fix CVE-2024-33664

CVE-2024-33664.patch

@@ -0,0 +1,14 @@
+diff -Naur python-jose-3.3.0/jose/jwe.py python-jose-3.3.0_cve/jose/jwe.py
+--- python-jose-3.3.0/jose/jwe.py	2021-06-05 00:11:22.000000000 +0800
++++ python-jose-3.3.0_cve/jose/jwe.py	2024-04-26 17:33:01.319314391 +0800
+@@ -76,6 +76,10 @@
+         >>> jwe.decrypt(jwe_string, 'asecret128bitkey')
+         'Hello, World!'
+     """
++    # limit the token size to 250 KB
++    if len(jwe_str) > 250 * 1024:
++        raise JWEError("JWE string exceeds 250 KB")
++ 
+     header, encoded_header, encrypted_key, iv, cipher_text, auth_tag = _jwe_compact_deserialize(jwe_str)
+ 
+     # Verify that the implementation understands and can process all

python-jose.spec

@@ -1,13 +1,14 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-jose
 Version:	3.3.0
-Release:	1
+Release:	2
 Summary:	An implementation of the JOSE draft
 License:	MIT License (MIT)
 URL:		https://github.com/Demonware/jose
 Source0:	https://files.pythonhosted.org/packages/e4/19/b2c86504116dc5f0635d29f802da858404d77d930a25633d2e86a64a35b3/python-jose-3.3.0.tar.gz
 BuildArch:	noarch
 
+Patch0001:    CVE-2024-33664.patch
 
 %description
 JOSE is a framework intended to provide a method to securely transfer
@@ -61,7 +62,7 @@ This library implements JWS and JWEs along with a subset of the
 encryption / authentication algorithms recommended by the JOSE framework.
 
 %prep
-%autosetup -n %{name}-%{version}
+%autosetup -n %{name}-%{version} -p1
 
 %build
 %py3_build
@@ -101,6 +102,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 
 %changelog
+* Fri Apr 26 2024 yueyaoqiang <yueyaoqiang@kylinos.cn> - 3.3.0-2
+- fix CVE-2024-33664
+
 * Tue Jul 12 2022 wangqiang <wangqiang1@kylinos.cn> - 3.3.0-1
 - Type: update
 - ID: NA