Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Backport the fix for CVE-2016-9243 which was deemed not severe enough for a DSA. I've attached a full debdiff, the patch is quite small and self-contained, although I needed another patch to fix building against the libssl now in jessie.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_ZA.utf8, LC_CTYPE=en_ZA.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru python-cryptography-0.6.1/debian/changelog python-cryptography-0.6.1/debian/changelog --- python-cryptography-0.6.1/debian/changelog 2014-10-16 06:46:31.000000000 +0200 +++ python-cryptography-0.6.1/debian/changelog 2017-01-01 22:19:17.000000000 +0200 @@ -1,3 +1,12 @@ +python-cryptography (0.6.1-1+deb8u1) stable; urgency=high + + * Stable update. + * Backport the fix for CVE-2016-9243 (HKDF returns an empty byte string + for small key sizes). + * Fix FTBFS due to SSL2 method detection. + + -- Tristan Seligmann <mithra...@debian.org> Sun, 01 Jan 2017 22:19:17 +0200 + python-cryptography (0.6.1-1) unstable; urgency=medium * New upstream release. diff -Nru python-cryptography-0.6.1/debian/patches/3215.patch python-cryptography-0.6.1/debian/patches/3215.patch --- python-cryptography-0.6.1/debian/patches/3215.patch 1970-01-01 02:00:00.000000000 +0200 +++ python-cryptography-0.6.1/debian/patches/3215.patch 2017-01-01 22:19:17.000000000 +0200 
@@ -0,0 +1,40 @@ +From d945a5213f2b2bbb189bbc2be407aa35e0dab204 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor <alex.gay...@gmail.com> +Date: Sat, 5 Nov 2016 21:18:15 -0400 +Subject: [PATCH] Fixes #3211 -- fixed hkdf's output with short length + +Index: python-cryptography/cryptography/hazmat/primitives/kdf/hkdf.py +=================================================================== +--- python-cryptography.orig/cryptography/hazmat/primitives/kdf/hkdf.py 2017-01-01 22:24:27.090828930 +0200 ++++ python-cryptography/cryptography/hazmat/primitives/kdf/hkdf.py 2017-01-01 22:24:27.086828861 +0200 +@@ -99,7 +99,7 @@ + output = [b""] + counter = 1 + +- while (self._algorithm.digest_size // 8) * len(output) < self._length: ++ while self._algorithm.digest_size * (len(output) - 1) < self._length: + h = hmac.HMAC(key_material, self._algorithm, backend=self._backend) + h.update(output[-1]) + h.update(self._info) +Index: python-cryptography/tests/hazmat/primitives/test_hkdf.py +=================================================================== +--- python-cryptography.orig/tests/hazmat/primitives/test_hkdf.py 2017-01-01 22:24:27.090828930 +0200 ++++ python-cryptography/tests/hazmat/primitives/test_hkdf.py 2017-01-01 22:24:27.086828861 +0200 +@@ -152,6 +152,17 @@ + + hkdf.verify(b"foo", six.u("bar")) + ++ def test_derive_short_output(self, backend): ++ hkdf = HKDF( ++ hashes.SHA256(), ++ 4, ++ salt=None, ++ info=None, ++ backend=backend ++ ) ++ ++ assert hkdf.derive(b"\x01" * 16) == b"gJ\xfb{" ++ + + @pytest.mark.hmac + class TestHKDFExpand(object): diff -Nru python-cryptography-0.6.1/debian/patches/series python-cryptography-0.6.1/debian/patches/series --- python-cryptography-0.6.1/debian/patches/series 1970-01-01 02:00:00.000000000 +0200 +++ python-cryptography-0.6.1/debian/patches/series 2017-01-01 22:19:17.000000000 +0200 
@@ -0,0 +1,2 @@ +ssl2-detection.patch +3215.patch diff -Nru python-cryptography-0.6.1/debian/patches/ssl2-detection.patch python-cryptography-0.6.1/debian/patches/ssl2-detection.patch --- python-cryptography-0.6.1/debian/patches/ssl2-detection.patch 1970-01-01 02:00:00.000000000 +0200 +++ python-cryptography-0.6.1/debian/patches/ssl2-detection.patch 2017-01-01 22:19:17.000000000 +0200 @@ -0,0 +1,13 @@ +Index: python-cryptography/cryptography/hazmat/bindings/openssl/ssl.py +=================================================================== +--- python-cryptography.orig/cryptography/hazmat/bindings/openssl/ssl.py 2017-01-01 22:33:41.640198755 +0200 ++++ python-cryptography/cryptography/hazmat/bindings/openssl/ssl.py 2017-01-01 22:34:20.336845122 +0200 +@@ -384,7 +384,7 @@ + #else + static const long Cryptography_HAS_SECURE_RENEGOTIATION = 1; + #endif +-#ifdef OPENSSL_NO_SSL2 ++#ifdef OPENSSL_NO_SSL2_METHOD + static const long Cryptography_HAS_SSL2 = 0; + SSL_METHOD* (*SSLv2_method)(void) = NULL; + SSL_METHOD* (*SSLv2_client_method)(void) = NULL;
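
Review bot: In the debian/changelog hunk, the new entry names the distribution as "stable" while the request itself is tagged jessie; using the codename in the changelog line keeps the target unambiguous once stable moves to the next release. The two fix entries also do not say which files under debian/patches carry them; adding "(3215.patch)" and "(ssl2-detection.patch)" to the respective bullets would let a reader map each changelog line to the patch that the series file lists.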
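
Review bot: In 3215.patch, the added test_derive_short_output only exercises a length of 4 with SHA256, which is the one case the old loop condition got wrong: with a 32-byte digest, (32 // 8) * len(output) is 4 on entry, so "4 < 4" is false, the loop never runs and the joined output is empty. The new condition, digest_size * (len(output) - 1) < length, also changes how many blocks are produced at the block boundary, and nothing in the hunk tests that. Adding cases for a length equal to the digest size (one block expected) and one byte more (two blocks expected) would pin down the off-by-one behaviour the rewritten condition depends on.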
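
Review bot: In ssl2-detection.patch, the guard is replaced rather than extended: "#ifdef OPENSSL_NO_SSL2" becomes "#ifdef OPENSSL_NO_SSL2_METHOD", so a libssl build that defines only OPENSSL_NO_SSL2 would no longer take the branch that sets Cryptography_HAS_SSL2 = 0 and the NULL SSLv2 method pointers. Testing both macros, "#if defined(OPENSSL_NO_SSL2) || defined(OPENSSL_NO_SSL2_METHOD)", keeps the previous behaviour and adds the new one. The patch file also starts directly at the Index: line with no description, unlike 3215.patch, which carries From, Date and Subject; a short header stating why the macro changed and where the change comes from would document the FTBFS fix for whoever next touches the series.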