Your message dated Sat, 09 Nov 2024 10:51:02 +0000
with message-id
<b0a29248bc631362ed06a8879f93b8cdae5414d0.ca...@adam-barratt.org.uk>
and subject line Closing bugs released with 12.8
has caused the Debian Bug report #1085227,
regarding bookworm-pu: package python-cryptography/38.0.4-3+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1085227: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085227
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Debian Python Team <team+pyt...@tracker.debian.org>,
secur...@debian.org
* CVE-2023-49083: NULL dereference when loading PKCS7 certificates
(Closes: #1057108)
* CVE-2024-26130: NULL dereference when PKCS#12 key and cert don't match
(Closes: #1064778)
diffstat for python-cryptography-38.0.4 python-cryptography-38.0.4
changelog | 10
+
patches/0001-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-cer.patch | 48
+++++++
patches/0002-Fixes-10422-don-t-crash-when-a-PKCS-12-key-and-cert-.patch | 63
++++++++++
patches/series | 2
4 files changed, 123 insertions(+)
diff -Nru python-cryptography-38.0.4/debian/changelog
python-cryptography-38.0.4/debian/changelog
--- python-cryptography-38.0.4/debian/changelog 2023-02-28 07:36:13.000000000
+0200
+++ python-cryptography-38.0.4/debian/changelog 2024-10-16 19:53:04.000000000
+0300
@@ -1,3 +1,13 @@
+python-cryptography (38.0.4-3+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2023-49083: NULL dereference when loading PKCS7 certificates
+ (Closes: #1057108)
+ * CVE-2024-26130: NULL dereference when PKCS#12 key and cert don't match
+ (Closes: #1064778)
+
+ -- Adrian Bunk <b...@debian.org> Wed, 16 Oct 2024 19:53:04 +0300
+
python-cryptography (38.0.4-3) unstable; urgency=medium
[ Salvatore Bonaccorso ]
diff -Nru
python-cryptography-38.0.4/debian/patches/0001-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-cer.patch
python-cryptography-38.0.4/debian/patches/0001-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-cer.patch
---
python-cryptography-38.0.4/debian/patches/0001-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-cer.patch
1970-01-01 02:00:00.000000000 +0200
+++
python-cryptography-38.0.4/debian/patches/0001-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-cer.patch
2024-10-16 19:53:04.000000000 +0300
@@ -0,0 +1,48 @@
+From 8378c1ff784a9601966b88f1c5587d50120038c3 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gay...@gmail.com>
+Date: Mon, 27 Nov 2023 14:35:35 -0500
+Subject: Fixed crash when loading a PKCS#7 bundle with no certificates (#9926)
+
+---
+ src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
+ tests/hazmat/primitives/test_pkcs7.py | 6 ++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py
b/src/cryptography/hazmat/backends/openssl/backend.py
+index f8776b732..45a644cf6 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2454,9 +2454,12 @@ class Backend:
+ _Reasons.UNSUPPORTED_SERIALIZATION,
+ )
+
++ certs: list[x509.Certificate] = []
++ if p7.d.sign == self._ffi.NULL:
++ return certs
++
+ sk_x509 = p7.d.sign.cert
+ num = self._lib.sk_X509_num(sk_x509)
+- certs = []
+ for i in range(num):
+ x509 = self._lib.sk_X509_value(sk_x509, i)
+ self.openssl_assert(x509 != self._ffi.NULL)
+diff --git a/tests/hazmat/primitives/test_pkcs7.py
b/tests/hazmat/primitives/test_pkcs7.py
+index 138bc0f3b..559e1f274 100644
+--- a/tests/hazmat/primitives/test_pkcs7.py
++++ b/tests/hazmat/primitives/test_pkcs7.py
+@@ -89,6 +89,12 @@ class TestPKCS7Loading:
+ mode="rb",
+ )
+
++ def test_load_pkcs7_empty_certificates(self, backend):
++ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
++
++ certificates = pkcs7.load_der_pkcs7_certificates(der)
++ assert certificates == []
++
+
+ # We have no public verification API and won't be adding one until we get
+ # some requirements from users so this function exists to give us basic
+--
+2.30.2
+
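Review bot: The patch file carries only the git-format-patch header (From/Date/Subject) and no DEP-3 link to the Debian bug or CVE, so the CVE-2023-49083 / #1057108 provenance stated in the changelog is not recoverable from the patch itself; I would add `Origin: upstream, https://github.com/pyca/cryptography/commit/8378c1ff784a9601966b88f1c5587d50120038c3` and `Bug-Debian: https://bugs.debian.org/1057108` below the Subject line (the same applies to the 0002 patch with #1064778 and CVE-2024-26130). In the backend.py hunk the new annotation `certs: list[x509.Certificate] = []` names `x509`, which the unchanged loop further down rebinds as a local cffi pointer (`x509 = self._lib.sk_X509_value(sk_x509, i)`), so inside this method `x509` is never the module; it only works because annotations on local variables are not evaluated. That is harmless for the stable update and matches upstream byte-for-byte, so the loop variable is better renamed upstream first rather than diverged here. The enclosing method in backend.py begins and ends outside the hunk.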
diff -Nru
python-cryptography-38.0.4/debian/patches/0002-Fixes-10422-don-t-crash-when-a-PKCS-12-key-and-cert-.patch
python-cryptography-38.0.4/debian/patches/0002-Fixes-10422-don-t-crash-when-a-PKCS-12-key-and-cert-.patch
---
python-cryptography-38.0.4/debian/patches/0002-Fixes-10422-don-t-crash-when-a-PKCS-12-key-and-cert-.patch
1970-01-01 02:00:00.000000000 +0200
+++
python-cryptography-38.0.4/debian/patches/0002-Fixes-10422-don-t-crash-when-a-PKCS-12-key-and-cert-.patch
2024-10-16 19:53:04.000000000 +0300
@@ -0,0 +1,63 @@
+From 5cf016c3ae8b4e60f564e6cac67d43e243034345 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gay...@gmail.com>
+Date: Mon, 19 Feb 2024 12:09:10 -0500
+Subject: Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match
+ (#10423) (#10425)
+
+---
+ .../hazmat/backends/openssl/backend.py | 9 +++++++++
+ tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py
b/src/cryptography/hazmat/backends/openssl/backend.py
+index 45a644cf6..0ae987bd3 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2378,6 +2378,15 @@ class Backend:
+ mac_iter,
+ 0,
+ )
++ if p12 == self._ffi.NULL:
++ errors = self._consume_errors()
++ raise ValueError(
++ (
++ "Failed to create PKCS12 (does the key match the "
++ "certificate?)"
++ ),
++ errors,
++ )
+
+ if (
+ self._lib.Cryptography_HAS_PKCS12_SET_MAC
+diff --git a/tests/hazmat/primitives/test_pkcs12.py
b/tests/hazmat/primitives/test_pkcs12.py
+index c9ef57e66..3de92f82a 100644
+--- a/tests/hazmat/primitives/test_pkcs12.py
++++ b/tests/hazmat/primitives/test_pkcs12.py
+@@ -682,6 +682,24 @@ class TestPKCS12Creation:
+ b"name", cakey, cacert, [], algorithm
+ )
+
++ @pytest.mark.supported(
++ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC,
++ skip_message="Requires OpenSSL with PKCS12_set_mac",
++ )
++ def test_set_mac_key_certificate_mismatch(self, backend):
++ cacert, _ = _load_ca(backend)
++ key = ec.generate_private_key(ec.SECP256R1())
++ encryption = (
++ serialization.PrivateFormat.PKCS12.encryption_builder()
++ .hmac_hash(hashes.SHA256())
++ .build(b"password")
++ )
++
++ with pytest.raises(ValueError):
++ serialize_key_and_certificates(
++ b"name", key, cacert, [], encryption
++ )
++
+
+ @pytest.mark.skip_fips(
+ reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it."
+--
+2.30.2
+
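Review bot: The new `if p12 == self._ffi.NULL:` guard sits after the `PKCS12_create` call and before the `Cryptography_HAS_PKCS12_SET_MAC` branch, so it applies on every OpenSSL build, yet the only test added is gated with `only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC` and needs `.hmac_hash(...)`, which leaves the new error path unexercised where PKCS12_set_mac is absent. A second test using `serialization.NoEncryption()` and no `supported` marker would pin the mismatch ValueError unconditionally; a sketch follows. `self._consume_errors()` is referenced by the new lines but not visible in this hunk — presumably it already exists in the 38.0.4 backend, which is worth confirming before upload. The enclosing method in backend.py starts and ends outside the hunk.
```python
    def test_key_certificate_mismatch(self, backend):
        # Constructed: the mismatch must raise on every build, not only
        # where PKCS12_set_mac is available.
        cacert, _ = _load_ca(backend)
        key = ec.generate_private_key(ec.SECP256R1())

        with pytest.raises(ValueError):
            serialize_key_and_certificates(
                b"name", key, cacert, [], serialization.NoEncryption()
            )
```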
diff -Nru python-cryptography-38.0.4/debian/patches/series
python-cryptography-38.0.4/debian/patches/series
--- python-cryptography-38.0.4/debian/patches/series 2023-02-28
07:36:13.000000000 +0200
+++ python-cryptography-38.0.4/debian/patches/series 2024-10-16
19:53:04.000000000 +0300
@@ -6,3 +6,5 @@
ease-chrono-dependency-from-0.4.22-to-0.4.patch
drop-cffi-dep.patch
Don-t-allow-update_into-to-mutate-immutable-objects-.patch
+0001-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-cer.patch
+0002-Fixes-10422-don-t-crash-when-a-PKCS-12-key-and-cert-.patch
--- End Message ---
--- Begin Message ---
Source: release.debian.org
Version: 12.8
Hi,
Each of the updates tracked by these bugs was included in today's 12.8
bookworm point release.
Regards,
Adam
--- End Message ---