summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools
diff options
context:
space:
mode:
authorNguyen Dat Tho <tho3.nguyen@lge.com>2026-03-30 17:17:19 +0900
committerPaul Barker <paul@pbarker.dev>2026-04-02 13:41:54 +0100
commit7421603502b72418aee17e57184acc6dd9355bdf (patch)
tree80282eeb5ba3ad798fb0b62efeae8d98c0f91a17 /meta/recipes-devtools
parent5c365149ac49147729104c49b3b0054ba80344db (diff)
downloadpoky-7421603502b72418aee17e57184acc6dd9355bdf.tar.gz
python3-cryptography: Fix CVE-2026-26007
CVE-2026-26007 is fixed upstream in version 46.0.5. Our current version (42.0.5, scarthgap) is still reported as vulnerable by NVD. Backport the upstream fix to address this CVE. Upstream commit: https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c CVE report: https://nvd.nist.gov/vuln/detail/CVE-2026-26007 (From OE-Core rev: a363958725430237160b0a83a6a6acbe8380fba3) Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r--meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch149
-rw-r--r--meta/recipes-devtools/python/python3-cryptography_42.0.5.bb1
2 files changed, 150 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
new file mode 100644
index 0000000000..fb76bbfca3
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
@@ -0,0 +1,149 @@
1From 42c914929b52eb16421a4ef1f7e09c8f9fdab7db Mon Sep 17 00:00:00 2001
2From: Paul Kehrer <paul.l.kehrer@gmail.com>
3Date: Wed, 18 Mar 2026 16:01:03 +0900
4Subject: [PATCH] EC check key on cofactor > 1
5
6An attacker could create a malicious public key that reveals portions of
7your private key when using certain uncommon elliptic curves (binary
8curves). This version now includes additional security checks to
9prevent this attack. This issue only affects binary elliptic curves,
10which are rarely used in real-world applications. Credit to **XlabAI
11Team of Tencent Xuanwu Lab and Atuin Automated Vulnerability Discovery
12Engine** for reporting the issue. **CVE-2026-26007**
13
14This is a partial backport of upstream commit
150eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c, to only include what's
16relevant for CVE-2026-26007.
17
18CVE: CVE-2026-26007
19
20Origin: backport, https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c
21Reference: https://salsa.debian.org/python-team/packages/python-cryptography/-/commit/464e7ca3b0b4493d5906d0c3685de71fda770c59
22
23Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com>
24Signed-off-by: Paul Kehrer <paul.l.kehrer@gmail.com>
25Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
26
27Upstream-Status: Backport [Backport from https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c]
28---
29 src/rust/src/backend/ec.rs | 39 ++++++++++++++++++++----------
30 tests/hazmat/primitives/test_ec.py | 37 ++++++++++++++++++++++++++++
31 2 files changed, 63 insertions(+), 13 deletions(-)
32
33diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs
34index 6a224b49f..27fced086 100644
35--- a/src/rust/src/backend/ec.rs
36+++ b/src/rust/src/backend/ec.rs
37@@ -155,12 +155,9 @@ pub(crate) fn public_key_from_pkey(
38 ) -> CryptographyResult<ECPublicKey> {
39 let ec = pkey.ec_key()?;
40 let curve = py_curve_from_curve(py, ec.group())?;
41- check_key_infinity(&ec)?;
42- Ok(ECPublicKey {
43- pkey: pkey.to_owned(),
44- curve: curve.into(),
45- })
46+ ECPublicKey::new(pkey.to_owned(), curve.into())
47 }
48+
49 #[pyo3::prelude::pyfunction]
50 fn generate_private_key(
51 py: pyo3::Python<'_>,
52@@ -215,10 +212,7 @@ fn from_public_bytes(
53 let ec = openssl::ec::EcKey::from_public_key(&curve, &point)?;
54 let pkey = openssl::pkey::PKey::from_ec_key(ec)?;
55
56- Ok(ECPublicKey {
57- pkey,
58- curve: py_curve.into(),
59- })
60+ ECPublicKey::new(pkey, py_curve.into())
61 }
62
63 #[pyo3::prelude::pymethods]
64@@ -357,6 +351,28 @@ impl ECPrivateKey {
65 }
66 }
67
