* [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448 @ 2026-03-25 7:23 Vijay Anusuri 2026-03-25 7:23 ` [OE-core][scarthgap][patch 2/2] python3-pyopenssl: Fix CVE-2026-27459 Vijay Anusuri 2026-03-27 23:22 ` [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448 Yoann Congal 0 siblings, 2 replies; 4+ messages in thread From: Vijay Anusuri @ 2026-03-25 7:23 UTC (permalink / raw) To: openembedded-core; +Cc: Vijay Anusuri Pick patch mentioned in NVD [1] https://nvd.nist.gov/vuln/detail/CVE-2026-27448 [2] https://ubuntu.com/security/CVE-2026-27448 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> --- .../python3-pyopenssl/CVE-2026-27448.patch | 124 ++++++++++++++++++ .../python/python3-pyopenssl_24.0.0.bb | 4 + 2 files changed, 128 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch diff --git a/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch new file mode 100644 index 0000000000..87f46b4cb0 --- /dev/null +++ b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch @@ -0,0 +1,124 @@ +From d41a814759a9fb49584ca8ab3f7295de49a85aa0 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor <alex.gaynor@gmail.com> +Date: Mon, 16 Feb 2026 21:04:37 -0500 +Subject: [PATCH] Handle exceptions in set_tlsext_servername_callback callbacks + (#1478) + +When the servername callback raises an exception, call sys.excepthook +with the exception info and return SSL_TLSEXT_ERR_ALERT_FATAL to abort +the handshake. Previously, exceptions would propagate uncaught through +the CFFI callback boundary. + +https://claude.ai/code/session_01P7y1XmWkdtC5UcmZwGDvGi + +Co-authored-by: Claude <noreply@anthropic.com> + +Upstream-Status: Backport [https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0] +CVE: CVE-2026-27448 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + CHANGELOG.rst | 1 + + src/OpenSSL/SSL.py | 7 ++++++- + tests/test_ssl.py | 50 ++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 57 insertions(+), 1 deletion(-) + +diff --git a/CHANGELOG.rst b/CHANGELOG.rst +index 6e23770..12e60e4 100644 +--- a/CHANGELOG.rst ++++ b/CHANGELOG.rst +@@ -18,6 +18,7 @@ Changes: + + - Added ``OpenSSL.SSL.Connection.get_selected_srtp_profile`` to determine which SRTP profile was negotiated. + `#1279 <https://github.com/pyca/pyopenssl/pull/1279>`_. ++- ``Context.set_tlsext_servername_callback`` now handles exceptions raised in the callback by calling ``sys.excepthook`` and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded. + + 23.3.0 (2023-10-25) + ------------------- +diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py +index 4db5240..a6263c4 100644 +--- a/src/OpenSSL/SSL.py ++++ b/src/OpenSSL/SSL.py +@@ -1,5 +1,6 @@ + import os + import socket ++import sys + import typing + from errno import errorcode + from functools import partial, wraps +@@ -1567,7 +1568,11 @@ class Context: + + @wraps(callback) + def wrapper(ssl, alert, arg): +- callback(Connection._reverse_mapping[ssl]) ++ try: ++ callback(Connection._reverse_mapping[ssl]) ++ except Exception: ++ sys.excepthook(*sys.exc_info()) ++ return _lib.SSL_TLSEXT_ERR_ALERT_FATAL + return 0 + + self._tlsext_servername_callback = _ffi.callback( +diff --git a/tests/test_ssl.py b/tests/test_ssl.py +index ca5bf83..55489b9 100644 +--- a/tests/test_ssl.py ++++ b/tests/test_ssl.py +@@ -1855,6 +1855,56 @@ class TestServerNameCallback: + + assert args == [(server, b"foo1.example.com")] + ++ def test_servername_callback_exception( ++ self, monkeypatch: pytest.MonkeyPatch ++ ) -> None: ++ """ ++ When