5 changed files with 82 additions and 86 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/jwcrypto-0.8.tar.gz
+SOURCES/jwcrypto-0.5.0.tar.gz
--- a/.python-jwcrypto.metadata
+++ b/.python-jwcrypto.metadata
@ -1 +1 @@
-038ee5faf896548477c0b57c3cacb92add36e550 SOURCES/jwcrypto-0.8.tar.gz
+8eccc6fbeeee2fedc602998a7c7a97b8bd550e59 SOURCES/jwcrypto-0.5.0.tar.gz
--- a/SOURCES/0001-Address-potential-DoS-with-high-compression-ratio_rhel#28697.patch
+++ b/SOURCES/0001-Address-potential-DoS-with-high-compression-ratio_rhel#28697.patch
@ -15,7 +15,7 @@ diff --git a/jwcrypto/jwe.py b/jwcrypto/jwe.py
 index 9412881..5df500b 100644
 --- a/jwcrypto/jwe.py
 +++ b/jwcrypto/jwe.py
-@@ -10,5 +10,8 @@
+@@ -9,5 +10,8 @@
 from jwcrypto.jwa import JWA
 
 +# Limit the amount of data we are willing to decompress by default.
@ -24,7 +24,7 @@ index 9412881..5df500b 100644
 
 # RFC 7516 - 4.1
 # name: (description, supported?)
-@@ -387,6 +387,10 @@ def _decrypt(self, key, ppe):
+@@ -374,6 +374,10 @@ def _decrypt(self, key, ppe):
 
         compress = jh.get('zip', None)
         if compress == 'DEF':
@ -39,9 +39,9 @@ diff --git a/jwcrypto/tests.py b/jwcrypto/tests.py
 index bb2ff10..59049f8 100644
 --- a/jwcrypto/tests.py
 +++ b/jwcrypto/tests.py
-@@ -1526,6 +1526,32 @@ def test_pbes2_hs256_aeskw_custom_params(self):
-             token.deserialize(jwt=e)
-             json_decode(token.claims)
+@@ -1196,6 +1196,32 @@ def test_pbes2_hs256_aeskw_custom_params(self):
+         check.deserialize(enc, key)
+         self.assertEqual(b'plain', check.payload)
 
 +    def test_jwe_decompression_max(self):
 +        key = jwk.JWK(kty='oct', k=base64url_encode(b'A' * (128 // 8)))
--- a/SOURCES/0002-Limit-number-of-iterations-for-PBES_rhel#23038.patch
+++ b/SOURCES/0002-Limit-number-of-iterations-for-PBES_rhel#23038.patch
@ -0,0 +1,44 @@
+From d2655d370586cb830e49acfb450f87598da60be8 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 7 Dec 2023 12:49:07 -0500
+Subject: [PATCH] Fix potential DoS issue with p2c header
+
+Unbounded p2c headers may be used to cause an application that accept
+PBES algorithms to spend alot of resources running PBKDF2 with a very
+high number of iterations.
+
+Clamp the default maximum to 16384 (double the default of 8192).
+An application that wants to use more iterations will have to chenge the
+jwa default max.
+
+Fixes CVE-2023-6681
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ jwcrypto/jwa.py   |  5 +++++
+ jwcrypto/tests.py | 12 ++++++++++++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/jwcrypto/jwa.py b/jwcrypto/jwa.py
+index de7a79f..ca4568e 100644
+--- a/jwcrypto/jwa.py
+++ b/jwcrypto/jwa.py
+@@ -29,6 +29,8 @@
+ 
+ # Implements RFC 7518 - JSON Web Algorithms (JWA)
+ 
+default_max_pbkdf2_iterations = 16384
+
+
+ @six.add_metaclass(abc.ABCMeta)
+ class JWAAlgorithm(object):
+@@ -588,6 +590,9 @@ def __init__(self):
+         self.aeskwmap = {128: _A128KW, 192: _A192KW, 256: _A256KW}
+ 
+     def _get_key(self, alg, key, p2s, p2c):
+        if p2c > default_max_pbkdf2_iterations:
+            raise ValueError('Invalid p2c value, too large')
+
+         if isinstance(key, bytes):
+             plain = key
+         else:
--- a/SPECS/python-jwcrypto.spec
+++ b/SPECS/python-jwcrypto.spec
@ -5,7 +5,7 @@
 %bcond_with python3
 %endif

-%if 0%{?fedora} > 31 || 0%{?rhel} > 7
+%if 0%{?rhel} > 7
 # Disable python2 build by default
 %bcond_with python2
 %else
@ -15,25 +15,25 @@
 %global srcname jwcrypto

 Name:           python-%{srcname}
-Version:        0.8
-Release:        5%{?dist}
+Version:        0.5.0
+Release:        2%{?dist}
 Summary:        Implements JWK, JWS, JWE specifications using python-cryptography

 License:        LGPLv3+
 URL:            https://github.com/latchset/%{srcname}
 Source0:        https://github.com/latchset/%{srcname}/releases/download/v%{version}/%{srcname}-%{version}.tar.gz

-Patch1:         0001-Address-potential-DoS-with-high-compression-ratio_rhel#28698.patch
+Patch1:         0001-Address-potential-DoS-with-high-compression-ratio_rhel#28697.patch
+Patch2:         0002-Limit-number-of-iterations-for-PBES_rhel#23038.patch

