public inbox for openembedded-core@lists.openembedded.org
From: "Mittal, Anuj" <anuj.mittal@intel.com>
To: "openembedded-core@lists.openembedded.org"
	<openembedded-core@lists.openembedded.org>,
	"steve@sakoman.com" <steve@sakoman.com>
Subject: Re: [OE-core][kirkstone 03/15] python3-cryptography: fix CVE-2023-49083
Date: Mon, 11 Mar 2024 06:34:43 +0000
Message-ID: <c0224f8e1379bb61615a38985b1b3b82a07b9303.camel@intel.com>
In-Reply-To: <2d104f78cd13a10640bc284c7fc8358bf305279c.1702002667.git.steve@sakoman.com>

On Thu, 2023-12-07 at 16:33 -1000, Steve Sakoman wrote:
> From: Narpat Mali <narpat.mali@windriver.com>
> 
> cryptography is a package designed to expose cryptographic primitives
> and recipes to Python developers. Calling `load_pem_pkcs7_certificates`
> or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference
> and segfault. Exploitation of this vulnerability poses a serious risk of
> Denial of Service (DoS) for any application attempting to deserialize a
> PKCS7 blob/certificate. The consequences extend to potential disruptions
> in system availability and stability. This vulnerability has been patched
> in version 41.0.6.
> 
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-49083
> https://security-tracker.debian.org/tracker/CVE-2023-49083
> 
> Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>  .../python3-cryptography/CVE-2023-49083.patch | 53 +++++++++++++++++++
>  .../python/python3-cryptography_36.0.2.bb     |  1 +
>  2 files changed, 54 insertions(+)
>  create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch
> 
> diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-
> 2023-49083.patch b/meta/recipes-devtools/python/python3-
> cryptography/CVE-2023-49083.patch
> new file mode 100644
> index 0000000000..d398eea1d9
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-
> 49083.patch
> @@ -0,0 +1,53 @@
> +From 627ac5e314303acc00a19d58f09eb1eabd029fd1 Mon Sep 17 00:00:00
> 2001
> +From: Alex Gaynor <alex.gaynor@gmail.com>
> +Date: Wed, 6 Dec 2023 08:04:53 +0000
> +Subject: [PATCH] Fixed crash when loading a PKCS#7 bundle with no
> certificates
> + (#9926)
> +
> +CVE: CVE-2023-49083
> +
> +Upstream-Status: Backport
> [https://github.com/pyca/cryptography/commit/1e7b4d074e14c4e694d3ce69
> ad6754a6039fd6ff]

https://github.com/pyca/cryptography/pull/9947

It looks like this commit should be backported as well since the
original change was not quite right.

https://github.com/pyca/cryptography/pull/9926#discussion_r1409936939

Thanks,

Anuj

> +
> +Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
> +---
> + src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
> + tests/hazmat/primitives/test_pkcs7.py               | 6 ++++++
> + 2 files changed, 10 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py
> b/src/cryptography/hazmat/backends/openssl/backend.py
> +index 5606fe6..c43fea0 100644
> +--- a/src/cryptography/hazmat/backends/openssl/backend.py
> ++++ b/src/cryptography/hazmat/backends/openssl/backend.py
> +@@ -2189,9 +2189,12 @@ class Backend(BackendInterface):
> +                 _Reasons.UNSUPPORTED_SERIALIZATION,
> +             )
> +
> ++        certs: list[x509.Certificate] = []
> ++        if p7.d.sign == self._ffi.NULL:
> ++            return certs
> ++
> +         sk_x509 = p7.d.sign.cert
> +         num = self._lib.sk_X509_num(sk_x509)
> +-        certs = []
> +         for i in range(num):
> +             x509 = self._lib.sk_X509_value(sk_x509, i)
> +             self.openssl_assert(x509 != self._ffi.NULL)
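Review bot: the early return on `if p7.d.sign == self._ffi.NULL:` makes a signedData ContentInfo whose content element is absent look exactly like a well-formed bundle that carries no certificates (both yield `[]`), whereas the check a few lines above raises UnsupportedAlgorithm for any non-signedData type; Anuj's reply in this thread says this upstream change was not quite right and points at pull 9947, so the backport should pick up that follow-up together with 1e7b4d0 instead of shipping a fix upstream has already revised. Separately, the new annotation `certs: list[x509.Certificate] = []` refers to the `x509` module, which the loop variable `x509 = self._lib.sk_X509_value(sk_x509, i)` three lines further down shadows; function-local annotations are not evaluated at runtime so nothing breaks, but for a 36.0.2 backport it is cleaner to rename the loop variable (for example `x509_ptr`) or drop the annotation so the shadowing does not trip up the next reader.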
> +diff --git a/tests/hazmat/primitives/test_pkcs7.py
> b/tests/hazmat/primitives/test_pkcs7.py
> +index 91ac842..b98a9f1 100644
> +--- a/tests/hazmat/primitives/test_pkcs7.py
> ++++ b/tests/hazmat/primitives/test_pkcs7.py
> +@@ -81,6 +81,12 @@ class TestPKCS7Loading(object):
> +                 mode="rb",
> +             )
> +
> ++    def test_load_pkcs7_empty_certificates(self):
> ++        der =
> b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
> ++
> ++        certificates = pkcs7.load_der_pkcs7_certificates(der)
> ++        assert certificates == []
> ++
> +
> + # We have no public verification API and won't be adding one until
> we get
> + # some requirements from users so this function exists to give us
> basic
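Review bot: `test_load_pkcs7_empty_certificates` covers only `load_der_pkcs7_certificates`, although the commit message names `load_pem_pkcs7_certificates` as equally affected; add a PEM variant of the same 13-byte blob (its base64 between `-----BEGIN PKCS7-----` and `-----END PKCS7-----` lines) so both entry points are exercised by the regression test. A one-line comment on the bytes would also help: they are a SEQUENCE holding only the signedData OID 1.2.840.113549.1.7.2 with the [0] EXPLICIT content omitted, which is precisely what leaves `p7.d.sign` NULL.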
> +--
> +2.40.0
> diff --git a/meta/recipes-devtools/python/python3-
> cryptography_36.0.2.bb b/meta/recipes-devtools/python/python3-
> cryptography_36.0.2.bb
> index c3ae0c1ab9..c429c75e1b 100644
> --- a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
> +++ b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
> @@ -18,6 +18,7 @@ SRC_URI += " \
>      file://0002-Cargo.toml-edition-2018-2021.patch \
>      file://fix-leak-metric.patch \
>      file://CVE-2023-23931.patch \
> +    file://CVE-2023-49083.patch \
>  "
>  
>  inherit pypi python_setuptools3_rust
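Review bot: cve-check recognises this fix through the `CVE: CVE-2023-49083` tag in the patch header, so if the pull 9947 follow-up Anuj asks for is added it must either be a second `file://` entry with its own `CVE:` and `Upstream-Status: Backport [...]` header or be folded into this patch file with both upstream commit hashes listed; otherwise the recipe reports the CVE as fixed while carrying only the first half of the upstream change.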
> 

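The crash condition under discussion is a PKCS#7 ContentInfo whose contentType is signedData but whose [0] EXPLICIT content is absent, so OpenSSL leaves `p7->d.sign` NULL and the pre-fix loader dereferences it. The following is an added example, not code from this thread, the patch, or pyca/cryptography: a small DER reader that inspects only the outer ContentInfo and refuses such blobs before they reach `load_der_pkcs7_certificates`, which is a workable guard for images still on 36.0.2 until the backport lands. The function names (`pkcs7_signed_data_has_content`, `load_pkcs7_certificates_guarded`, `to_pem`, `pem_to_der`) are my own, the 13-byte `EMPTY_SIGNED_DATA` is the DER from the upstream regression test quoted above, and `MINIMAL_SIGNED_DATA` is a hand-encoded, constructed SignedData with content present but no certificates.

```python
import base64

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"  # id-signedData (PKCS#7 / CMS)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it).

    Single-byte tags and definite lengths only, which is all a ContentInfo
    header needs; anything else is treated as malformed input.
    """
    if pos >= len(buf):
        raise ValueError("truncated DER: no tag byte")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in ContentInfo")
    pos += 1
    if pos >= len(buf):
        raise ValueError("truncated DER: no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        if pos + n > len(buf):
            raise ValueError("truncated DER: length bytes missing")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER: value shorter than its length")
    return tag, buf[pos:end], end


def _decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted form."""
    if not value or value[0] & 0x80:
        raise ValueError("empty OID or unsupported multi-byte first arc")
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc, pending = 0, False
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def pkcs7_signed_data_has_content(der: bytes) -> bool:
    """True if ContentInfo is signedData with a [0] content element present,
    False if the content is absent (the CVE-2023-49083 trigger).
    Raises ValueError for anything that is not a signedData ContentInfo."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    if end != len(der):
        raise ValueError("trailing data after ContentInfo")
    tag, oid_bytes, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("contentType must be an OBJECT IDENTIFIER")
    oid = _decode_oid(oid_bytes)
    if oid != OID_SIGNED_DATA:
        raise ValueError(f"not signedData: contentType is {oid}")
    if pos == len(body):
        return False  # OID only: OpenSSL leaves p7->d.sign NULL for this
    tag, _content, pos = _read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected [0] EXPLICIT content after contentType")
    if pos != len(body):
        raise ValueError("trailing data inside ContentInfo")
    return True


def load_pkcs7_certificates_guarded(der: bytes):
    """Pre-flight the blob, then defer to cryptography (imported lazily so the
    check itself has no dependency on the installed version)."""
    if not pkcs7_signed_data_has_content(der):
        raise ValueError("signedData without content; refusing to load (CVE-2023-49083)")
    from cryptography.hazmat.primitives.serialization import pkcs7
    return pkcs7.load_der_pkcs7_certificates(der)


def to_pem(der: bytes) -> str:
    """Wrap DER in the armor load_pem_pkcs7_certificates expects."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PKCS7-----\n" + "\n".join(lines) + "\n-----END PKCS7-----\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of to_pem: strip the armor lines and base64-decode."""
    body = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


# Constructed sample inputs.
# The exact DER from the upstream regression test: SEQUENCE { OID signedData }.
EMPTY_SIGNED_DATA = bytes.fromhex("300B06092A864886F70D010702")
# Hand-encoded signedData with content present: SignedData { version 1,
# digestAlgorithms SET {}, encapContentInfo { id-data }, signerInfos SET {} }
# and the OPTIONAL certificates field absent. Not a real signed message.
MINIMAL_SIGNED_DATA = bytes.fromhex(
    "3023" "06092A864886F70D010702" "A016" "3014"
    "020101" "3100" "300B06092A864886F70D010701" "3100"
)
```

On a patched cryptography (41.0.6 or later, or kirkstone once the backport is merged) the guard is redundant; its value is as a cheap filter at the boundary where untrusted PKCS#7 input enters a process that cannot yet be upgraded, and `to_pem` gives the PEM form of the same test vector for exercising `load_pem_pkcs7_certificates` as well.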

Thread overview: 18+ messages
2023-12-08  2:33 [OE-core][kirkstone 00/15] Patch review Steve Sakoman
2023-12-08  2:33 ` [OE-core][kirkstone 01/15] libsndfile: fix CVE-2022-33065 Signed integer overflow in src/mat4.c Steve Sakoman
2023-12-08  2:33 ` [OE-core][kirkstone 02/15] xwayland: fix CVE-2023-5367 Steve Sakoman
2023-12-08  2:33 ` [OE-core][kirkstone 03/15] python3-cryptography: fix CVE-2023-49083 Steve Sakoman
2024-03-11  6:34   ` Mittal, Anuj [this message]
     [not found]   ` <17BBA241C3FF523B.17779@lists.openembedded.org>
2024-03-11  6:36     ` Mittal, Anuj
2023-12-08  2:33 ` [OE-core][kirkstone 04/15] vim: upgrade 9.0.2068 -> 9.0.2130 Steve Sakoman
2023-12-08  2:33 ` [OE-core][kirkstone 05/15] linux-yocto/5.10: update to v5.10.198 Steve Sakoman
2023-12-08  2:33 ` [OE-core][kirkstone 06/15] linux-yocto/5.10: update to v5.10.200 Steve Sakoman
2023-12-08  2:33 ` [OE-core][kirkstone 07/15] linux-yocto/5.10: update to v5.10.202 Steve Sakoman
2023-12-08  2:33 ` [OE-core][kirkstone 08/15] cve-exclusion_5.10.inc: update for 5.10.202 Steve Sakoman
2023-12-08  2:33 ` [OE-core][kirkstone 09/15] bash: changes to SIGINT handler while waiting for a child Steve Sakoman
2023-12-08  2:33 ` [OE-core][kirkstone 10/15] rust-llvm: Allow overriding LLVM target archs Steve Sakoman
2023-12-08  2:33 ` [OE-core][kirkstone 11/15] rust-common: Set llvm-target correctly for cross SDK targets Steve Sakoman
2023-12-08  2:33 ` [OE-core][kirkstone 12/15] rust-cross-canadian: Fix ordering of target json config generation Steve Sakoman
2023-12-08  2:33 ` [OE-core][kirkstone 13/15] rust-cross/rust-common: Merge arm target handling code to fix cross-canadian Steve Sakoman
2023-12-08  2:33 ` [OE-core][kirkstone 14/15] rust-cross: Simplfy the rust_gen_target calls Steve Sakoman
2023-12-08  2:33 ` [OE-core][kirkstone 15/15] native: Clear TUNE_FEATURES/ABIEXTENSION Steve Sakoman