the callback passed to `Context.set_tlsext_servername_callback` ++ raises an exception, ``sys.excepthook`` is called with the exception ++ and the handshake fails with an ``Error``. ++ """ ++ exc = TypeError("server name callback failed") ++ ++ def servername(conn: Connection) -> None: ++ raise exc ++ ++ excepthook_calls: list[ ++ tuple[type[BaseException], BaseException, object] ++ ] = [] ++ ++ def custom_excepthook( ++ exc_type: type[BaseException], ++ exc_value: BaseException, ++ exc_tb: object, ++ ) -> None: ++ excepthook_calls.append((exc_type, exc_value, exc_tb)) ++ ++ context = Context(SSLv23_METHOD) ++ context.set_tlsext_servername_callback(servername) ++ ++ # Necessary to actually accept the connection ++ context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) ++ context.use_certificate( ++ load_certificate(FILETYPE_PEM, server_cert_pem) ++ ) ++ ++ # Do a little connection to trigger the logic ++ server = Connection(context, None) ++ server.set_accept_state() ++ ++ client = Connection(Context(SSLv23_METHOD), None) ++ client.set_connect_state() ++ client.set_tlsext_host_name(b"foo1.example.com") ++ ++ monkeypatch.setattr(sys, "excepthook", custom_excepthook) ++ with pytest.raises(Error): ++ interact_in_memory(server, client) ++ ++ assert len(excepthook_calls) == 1 ++ assert excepthook_calls[0][0] is TypeError ++ assert excepthook_calls[0][1] is exc ++ assert excepthook_calls[0][2] is not None ++ + + class TestApplicationLayerProtoNegotiation: + """ +-- +2.43.0 + diff --git a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb index 116f214bfa..bc0b568a46 100644 --- a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb +++ b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb @@ -10,6 +10,10 @@ SRC_URI[sha256sum] = "6aa33039a93fffa4563e655b61d11364d01264be8ccb49906101e02a33 PYPI_PACKAGE = "pyOpenSSL" inherit pypi setuptools3 +SRC_URI += " \ + file://CVE-2026-27448.patch \ +" + PACKAGES =+ "${PN}-tests" FILES:${PN}-tests = "${libdir}/${PYTHON_DIR}/site-packages/OpenSSL/test" -- 2.43.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* [OE-core][scarthgap][patch 2/2] python3-pyopenssl: Fix CVE-2026-27459 2026-03-25 7:23 [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448 Vijay Anusuri @ 2026-03-25 7:23 ` Vijay Anusuri 2026-03-27 23:22 ` [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448 Yoann Congal 1 sibling, 0 replies; 4+ messages in thread From: Vijay Anusuri @ 2026-03-25 7:23 UTC (permalink / raw) To: openembedded-core; +Cc: Vijay Anusuri Pick patch mentioned in NVD [1] https://nvd.nist.gov/vuln/detail/CVE-2026-27459 [2] https://ubuntu.com/security/CVE-2026-27459 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> --- .../python3-pyopenssl/CVE-2026-27459.patch | 109 ++++++++++++++++++ .../python/python3-pyopenssl_24.0.0.bb | 1 + 2 files changed, 110 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch diff --git a/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch new file mode 100644 index 0000000000..f75540f96e --- /dev/null +++ b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch @@ -0,0 +1,109 @@ +From 57f09bb4bb051d3bc2a1abd36e9525313d5cd408 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor <alex.gaynor@gmail.com> +Date: Wed, 18 Feb 2026 07:46:15 -0500 +Subject: [PATCH] Fix buffer overflow in DTLS cookie generation callback + (#1479) + +The cookie generate callback copied user-returned bytes into a +fixed-size native buffer without enforcing a maximum length. A +callback returning