5 changed files with 82 additions and 65 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/jwcrypto-1.5.6.tar.gz
+SOURCES/jwcrypto-0.8.tar.gz
--- a/.python-jwcrypto.metadata
+++ b/.python-jwcrypto.metadata
@ -1 +1 @@
-e3fdb8f42c60e947cbe58346d086850d915a2b60 SOURCES/jwcrypto-1.5.6.tar.gz
+038ee5faf896548477c0b57c3cacb92add36e550 SOURCES/jwcrypto-0.8.tar.gz
--- a/SOURCES/0001-Address-potential-DoS-with-high-compression-ratio_rhel#28698.patch
+++ b/SOURCES/0001-Address-potential-DoS-with-high-compression-ratio_rhel#28698.patch
@ -0,0 +1,74 @@
 From 90477a3b6e73da69740e00b8161f53fea19b831f Mon Sep 17 00:00:00 2001
 From: Simo Sorce <simo@redhat.com>
 Date: Tue, 5 Mar 2024 16:57:17 -0500
 Subject: [PATCH] Address potential DoS with high compression ratio
 Fixes CVE-2024-28102
 Signed-off-by: Simo Sorce <simo@redhat.com>
 ---
 jwcrypto/jwe.py   |  7 +++++++
 jwcrypto/tests.py | 26 ++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
 diff --git a/jwcrypto/jwe.py b/jwcrypto/jwe.py
 index 9412881..5df500b 100644
 --- a/jwcrypto/jwe.py
 +++ b/jwcrypto/jwe.py
@@ -10,5 +10,8 @@
 from jwcrypto.jwa import JWA
 +# Limit the amount of data we are willing to decompress by default.
 +default_max_compressed_size = 256 * 1024
 +
 # RFC 7516 - 4.1
 # name: (description, supported?)
@@ -387,6 +387,10 @@ def _decrypt(self, key, ppe):
         compress = jh.get('zip', None)
         if compress == 'DEF':
 +            if len(data) > default_max_compressed_size:
 +                raise InvalidJWEData(
 +                    'Compressed data exceeds maximum allowed'
 +                    'size' + f' ({default_max_compressed_size})')
             self.plaintext = zlib.decompress(data, -zlib.MAX_WBITS)
         elif compress is None:
             self.plaintext = data
 diff --git a/jwcrypto/tests.py b/jwcrypto/tests.py
 index bb2ff10..59049f8 100644
 --- a/jwcrypto/tests.py
 +++ b/jwcrypto/tests.py
@@ -1526,6 +1526,32 @@ def test_pbes2_hs256_aeskw_custom_params(self):
             token.deserialize(jwt=e)
             json_decode(token.claims)
 +    def test_jwe_decompression_max(self):
 +        key = jwk.JWK(kty='oct', k=base64url_encode(b'A' * (128 // 8)))
 +        payload = '{"u": "' + "u" * 400000000 + '", "uu":"' \
 +            + "u" * 400000000 + '"}'
 +        protected_header = {
 +            "alg": "A128KW",
 +            "enc": "A128GCM",
 +            "typ": "JWE",
 +            "zip": "DEF",
 +        }
 +        enc = jwe.JWE(payload.encode('utf-8'),
 +                      recipient=key,
 +                      protected=protected_header).serialize(compact=True)
 +        with self.assertRaises(jwe.InvalidJWEData):
 +            check = jwe.JWE()
 +            check.deserialize(enc)
 +            check.decrypt(key)
 +
 +        defmax = jwe.default_max_compressed_size
 +        jwe.default_max_compressed_size = 1000000000
 +        # ensure we can eraise the limit and decrypt
 +        check = jwe.JWE()
 +        check.deserialize(enc)
 +        check.decrypt(key)
 +        jwe.default_max_compressed_size = defmax
 +
 class JWATests(unittest.TestCase):
     def test_jwa_create(self):
--- a/SOURCES/0001-ignore-deprecated-annotation.patch
+++ b/SOURCES/0001-ignore-deprecated-annotation.patch
@ -1,40 +0,0 @@
 diff -Naur jwcrypto-1.5.6/jwcrypto/jwk.py jwcrypto-1.5.6-new/jwcrypto/jwk.py
 --- jwcrypto-1.5.6/jwcrypto/jwk.py	2024-02-07 13:52:39.000000000 -0300
 +++ jwcrypto-1.5.6-new/jwcrypto/jwk.py	2024-06-12 13:06:28.553972422 -0300
@@ -11,7 +11,15 @@
 from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.hazmat.primitives.asymmetric import rsa
 -from typing_extensions import deprecated
 +try:
 +    from typing_extensions import deprecated
 +except ImportError:
 +    def deprecated(_fn, *args):
 +        def inner(func):
 +            return func
 +
 +        return inner
 +
 from jwcrypto.common import JWException
 from jwcrypto.common import base64url_decode, base64url_encode
 diff -Naur jwcrypto-1.5.6/jwcrypto/jwt.py jwcrypto-1.5.6-new/jwcrypto/jwt.py
 --- jwcrypto-1.5.6/jwcrypto/jwt.py	2024-02-07 13:52:39.000000000 -0300
 +++ jwcrypto-1.5.6-new/jwcrypto/jwt.py	2024-06-12 13:26:48.534696766 -0300
@@ -4,7 +4,15 @@
 import time
 import uuid
 -from typing_extensions import deprecated
 +try:
 +    from typing_extensions import deprecated
 +except ImportError:
 +    def deprecated(*args):
 +        def inner(func):
