packages/python-jwcrypto
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:574f36271615c86878ca76ac362287fbce4807fa
Branches Tags
packages:main
..
compare: packages:11c8241110708561db721e02f411a6b4015081b2
Branches Tags
packages:main

No commits in common. "574f36271615c86878ca76ac362287fbce4807fa" and "11c8241110708561db721e02f411a6b4015081b2" have entirely different histories.
574f362716 ... 11c8241110

5 changed files with 22 additions and 163 deletions
Show Stats Expand all files Collapse all files

67
CVE-2023-6681.patch
View File

@ -1,67 +0,0 @@
From d2655d370586cb830e49acfb450f87598da60be8 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 7 Dec 2023 12:49:07 -0500
Subject: [PATCH] Fix potential DoS issue with p2c header
Unbounded p2c headers may be used to cause an application that accept
PBES algorithms to spend alot of resources running PBKDF2 with a very
high number of iterations.
Clamp the default maximum to 16384 (double the default of 8192).
An application that wants to use more iterations will have to chenge the
jwa default max.
Fixes CVE-2023-6681
Signed-off-by: Simo Sorce <simo@redhat.com>
---
jwcrypto/jwa.py | 5 +++++
jwcrypto/tests.py | 12 ++++++++++++
2 files changed, 17 insertions(+)
diff --git a/jwcrypto/jwa.py b/jwcrypto/jwa.py
index de7a79f..ca4568e 100644
--- a/jwcrypto/jwa.py
+++ b/jwcrypto/jwa.py
@@ -28,6 +28,8 @@
# Implements RFC 7518 - JSON Web Algorithms (JWA)
+default_max_pbkdf2_iterations = 16384
+
class JWAAlgorithm(metaclass=ABCMeta):
@@ -588,6 +590,9 @@ def __init__(self):
self.aeskwmap = {128: _A128KW, 192: _A192KW, 256: _A256KW}
def _get_key(self, alg, key, p2s, p2c):
+ if p2c > default_max_pbkdf2_iterations:
+ raise ValueError('Invalid p2c value, too large')
+
if not isinstance(key, JWK):
# backwards compatibility for old interface
if isinstance(key, bytes):
diff --git a/jwcrypto/tests.py b/jwcrypto/tests.py
index 6069fab..bb2ff10 100644
--- a/jwcrypto/tests.py
+++ b/jwcrypto/tests.py
@@ -2099,6 +2099,18 @@ def test_pbes2_hs256_aeskw_custom_params(self):
key = jwk.JWK.from_password('password')
self.assertRaises(ValueError, enc.add_recipient, key)
+ # Test p2c iteration checks
+ maxiter = jwa.default_max_pbkdf2_iterations
+ p2cenc = jwe.JWE(plaintext='plain',
+ protected={"alg": "PBES2-HS256+A128KW",
+ "enc": "A256CBC-HS512",
+ "p2c": maxiter + 1,
+ "p2s": base64url_encode("A" * 16)})
+ with self.assertRaisesRegex(ValueError, 'too large'):
+ p2cenc.add_recipient(key)
+ jwa.default_max_pbkdf2_iterations += 2
+ p2cenc.add_recipient(key)
+
class JWATests(unittest.TestCase):
def test_jwa_create(self):

75
CVE-2024-28102.patch
View File

@ -1,75 +0,0 @@
From 90477a3b6e73da69740e00b8161f53fea19b831f Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 5 Mar 2024 16:57:17 -0500
Subject: [PATCH] Address potential DoS with high compression ratio
Fixes CVE-2024-28102
Signed-off-by: Simo Sorce <simo@redhat.com>
---
jwcrypto/jwe.py | 7 +++++++
jwcrypto/tests.py | 26 ++++++++++++++++++++++++++
2 files changed, 33 insertions(+)
diff --git a/jwcrypto/jwe.py b/jwcrypto/jwe.py
index 9412881..5df500b 100644
--- a/jwcrypto/jwe.py
+++ b/jwcrypto/jwe.py
@@ -10,6 +10,9 @@
from jwcrypto.jwa import JWA
from jwcrypto.jwk import JWKSet
+# Limit the amount of data we are willing to decompress by default.
+default_max_compressed_size = 256 * 1024
+
# RFC 7516 - 4.1
# name: (description, supported?)
@@ -422,6 +425,10 @@ def _decrypt(self, key, ppe):
compress = jh.get('zip', None)
if compress == 'DEF':
+ if len(data) > default_max_compressed_size:
+ raise InvalidJWEData(
+ 'Compressed data exceeds maximum allowed'
+ 'size' + f' ({default_max_compressed_size})')
self.plaintext = zlib.decompress(data, -zlib.MAX_WBITS)
elif compress is None:
self.plaintext = data
diff --git a/jwcrypto/tests.py b/jwcrypto/tests.py
index bb2ff10..59049f8 100644
--- a/jwcrypto/tests.py
+++ b/jwcrypto/tests.py
@@ -2111,6 +2111,32 @@ def test_pbes2_hs256_aeskw_custom_params(self):
jwa.default_max_pbkdf2_iterations += 2
p2cenc.add_recipient(key)
+ def test_jwe_decompression_max(self):
+ key = jwk.JWK(kty='oct', k=base64url_encode(b'A' * (128 // 8)))
+ payload = '{"u": "' + "u" * 400000000 + '", "uu":"' \
+ + "u" * 400000000 + '"}'
+ protected_header = {
+ "alg": "A128KW",
+ "enc": "A128GCM",
+ "typ": "JWE",
+ "zip": "DEF",
+ }
+ enc = jwe.JWE(payload.encode('utf-8'),
+ recipient=key,
+ protected=protected_header).serialize(compact=True)
+ with self.assertRaises(jwe.InvalidJWEData):
+ check = jwe.JWE()
+ check.deserialize(enc)
+ check.decrypt(key)
+
+ defmax = jwe.default_max_compressed_size
+ jwe.default_max_compressed_size = 1000000000
+ # ensure we can eraise the limit and decrypt
+ check = jwe.JWE()
+ check.deserialize(enc)
+ check.decrypt(key)
+ jwe.default_max_compressed_size = defmax
+
class JWATests(unittest.TestCase):
def test_jwa_create(self):

BIN
jwcrypto-0.5.0.tar.gz Normal file
View File

Binary file not shown.

BIN
jwcrypto-1.4.2.tar.gz
View File

Binary file not shown.

43
python-jwcrypto.spec
View File

@ -1,26 +1,29 @@
Name: python-jwcrypto Name: python-jwcrypto
Version: 1.4.2 Version: 0.5.0
Release: 3 Release: 4
Summary: Implements JWK, JWS, JWE specifications with python-cryptography Summary: Implements JWK, JWS, JWE specifications with python-cryptography
License: LGPLv3+ License: LGPLv3+
URL: https://github.com/latchset/jwcrypto URL: https://github.com/latchset/jwcrypto
Source0: https://github.com/latchset/jwcrypto/releases/download/v%{version}/jwcrypto-%{version}.tar.gz Source0: https://github.com/latchset/jwcrypto/releases/download/v%{version}/jwcrypto-%{version}.tar.gz
# https://github.com/latchset/jwcrypto/commit/d2655d370586cb830e49acfb450f87598da60be8
Patch0: CVE-2023-6681.patch
# https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f
Patch1: CVE-2024-28102.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: python2-devel python2-setuptools python2-cryptography >= 1.5 python2-pytest
BuildRequires: python%{python3_pkgversion}-devel python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-devel python%{python3_pkgversion}-setuptools
BuildRequires: python%{python3_pkgversion}-cryptography >= 2.3 python%{python3_pkgversion}-pytest BuildRequires: python%{python3_pkgversion}-cryptography >= 1.5 python%{python3_pkgversion}-pytest
BuildRequires: python%{python3_pkgversion}-deprecated
%description %description
Implements JWK, JWS, JWE specifications with python-cryptography Implements JWK, JWS, JWE specifications with python-cryptography
%package -n python2-jwcrypto
Summary: Implements JWK,JWS,JWE specifications with python-cryptography
Requires: python2-cryptography >= 1.5
%{?python_provide:%python_provide python2-jwcrypto}
%description -n python2-jwcrypto
Implements JWK, JWS, JWE specifications using python-cryptography
%package -n python%{python3_pkgversion}-jwcrypto %package -n python%{python3_pkgversion}-jwcrypto
Summary: Implements JWK, JWS, JWE specifications with python-cryptography Summary: Implements JWK, JWS, JWE specifications with python-cryptography
Requires: python%{python3_pkgversion}-cryptography >= 2.3 Requires: python%{python3_pkgversion}-cryptography >= 1.5
%{?python_provide:%python_provide python%{python3_pkgversion}-jwcrypto} %{?python_provide:%python_provide python%{python3_pkgversion}-jwcrypto}
%description -n python%{python3_pkgversion}-jwcrypto %description -n python%{python3_pkgversion}-jwcrypto
Implements JWK, JWS, JWE specifications using python-cryptography Implements JWK, JWS, JWE specifications using python-cryptography
@ -29,14 +32,24 @@ Implements JWK, JWS, JWE specifications using python-cryptography
%autosetup -n jwcrypto-%{version} -p1 %autosetup -n jwcrypto-%{version} -p1
%build %build
%py2_build
%py3_build %py3_build
%check %check
%{__python2} -bb -m pytest jwcrypto/test*.py
%{__python3} -bb -m pytest jwcrypto/test*.py %{__python3} -bb -m pytest jwcrypto/test*.py
%install %install
%py2_install
%py3_install %py3_install
%files -n python2-jwcrypto
%doc README.md LICENSE
%exclude %{_docdir}/jwcrypto
%exclude %{python2_sitelib}/jwcrypto/tests{,-cookbook}.py*
%{python2_sitelib}/jwcrypto
%{python2_sitelib}/jwcrypto-%{version}-py%{python2_version}.egg-info
%files -n python%{python3_pkgversion}-jwcrypto %files -n python%{python3_pkgversion}-jwcrypto
%doc README.md LICENSE %doc README.md LICENSE
%exclude %{_docdir}/jwcrypto %exclude %{_docdir}/jwcrypto
@ -46,17 +59,5 @@ Implements JWK, JWS, JWE specifications using python-cryptography
%{python3_sitelib}/jwcrypto-%{version}-py%{python3_version}.egg-info %{python3_sitelib}/jwcrypto-%{version}-py%{python3_version}.egg-info
%changelog %changelog
* Fri Mar 08 2024 yaoxin <yao_xin001@hoperun.com> - 1.4.2-3
- Fix CVE-2024-28102
* Fri Dec 29 2023 yaoxin <yao_xin001@hoperun.com> - 1.4.2-2
- Fix CVE-2023-6681
* Wed Dec 20 2023 yaoxin <yao_xin001@hoperun.com> - 1.4.2-1
- Upgrade to 1.4.2 for fix CVE-2022-3102
* Tue Jul 05 2022 SimpleUpdate Robot <tc@openeuler.org> - 0.9.1-1
- Upgrade to version 0.9.1
* Fri Apr 17 2020 lizhenhua <lizhenhua21@huawei.com> - 0.5.0-4 * Fri Apr 17 2020 lizhenhua <lizhenhua21@huawei.com> - 0.5.0-4
- Package init - Package init