Bug#1085227: bookworm-pu: package python-cryptography/38.0.4-3+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Debian Python Team <team+python@tracker.debian.org>, security@debian.org
* CVE-2023-49083: NULL dereference when loading PKCS7 certificates
(Closes: #1057108)
* CVE-2024-26130: NULL dereference when PKCS#12 key and cert don't match
(Closes: #1064778)
diffstat for python-cryptography-38.0.4 python-cryptography-38.0.4
changelog | 10 +
patches/0001-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-cer.patch | 48 +++++++
patches/0002-Fixes-10422-don-t-crash-when-a-PKCS-12-key-and-cert-.patch | 63 ++++++++++
patches/series | 2
4 files changed, 123 insertions(+)
diff -Nru python-cryptography-38.0.4/debian/changelog python-cryptography-38.0.4/debian/changelog
--- python-cryptography-38.0.4/debian/changelog 2023-02-28 07:36:13.000000000 +0200
+++ python-cryptography-38.0.4/debian/changelog 2024-10-16 19:53:04.000000000 +0300
@@ -1,3 +1,13 @@
+python-cryptography (38.0.4-3+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2023-49083: NULL dereference when loading PKCS7 certificates
+ (Closes: #1057108)
+ * CVE-2024-26130: NULL dereference when PKCS#12 key and cert don't match
+ (Closes: #1064778)
+
+ -- Adrian Bunk <bunk@debian.org> Wed, 16 Oct 2024 19:53:04 +0300
+
python-cryptography (38.0.4-3) unstable; urgency=medium
[ Salvatore Bonaccorso ]
diff -Nru python-cryptography-38.0.4/debian/patches/0001-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-cer.patch python-cryptography-38.0.4/debian/patches/0001-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-cer.patch
--- python-cryptography-38.0.4/debian/patches/0001-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-cer.patch 1970-01-01 02:00:00.000000000 +0200
+++ python-cryptography-38.0.4/debian/patches/0001-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-cer.patch 2024-10-16 19:53:04.000000000 +0300
@@ -0,0 +1,48 @@
+From 8378c1ff784a9601966b88f1c5587d50120038c3 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Mon, 27 Nov 2023 14:35:35 -0500
+Subject: Fixed crash when loading a PKCS#7 bundle with no certificates (#9926)
+
+---
+ src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
+ tests/hazmat/primitives/test_pkcs7.py | 6 ++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index f8776b732..45a644cf6 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2454,9 +2454,12 @@ class Backend:
+ _Reasons.UNSUPPORTED_SERIALIZATION,
+ )
+
++ certs: list[x509.Certificate] = []
++ if p7.d.sign == self._ffi.NULL:
++ return certs
++
+ sk_x509 = p7.d.sign.cert
+ num = self._lib.sk_X509_num(sk_x509)
+- certs = []
+ for i in range(num):
+ x509 = self._lib.sk_X509_value(sk_x509, i)
+ self.openssl_assert(x509 != self._ffi.NULL)
+diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
+index 138bc0f3b..559e1f274 100644
+--- a/tests/hazmat/primitives/test_pkcs7.py
++++ b/tests/hazmat/primitives/test_pkcs7.py
+@@ -89,6 +89,12 @@ class TestPKCS7Loading:
+ mode="rb",
+ )
+
++ def test_load_pkcs7_empty_certificates(self, backend):
++ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
++
++ certificates = pkcs7.load_der_pkcs7_certificates(der)
++ assert certificates == []
++
+
+ # We have no public verification API and won't be adding one until we get
+ # some requirements from users so this function exists to give us basic
+--
+2.30.2
+
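Review bot: The added `certs: list[x509.Certificate] = []` names the `x509` module, while the unchanged loop a few lines below rebinds `x509` to the cffi pointer from `sk_X509_value`, so one name means a module in the annotation and a pointer in the loop; this is harmless at runtime because local-variable annotations are not evaluated, but it reads wrong and would break if the annotation were ever hoisted. Renaming the loop variable, `x509_ptr = self._lib.sk_X509_value(sk_x509, i)` and `self.openssl_assert(x509_ptr != self._ffi.NULL)`, keeps the backported fix identical and removes the shadowing. The NULL guard itself would benefit from a why-comment, e.g. `# presumably a signedData PKCS#7 with no content leaves p7.d.sign NULL; return no certificates instead of dereferencing it`. The enclosing method starts and ends outside the hunk, so it cannot be confirmed here that non-signedData types are rejected first, although the `_Reasons.UNSUPPORTED_SERIALIZATION` context line suggests they are.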
diff -Nru python-cryptography-38.0.4/debian/patches/0002-Fixes-10422-don-t-crash-when-a-PKCS-12-key-and-cert-.patch python-cryptography-38.0.4/debian/patches/0002-Fixes-10422-don-t-crash-when-a-PKCS-12-key-and-cert-.patch
--- python-cryptography-38.0.4/debian/patches/0002-Fixes-10422-don-t-crash-when-a-PKCS-12-key-and-cert-.patch 1970-01-01 02:00:00.000000000 +0200
+++ python-cryptography-38.0.4/debian/patches/0002-Fixes-10422-don-t-crash-when-a-PKCS-12-key-and-cert-.patch 2024-10-16 19:53:04.000000000 +0300
@@ -0,0 +1,63 @@
+From 5cf016c3ae8b4e60f564e6cac67d43e243034345 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Mon, 19 Feb 2024 12:09:10 -0500
+Subject: Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match
+ (#10423) (#10425)
+
+---
+ .../hazmat/backends/openssl/backend.py | 9 +++++++++
+ tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index 45a644cf6..0ae987bd3 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2378,6 +2378,15 @@ class Backend:
+ mac_iter,
+ 0,
+ )
++ if p12 == self._ffi.NULL:
++ errors = self._consume_errors()
++ raise ValueError(
++ (
++ "Failed to create PKCS12 (does the key match the "
++ "certificate?)"
++ ),
++ errors,
++ )
+
+ if (
+ self._lib.Cryptography_HAS_PKCS12_SET_MAC
+diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py
+index c9ef57e66..3de92f82a 100644
+--- a/tests/hazmat/primitives/test_pkcs12.py
++++ b/tests/hazmat/primitives/test_pkcs12.py
+@@ -682,6 +682,24 @@ class TestPKCS12Creation:
+ b"name", cakey, cacert, [], algorithm
+ )
+
++ @pytest.mark.supported(
++ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC,
++ skip_message="Requires OpenSSL with PKCS12_set_mac",
++ )
++ def test_set_mac_key_certificate_mismatch(self, backend):
++ cacert, _ = _load_ca(backend)
++ key = ec.generate_private_key(ec.SECP256R1())
++ encryption = (
++ serialization.PrivateFormat.PKCS12.encryption_builder()
++ .hmac_hash(hashes.SHA256())
++ .build(b"password")
++ )
++
++ with pytest.raises(ValueError):
++ serialize_key_and_certificates(
++ b"name", key, cacert, [], encryption
++ )
++
+
+ @pytest.mark.skip_fips(
+ reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it."
+--
+2.30.2
+
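Review bot: The added `if p12 == self._ffi.NULL` check sits before the `Cryptography_HAS_PKCS12_SET_MAC` branch and so protects every OpenSSL build, but the new test is gated with `@pytest.mark.supported(only_if=... Cryptography_HAS_PKCS12_SET_MAC ...)` and only exercises the `hmac_hash` path, leaving the mismatch case untested on builds without `PKCS12_set_mac`. A second, ungated test using one of the plain encryption algorithms the neighbouring tests already pass as `algorithm` (or `serialization.BestAvailableEncryption(b"password")`) would pin the `ValueError` on all builds. The raise site would also read more clearly with a why-comment, `# PKCS12_create returns NULL and queues OpenSSL errors when the key does not match the certificate; drain them so they cannot surface in a later call`, since `_consume_errors()` is the only thing preventing the stale queue from leaking. The enclosing method starts and ends outside the hunk.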
diff -Nru python-cryptography-38.0.4/debian/patches/series python-cryptography-38.0.4/debian/patches/series
--- python-cryptography-38.0.4/debian/patches/series 2023-02-28 07:36:13.000000000 +0200
+++ python-cryptography-38.0.4/debian/patches/series 2024-10-16 19:53:04.000000000 +0300
@@ -6,3 +6,5 @@
ease-chrono-dependency-from-0.4.22-to-0.4.patch
drop-cffi-dep.patch
Don-t-allow-update_into-to-mutate-immutable-objects-.patch
+0001-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-cer.patch
+0002-Fixes-10422-don-t-crash-when-a-PKCS-12-key-and-cert-.patch