more than DTLS1_COOKIE_LENGTH bytes would overflow +the OpenSSL-provided buffer, corrupting adjacent memory. + +Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> + +Upstream-Status: Backport [https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408] +CVE: CVE-2026-27459 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + CHANGELOG.rst | 1 + + src/OpenSSL/SSL.py | 7 +++++++ + tests/test_ssl.py | 38 ++++++++++++++++++++++++++++++++++++++ + 3 files changed, 46 insertions(+) + +diff --git a/CHANGELOG.rst b/CHANGELOG.rst +index 12e60e4..6041fdc 100644 +--- a/CHANGELOG.rst ++++ b/CHANGELOG.rst +@@ -16,6 +16,7 @@ Deprecations: + Changes: + ^^^^^^^^ + ++- Properly raise an error if a DTLS cookie callback returned a cookie longer than ``DTLS1_COOKIE_LENGTH`` bytes. Previously this would result in a buffer-overflow. + - Added ``OpenSSL.SSL.Connection.get_selected_srtp_profile`` to determine which SRTP profile was negotiated. + `#1279 <https://github.com/pyca/pyopenssl/pull/1279>`_. + - ``Context.set_tlsext_servername_callback`` now handles exceptions raised in the callback by calling ``sys.excepthook`` and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded. +diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py +index a6263c4..2e4da78 100644 +--- a/src/OpenSSL/SSL.py ++++ b/src/OpenSSL/SSL.py +@@ -691,11 +691,18 @@ class _CookieGenerateCallbackHelper(_CallbackExceptionHelper): + def __init__(self, callback): + _CallbackExceptionHelper.__init__(self) + ++ max_cookie_len = getattr(_lib, "DTLS1_COOKIE_LENGTH", 255) ++ + @wraps(callback) + def wrapper(ssl, out, outlen): + try: + conn = Connection._reverse_mapping[ssl] + cookie = callback(conn) ++ if len(cookie) > max_cookie_len: ++ raise ValueError( ++ f"Cookie too long (got {len(cookie)} bytes, " ++ f"max {max_cookie_len})" ++ ) + out[0 : len(cookie)] = cookie + outlen[0] = len(cookie) + return 1 +diff --git a/tests/test_ssl.py b/tests/test_ssl.py +index 55489b9..683e368 100644 +--- a/tests/test_ssl.py ++++ b/tests/test_ssl.py +@@ -4560,6 +4560,44 @@ class TestDTLS: + def test_it_works_with_srtp(self): + self._test_handshake_and_data(srtp_profile=b"SRTP_AES128_CM_SHA1_80") + ++ def test_cookie_generate_too_long(self) -> None: ++ s_ctx = Context(DTLS_METHOD) ++ ++ def generate_cookie(ssl: Connection) -> bytes: ++ return b"\x00" * 256 ++ ++ def verify_cookie(ssl: Connection, cookie: bytes) -> bool: ++ return True ++ ++ s_ctx.set_cookie_generate_callback(generate_cookie) ++ s_ctx.set_cookie_verify_callback(verify_cookie) ++ s_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) ++ s_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem)) ++ s_ctx.set_options(OP_NO_QUERY_MTU) ++ s = Connection(s_ctx) ++ s.set_accept_state() ++ ++ c_ctx = Context(DTLS_METHOD) ++ c_ctx.set_options(OP_NO_QUERY_MTU) ++ c = Connection(c_ctx) ++ c.set_connect_state() ++ ++ c.set_ciphertext_mtu(1500) ++ s.set_ciphertext_mtu(1500) ++ ++ # Client sends ClientHello ++ try: ++ c.do_handshake() ++ except SSL.WantReadError: ++ pass ++ chunk = c.bio_read(self.LARGE_BUFFER) ++ s.bio_write(chunk) ++ ++ # Server tries DTLSv1_listen, which triggers cookie generation. ++ # The oversized cookie should raise ValueError. ++ with pytest.raises(ValueError, match="Cookie too long"): ++ s.DTLSv1_listen() ++ + def test_timeout(self, monkeypatch): + c_ctx = Context(DTLS_METHOD) + c = Connection(c_ctx) +-- +2.43.0 + diff --git a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb index bc0b568a46..94a70aa17d 100644 --- a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb +++ b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb @@ -12,6 +12,7 @@ inherit pypi setuptools3 SRC_URI += " \ file://CVE-2026-27448.patch \ + file://CVE-2026-27459.patch \ " PACKAGES =+ "${PN}-tests" -- 2.43.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448 2026-03-25 7:23 [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448 Vijay Anusuri 2026-03-25 7:23 ` [OE-core][scarthgap][patch 2/2] python3-pyopenssl: Fix CVE-2026-27459 Vijay Anusuri @ 2026-03-27 23:22 ` Yoann Congal 2026-03-28 2:11 ` Vijay Anusuri 1 sibling, 1 reply; 4+ messages in thread From: Yoann Congal @ 2026-03-27 23:22 UTC (permalink / raw) To: vanusuri, openembedded-core On Wed Mar 25, 2026 at 8:23 AM CET, Vijay Anusuri via lists.openembedded.org wrote: > Pick patch mentioned in NVD > > [1] https://nvd.nist.gov/vuln/detail/CVE-2026-27448 > [2] https://ubuntu.com/security/CVE-2026-27448 > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > --- Hello, As far as I can tell, this CVE also applies to whinlatter. You need to send the fix there before I can take it for scarthgap and kirkstone. That also applies to the 2/2 patch. Regards, > .../python3-pyopenssl/CVE-2026-27448.patch | 124 ++++++++++++++++++ > .../python/python3-pyopenssl_24.0.0.bb | 4 + > 2 files changed, 128 insertions(+) > create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch > > diff --git a/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch > new file mode 100644 > index 0000000000..87f46b4cb0 > --- /dev/null > +++ b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch > @@ -0,0 +1,124 @@ > +From d41a814759a9fb49584ca8ab3f7295de49a85aa0 Mon Sep 17 00:00:00 2001 > +From: Alex Gaynor <alex.gaynor@gmail.com> > +Date: Mon, 16 Feb 2026 21:04:37 -0500 > +Subject: [PATCH] Handle exceptions in set_tlsext_servername_callback callbacks > + (#1478) > + > +When the servername callback raises an exception, call sys.excepthook > +with the exception info and return SSL_TLSEXT_ERR_ALERT_FATAL to abort > +the handshake. Previously, exceptions would propagate uncaught through > +the CFFI callback boundary. > + > +https://claude.ai/code/session_01P7y1XmWkdtC5UcmZwGDvGi > + > +Co-authored-by: Claude <noreply@anthropic.com> > + > +Upstream-Status: Backport [https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0] > +CVE: CVE-2026-27448 > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > +--- > + CHANGELOG.rst | 1 + > + src/OpenSSL/SSL.py | 7 ++++++- > + tests/test_ssl.py | 50 ++++++++++++++++++++++++++++++++++++++++++++++ > + 3 files changed, 57 insertions(+), 1 deletion(-) > + > +diff --git a/CHANGELOG.rst b/CHANGELOG.rst > +index 6e23770..12e60e4 100644 > +--- a/CHANGELOG.rst > ++++ b/CHANGELOG.rst > +@@ -18,6 +18,7 @@ Changes: > + > + - Added ``OpenSSL.SSL.Connection.get_selected_srtp_profile`` to determine which SRTP profile was negotiated. > + `#1279 <https://github.com/pyca/pyopenssl/pull/1279>`_. > ++- ``Context.set_tlsext_servername_callback`` now handles exceptions raised in the callback by calling ``sys.excepthook`` and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded. > + > + 23.3.0 (2023-10-25) > + ------------------- > +diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py > +index 4db5240..a6263c4 100644 > +--- a/src/OpenSSL/SSL.py > ++++ b/src/OpenSSL/SSL.py > +@@ -1,5 +1,6 @@ > + import os > + import socket > ++import sys > + import typing > + from errno import errorcode > + from functools import partial, wraps > +@@ -1567,7 +1568,11 @@ class Context: > + > + @wraps(callback) > + def wrapper(ssl, alert, arg): > +- callback(Connection._reverse_mapping[ssl]) > ++ try: > ++ callback(Connection._reverse_mapping[ssl]) > ++ except Exception: > ++ sys.excepthook(*sys.exc_info()) > ++ return _lib.SSL_TLSEXT_ERR_ALERT_FATAL > + return 0 > + > + self._tlsext_servername_callback = _ffi.callback( > +diff --git a/tests/test_ssl.py b/tests/test_ssl.py > +index ca5bf83..55489b9 100644 > +--- a/tests/test_ssl.py > ++++ b/tests/test_ssl.py > +@@ -1855,6 +1855,56 @@ class TestServerNameCallback: > + > + assert args == [(server, b"foo1.example.com")] > + > ++ def test_servername_callback_exception( > ++ self, monkeypatch: pytest.MonkeyPatch > ++ ) -> None: > ++ """ > ++ When the callback passed to `Context.set_tlsext_servername_callback` > ++ raises an exception, ``sys.excepthook`` is called with the exception > ++ and the handshake fails with an ``Error``. > ++ """ > ++ exc = TypeError("server name callback failed") > ++ > ++ def servername(conn: Connection) -> None: > ++ raise exc > ++ > ++ excepthook_calls: list[ > ++ tuple[type[BaseException], BaseException, object] > ++ ] = [] > ++ > ++ def custom_excepthook( > ++ exc_type: type[BaseException], > ++ exc_value: BaseException, > ++ exc_tb: object, > ++ ) -> None: > ++ excepthook_calls.append((exc_type, exc_value, exc_tb)) > ++ > ++ context = Context(SSLv23_METHOD) > ++ context.set_tlsext_servername_callback(servername) > ++ > ++ # Necessary to actually accept the connection > ++ context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) > ++ context.use_certificate( > ++ load_certificate(FILETYPE_PEM, server_cert_pem) > ++ ) > ++ > ++ # Do a little connection to trigger the logic > ++ server = Connection(context, None) > ++ server.set_accept_state() > ++ > ++ client = Connection(Context(SSLv23_METHOD), None) > ++ client.set_connect_state() > ++ client.set_tlsext_host_name(b"foo1.example.com") > ++ > ++ monkeypatch.setattr(sys, "excepthook", custom_excepthook) > ++ with pytest.raises(Error): > ++ interact_in_memory(server, client) > ++ > ++ assert len(excepthook_calls) == 1 > ++ assert excepthook_calls[0][0] is TypeError > ++ assert excepthook_calls[0][1] is exc > ++ assert excepthook_calls[0][2] is not None > ++ > + > + class TestApplicationLayerProtoNegotiation: > + """ > +-- > +2.43.0 > + > diff --git a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb > index 116f214bfa..bc0b568a46 100644 > --- a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb > +++ b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb > @@ -10,6 +10,10 @@ SRC_URI[sha256sum] = "6aa33039a93fffa4563e655b61d11364d01264be8ccb49906101e02a33 > PYPI_PACKAGE = "pyOpenSSL" > inherit pypi setuptools3 > > +SRC_URI += " \ > + file://CVE-2026-27448.patch \ > +" > + > PACKAGES =+ "${PN}-tests" > FILES:${PN}-tests = "${libdir}/${PYTHON_DIR}/site-packages/OpenSSL/test" > -- Yoann Congal Smile ECS ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448 2026-03-27 23:22 ` [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448 Yoann Congal @ 2026-03-28 2:11 ` Vijay Anusuri 0 siblings, 0 replies; 4+ messages in thread From: Vijay Anusuri @ 2026-03-28 2:11 UTC (permalink / raw) To: Yoann Congal; +Cc: Patches and discussions about the oe-core layer [-- Attachment #1: Type: text/plain, Size: 7372 bytes --] Hi Yoann, As kirkstone LTS going to end this month, I've sent patches for both kirkstone and scarthgap first. I will send patches for whinlatter