Bug#850003: jessie-pu: package python-cryptography/0.6.1-1+deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Backport the fix for CVE-2016-9243 which was deemed not severe enough for a
DSA. I've attached a full debdiff, the patch is quite small and self-contained,
although I needed another patch to fix building against the libssl now in
jessie.
-- System Information:
Debian Release: stretch/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.8.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_ZA.utf8, LC_CTYPE=en_ZA.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru python-cryptography-0.6.1/debian/changelog python-cryptography-0.6.1/debian/changelog
--- python-cryptography-0.6.1/debian/changelog 2014-10-16 06:46:31.000000000 +0200
+++ python-cryptography-0.6.1/debian/changelog 2017-01-01 22:19:17.000000000 +0200
@@ -1,3 +1,12 @@
+python-cryptography (0.6.1-1+deb8u1) stable; urgency=high
+
+ * Stable update.
+ * Backport the fix for CVE-2016-9243 (HKDF returns an empty byte string
+ for small key sizes).
+ * Fix FTBFS due to SSL2 method detection.
+
+ -- Tristan Seligmann <mithrandi@debian.org> Sun, 01 Jan 2017 22:19:17 +0200
+
python-cryptography (0.6.1-1) unstable; urgency=medium
* New upstream release.
diff -Nru python-cryptography-0.6.1/debian/patches/3215.patch python-cryptography-0.6.1/debian/patches/3215.patch
--- python-cryptography-0.6.1/debian/patches/3215.patch 1970-01-01 02:00:00.000000000 +0200
+++ python-cryptography-0.6.1/debian/patches/3215.patch 2017-01-01 22:19:17.000000000 +0200
@@ -0,0 +1,40 @@
+From d945a5213f2b2bbb189bbc2be407aa35e0dab204 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Sat, 5 Nov 2016 21:18:15 -0400
+Subject: [PATCH] Fixes #3211 -- fixed hkdf's output with short length
+
+Index: python-cryptography/cryptography/hazmat/primitives/kdf/hkdf.py
+===================================================================
+--- python-cryptography.orig/cryptography/hazmat/primitives/kdf/hkdf.py 2017-01-01 22:24:27.090828930 +0200
++++ python-cryptography/cryptography/hazmat/primitives/kdf/hkdf.py 2017-01-01 22:24:27.086828861 +0200
+@@ -99,7 +99,7 @@
+ output = [b""]
+ counter = 1
+
+- while (self._algorithm.digest_size // 8) * len(output) < self._length:
++ while self._algorithm.digest_size * (len(output) - 1) < self._length:
+ h = hmac.HMAC(key_material, self._algorithm, backend=self._backend)
+ h.update(output[-1])
+ h.update(self._info)
+Index: python-cryptography/tests/hazmat/primitives/test_hkdf.py
+===================================================================
+--- python-cryptography.orig/tests/hazmat/primitives/test_hkdf.py 2017-01-01 22:24:27.090828930 +0200
++++ python-cryptography/tests/hazmat/primitives/test_hkdf.py 2017-01-01 22:24:27.086828861 +0200
+@@ -152,6 +152,17 @@
+
+ hkdf.verify(b"foo", six.u("bar"))
+
++ def test_derive_short_output(self, backend):
++ hkdf = HKDF(
++ hashes.SHA256(),
++ 4,
++ salt=None,
++ info=None,
++ backend=backend
++ )
++
++ assert hkdf.derive(b"\x01" * 16) == b"gJ\xfb{"
++
+
+ @pytest.mark.hmac
+ class TestHKDFExpand(object):
diff -Nru python-cryptography-0.6.1/debian/patches/series python-cryptography-0.6.1/debian/patches/series
--- python-cryptography-0.6.1/debian/patches/series 1970-01-01 02:00:00.000000000 +0200
+++ python-cryptography-0.6.1/debian/patches/series 2017-01-01 22:19:17.000000000 +0200
@@ -0,0 +1,2 @@
+ssl2-detection.patch
+3215.patch
diff -Nru python-cryptography-0.6.1/debian/patches/ssl2-detection.patch python-cryptography-0.6.1/debian/patches/ssl2-detection.patch
--- python-cryptography-0.6.1/debian/patches/ssl2-detection.patch 1970-01-01 02:00:00.000000000 +0200
+++ python-cryptography-0.6.1/debian/patches/ssl2-detection.patch 2017-01-01 22:19:17.000000000 +0200
@@ -0,0 +1,13 @@
+Index: python-cryptography/cryptography/hazmat/bindings/openssl/ssl.py
+===================================================================
+--- python-cryptography.orig/cryptography/hazmat/bindings/openssl/ssl.py 2017-01-01 22:33:41.640198755 +0200
++++ python-cryptography/cryptography/hazmat/bindings/openssl/ssl.py 2017-01-01 22:34:20.336845122 +0200
+@@ -384,7 +384,7 @@
+ #else
+ static const long Cryptography_HAS_SECURE_RENEGOTIATION = 1;
+ #endif
+-#ifdef OPENSSL_NO_SSL2
++#ifdef OPENSSL_NO_SSL2_METHOD
+ static const long Cryptography_HAS_SSL2 = 0;
+ SSL_METHOD* (*SSLv2_method)(void) = NULL;
+ SSL_METHOD* (*SSLv2_client_method)(void) = NULL;
Reply to: