fix CVE-2020-36242

This commit is contained in:
sxt1001 2021-02-23 09:56:05 +08:00
parent 42ac02ac22
commit 86b787f079
2 changed files with 51 additions and 1 deletions


@ -0,0 +1,46 @@
From 962eac3925c7184fb5dc174357823223beba0d85 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sun, 7 Feb 2021 11:04:43 -0600
Subject: [PATCH] port changelog and fix back to master for CVE-2020-36242
---
CHANGELOG.rst | 9 +++++++++
src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 3cb53d0..4dd7146 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,6 +1,15 @@
Changelog
=========
+.. _v3-3-2:
+
+3.3.2 - 2021-02-07
+~~~~~~~~~~~~~~~~~~
+
+* **SECURITY ISSUE:** Fixed a bug where certain sequences of ``update()`` calls
+ when symmetrically encrypting very large payloads (>2GB) could result in an
+ integer overflow, leading to buffer overflows. *CVE-2020-36242*
+
.. _v3-3-1:
3.3.1 - 2020-12-09
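
Review bot: The 3.3.2 changelog section in this hunk will disagree with the package, which the spec still builds as Version: 3.3.1, so anyone reading the shipped CHANGELOG.rst sees a release that the RPM version does not claim to be. It also makes the backport touch a second file whose context has to match the packaged tarball. Consider dropping the CHANGELOG.rst part from backport-CVE-2020-36242.patch and carrying only the ciphers.py change, since the CVE is already recorded in the spec %changelog.
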
diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
index 1e805d2..ad5dad3 100644
--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -17,7 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes
class _CipherContext(object):
_ENCRYPT = 1
_DECRYPT = 0
- _MAX_CHUNK_SIZE = 2 ** 31 - 1
+ _MAX_CHUNK_SIZE = 2 ** 30 - 1
def __init__(self, backend, cipher, mode, operation):
self._backend = backend
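
Review bot: The new `_MAX_CHUNK_SIZE = 2 ** 30 - 1` has no comment saying why the limit is 2 ** 30 rather than 2 ** 31, so a later cleanup could raise it again without noticing. Add a one-line comment above the constant tying it to the integer overflow described in the changelog entry (CVE-2020-36242). The hunk does not show where the constant is consumed, so confirm that every `update()` path chunks its input by this value. The diffstat lists only CHANGELOG.rst and ciphers.py, so no regression test for payloads over 2GB comes with the fix.
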
--
1.8.3.1


@ -1,12 +1,13 @@
%global srcname cryptography %global srcname cryptography
Name: python-%{srcname} Name: python-%{srcname}
Version: 3.3.1 Version: 3.3.1
Release: 1 Release: 2
Summary: PyCA's cryptography library Summary: PyCA's cryptography library
License: ASL 2.0 or BSD License: ASL 2.0 or BSD
URL: https://cryptography.io/en/latest/ URL: https://cryptography.io/en/latest/
Source0: %{pypi_source} Source0: %{pypi_source}
Patch6000: backport-CVE-2020-36242.patch
BuildRequires: openssl-devel BuildRequires: openssl-devel
BuildRequires: gcc BuildRequires: gcc
@ -70,6 +71,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
%doc README.rst docs %doc README.rst docs
%changelog %changelog
* Tue Feb 23 2021 shixuantong <shixuantong@huawei.com> - 3.3.1-2
- fix CVE-2020-36242
* Mon Feb 1 2021 liudabo <liudabo1@huawei.com> - 3.3.1-1 * Mon Feb 1 2021 liudabo <liudabo1@huawei.com> - 3.3.1-1
- upgrade version to 3.3.1 - upgrade version to 3.3.1
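
Review bot: The %changelog entry `- fix CVE-2020-36242` does not say how the fix was made. Naming the patch file (backport-CVE-2020-36242.patch) and the upstream commit from its header (962eac3925c7184fb5dc174357823223beba0d85) would let someone auditing the package trace the change without unpacking the source RPM.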