cryptography is a package designed to expose cryptographic primitives
and recipes to Python developers. Calling `load_pem_pkcs7_certificates`
or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference
and segfault. Exploitation of this vulnerability poses a serious risk of
Denial of Service (DoS) for any application attempting to deserialize a
PKCS7 blob/certificate. The consequences extend to potential disruptions
in system availability and stability. This vulnerability has been patched
in version 41.0.6.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-49083
https://security-tracker.debian.org/tracker/CVE-2023-49083
(From OE-Core rev: 2d104f78cd13a10640bc284c7fc8358bf305279c)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
cryptography is a package designed to expose cryptographic primitives
and recipes to Python developers. In affected versions `Cipher.update_into`
would accept Python objects which implement the buffer protocol, but
provide only immutable buffers. This would allow immutable objects
(such as `bytes`) to be mutated, thus violating fundamental rules of
Python and resulting in corrupted output. This now correctly raises
an exception. This issue has been present since `update_into` was
originally introduced in cryptography 1.8.
(From OE-Core rev: 368e450c2d800790a05924519f34c579e28e9cbb)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
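The `Cipher.update_into` defect in the commit above comes down to one missing check: any object exposing the buffer protocol was accepted as the output buffer, including read-only ones such as `bytes`. The following is an added example, not code from the OE-Core commit or from the cryptography project, showing what a correct in-place API has to verify before writing: that the buffer is writable (`memoryview(...).readonly`) and that it is at least `len(data) + block_size_bytes - 1` bytes, which is the size cryptography's documentation requires for `update_into`. The function names `checked_output_buffer`, `xor_into` and `demo` are assumptions; `xor_into` is a toy stand-in for a cipher so the block runs without `cryptography` installed.

```python
"""Added example: output-buffer validation of the kind Cipher.update_into
needs. Not part of the OE-Core commit or of the cryptography package."""


def checked_output_buffer(data: bytes, buf, block_size_bits: int) -> memoryview:
    """Return a writable byte-oriented memoryview over ``buf``.

    Raises TypeError for read-only or non-contiguous buffers (a read-only
    ``bytes`` object is exactly what the buggy update_into silently mutated)
    and ValueError when the buffer is smaller than len(data) + n - 1, where n
    is the block size in bytes, the size cryptography documents for update_into.
    """
    view = memoryview(buf)
    if view.readonly:
        raise TypeError("output buffer must be writable (e.g. bytearray), not read-only")
    if not view.c_contiguous:
        raise TypeError("output buffer must be C-contiguous")
    needed = len(data) + block_size_bits // 8 - 1
    if view.nbytes < needed:
        raise ValueError(f"output buffer too small: need {needed} bytes, have {view.nbytes}")
    return view.cast("B")


def xor_into(data: bytes, key: bytes, buf) -> int:
    """Toy in-place transform standing in for Cipher.update_into.

    XORs ``data`` with a repeating ``key`` and writes the result into ``buf``
    through the checked view; returns the number of bytes written. This is
    not encryption, it only exists to exercise the buffer handling.
    """
    out = checked_output_buffer(data, buf, block_size_bits=8)  # 1-byte "block" for the toy
    for i, b in enumerate(data):
        out[i] = b ^ key[i % len(key)]
    return len(data)


def demo() -> dict:
    """Run the check against the three interesting cases and report outcomes."""
    results = {}
    data = b"hello, world"  # constructed sample input
    ok = bytearray(len(data))
    results["bytearray"] = (xor_into(data, b"k", ok), bytes(ok))
    try:
        # A bytes object as output buffer: the old update_into accepted this
        # and corrupted an immutable object; the check refuses it.
        xor_into(data, b"k", bytes(len(data)))
        results["bytes"] = "mutated"
    except TypeError:
        results["bytes"] = "rejected"
    try:
        xor_into(data, b"k", bytearray(3))  # writable but too short
        results["short"] = "accepted"
    except ValueError:
        results["short"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

With a fixed cryptography (41.0.6 or later) the same `TypeError` comes from `update_into` itself when handed a `bytes` object; the helper above is useful in application code that wraps several in-place APIs and wants to fail before any native code touches the buffer.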
The leaking test case has been fixed upstream, so backport the patch.
(From OE-Core rev: 4705b8a724fe288a20f1a080e2796ea90f46c9fb)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We run the tests correctly, we just don't get individual test result
reporting. Borrow the code from python3-bcrypt to handle this correctly
and ensure the test pass/fail scores and individual test results are
reported in a format we can read.
(From OE-Core rev: 17b7dfc46f75f66854c1e540480ef19df6fc43a2)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This test causes OpenSSL to leak some memory. Until this is resolved in
OpenSSL, mark the test as expected-to-fail.
(From OE-Core rev: b32917b113df6dce0200d35dd1b539279635d524)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* inherit new setuptools_rust class (which inherits new pyo3 class, which
inherits cargo and python3-dir).
* RDEPENDS on python3-pytest-subtests for ptest
* Copy pyproject.toml for ptest as it defines the pytest.marker(s) needed
* Use 'cargo bitbake' to generate the crate:// SRC_URIs
- Needed some hacks to the Cargo.toml in src/rust/ to make this work (probably
only package.repository was strictly required):
[package]
description = "cryptography includes both high level recipes and low level interfaces to common cryptographic algorithms such as symmetric ciphers, message digests, and key derivation functions."
homepage = "https://github.com/pyca/cryptography"
repository = "https://github.com/pyca/cryptography"
* Add patches to src/rust/Cargo.toml to fix cargo errors including pem version
* Add check-memfree.py to ptest to check for sufficient free memory
(From OE-Core rev: 27bd134c899d00d93806ecb0a62ec3f30b1e6ec6)
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>