 BuildArch:      noarch
-%if 0%{?with_python2}
+%if %{with python2}
 BuildRequires:  python2-devel
 BuildRequires:  python2-setuptools
 BuildRequires:  python2-cryptography >= 1.5
 BuildRequires:  python2-pytest
 %endif
-
-%if 0%{?with_python3}
+%if %{with python3}
 BuildRequires:  python%{python3_pkgversion}-devel
 BuildRequires:  python%{python3_pkgversion}-setuptools
 BuildRequires:  python%{python3_pkgversion}-cryptography >= 1.5
@ -43,8 +43,7 @@ BuildRequires:  python%{python3_pkgversion}-pytest
 %description
 Implements JWK, JWS, JWE specifications using python-cryptography

-
-%if 0%{?with_python2}
+%if %{with python2}
 %package -n python2-%{srcname}
 Summary:        Implements JWK,JWS,JWE specifications using python-cryptography
 Requires:       python2-cryptography >= 1.5
@ -54,8 +53,7 @@ Requires:       python2-cryptography >= 1.5
 Implements JWK, JWS, JWE specifications using python-cryptography
 %endif

-
-%if 0%{?with_python3}
+%if %{with python3}
 %package -n python%{python3_pkgversion}-%{srcname}
 Summary:        Implements JWK, JWS, JWE specifications using python-cryptography
 Requires:       python%{python3_pkgversion}-cryptography >= 1.5
@ -72,42 +70,37 @@ Implements JWK, JWS, JWE specifications using python-cryptography
 %autopatch -p 1

 %build
-%if 0%{?with_python2}
+%if %{with python2}
 %py2_build
 %endif
-%if 0%{?with_python3}
+%if %{with python3}
 %py3_build
 %endif


 %check
-%if 0%{?with_python2}
+%if %{with python2}
 %{__python2} -bb -m pytest %{srcname}/test*.py
 %endif
-%if 0%{?with_python3}
+%if %{with python3}
 %{__python3} -bb -m pytest %{srcname}/test*.py
 %endif


 %install
-%if 0%{?with_python2}
+%if %{with python2}
 %py2_install
-%endif
-%if 0%{?with_python3}
-%py3_install
-%endif
-
 rm -rf %{buildroot}%{_docdir}/%{srcname}
-%if 0%{?with_python2}
 rm -rf %{buildroot}%{python2_sitelib}/%{srcname}/tests{,-cookbook}.py*
 %endif
-%if 0%{?with_python3}
+%if %{with python3}
+%py3_install
 rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/tests{,-cookbook}.py*
 rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/tests{,-cookbook}.*.py*
 %endif
+rm -rf %{buildroot}/usr/share/doc/jwcrypto

-
-%if 0%{?with_python2}
+%if %{with python2}
 %files -n python2-%{srcname}
 %doc README.md
 %license LICENSE
@ -115,7 +108,7 @@ rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/tests{,-cookbook}.*
 %{python2_sitelib}/%{srcname}-%{version}-py%{python2_version}.egg-info
 %endif

-%if 0%{?with_python3}
+%if %{with python3}
 %files -n python%{python3_pkgversion}-%{srcname}
 %doc README.md
 %license LICENSE
@ -125,65 +118,24 @@ rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/tests{,-cookbook}.*


 %changelog
-* Thu Apr 04 2024 Rafael Jeffman <rjeffman@redhat.com> - 0.8-5
+* Mon Apr 15 2024 Rafael Jeffman <rjeffman@redhat.com> - 0.5.0-2
 - Address potential DoS with high compression ratio
-  Resolves: RHEL-28698
-
-* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.8-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
-
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.8-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-
-* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Tue Dec 01 2020 Simo Sorce <simo@redhat.com> - 0.8-1
- Sync with upstream release 0.8
-
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.0-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 0.6.0-8
- Rebuilt for Python 3.9
-
-* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 0.6.0-6
- Rebuilt for Python 3.8.0rc1 (#1748018)
-
-* Thu Aug 29 2019 Christian Heimes <cheimes@redhat.com> - 0.6.0-5
- Remove Python 2 subpackages from F32+
- Resolves: RHBZ #1746760
-
-* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.6.0-4
- Rebuilt for Python 3.8
-
-* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Mon Nov 05 2018 Christian Heimes <cheimes@redhat.com> - 0.6.0-1
- New upstream release 0.6.0
-
-* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+  Resolves: RHEL-28697
+- Limit number of iterations for PBES
+  Resolves: RHEL-23036 RHEL-23037

-* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 0.5.0-2
- Rebuilt for Python 3.7
+* Fri Jun 17 2022 Christian Heimes <cheimes@redhat.com> - 0.5.0-1.1
+- Bump dist to solve version sorting issue, fixes RHBZ#2097800

-* Wed Jun 27 2018 Christian Heimes <cheimes@redhat.com> - 0.5.0-1
+* Thu Jun 28 2018 Christian Heimes <cheimes@redhat.com> - 0.5.0-1
 - New upstream release 0.5.0
+- Fixes Coverity scan issue

-* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 0.4.2-5
- Rebuilt for Python 3.7
+* Mon Apr 16 2018 Christian Heimes <cheimes@redhat.com> - 0.4.2-5
+- Drop Python 2 subpackages from RHEL 8, fixes RHBZ#1567152

-* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+* Thu Nov 23 2017 Christian Heimes <cheimes@redhat.com> - 0.4.2-4
+- Build Python 3 package on RHEL > 7, fixes RHBZ#1516813

 * Wed Aug 02 2017 Christian Heimes <cheimes@redhat.com> - 0.4.2-3
 - Run tests with bytes warning