
[kirkstone,03/15] python3-cryptography: fix CVE-2023-49083

Message ID 2d104f78cd13a10640bc284c7fc8358bf305279c.1702002667.git.steve@sakoman.com
State Accepted, archived
Commit 2d104f78cd13a10640bc284c7fc8358bf305279c
Series [kirkstone,01/15] libsndfile: fix CVE-2022-33065 Signed integer overflow in src/mat4.c

Commit Message

Steve Sakoman Dec. 8, 2023, 2:33 a.m. UTC
From: Narpat Mali <narpat.mali@windriver.com>

cryptography is a package designed to expose cryptographic primitives
and recipes to Python developers. Calling `load_pem_pkcs7_certificates`
or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference
and segfault. Exploitation of this vulnerability poses a serious risk of
Denial of Service (DoS) for any application attempting to deserialize a
PKCS7 blob/certificate. The consequences extend to potential disruptions
in system availability and stability. This vulnerability has been patched
in version 41.0.6.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-49083
https://security-tracker.debian.org/tracker/CVE-2023-49083

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../python3-cryptography/CVE-2023-49083.patch | 53 +++++++++++++++++++
 .../python/python3-cryptography_36.0.2.bb     |  1 +
 2 files changed, 54 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch

Comments

Mittal, Anuj March 11, 2024, 6:34 a.m. UTC | #1
On Thu, 2023-12-07 at 16:33 -1000, Steve Sakoman wrote:
> From: Narpat Mali <narpat.mali@windriver.com>
> 
> cryptography is a package designed to expose cryptographic primitives
> and recipes to Python developers. Calling
> `load_pem_pkcs7_certificates`
> or `load_der_pkcs7_certificates` could lead to a NULL-pointer
> dereference
> and segfault. Exploitation of this vulnerability poses a serious risk
> of
> Denial of Service (DoS) for any application attempting to deserialize
> a
> PKCS7 blob/certificate. The consequences extend to potential
> disruptions
> in system availability and stability. This vulnerability has been
> patched
> in version 41.0.6.
> 
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-49083
> https://security-tracker.debian.org/tracker/CVE-2023-49083
> 
> Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>  .../python3-cryptography/CVE-2023-49083.patch | 53
> +++++++++++++++++++
>  .../python/python3-cryptography_36.0.2.bb     |  1 +
>  2 files changed, 54 insertions(+)
>  create mode 100644 meta/recipes-devtools/python/python3-
> cryptography/CVE-2023-49083.patch
> 
> diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-
> 2023-49083.patch b/meta/recipes-devtools/python/python3-
> cryptography/CVE-2023-49083.patch
> new file mode 100644
> index 0000000000..d398eea1d9
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-
> 49083.patch
> @@ -0,0 +1,53 @@
> +From 627ac5e314303acc00a19d58f09eb1eabd029fd1 Mon Sep 17 00:00:00
> 2001
> +From: Alex Gaynor <alex.gaynor@gmail.com>
> +Date: Wed, 6 Dec 2023 08:04:53 +0000
> +Subject: [PATCH] Fixed crash when loading a PKCS#7 bundle with no
> certificates
> + (#9926)
> +
> +CVE: CVE-2023-49083
> +
> +Upstream-Status: Backport
> [https://github.com/pyca/cryptography/commit/1e7b4d074e14c4e694d3ce69
> ad6754a6039fd6ff]

https://github.com/pyca/cryptography/pull/9947

It looks like this commit should be backported as well since the
original change was not quite right.

https://github.com/pyca/cryptography/pull/9926#discussion_r1409936939

Thanks,

Anuj

> +
> +Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
> +---
> + src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
> + tests/hazmat/primitives/test_pkcs7.py               | 6 ++++++
> + 2 files changed, 10 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py
> b/src/cryptography/hazmat/backends/openssl/backend.py
> +index 5606fe6..c43fea0 100644
> +--- a/src/cryptography/hazmat/backends/openssl/backend.py
> ++++ b/src/cryptography/hazmat/backends/openssl/backend.py
> +@@ -2189,9 +2189,12 @@ class Backend(BackendInterface):
> +                 _Reasons.UNSUPPORTED_SERIALIZATION,
> +             )
> +
> ++        certs: list[x509.Certificate] = []
> ++        if p7.d.sign == self._ffi.NULL:
> ++            return certs
> ++
> +         sk_x509 = p7.d.sign.cert
> +         num = self._lib.sk_X509_num(sk_x509)
> +-        certs = []
> +         for i in range(num):
> +             x509 = self._lib.sk_X509_value(sk_x509, i)
> +             self.openssl_assert(x509 != self._ffi.NULL)
> +diff --git a/tests/hazmat/primitives/test_pkcs7.py
> b/tests/hazmat/primitives/test_pkcs7.py
> +index 91ac842..b98a9f1 100644
> +--- a/tests/hazmat/primitives/test_pkcs7.py
> ++++ b/tests/hazmat/primitives/test_pkcs7.py
> +@@ -81,6 +81,12 @@ class TestPKCS7Loading(object):
> +                 mode="rb",
> +             )
> +
> ++    def test_load_pkcs7_empty_certificates(self):
> ++        der =
> b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
> ++
> ++        certificates = pkcs7.load_der_pkcs7_certificates(der)
> ++        assert certificates == []
> ++
> +
> + # We have no public verification API and won't be adding one until
> we get
> + # some requirements from users so this function exists to give us
> basic
> +--
> +2.40.0
> diff --git a/meta/recipes-devtools/python/python3-
> cryptography_36.0.2.bb b/meta/recipes-devtools/python/python3-
> cryptography_36.0.2.bb
> index c3ae0c1ab9..c429c75e1b 100644
> --- a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
> +++ b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
> @@ -18,6 +18,7 @@ SRC_URI += " \
>      file://0002-Cargo.toml-edition-2018-2021.patch \
>      file://fix-leak-metric.patch \
>      file://CVE-2023-23931.patch \
> +    file://CVE-2023-49083.patch \
>  "
>  
>  inherit pypi python_setuptools3_rust
> 
Mittal, Anuj March 11, 2024, 6:36 a.m. UTC | #2
On Sun, 2024-03-10 at 23:34 -0700, Anuj Mittal wrote:
> On Thu, 2023-12-07 at 16:33 -1000, Steve Sakoman wrote:
> > From: Narpat Mali <narpat.mali@windriver.com>
> > 
> > cryptography is a package designed to expose cryptographic
> > primitives
> > and recipes to Python developers. Calling
> > `load_pem_pkcs7_certificates`
> > or `load_der_pkcs7_certificates` could lead to a NULL-pointer
> > dereference
> > and segfault. Exploitation of this vulnerability poses a serious
> > risk
> > of
> > Denial of Service (DoS) for any application attempting to
> > deserialize
> > a
> > PKCS7 blob/certificate. The consequences extend to potential
> > disruptions
> > in system availability and stability. This vulnerability has been
> > patched
> > in version 41.0.6.
> > 
> > References:
> > https://nvd.nist.gov/vuln/detail/CVE-2023-49083
> > https://security-tracker.debian.org/tracker/CVE-2023-49083
> > 
> > Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
> > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > ---
> >  .../python3-cryptography/CVE-2023-49083.patch | 53
> > +++++++++++++++++++
> >  .../python/python3-cryptography_36.0.2.bb     |  1 +
> >  2 files changed, 54 insertions(+)
> >  create mode 100644 meta/recipes-devtools/python/python3-
> > cryptography/CVE-2023-49083.patch
> > 
> > diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-
> > 2023-49083.patch b/meta/recipes-devtools/python/python3-
> > cryptography/CVE-2023-49083.patch
> > new file mode 100644
> > index 0000000000..d398eea1d9
> > --- /dev/null
> > +++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-
> > 49083.patch
> > @@ -0,0 +1,53 @@
> > +From 627ac5e314303acc00a19d58f09eb1eabd029fd1 Mon Sep 17 00:00:00
> > 2001
> > +From: Alex Gaynor <alex.gaynor@gmail.com>
> > +Date: Wed, 6 Dec 2023 08:04:53 +0000
> > +Subject: [PATCH] Fixed crash when loading a PKCS#7 bundle with no
> > certificates
> > + (#9926)
> > +
> > +CVE: CVE-2023-49083
> > +
> > +Upstream-Status: Backport
> > [
> > https://github.com/pyca/cryptography/commit/1e7b4d074e14c4e694d3ce69
> > ad6754a6039fd6ff]
> 
> https://github.com/pyca/cryptography/pull/9947
> 
> It looks like this commit should be backported as well since the
> original change was not quite right.
> 
> https://github.com/pyca/cryptography/pull/9926#discussion_r1409936939
> 
> 

Sorry, I didn't realize that I was replying to a really old email.

If this is no longer relevant, please ignore.

Thanks,

Anuj

> > +
> > +Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
> > +---
> > + src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
> > + tests/hazmat/primitives/test_pkcs7.py               | 6 ++++++
> > + 2 files changed, 10 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py
> > b/src/cryptography/hazmat/backends/openssl/backend.py
> > +index 5606fe6..c43fea0 100644
> > +--- a/src/cryptography/hazmat/backends/openssl/backend.py
> > ++++ b/src/cryptography/hazmat/backends/openssl/backend.py
> > +@@ -2189,9 +2189,12 @@ class Backend(BackendInterface):
> > +                 _Reasons.UNSUPPORTED_SERIALIZATION,
> > +             )
> > +
> > ++        certs: list[x509.Certificate] = []
> > ++        if p7.d.sign == self._ffi.NULL:
> > ++            return certs
> > ++
> > +         sk_x509 = p7.d.sign.cert
> > +         num = self._lib.sk_X509_num(sk_x509)
> > +-        certs = []
> > +         for i in range(num):
> > +             x509 = self._lib.sk_X509_value(sk_x509, i)
> > +             self.openssl_assert(x509 != self._ffi.NULL)
> > +diff --git a/tests/hazmat/primitives/test_pkcs7.py
> > b/tests/hazmat/primitives/test_pkcs7.py
> > +index 91ac842..b98a9f1 100644
> > +--- a/tests/hazmat/primitives/test_pkcs7.py
> > ++++ b/tests/hazmat/primitives/test_pkcs7.py
> > +@@ -81,6 +81,12 @@ class TestPKCS7Loading(object):
> > +                 mode="rb",
> > +             )
> > +
> > ++    def test_load_pkcs7_empty_certificates(self):
> > ++        der =
> > b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
> > ++
> > ++        certificates = pkcs7.load_der_pkcs7_certificates(der)
> > ++        assert certificates == []
> > ++
> > +
> > + # We have no public verification API and won't be adding one
> > until
> > we get
> > + # some requirements from users so this function exists to give us
> > basic
> > +--
> > +2.40.0
> > diff --git a/meta/recipes-devtools/python/python3-
> > cryptography_36.0.2.bb b/meta/recipes-devtools/python/python3-
> > cryptography_36.0.2.bb
> > index c3ae0c1ab9..c429c75e1b 100644
> > --- a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
> > +++ b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
> > @@ -18,6 +18,7 @@ SRC_URI += " \
> >      file://0002-Cargo.toml-edition-2018-2021.patch \
> >      file://fix-leak-metric.patch \
> >      file://CVE-2023-23931.patch \
> > +    file://CVE-2023-49083.patch \
> >  "
> >  
> >  inherit pypi python_setuptools3_rust
> > 
> > 
> > 
> 
> 

Patch

diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch
new file mode 100644
index 0000000000..d398eea1d9
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch
@@ -0,0 +1,53 @@ 
+From 627ac5e314303acc00a19d58f09eb1eabd029fd1 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Wed, 6 Dec 2023 08:04:53 +0000
+Subject: [PATCH] Fixed crash when loading a PKCS#7 bundle with no certificates
+ (#9926)
+
+CVE: CVE-2023-49083
+
+Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/1e7b4d074e14c4e694d3ce69ad6754a6039fd6ff]
+
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
+ tests/hazmat/primitives/test_pkcs7.py               | 6 ++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index 5606fe6..c43fea0 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2189,9 +2189,12 @@ class Backend(BackendInterface):
+                 _Reasons.UNSUPPORTED_SERIALIZATION,
+             )
+
++        certs: list[x509.Certificate] = []
++        if p7.d.sign == self._ffi.NULL:
++            return certs
++
+         sk_x509 = p7.d.sign.cert
+         num = self._lib.sk_X509_num(sk_x509)
+-        certs = []
+         for i in range(num):
+             x509 = self._lib.sk_X509_value(sk_x509, i)
+             self.openssl_assert(x509 != self._ffi.NULL)
+diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
+index 91ac842..b98a9f1 100644
+--- a/tests/hazmat/primitives/test_pkcs7.py
++++ b/tests/hazmat/primitives/test_pkcs7.py
+@@ -81,6 +81,12 @@ class TestPKCS7Loading(object):
+                 mode="rb",
+             )
+
++    def test_load_pkcs7_empty_certificates(self):
++        der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
++
++        certificates = pkcs7.load_der_pkcs7_certificates(der)
++        assert certificates == []
++
+
+ # We have no public verification API and won't be adding one until we get
+ # some requirements from users so this function exists to give us basic
+--
+2.40.0
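Review bot: The new guard `if p7.d.sign == self._ffi.NULL` covers a SignedData whose content is absent, but the next line `sk_x509 = p7.d.sign.cert` reads the `certificates` field, which PKCS#7 SignedData (RFC 2315) also marks OPTIONAL, and the hunk adds no check that `sk_x509` is non-NULL. As far as I can tell the loop is safe only because OpenSSL's `sk_X509_num` returns -1 for a NULL stack and `range(-1)` is empty; that is an implicit contract worth making explicit with `if sk_x509 == self._ffi.NULL: return certs` before the `sk_X509_num` call, or at minimum a comment such as `# cert is OPTIONAL; sk_X509_num(NULL) is -1, so the loop below is a no-op` stating the reliance. The added `test_load_pkcs7_empty_certificates` exercises only the content-less encoding, so a second DER fixture with SignedData present but no `certificates` field would pin the other branch and prove the backport does not merely move the crash one dereference later. The enclosing method starts before and ends after the hunk.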
diff --git a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
index c3ae0c1ab9..c429c75e1b 100644
--- a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
+++ b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
@@ -18,6 +18,7 @@  SRC_URI += " \
     file://0002-Cargo.toml-edition-2018-2021.patch \
     file://fix-leak-metric.patch \
     file://CVE-2023-23931.patch \
+    file://CVE-2023-49083.patch \
 "
 
 inherit pypi python_setuptools3_rust