diff options
author | Narpat Mali <narpat.mali@windriver.com> | 2023-12-06 08:59:00 +0000 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-12-12 04:20:34 -1000 |
commit | 31507dd07a36234b888759bab256644446b85ff3 (patch) | |
tree | 4b43042486b56ee33094fb8318272fcdfe79f062 | |
parent | 82e76d21dcf8ca39ce1a0f7d6af9b66e665625a4 (diff) | |
download | poky-31507dd07a36234b888759bab256644446b85ff3.tar.gz |
python3-cryptography: fix CVE-2023-49083
cryptography is a package designed to expose cryptographic primitives
and recipes to Python developers. Calling `load_pem_pkcs7_certificates`
or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference
and segfault. Exploitation of this vulnerability poses a serious risk of
Denial of Service (DoS) for any application attempting to deserialize a
PKCS7 blob/certificate. The consequences extend to potential disruptions
in system availability and stability. This vulnerability has been patched
in version 41.0.6.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-49083
https://security-tracker.debian.org/tracker/CVE-2023-49083
(From OE-Core rev: 2d104f78cd13a10640bc284c7fc8358bf305279c)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch | 53 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python3-cryptography_36.0.2.bb | 1 |
2 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch new file mode 100644 index 0000000000..d398eea1d9 --- /dev/null +++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From 627ac5e314303acc00a19d58f09eb1eabd029fd1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alex Gaynor <alex.gaynor@gmail.com> | ||
3 | Date: Wed, 6 Dec 2023 08:04:53 +0000 | ||
4 | Subject: [PATCH] Fixed crash when loading a PKCS#7 bundle with no certificates | ||
5 | (#9926) | ||
6 | |||
7 | CVE: CVE-2023-49083 | ||
8 | |||
9 | Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/1e7b4d074e14c4e694d3ce69ad6754a6039fd6ff] | ||
10 | |||
11 | Signed-off-by: Narpat Mali <narpat.mali@windriver.com> | ||
12 | --- | ||
13 | src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++- | ||
14 | tests/hazmat/primitives/test_pkcs7.py | 6 ++++++ | ||
15 | 2 files changed, 10 insertions(+), 1 deletion(-) | ||
16 | |||
17 | diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py | ||
18 | index 5606fe6..c43fea0 100644 | ||
19 | --- a/src/cryptography/hazmat/backends/openssl/backend.py | ||
20 | +++ b/src/cryptography/hazmat/backends/openssl/backend.py | ||
21 | @@ -2189,9 +2189,12 @@ class Backend(BackendInterface): | ||
22 | _Reasons.UNSUPPORTED_SERIALIZATION, | ||
23 | ) | ||
24 | |||
25 | + certs: list[x509.Certificate] = [] | ||
26 | + if p7.d.sign == self._ffi.NULL: | ||
27 | + return certs | ||
28 | + | ||
29 | sk_x509 = p7.d.sign.cert | ||
30 | num = self._lib.sk_X509_num(sk_x509) | ||
31 | - certs = [] | ||
32 | for i in range(num): | ||
33 | x509 = self._lib.sk_X509_value(sk_x509, i) | ||
34 | self.openssl_assert(x509 != self._ffi.NULL) | ||
35 | diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py | ||
36 | index 91ac842..b98a9f1 100644 | ||
37 | --- a/tests/hazmat/primitives/test_pkcs7.py | ||
38 | +++ b/tests/hazmat/primitives/test_pkcs7.py | ||
39 | @@ -81,6 +81,12 @@ class TestPKCS7Loading(object): | ||
40 | mode="rb", | ||
41 | ) | ||
42 | |||
43 | + def test_load_pkcs7_empty_certificates(self): | ||
44 | + der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02" | ||
45 | + | ||
46 | + certificates = pkcs7.load_der_pkcs7_certificates(der) | ||
47 | + assert certificates == [] | ||
48 | + | ||
49 | |||
50 | # We have no public verification API and won't be adding one until we get | ||
51 | # some requirements from users so this function exists to give us basic | ||
52 | -- | ||
53 | 2.40.0 | ||
diff --git a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb index c3ae0c1ab9..c429c75e1b 100644 --- a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb +++ b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb | |||
@@ -18,6 +18,7 @@ SRC_URI += " \ | |||
18 | file://0002-Cargo.toml-edition-2018-2021.patch \ | 18 | file://0002-Cargo.toml-edition-2018-2021.patch \ |
19 | file://fix-leak-metric.patch \ | 19 | file://fix-leak-metric.patch \ |
20 | file://CVE-2023-23931.patch \ | 20 | file://CVE-2023-23931.patch \ |
21 | file://CVE-2023-49083.patch \ | ||
21 | " | 22 | " |
22 | 23 | ||
23 | inherit pypi python_setuptools3_rust | 24 | inherit pypi python_setuptools3_rust |