mirror of
https://git.yoctoproject.org/git/poky
synced 2026-01-01 13:58:04 +00:00
31507dd07a
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6. References: https://nvd.nist.gov/vuln/detail/CVE-2023-49083 https://security-tracker.debian.org/tracker/CVE-2023-49083 (From OE-Core rev: 2d104f78cd13a10640bc284c7fc8358bf305279c) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
54 lines
2.0 KiB
Diff
54 lines
2.0 KiB
Diff
From 627ac5e314303acc00a19d58f09eb1eabd029fd1 Mon Sep 17 00:00:00 2001
|
|
From: Alex Gaynor <alex.gaynor@gmail.com>
|
|
Date: Wed, 6 Dec 2023 08:04:53 +0000
|
|
Subject: [PATCH] Fixed crash when loading a PKCS#7 bundle with no certificates
|
|
(#9926)
|
|
|
|
CVE: CVE-2023-49083
|
|
|
|
Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/1e7b4d074e14c4e694d3ce69ad6754a6039fd6ff]
|
|
|
|
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
|
|
---
|
|
src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
|
|
tests/hazmat/primitives/test_pkcs7.py | 6 ++++++
|
|
2 files changed, 10 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
|
|
index 5606fe6..c43fea0 100644
|
|
--- a/src/cryptography/hazmat/backends/openssl/backend.py
|
|
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
|
|
@@ -2189,9 +2189,12 @@ class Backend(BackendInterface):
|
|
_Reasons.UNSUPPORTED_SERIALIZATION,
|
|
)
|
|
|
|
+ certs: list[x509.Certificate] = []
|
|
+ if p7.d.sign == self._ffi.NULL:
|
|
+ return certs
|
|
+
|
|
sk_x509 = p7.d.sign.cert
|
|
num = self._lib.sk_X509_num(sk_x509)
|
|
- certs = []
|
|
for i in range(num):
|
|
x509 = self._lib.sk_X509_value(sk_x509, i)
|
|
self.openssl_assert(x509 != self._ffi.NULL)
|
|
diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
|
|
index 91ac842..b98a9f1 100644
|
|
--- a/tests/hazmat/primitives/test_pkcs7.py
|
|
+++ b/tests/hazmat/primitives/test_pkcs7.py
|
|
@@ -81,6 +81,12 @@ class TestPKCS7Loading(object):
|
|
mode="rb",
|
|
)
|
|
|
|
+ def test_load_pkcs7_empty_certificates(self):
|
|
+ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
|
|
+
|
|
+ certificates = pkcs7.load_der_pkcs7_certificates(der)
|
|
+ assert certificates == []
|
|
+
|
|
|
|
# We have no public verification API and won't be adding one until we get
|
|
# some requirements from users so this function exists to give us basic
|
|
--
|
|
2.40.0
|