Patch CVE-2023-49083 in python-cryptography (#7104)

2023-12-21 09:00:27 -08:00 · 2023-12-21 09:00:27 -08:00 · e2a91dbf9d
parent 32572206ca
commit e2a91dbf9d
3 changed files with 128 additions and 2 deletions
--- a/SPECS/python-cryptography/CVE-2023-49083.patch
+++ b/SPECS/python-cryptography/CVE-2023-49083.patch
@ -0,0 +1,117 @@
+From 87c06ca129dbf3d58a1391ca4ea45514262db72b Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Wed, 22 Nov 2023 16:49:56 -0500
+Subject: [PATCH 1/2] Fixed crash when loading a PKCS#7 bundle with no
+ certificates
+
+---
+ src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
+ tests/hazmat/primitives/test_pkcs7.py               | 6 ++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index 45d4a1a..f0317c7 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2664,9 +2664,12 @@ class Backend(object):
+                 _Reasons.UNSUPPORTED_SERIALIZATION,
+             )
+ 
+        certs: list[x509.Certificate] = []
+        if p7.d.sign == self._ffi.NULL:
+            return certs
+
+         sk_x509 = p7.d.sign.cert
+         num = self._lib.sk_X509_num(sk_x509)
+-        certs = []
+         for i in range(num):
+             x509 = self._lib.sk_X509_value(sk_x509, i)
+             self.openssl_assert(x509 != self._ffi.NULL)
+diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
+index 8b93cb6..148a1e1 100644
+--- a/tests/hazmat/primitives/test_pkcs7.py
+++ b/tests/hazmat/primitives/test_pkcs7.py
+@@ -80,6 +80,12 @@ class TestPKCS7Loading(object):
+                 mode="rb",
+             )
+ 
+    def test_load_pkcs7_empty_certificates(self):
+        der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
+
+        certificates = pkcs7.load_der_pkcs7_certificates(der)
+        assert certificates == []
+
+ 
+ # We have no public verification API and won't be adding one until we get
+ # some requirements from users so this function exists to give us basic
+-- 
+2.17.1
+
+
+From ce104165dd90d8f2f8ff9aaa64327daccf27b82b Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <paul.l.kehrer@gmail.com>
+Date: Thu, 30 Nov 2023 20:30:34 -0600
+Subject: [PATCH 2/2] raise an exception instead of returning an empty list and
+ update CHANGELOG.rst
+
+---
+ CHANGELOG.rst                                       | 5 +++++
+ src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++--
+ tests/hazmat/primitives/test_pkcs7.py               | 4 ++--
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/CHANGELOG.rst b/CHANGELOG.rst
+index 4dd7146..ccc6133 100644
+--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
+@@ -6,6 +6,11 @@ Changelog
+ 3.3.2 - 2021-02-07
+ ~~~~~~~~~~~~~~~~~~
+ 
+* **BACKWARDS INCOMPATIBLE:** Loading a PKCS7 with no content field using
+  :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates`
+  or
+  :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates`
+  will now raise a ``ValueError`` rather than return an empty list.
+ * **SECURITY ISSUE:** Fixed a bug where certain sequences of ``update()`` calls
+   when symmetrically encrypting very large payloads (>2GB) could result in an
+   integer overflow, leading to buffer overflows. *CVE-2020-36242*
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index f0317c7..b276f9b 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2664,12 +2664,15 @@ class Backend(object):
+                 _Reasons.UNSUPPORTED_SERIALIZATION,
+             )
+ 
+-        certs: list[x509.Certificate] = []
+         if p7.d.sign == self._ffi.NULL:
+-            return certs
+            raise ValueError(
+                "The provided PKCS7 has no certificate data, but a cert "
+                "loading method was called."
+            )
+ 
+         sk_x509 = p7.d.sign.cert
+         num = self._lib.sk_X509_num(sk_x509)
+        certs: list[x509.Certificate] = []
+         for i in range(num):
+             x509 = self._lib.sk_X509_value(sk_x509, i)
+             self.openssl_assert(x509 != self._ffi.NULL)
+diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
+index 148a1e1..34cbb16 100644
+--- a/tests/hazmat/primitives/test_pkcs7.py
+++ b/tests/hazmat/primitives/test_pkcs7.py
+@@ -83,8 +83,8 @@ class TestPKCS7Loading(object):
+     def test_load_pkcs7_empty_certificates(self):
+         der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
+ 
+-        certificates = pkcs7.load_der_pkcs7_certificates(der)
+-        assert certificates == []
+        with pytest.raises(ValueError):
+            pkcs7.load_der_pkcs7_certificates(der)
+ 
+ 
+ # We have no public verification API and won't be adding one until we get
+-- 
+2.17.1
--- a/SPECS/python-cryptography/python-cryptography.spec
+++ b/SPECS/python-cryptography/python-cryptography.spec
@ -1,7 +1,7 @@
 Summary:        Python cryptography library
 Name:           python-cryptography
 Version:        3.3.2
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -9,6 +9,7 @@ Group:          Development/Languages/Python
 URL:            https://pypi.python.org/pypi/cryptography
 Source0:        https://pypi.io/packages/source/c/cryptography/cryptography-%{version}.tar.gz
 Patch0:         CVE-2023-23931.patch
+Patch1:         CVE-2023-49083.patch
 %if %{with_check}
 BuildRequires:  python3-pip
 %endif
@ -64,6 +65,9 @@ pip3 install pretend pytest hypothesis iso8601 cryptography_vectors pytz
 %{python3_sitelib}/*

 %changelog
+* Mon Dec 18 2023 Mandeep Plaha <mandeepplaha@microsoft.com> - 3.3.2-6
+- Patch CVE-2023-49083
+
 * Wed Sep 20 2023 Jon Slobodzian <joslobo@microsoft.com> - 3.3.2-5
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)

--- a/SPECS/pytorch/pytorch.spec
+++ b/SPECS/pytorch/pytorch.spec
@ -2,7 +2,7 @@
 Summary:        Tensors and Dynamic neural networks in Python with strong GPU acceleration.
 Name:           pytorch
 Version:        2.0.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -58,6 +58,8 @@ You can reuse your favorite Python packages such as NumPy, SciPy and Cython to e
 %autosetup -a 1 -n %{name}-v%{version}

 %build
+# Use MAX_JOBS=8 to prevent build failure in ADO pipelines
+export MAX_JOBS=8
 export USE_CUDA=0
 export BUILD_CAFFE2=0
 %py3_build
@ -80,6 +82,9 @@ cp -arf docs %{buildroot}/%{_pkgdocdir}
 %{_docdir}/*

 %changelog
+* Mon Dec 18 2023 Mandeep Plaha <mandeepplaha@microsoft.com> - 2.0.0-3
+- Set MAX_JOBS=8 to prevent build failure in ADO pipelines
+
 * Thu Apr 06 2023 Riken Maharjan <rmaharjan@microsoft.com> - 2.0.0-2
 - Add missing runtine for 2.0.0