python3-ecdsa: fix CVE-2026-33936

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33936 Ptests passed: root@qemux86:~# ptest-runner python3-ecdsa START: ptest-runner 2026-04-11T08:04 BEGIN: /usr/lib/python3-ecdsa/ptest ... ... Testsuite summary # TOTAL: 1978 # PASS: 1974 # SKIP: 4 # XFAIL: 0 # FAIL: 0 # XPASS: 0 # ERROR: 0 DURATION: 386 END: /usr/lib/python3-ecdsa/ptest 2026-04-11T08:10 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
author: Ankur Tyagi <ankur.tyagi85@gmail.com> 2026-04-11 23:14:46 +1200
committer: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-15 14:12:18 +0530
commit: 8ce4b233c6e2afa6be89ad31a3c77452b0f3a23b (patch)
tree: e58bee7aa2e38a373b954cf3a947d0a2b010e22c /meta-python
parent: 8e106a9b12bb8dbb24a63ef058bc12fc0c218b4b (diff)
download: meta-openembedded-8ce4b233c6e2afa6be89ad31a3c77452b0f3a23b.tar.gz
2 files changed, 57 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-ecdsa/CVE-2026-33936.patch b/meta-python/recipes-devtools/python/python3-ecdsa/CVE-2026-33936.patch
new file mode 100644
index 0000000000..f2d3743825
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-ecdsa/CVE-2026-33936.patch
@@ -0,0 +1,56 @@
+From 41e6b7be293284ef8b1f102587f0da6eae1b753f Mon Sep 17 00:00:00 2001
+From: 0xmrma <moabdelaal442004@gmail.com>
+Date: Sun, 1 Mar 2026 09:18:21 +0200
+Subject: [PATCH] der: reject truncated lengths in octet/implicit/constructed
+CVE: CVE-2026-33936
+Upstream-Status: Backport [https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/ecdsa/der.py      |  4 ++++
+ src/ecdsa/test_der.py | 13 +++++++++++++
+ 2 files changed, 17 insertions(+)
+diff --git a/src/ecdsa/der.py b/src/ecdsa/der.py
+index b291485..5bbfaa3 100644
+--- a/src/ecdsa/der.py
+++ b/src/ecdsa/der.py
+@@ -137,6 +137,8 @@ def remove_constructed(string):
+         )
+     tag = s0 & 0x1F
+     length, llen = read_length(string[1:])
+    if length > len(string) - 1 - llen:
+        raise UnexpectedDER("Length longer than the provided buffer")
+     body = string[1 + llen : 1 + llen + length]
+     rest = string[1 + llen + length :]
+     return tag, body, rest
+@@ -160,6 +162,8 @@ def remove_octet_string(string):
+         n = str_idx_as_int(string, 0)
+         raise UnexpectedDER("wanted type 'octetstring' (0x04), got 0x%02x" % n)
+     length, llen = read_length(string[1:])
+    if length > len(string) - 1 - llen:
+        raise UnexpectedDER("Length longer than the provided buffer")
+     body = string[1 + llen : 1 + llen + length]
+     rest = string[1 + llen + length :]
+     return body, rest
+diff --git a/src/ecdsa/test_der.py b/src/ecdsa/test_der.py
+index 0c2dc4d..28d231e 100644
+--- a/src/ecdsa/test_der.py
+++ b/src/ecdsa/test_der.py
+@@ -476,3 +476,16 @@ def test_oids(ids):
+     decoded_oid, rest = remove_object(encoded_oid)
+     assert rest == b""
+     assert decoded_oid == ids
+
+def test_remove_octet_string_rejects_truncated_length():
+    # OCTET STRING: declared length 4096, but only 3 bytes present
+    bad = b"\x04\x82\x10\x00" + b"ABC"
+    with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
+        remove_octet_string(bad)
+
+def test_remove_constructed_rejects_truncated_length():
+    # Constructed tag: 0xA0 (context-specific constructed, tag=0)
+    # declared length 4096, but only 3 bytes present
+    bad = b"\xA0\x82\x10\x00" + b"ABC"
+    with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
+        remove_constructed(bad)
diff --git a/meta-python/recipes-devtools/python/python3-ecdsa_0.19.0.bb b/meta-python/recipes-devtools/python/python3-ecdsa_0.19.0.bb
index 8e967f9259..0ae93fe3d9 100644
--- a/meta-python/recipes-devtools/python/python3-ecdsa_0.19.0.bb
+++ b/meta-python/recipes-devtools/python/python3-ecdsa_0.19.0.bb
@@ -10,6 +10,7 @@ inherit pypi setuptools3 python3native ptest