soon. Thanks for reminding me. Thanks & Regards, Vijay On Sat, 28 Mar, 2026, 4:53 am Yoann Congal, <yoann.congal@smile.fr> wrote: > On Wed Mar 25, 2026 at 8:23 AM CET, Vijay Anusuri via > lists.openembedded.org wrote: > > Pick patch mentioned in NVD > > > > [1] https://nvd.nist.gov/vuln/detail/CVE-2026-27448 > > [2] https://ubuntu.com/security/CVE-2026-27448 > > > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > --- > > Hello, > > As far as I can tell, this CVE also applies to whinlatter. You need to > send the fix there before I can take it for scarthgap and kirkstone. > > That also applies to the 2/2 patch. > > Regards, > > > > .../python3-pyopenssl/CVE-2026-27448.patch | 124 ++++++++++++++++++ > > .../python/python3-pyopenssl_24.0.0.bb | 4 + > > 2 files changed, 128 insertions(+) > > create mode 100644 > meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch > > > > diff --git > a/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch > b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch > > new file mode 100644 > > index 0000000000..87f46b4cb0 > > --- /dev/null > > +++ b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch > > @@ -0,0 +1,124 @@ > > +From d41a814759a9fb49584ca8ab3f7295de49a85aa0 Mon Sep 17 00:00:00 2001 > > +From: Alex Gaynor <alex.gaynor@gmail.com> > > +Date: Mon, 16 Feb 2026 21:04:37 -0500 > > +Subject: [PATCH] Handle exceptions in set_tlsext_servername_callback > callbacks > > + (#1478) > > + > > +When the servername callback raises an exception, call sys.excepthook > > +with the exception info and return SSL_TLSEXT_ERR_ALERT_FATAL to abort > > +the handshake. Previously, exceptions would propagate uncaught through > > +the CFFI callback boundary. > > + > > +https://claude.ai/code/session_01P7y1XmWkdtC5UcmZwGDvGi > > + > > +Co-authored-by: Claude <noreply@anthropic.com> > > + > > +Upstream-Status: Backport [ > https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0 > ] > > +CVE: CVE-2026-27448 > > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > +--- > > + CHANGELOG.rst | 1 + > > + src/OpenSSL/SSL.py | 7 ++++++- > > + tests/test_ssl.py | 50 ++++++++++++++++++++++++++++++++++++++++++++++ > > + 3 files changed, 57 insertions(+), 1 deletion(-) > > + > > +diff --git a/CHANGELOG.rst b/CHANGELOG.rst > > +index 6e23770..12e60e4 100644 > > +--- a/CHANGELOG.rst > > ++++ b/CHANGELOG.rst > > +@@ -18,6 +18,7 @@ Changes: > > + > > + - Added ``OpenSSL.SSL.Connection.get_selected_srtp_profile`` to > determine which SRTP profile was negotiated. > > + `#1279 <https://github.com/pyca/pyopenssl/pull/1279>`_. > > ++- ``Context.set_tlsext_servername_callback`` now handles exceptions > raised in the callback by calling ``sys.excepthook`` and returning a fatal > TLS alert. Previously, exceptions were silently swallowed and the handshake > would proceed as if the callback had succeeded. > > + > > + 23.3.0 (2023-10-25) > > + ------------------- > > +diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py > > +index 4db5240..a6263c4 100644 > > +--- a/src/OpenSSL/SSL.py > > ++++ b/src/OpenSSL/SSL.py > > +@@ -1,5 +1,6 @@ > > + import os > > + import socket > > ++import sys > > + import typing > > + from errno import errorcode > > + from functools import partial, wraps > > +@@ -1567,7 +1568,11 @@ class Context: > > + > > + @wraps(callback) > > + def wrapper(ssl, alert, arg): > > +- callback(Connection._reverse_mapping[ssl]) > > ++ try: > > ++ callback(Connection._reverse_mapping[ssl]) > > ++ except Exception: > > ++ sys.excepthook(*sys.exc_info()) > > ++ return _lib.SSL_TLSEXT_ERR_ALERT_FATAL > > + return 0 > > + > > + self._tlsext_servername_callback = _ffi.callback( > > +diff --git a/tests/test_ssl.py b/tests/test_ssl.py > > +index ca5bf83..55489b9 100644 > > +--- a/tests/test_ssl.py > > ++++ b/tests/test_ssl.py > > +@@ -1855,6 +1855,56 @@ class TestServerNameCallback: > > + > > + assert args == [(server, b"foo1.example.com")] > > + > > ++ def test_servername_callback_exception( > > ++ self, monkeypatch: pytest.MonkeyPatch > > ++ ) -> None: > > ++ """ > > ++ When the callback passed to > `Context.set_tlsext_servername_callback` > > ++ raises an exception, ``sys.excepthook`` is called with the > exception > > ++ and the handshake fails with an ``Error``. > > ++ """ > > ++ exc = TypeError("server name callback failed") > > ++ > > ++ def servername(conn: Connection) -> None: > > ++ raise exc > > ++ > > ++ excepthook_calls: list[ > > ++ tuple[type[BaseException], BaseException, object] > > ++ ] = [] > > ++ > > ++ def custom_excepthook( > > ++ exc_type: type[BaseException], > > ++ exc_value: BaseException, > > ++ exc_tb: object, > > ++ ) -> None: > > ++ excepthook_calls.append((exc_type, exc_value, exc_tb)) > > ++ > > ++ context = Context(SSLv23_METHOD) > > ++ context.set_tlsext_servername_callback(servername) > > ++ > > ++ # Necessary to actually accept the connection > > ++ context.use_privatekey(load_privatekey(FILETYPE_PEM, > server_key_pem)) > > ++ context.use_certificate( > > ++ load_certificate(FILETYPE_PEM, server_cert_pem) > > ++ ) > > ++ > > ++ # Do a little connection to trigger the logic > > ++ server = Connection(context, None) > > ++ server.set_accept_state() > > ++ > > ++ client = Connection(Context(SSLv23_METHOD), None) > > ++ client.set_connect_state() > > ++ client.set_tlsext_host_name(b"foo1.example.com") > > ++ > > ++ monkeypatch.setattr(sys, "excepthook", custom_excepthook) > > ++ with pytest.raises(Error): > > ++ interact_in_memory(server, client) > > ++ > > ++ assert len(excepthook_calls) == 1 > > ++ assert excepthook_calls[0][0] is TypeError > > ++ assert excepthook_calls[0][1] is exc > > ++ assert excepthook_calls[0][2] is not None > > ++ > > + > > + class TestApplicationLayerProtoNegotiation: > > + """ > > +-- > > +2.43.0 > > + > > diff --git a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb > b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb > > index 116f214bfa..bc0b568a46 100644 > > --- a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb > > +++ b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb > > @@ -10,6 +10,10 @@ SRC_URI[sha256sum] = > "6aa33039a93fffa4563e655b61d11364d01264be8ccb49906101e02a33 > > PYPI_PACKAGE = "pyOpenSSL" > > inherit pypi setuptools3 > > > > +SRC_URI += " \ > > + file://CVE-2026-27448.patch \ > > +" > > + > > PACKAGES =+ "${PN}-tests" > > FILES:${PN}-tests = "${libdir}/${PYTHON_DIR}/site-packages/OpenSSL/test" > > > > > -- > Yoann Congal > Smile ECS > > [-- Attachment #2: Type: text/html, Size: 10671 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-03-28 2:12 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-03-25 7:23 [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448 Vijay Anusuri 2026-03-25 7:23 ` [OE-core][scarthgap][patch 2/2] python3-pyopenssl: Fix CVE-2026-27459 Vijay Anusuri 2026-03-27 23:22 ` [OE-core][scarthgap][patch 1/2] python3-pyopenssl: Fix CVE-2026-27448 Yoann Congal 2026-03-28 2:11 ` Vijay Anusuri
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox