 files changed, 10 insertions(+), 1 deletion(-)
		16
		17	diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
		18	index 5606fe6..c43fea0 100644
		19	--- a/src/cryptography/hazmat/backends/openssl/backend.py
		20	+++ b/src/cryptography/hazmat/backends/openssl/backend.py
		21	@@ -2189,9 +2189,12 @@ class Backend(BackendInterface):
		22	_Reasons.UNSUPPORTED_SERIALIZATION,
		23	)
		24
		25	+ certs: list[x509.Certificate] = []
		26	+ if p7.d.sign == self._ffi.NULL:
		27	+ return certs
		28	+
		29	sk_x509 = p7.d.sign.cert
		30	num = self._lib.sk_X509_num(sk_x509)
		31	- certs = []
		32	for i in range(num):
		33	x509 = self._lib.sk_X509_value(sk_x509, i)
		34	self.openssl_assert(x509 != self._ffi.NULL)
		35	diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
		36	index 91ac842..b98a9f1 100644
		37	--- a/tests/hazmat/primitives/test_pkcs7.py
		38	+++ b/tests/hazmat/primitives/test_pkcs7.py
		39	@@ -81,6 +81,12 @@ class TestPKCS7Loading(object):
		40	mode="rb",
		41	)
		42
		43	+ def test_load_pkcs7_empty_certificates(self):
		44	+ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
		45	+
		46	+ certificates = pkcs7.load_der_pkcs7_certificates(der)
		47	+ assert certificates == []
		48	+
		49
		50	# We have no public verification API and won't be adding one until we get
		51	# some requirements from users so this function exists to give us basic
		52	--
		53	2.40.0


diff --git a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb index c3ae0c1ab9..c429c75e1b 100644 --- a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb +++ b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
@@ -18,6 +18,7 @@ SRC_URI += " \
18	file://0002-Cargo.toml-edition-2018-2021.patch \	18	file://0002-Cargo.toml-edition-2018-2021.patch \
19	file://fix-leak-metric.patch \	19	file://fix-leak-metric.patch \
20	file://CVE-2023-23931.patch \	20	file://CVE-2023-23931.patch \
		21	file://CVE-2023-49083.patch \
21	"	22	"
22		23
23	inherit pypi python_setuptools3_rust	24	inherit pypi python_setuptools3_rust