 SRC_URI += " \
        file://run-ptest \
+        file://CVE-2026-33936.patch \
 "
 RDEPENDS:${PN}-ptest += " \
author	Ankur Tyagi <ankur.tyagi85@gmail.com>	2026-04-11 23:14:46 +1200
committer	Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-04-15 14:12:18 +0530
commit	8ce4b233c6e2afa6be89ad31a3c77452b0f3a23b (patch)
tree	e58bee7aa2e38a373b954cf3a947d0a2b010e22c /meta-python
parent	8e106a9b12bb8dbb24a63ef058bc12fc0c218b4b (diff)
download	meta-openembedded-8ce4b233c6e2afa6be89ad31a3c77452b0f3a23b.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-ecdsa/CVE-2026-33936.patch b/meta-python/recipes-devtools/python/python3-ecdsa/CVE-2026-33936.patch new file mode 100644 index 0000000000..f2d3743825 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-ecdsa/CVE-2026-33936.patch
@@ -0,0 +1,56 @@
		1	From 41e6b7be293284ef8b1f102587f0da6eae1b753f Mon Sep 17 00:00:00 2001
		2	From: 0xmrma <moabdelaal442004@gmail.com>
		3	Date: Sun, 1 Mar 2026 09:18:21 +0200
		4	Subject: [PATCH] der: reject truncated lengths in octet/implicit/constructed
		5
		6	CVE: CVE-2026-33936
		7	Upstream-Status: Backport [https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3]
		8	Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
		9	---
		10	src/ecdsa/der.py \| 4 ++++
		11	src/ecdsa/test_der.py \| 13 +++++++++++++
		12	2 files changed, 17 insertions(+)
		13
		14	diff --git a/src/ecdsa/der.py b/src/ecdsa/der.py
		15	index b291485..5bbfaa3 100644
		16	--- a/src/ecdsa/der.py
		17	+++ b/src/ecdsa/der.py
		18	@@ -137,6 +137,8 @@ def remove_constructed(string):
		19	)
		20	tag = s0 & 0x1F
		21	length, llen = read_length(string[1:])
		22	+ if length > len(string) - 1 - llen:
		23	+ raise UnexpectedDER("Length longer than the provided buffer")
		24	body = string[1 + llen : 1 + llen + length]
		25	rest = string[1 + llen + length :]
		26	return tag, body, rest
		27	@@ -160,6 +162,8 @@ def remove_octet_string(string):
		28	n = str_idx_as_int(string, 0)
		29	raise UnexpectedDER("wanted type 'octetstring' (0x04), got 0x%02x" % n)
		30	length, llen = read_length(string[1:])
		31	+ if length > len(string) - 1 - llen:
		32	+ raise UnexpectedDER("Length longer than the provided buffer")
		33	body = string[1 + llen : 1 + llen + length]
		34	rest = string[1 + llen + length :]
		35	return body, rest
		36	diff --git a/src/ecdsa/test_der.py b/src/ecdsa/test_der.py
		37	index 0c2dc4d..28d231e 100644
		38	--- a/src/ecdsa/test_der.py
		39	+++ b/src/ecdsa/test_der.py
		40	@@ -476,3 +476,16 @@ def test_oids(ids):
		41	decoded_oid, rest = remove_object(encoded_oid)
		42	assert rest == b""
		43	assert decoded_oid == ids
		44	+
		45	+def test_remove_octet_string_rejects_truncated_length():
		46	+ # OCTET STRING: declared length 4096, but only 3 bytes present
		47	+ bad = b"\x04\x82\x10\x00" + b"ABC"
		48	+ with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
		49	+ remove_octet_string(bad)
		50	+
		51	+def test_remove_constructed_rejects_truncated_length():
		52	+ # Constructed tag: 0xA0 (context-specific constructed, tag=0)
		53	+ # declared length 4096, but only 3 bytes present
		54	+ bad = b"\xA0\x82\x10\x00" + b"ABC"
		55	+ with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
		56	+ remove_constructed(bad)


diff --git a/meta-python/recipes-devtools/python/python3-ecdsa_0.19.0.bb b/meta-python/recipes-devtools/python/python3-ecdsa_0.19.0.bb index 8e967f9259..0ae93fe3d9 100644 --- a/meta-python/recipes-devtools/python/python3-ecdsa_0.19.0.bb +++ b/meta-python/recipes-devtools/python/python3-ecdsa_0.19.0.bb
@@ -10,6 +10,7 @@ inherit pypi setuptools3 python3native ptest
10		10
11	SRC_URI += " \	11	SRC_URI += " \
12	file://run-ptest \	12	file://run-ptest \
		13	file://CVE-2026-33936.patch \
13	"	14	"
14		15
15	RDEPENDS:${PN}-ptest += " \	16	RDEPENDS:${PN}-ptest += " \