68+impl ECPublicKey {
69+ fn new(
70+ pkey: openssl::pkey::PKey<openssl::pkey::Public>,
71+ curve: pyo3::Py<pyo3::PyAny>,
72+ ) -> CryptographyResult<ECPublicKey> {
73+ let ec = pkey.ec_key()?;
74+ check_key_infinity(&ec)?;
75+ let mut bn_ctx = openssl::bn::BigNumContext::new()?;
76+ let mut cofactor = openssl::bn::BigNum::new()?;
77+ ec.group().cofactor(&mut cofactor, &mut bn_ctx)?;
78+ let one = openssl::bn::BigNum::from_u32(1)?;
79+ if cofactor != one {
80+ ec.check_key().map_err(|_| {
81+ pyo3::exceptions::PyValueError::new_err(
82+ "Invalid EC key (key out of range, infinity, etc.)",
83+ )
84+ })?;
85+ }
86+
87+ Ok(ECPublicKey { pkey, curve })
88+ }
89+}
90 #[pyo3::prelude::pymethods]
91 impl ECPublicKey {
92 #[getter]
93@@ -591,10 +607,7 @@ impl EllipticCurvePublicNumbers {
94
95 let pkey = openssl::pkey::PKey::from_ec_key(public_key)?;
96
97- Ok(ECPublicKey {
98- pkey,
99- curve: self.curve.clone_ref(py),
100- })
101+ ECPublicKey::new(pkey, self.curve.clone_ref(py))
102 }
103
104 fn __eq__(
105diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py
106index 334e76dcc..f7f2242f6 100644
107--- a/tests/hazmat/primitives/test_ec.py
108+++ b/tests/hazmat/primitives/test_ec.py
109@@ -1340,3 +1340,40 @@ class TestECDH:
110
111 with pytest.raises(ValueError):
112 key.exchange(ec.ECDH(), public_key)
113+
114+
115+def test_invalid_sect_public_keys(backend):
116+ _skip_curve_unsupported(backend, ec.SECT571K1())
117+ public_numbers = ec.EllipticCurvePublicNumbers(1, 1, ec.SECT571K1())
118+ with pytest.raises(ValueError):
119+ public_numbers.public_key()
120+
121+ point = binascii.unhexlify(
122+ b"0400000000000000000000000000000000000000000000000000000000000000000"
123+ b"0000000000000000000000000000000000000000000000000000000000000000000"
124+ b"0000000000010000000000000000000000000000000000000000000000000000000"
125+ b"0000000000000000000000000000000000000000000000000000000000000000000"
126+ b"0000000000000000000001"
127+ )
128+ with pytest.raises(ValueError):
129+ ec.EllipticCurvePublicKey.from_encoded_point(ec.SECT571K1(), point)
130+
131+ der = binascii.unhexlify(
132+ b"3081a7301006072a8648ce3d020106052b810400260381920004000000000000000"
133+ b"0000000000000000000000000000000000000000000000000000000000000000000"
134+ b"0000000000000000000000000000000000000000000000000000000000000100000"
135+ b"0000000000000000000000000000000000000000000000000000000000000000000"
136+ b"0000000000000000000000000000000000000000000000000000000000000000000"
137+ b"00001"
138+ )
139+ with pytest.raises(ValueError):
140+ serialization.load_der_public_key(der)
141+
142+ pem = textwrap.dedent("""-----BEGIN PUBLIC KEY-----
143+ MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
144+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
145+ AAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
146+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE=
147+ -----END PUBLIC KEY-----""").encode()
148+ with pytest.raises(ValueError):
149+ serialization.load_pem_public_key(pem)
diff --git a/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb b/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb
index 732f925d92..c4573fa689 100644
--- a/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb
+++ b/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb
@@ -11,6 +11,7 @@ LDSHARED += "-pthread"
11SRC_URI[sha256sum] = "6fe07eec95dfd477eb9530aef5bead34fec819b3aaf6c5bd6d20565da607bfe1" 11SRC_URI[sha256sum] = "6fe07eec95dfd477eb9530aef5bead34fec819b3aaf6c5bd6d20565da607bfe1"
12 12
13SRC_URI += "file://0001-pyproject.toml-remove-benchmark-disable-option.patch \ 13SRC_URI += "file://0001-pyproject.toml-remove-benchmark-disable-option.patch \
14 file://CVE-2026-26007.patch \
14 file://check-memfree.py \ 15 file://check-memfree.py \
15 file://run-ptest \ 16 file://run-ptest \
16 " 17 "