commit 8b9864d6115cbe669b65ecbda1d35d2def2c642a Author: MSVSphere Packaging Team Date: Fri Mar 29 16:16:37 2024 +0300 import python3.11-cryptography-37.0.2-6.el8 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1dd30a2 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/cryptography-37.0.2-vendor.tar.bz2 +SOURCES/cryptography-37.0.2.tar.gz diff --git a/.python3.11-cryptography.metadata b/.python3.11-cryptography.metadata new file mode 100644 index 0000000..13f1546 --- /dev/null +++ b/.python3.11-cryptography.metadata @@ -0,0 +1,2 @@ +eca566e4bf80dca2c2619c08ff1ae41d2c326e40 SOURCES/cryptography-37.0.2-vendor.tar.bz2 +b0a31457545b06b8baa32162a45399f79aabe58d SOURCES/cryptography-37.0.2.tar.gz diff --git a/SOURCES/CVE-2023-23931.patch b/SOURCES/CVE-2023-23931.patch new file mode 100644 index 0000000..7c31338 --- /dev/null +++ b/SOURCES/CVE-2023-23931.patch @@ -0,0 +1,45 @@ +From 3914106b613ad4f5f27a2d1b3fc8fc2efb41dec6 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 31 Jan 2023 08:33:54 -0500 +Subject: [PATCH] Don't allow update_into to mutate immutable objects + +--- + src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- + tests/hazmat/primitives/test_ciphers.py | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 1058de9..17abd3a 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -157,7 +157,7 @@ class _CipherContext: + data_processed = 0 + total_out = 0 + outlen = self._backend._ffi.new("int *") +- baseoutbuf = self._backend._ffi.from_buffer(buf) ++ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True) + baseinbuf = self._backend._ffi.from_buffer(data) + + while data_processed != total_data_len: +diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py +index 02127dd..bf3b047 100644 +--- a/tests/hazmat/primitives/test_ciphers.py ++++ b/tests/hazmat/primitives/test_ciphers.py +@@ -318,6 +318,14 @@ class TestCipherUpdateInto: + with pytest.raises(ValueError): + encryptor.update_into(b"testing", buf) + ++ def test_update_into_immutable(self, backend): ++ key = b"\x00" * 16 ++ c = ciphers.Cipher(AES(key), modes.ECB(), backend) ++ encryptor = c.encryptor() ++ buf = b"\x00" * 32 ++ with pytest.raises((TypeError, BufferError)): ++ encryptor.update_into(b"testing", buf) ++ + @pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + AES(b"\x00" * 16), modes.GCM(b"\x00" * 12) +-- +2.39.1 + diff --git a/SOURCES/CVE-2023-49083.patch b/SOURCES/CVE-2023-49083.patch new file mode 100644 index 0000000..2312e26 --- /dev/null +++ b/SOURCES/CVE-2023-49083.patch @@ -0,0 +1,116 @@ +From f7aeb6d308004e078c11f6aaa1d5c6d1a0259146 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Mon, 27 Nov 2023 13:08:17 -0500 +Subject: [PATCH 1/2] Fixed crash when loading a PKCS#7 bundle with no + certificates (#9926) + +--- + src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++- + tests/hazmat/primitives/test_pkcs7.py | 6 ++++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index bf34946..c7e95e5 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -2356,9 +2356,12 @@ class Backend: + _Reasons.UNSUPPORTED_SERIALIZATION, + ) + ++ certs: list[x509.Certificate] = [] ++ if p7.d.sign == self._ffi.NULL: ++ return certs ++ + sk_x509 = p7.d.sign.cert + num = self._lib.sk_X509_num(sk_x509) +- certs = [] + for i in range(num): + x509 = self._lib.sk_X509_value(sk_x509, i) + self.openssl_assert(x509 != self._ffi.NULL) +diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py +index 138bc0f..b2d9757 100644 +--- a/tests/hazmat/primitives/test_pkcs7.py ++++ b/tests/hazmat/primitives/test_pkcs7.py +@@ -89,6 +89,12 @@ class TestPKCS7Loading: + mode="rb", + ) + ++ def test_load_pkcs7_empty_certificates(self): ++ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02" ++ ++ certificates = pkcs7.load_der_pkcs7_certificates(der) ++ assert certificates == [] ++ + + # We have no public verification API and won't be adding one until we get + # some requirements from users so this function exists to give us basic +-- +2.43.0 + + +From d1f3d2caa8001aa8762117dd1df710514a633c39 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Fri, 1 Dec 2023 13:26:38 -0600 +Subject: [PATCH 2/2] raise an exception instead of returning an empty list for + pkcs7 cert loading (#9947) + +* raise an exception instead of returning an empty list + +as davidben points out in #9926 we are calling a specific load +certificates function and an empty value doesn't necessarily mean empty +because PKCS7 contains multitudes. erroring is more correct. + +* changelog + +* Update CHANGELOG.rst + +Co-authored-by: Alex Gaynor + +--------- + +Co-authored-by: Alex Gaynor +--- + src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++-- + tests/hazmat/primitives/test_pkcs7.py | 4 ++-- + 2 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index c7e95e5..f8a2f5a 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -2356,12 +2356,15 @@ class Backend: + _Reasons.UNSUPPORTED_SERIALIZATION, + ) + +- certs: list[x509.Certificate] = [] + if p7.d.sign == self._ffi.NULL: +- return certs ++ raise ValueError( ++ "The provided PKCS7 has no certificate data, but a cert " ++ "loading method was called." ++ ) + + sk_x509 = p7.d.sign.cert + num = self._lib.sk_X509_num(sk_x509) ++ certs: list[x509.Certificate] = [] + for i in range(num): + x509 = self._lib.sk_X509_value(sk_x509, i) + self.openssl_assert(x509 != self._ffi.NULL) +diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py +index b2d9757..7b092b7 100644 +--- a/tests/hazmat/primitives/test_pkcs7.py ++++ b/tests/hazmat/primitives/test_pkcs7.py +@@ -92,8 +92,8 @@ class TestPKCS7Loading: + def test_load_pkcs7_empty_certificates(self): + der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02" + +- certificates = pkcs7.load_der_pkcs7_certificates(der) +- assert certificates == [] ++ with pytest.raises(ValueError): ++ pkcs7.load_der_pkcs7_certificates(der) + + + # We have no public verification API and won't be adding one until we get +-- +2.43.0 + diff --git a/SOURCES/conftest-skipper.py b/SOURCES/conftest-skipper.py new file mode 100644 index 0000000..5a1de83 --- /dev/null +++ b/SOURCES/conftest-skipper.py @@ -0,0 +1,22 @@ + +class Skipper: + """Skip iso8601 and pretend tests + + RHEL buildroot doesn't have python-iso8601 and python-pretend. Skip + all tests that use the excluded modules. + """ + + def parse_date(self, datestring): + pytest.skip(f"iso8601 module is not available.") + + def stub(self, **kwargs): + pytest.skip(f"pretend module is not available.") + + def raiser(self, exc): + pytest.skip(f"pretend module is not available.") + + +import sys + +sys.modules["iso8601"] = sys.modules["pretend"] = Skipper() + diff --git a/SPECS/python3.11-cryptography.spec b/SPECS/python3.11-cryptography.spec new file mode 100644 index 0000000..5e6edbb --- /dev/null +++ b/SPECS/python3.11-cryptography.spec @@ -0,0 +1,257 @@ +%global __python3 /usr/bin/python3.11 +%global python3_pkgversion 3.11 + +# RHEL: Tests disabled due to missing deps +%bcond_with tests + +%global srcname cryptography + +Name: python%{python3_pkgversion}-%{srcname} +Version: 37.0.2 +Release: 6%{?dist} +Summary: PyCA's cryptography library + +# We bundle various crates with cryptography which is dual licensed +# under the ASL 2.0 and BSD-3-Clause, as well as the Python license +# for the OS random engine derived by CPython. + +# Inflector: BSD +# aliasable: MIT +# asn1: BSD +# asn1_derive: BSD +# autocfg: MIT or ASL 2.0 +# base64: MIT or ASL 2.0 +# cfg-if: MIT or ASL 2.0 +# chrono: MIT or ASL 2.0 +# indoc: MIT or