Fix CVE-2023-6681

This commit is contained in:
starlet-dx 2023-12-29 09:36:08 +08:00
parent 5b0e28b82a
commit a31b2cb002
2 changed files with 74 additions and 2 deletions

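--- a/CVE-2023-6681.patch
+++ b/CVE-2023-6681.patch
@@ -0,0 +1,67 @@
+From d2655d370586cb830e49acfb450f87598da60be8 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 7 Dec 2023 12:49:07 -0500
+Subject: [PATCH] Fix potential DoS issue with p2c header
+Unbounded p2c headers may be used to cause an application that accept
+PBES algorithms to spend alot of resources running PBKDF2 with a very
+high number of iterations.
+Clamp the default maximum to 16384 (double the default of 8192).
+An application that wants to use more iterations will have to chenge the
+jwa default max.
+Fixes CVE-2023-6681
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+jwcrypto/jwa.py | 5 +++++
+jwcrypto/tests.py | 12 ++++++++++++
+2 files changed, 17 insertions(+)
+diff --git a/jwcrypto/jwa.py b/jwcrypto/jwa.py
+index de7a79f..ca4568e 100644
+--- a/jwcrypto/jwa.py
++++ b/jwcrypto/jwa.py
+@@ -28,6 +28,8 @@
+# Implements RFC 7518 - JSON Web Algorithms (JWA)
++default_max_pbkdf2_iterations = 16384
++
+class JWAAlgorithm(metaclass=ABCMeta):
+@@ -588,6 +590,9 @@ def __init__(self):
+self.aeskwmap = {128: _A128KW, 192: _A192KW, 256: _A256KW}
+def _get_key(self, alg, key, p2s, p2c):
++ if p2c > default_max_pbkdf2_iterations:
++ raise ValueError('Invalid p2c value, too large')
++
+if not isinstance(key, JWK):
+# backwards compatibility for old interface
+if isinstance(key, bytes):
+diff --git a/jwcrypto/tests.py b/jwcrypto/tests.py
+index 6069fab..bb2ff10 100644
+--- a/jwcrypto/tests.py
++++ b/jwcrypto/tests.py
+@@ -2099,6 +2099,18 @@ def test_pbes2_hs256_aeskw_custom_params(self):
+key = jwk.JWK.from_password('password')
+self.assertRaises(ValueError, enc.add_recipient, key)
++ # Test p2c iteration checks
++ maxiter = jwa.default_max_pbkdf2_iterations
++ p2cenc = jwe.JWE(plaintext='plain',
++ protected={"alg": "PBES2-HS256+A128KW",
++ "enc": "A256CBC-HS512",
++ "p2c": maxiter + 1,
++ "p2s": base64url_encode("A" * 16)})
++ with self.assertRaisesRegex(ValueError, 'too large'):
++ p2cenc.add_recipient(key)
++ jwa.default_max_pbkdf2_iterations += 2
++ p2cenc.add_recipient(key)
++
+class JWATests(unittest.TestCase):
+def test_jwa_create(self):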
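Review bot: The new guard at the top of `_get_key` in the embedded jwa.py hunk only rejects a `p2c` larger than `default_max_pbkdf2_iterations`; a `p2c` taken from the JWE header that is zero, negative, or not an integer still passes through, and a non-numeric value would surface as a TypeError from the `>` comparison rather than the ValueError the test expects. Unless header parsing elsewhere already enforces RFC 7518's positive-integer requirement for `p2c`, tightening the check to `if not isinstance(p2c, int) or p2c < 1 or p2c > default_max_pbkdf2_iterations:` with the same `ValueError` keeps the failure mode uniform for callers. The rest of `_get_key` continues outside the hunk. The added test also does `jwa.default_max_pbkdf2_iterations += 2` without restoring the module-level value, so the raised limit leaks into any test that runs afterwards in the same process; saving the old value and restoring it in a `finally` block or via `self.addCleanup` would keep the test hermetic.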


@ -1,11 +1,13 @@
%global _empty_manifest_terminate_build 0 %global _empty_manifest_terminate_build 0
Name: python-jwcrypto Name: python-jwcrypto
Version: 1.5.0 Version: 1.5.0
Release: 1 Release: 2
Summary: Implementation of JOSE Web standards Summary: Implementation of JOSE Web standards
License: LGPL-3.0-or-later License: LGPL-3.0-or-later
URL: https://github.com/latchset/jwcrypto URL: https://github.com/latchset/jwcrypto
Source0: https://files.pythonhosted.org/packages/ed/72/b9289ee27d228fc7cae5c83d1c640de2a7cc0621805aa839ba239d6ef8fc/jwcrypto-1.5.0.tar.gz Source0: https://files.pythonhosted.org/packages/ed/72/b9289ee27d228fc7cae5c83d1c640de2a7cc0621805aa839ba239d6ef8fc/jwcrypto-1.5.0.tar.gz
# https://github.com/latchset/jwcrypto/commit/d2655d370586cb830e49acfb450f87598da60be8
Patch0: CVE-2023-6681.patch
BuildArch: noarch BuildArch: noarch
@ -27,7 +29,7 @@ Provides: python3-jwcrypto-doc
Implements JWK, JWS, JWE specifications with python-cryptography Implements JWK, JWS, JWE specifications with python-cryptography
%prep %prep
%autosetup -n jwcrypto-%{version} %autosetup -n jwcrypto-%{version} -p1
%build %build
%py3_build %py3_build
@ -67,6 +69,9 @@ mv %{buildroot}/doclist.lst .
%{_docdir}/* %{_docdir}/*
%changelog %changelog
* Fri Dec 29 2023 yaoxin <yao_xin001@hoperun.com> - 1.5.0-2
- Fix CVE-2023-6681
* Tue Jul 04 2023 chenzixuan <chenzixuan@kylinos.cn> - 1.5.0-1 * Tue Jul 04 2023 chenzixuan <chenzixuan@kylinos.cn> - 1.5.0-1
- Update package to version 1.5.0 - Update package to version 1.5.0