 +            return func
 +
 +        return inner
 +
 from jwcrypto.common import JWException, JWKeyNotFound
 from jwcrypto.common import json_decode, json_encode
--- a/SPECS/python-jwcrypto.spec
+++ b/SPECS/python-jwcrypto.spec
@ -12,21 +12,18 @@
 %bcond_without python2
 %endif
 # Disable auto-generation of python dependencies.
 %{?python_disable_dependency_generator}
 %global srcname jwcrypto
 Name:           python-%{srcname}
-Version:        1.5.6
+Version:        0.8
-Release:        2%{?dist}
+Release:        5%{?dist}
 Summary:        Implements JWK, JWS, JWE specifications using python-cryptography
 License:        LGPLv3+
 URL:            https://github.com/latchset/%{srcname}
 Source0:        https://github.com/latchset/%{srcname}/releases/download/v%{version}/%{srcname}-%{version}.tar.gz
-Patch0001:         0001-ignore-deprecated-annotation.patch
+Patch1:         0001-Address-potential-DoS-with-high-compression-ratio_rhel#28698.patch
 BuildArch:      noarch
 %if 0%{?with_python2}
@ -39,7 +36,7 @@ BuildRequires:  python2-pytest
 %if 0%{?with_python3}
 BuildRequires:  python%{python3_pkgversion}-devel
 BuildRequires:  python%{python3_pkgversion}-setuptools
-BuildRequires:  python%{python3_pkgversion}-cryptography >= 2.3
+BuildRequires:  python%{python3_pkgversion}-cryptography >= 1.5
 BuildRequires:  python%{python3_pkgversion}-pytest
 %endif
@ -61,7 +58,7 @@ Implements JWK, JWS, JWE specifications using python-cryptography
 %if 0%{?with_python3}
 %package -n python%{python3_pkgversion}-%{srcname}
 Summary:        Implements JWK, JWS, JWE specifications using python-cryptography
-Requires:       python%{python3_pkgversion}-cryptography >= 2.3
+Requires:       python%{python3_pkgversion}-cryptography >= 1.5
 %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
 %description -n python%{python3_pkgversion}-%{srcname}
@ -72,10 +69,7 @@ Implements JWK, JWS, JWE specifications using python-cryptography
 %prep
 %setup -q -n %{srcname}-%{version}
-for p in %patches; do
+%autopatch -p 1
    %__patch -p1 -i $p
 done
 %build
 %if 0%{?with_python2}
@ -131,17 +125,6 @@ rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/tests{,-cookbook}.*
 %changelog
 * Mon Oct 07 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 1.5.6-2
 - Rebuilt for MSVSphere 9.5 beta
 * Fri Aug 09 2024 Rafael Jeffman <rjeffman@redhat.com> - 1.5.6-2
 - Disable auto-generation of dependencies
  Related: RHEL-34809
 * Tue Jun 18 2024 Rafael Jeffman <rjeffman@redhat.com> - 1.5.6-1
 - Rebase to version 1.5.6
  Resolve: RHEL-34809
 * Thu Apr 04 2024 Rafael Jeffman <rjeffman@redhat.com> - 0.8-5
 - Address potential DoS with high compression ratio
  Resolves: RHEL-28698
`@ -1 +1 @@`
	`SOURCES/jwcrypto-1.5.6.tar.gz`	`SOURCES/jwcrypto-0.8.tar.gz`
`@ -1 +1 @@`
	`e3fdb8f42c60e947cbe58346d086850d915a2b60 SOURCES/jwcrypto-1.5.6.tar.gz`	`038ee5faf896548477c0b57c3cacb92add36e550 SOURCES/jwcrypto-0.8.tar.gz`