ASL 2.0 +# indoc-impl: MIT or ASL 2.0 +# instant: BSD +# lazy_static: MIT or ASL 2.0 +# libc: MIT or ASL 2.0 +# lock_api: MIT or ASL 2.0 +# num-integer: MIT or ASL 2.0 +# num-traits: MIT or ASL 2.0 +# once_cell: MIT or ASL 2.0 +# ouroboros: MIT or ASL 2.0 +# ouroboros_macro: MIT or ASL 2.0 +# parking_lot: MIT or ASL 2.0 +# parking_lot_core: MIT or ASL 2.0 +# paste: MIT or ASL 2.0 +# paste-impl: MIT or ASL 2.0 +# pem: MIT +# proc-macro-error: MIT or ASL 2.0 +# proc-macro-error-attr: MIT or ASL 2.0 +# proc-macro-hack: MIT or ASL 2.0 +# proc-macro2: MIT or ASL 2.0 +# pyo3: ASL 2.0 +# pyo3-build-config: ASL 2.0 +# pyo3-macros: ASL 2.0 +# pyo3-macros-backend: ASL 2.0 +# quote: MIT or ASL 2.0 +# scopeguard: MIT or ASL 2.0 +# smallvec: MIT or ASL 2.0 +# stable_deref_trait: MIT or ASL 2.0 +# syn: MIT or ASL 2.0 +# unicode-xid: MIT or ASL 2.0 +# unindent: MIT or ASL 2.0 +# version_check: MIT or ASL 2.0 + +License: (ASL 2.0 or BSD) and Python and BSD and MIT and (MIT or ASL 2.0) and ASL 2.0 +URL: https://cryptography.io/en/latest/ +Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz + # created by ./vendor_rust.py helper script +Source1: cryptography-%{version}-vendor.tar.bz2 +Source2: conftest-skipper.py + +# Security fix for CVE-2023-23931: memory corruption via immutable objects +# Bugzilla tracker: https://bugzilla.redhat.com/show_bug.cgi?id=2171817 +# Resolved upstream: https://github.com/pyca/cryptography/commit/94a50a9731f35405f0357fa5f3b177d46a726ab3 +Patch0: CVE-2023-23931.patch + +# Security fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates +# Bugzilla tracker: https://bugzilla.redhat.com/show_bug.cgi?id=2255331 +# Resolved upstream: +# https://github.com/pyca/cryptography/commit/1e7b4d074e14c4e694d3ce69ad6754a6039fd6ff +# https://github.com/pyca/cryptography/commit/3165db8efc82d8e379c4931453f6c776ab8db013 +Patch1: CVE-2023-49083.patch + +ExclusiveArch: %{rust_arches} + +BuildRequires: openssl-devel +BuildRequires: gcc +BuildRequires: gnupg2 +%if 0%{?fedora} +BuildRequires: rust-packaging +%else +BuildRequires: rust-toolset +%endif + +BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 +BuildRequires: python%{python3_pkgversion}-devel +BuildRequires: python%{python3_pkgversion}-rpm-macros +BuildRequires: python%{python3_pkgversion}-setuptools +BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3 +# Cargo.toml requires asn1 0.6, but package FTBFS with 0.6.1 +#BuildRequires: rust-asn1-devel >= 0.6.4 + +%if %{with tests} +%if 0%{?fedora} +BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 +BuildRequires: python%{python3_pkgversion}-iso8601 +BuildRequires: python%{python3_pkgversion}-pretend +BuildRequires: python%{python3_pkgversion}-pytest-xdist +%endif +BuildRequires: python%{python3_pkgversion}-pytest >= 6.0 +BuildRequires: python%{python3_pkgversion}-pytest-benchmark +BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2 +BuildRequires: python%{python3_pkgversion}-pytz +%endif + +Requires: openssl-libs +Requires: python%{python3_pkgversion}-cffi >= 1.7 + +# Provides for the bundled crates + +Provides: bundled(crate(Inflector)) = 0.11.4 +Provides: bundled(crate(aliasable)) = 0.1.3 +Provides: bundled(crate(asn1)) = 0.8.7 +Provides: bundled(crate(asn1_derive)) = 0.8.7 +Provides: bundled(crate(autocfg)) = 1.1.0 +Provides: bundled(crate(base64)) = 0.13.0 +Provides: bundled(crate(cfg-if)) = 1.0.0 +Provides: bundled(crate(chrono)) = 0.4.19 +Provides: bundled(crate(indoc)) = 0.3.6 +Provides: bundled(crate(indoc-impl)) = 0.3.6 +Provides: bundled(crate(instant)) = 0.1.12 +Provides: bundled(crate(lazy_static)) = 1.4.0 +Provides: bundled(crate(libc)) = 0.2.124 +Provides: bundled(crate(lock_api)) = 0.4.7 +Provides: bundled(crate(num-integer)) = 0.1.44 +Provides: bundled(crate(num-traits)) = 0.2.14 +Provides: bundled(crate(once_cell)) = 1.10.0 +Provides: bundled(crate(ouroboros)) = 0.15.0 +Provides: bundled(crate(ouroboros_macro)) = 0.15.0 +Provides: bundled(crate(parking_lot)) = 0.11.2 +Provides: bundled(crate(parking_lot_core)) = 0.8.5 +Provides: bundled(crate(paste)) = 0.1.18 +Provides: bundled(crate(paste-impl)) = 0.1.18 +Provides: bundled(crate(pem)) = 1.0.2 +Provides: bundled(crate(proc-macro-error)) = 1.0.4 +Provides: bundled(crate(proc-macro-error-attr)) = 1.0.4 +Provides: bundled(crate(proc-macro-hack)) = 0.5.19 +Provides: bundled(crate(proc-macro2)) = 1.0.37 +Provides: bundled(crate(pyo3)) = 0.15.2 +Provides: bundled(crate(pyo3-build-config)) = 0.15.2 +Provides: bundled(crate(pyo3-macros)) = 0.15.2 +Provides: bundled(crate(pyo3-macros-backend)) = 0.15.2 +Provides: bundled(crate(quote)) = 1.0.18 +Provides: bundled(crate(scopeguard)) = 1.1.0 +Provides: bundled(crate(smallvec)) = 1.8.0 +Provides: bundled(crate(stable_deref_trait)) = 1.2.0 +Provides: bundled(crate(syn)) = 1.0.91 +Provides: bundled(crate(unicode-xid)) = 0.2.2 +Provides: bundled(crate(unindent)) = 0.1.8 +Provides: bundled(crate(version_check)) = 0.9.4 + +# Cryptography crate +Provides: crate(cryptography-rust) = 0.1.0 + +%description +cryptography is a package designed to expose cryptographic primitives and +recipes to Python developers. + +%prep +%autosetup -p1 -n %{srcname}-%{version} + + +%if 0%{?fedora} +# Fedora: use cargo macros to make use of RPMified crates +%cargo_prep +cd src/rust +rm -f Cargo.lock +%cargo_generate_buildrequires +cd ../.. +%else +# RHEL: use vendored Rust crates +%cargo_prep -V 1 +%endif + +%build +export RUSTFLAGS="%build_rustflags" +%py3_build + +%install +# Actually other *.c and *.h are appropriate +# see https://github.com/pyca/cryptography/issues/1463 +find . -name .keep -print -delete +%py3_install + +%check +%if %{with tests} +%if 0%{?rhel} +# skip hypothesis tests on RHEL +rm -rf tests/hypothesis +# append skipper to skip iso8601 and pretend tests +cat < %{SOURCE2} >> tests/conftest.py +%endif + +%if 0%{?eln} +# enable SHA-1 signatures for RSA tests +# also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343 +export OPENSSL_ENABLE_SHA1_SIGNATURES=yes +%endif + +# see https://github.com/pyca/cryptography/issues/4885 and +# see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests +# see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes +# not much sense for downstream testing. +PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ + %{__python3} -m pytest \ + -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_openssl_memleak)" +%endif + +%files -n python%{python3_pkgversion}-%{srcname} +%doc README.rst docs +%license LICENSE LICENSE.APACHE LICENSE.BSD +%{python3_sitearch}/%{srcname} +%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info + +%changelog +* Fri Jan 26 2024 Charalampos Stratakis - 37.0.2-6 +- Security fix for CVE-2023-49083 +- Resolves: RHEL-19831 + +* Thu Feb 23 2023 Charalampos Stratakis - 37.0.2-5 +- Bump release for rebuild + +* Mon Feb 20 2023 Charalampos Stratakis - 37.0.2-4 +- Security fix for CVE-2023-23931 + +* Tue Feb 14 2023 Charalampos Stratakis - 37.0.2-3 +- Rebuild for gating + +* Mon Feb 13 2023 Charalampos Stratakis - 37.0.2-2 +- Add explicit dependency on python3.11-rpm-macros + +* Thu Dec 01 2022 Charalampos Stratakis - 37.0.2-1 +- Initial package +- Fedora contributions by: + Alfredo Moralejo + Charalampos Stratakis + Christian Heimes + Colin Walters + Dennis Gilmore + Fabio Valentini + Felix Schwarz + Haikel Guemar + Igor Gnatenko + Iryna Shcherbina + Lumir Balhar + Matěj Cepl + Miro Hrončok + Nathaniel McCallum + Randy Barlow + Robert Kuska + Sahana Prasad + Stephen Gallagher + Troy Dawson