packages/python-cryptography
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-23931

Browse Source
This commit is contained in:
zhuofeng 2023-02-14 17:03:09 +08:00
parent 272001420e
commit 9f5f05d307
2 changed files with 53 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
backport-CVE-2023-23931.patch Normal file
View File

@ -0,0 +1,45 @@
From 9fbf84efc861668755ab645530ec7be9cf3c6696 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Tue, 7 Feb 2023 11:34:18 -0500
Subject: [PATCH] Don't allow update_into to mutate immutable objects (#8230)
---
src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
tests/hazmat/primitives/test_ciphers.py | 8 ++++++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
index d5b6010..a5737dc 100644
--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -155,7 +155,7 @@ class _CipherContext(object):
data_processed = 0
total_out = 0
outlen = self._backend._ffi.new("int *")
- baseoutbuf = self._backend._ffi.from_buffer(buf)
+ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
baseinbuf = self._backend._ffi.from_buffer(data)
while data_processed != total_data_len:
diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
index ef57790..977f148 100644
--- a/tests/hazmat/primitives/test_ciphers.py
+++ b/tests/hazmat/primitives/test_ciphers.py
@@ -306,6 +306,14 @@ class TestCipherUpdateInto(object):
with pytest.raises(ValueError):
encryptor.update_into(b"testing", buf)
+ def test_update_into_immutable(self, backend):
+ key = b"\x00" * 16
+ c = ciphers.Cipher(AES(key), modes.ECB(), backend)
+ encryptor = c.encryptor()
+ buf = b"\x00" * 32
+ with pytest.raises((TypeError, BufferError)):
+ encryptor.update_into(b"testing", buf)
+
@pytest.mark.supported(
only_if=lambda backend: backend.cipher_supported(
AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)
--
2.33.0

9
python-cryptography.spec
View File

@ -1,13 +1,14 @@
%global srcname cryptography %global srcname cryptography
Name: python-%{srcname} Name: python-%{srcname}
Version: 36.0.1 Version: 36.0.1
Release: 1 Release: 2
Summary: PyCA's cryptography library Summary: PyCA's cryptography library
License: ASL 2.0 or BSD License: ASL 2.0 or BSD
URL: https://cryptography.io/en/latest/ URL: https://cryptography.io/en/latest/
Source0: %{srcname}-%{version}.tar.gz Source0: %{srcname}-%{version}.tar.gz
Patch6002: backport-provide-openssl-apis-related-to-SM-for-python.patch Patch6002: backport-provide-openssl-apis-related-to-SM-for-python.patch
Patch6003: backport-CVE-2023-23931.patch
BuildRequires: openssl-devel cargo BuildRequires: openssl-devel cargo
BuildRequires: gcc BuildRequires: gcc
@ -81,6 +82,12 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
%doc README.rst docs %doc README.rst docs
%changelog %changelog
* Tue Feb 14 2023 zhuofeng<zhuofeng2@huawei.com> - 36.0.1-2
- Type:CVE
- CVE:CVE-2023-23931
- SUG:NA
- DESC:fix CVE-2023-23931
* Feb Nov 01 2022 Ge Wang <wangge20@h-partners.com> 36.0.1-1 * Feb Nov 01 2022 Ge Wang <wangge20@h-partners.com> 36.0.1-1
- Update to version 36.0.1 - Update to version 36.0.1