diff --git a/disable-RSA-PKCS-1v1.5-padding.patch b/disable-RSA-PKCS-1v1.5-padding.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bda17144ce55a281d753c6e359645a4d345b9b5f
--- /dev/null
+++ b/disable-RSA-PKCS-1v1.5-padding.patch
@@ -0,0 +1,60 @@
+From e61e2f4964d13e38954fc626b5bf727eccbdd10b Mon Sep 17 00:00:00 2001
+From: shixuantong
+Date: Wed, 2 Jul 2025 10:52:10 +0800
+Subject: [PATCH] disable RSA PKCS#1v1.5 padding
+
+---
+ src/cryptography/hazmat/backends/openssl/rsa.py | 2 ++
+ tests/hazmat/primitives/test_rsa.py | 16 +++++++++-------
+ 2 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
+index 82cd49c..798bb54 100644
+--- a/src/cryptography/hazmat/backends/openssl/rsa.py
++++ b/src/cryptography/hazmat/backends/openssl/rsa.py
+@@ -76,6 +76,8 @@ def _enc_dec_rsa(backend, key, data, padding):
+
+
+ def _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding):
++ if isinstance(padding, PKCS1v15):
++ raise ValueError("RSA PKCS#1v1.5 has security problems and it has been banned.")
+ if isinstance(key, _RSAPublicKey):
+ init = backend._lib.EVP_PKEY_encrypt_init
+ crypt = backend._lib.EVP_PKEY_encrypt
+diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py
+index 61c4815..03852b0 100644
+--- a/tests/hazmat/primitives/test_rsa.py
++++ b/tests/hazmat/primitives/test_rsa.py
+@@ -1523,8 +1523,9 @@ class TestRSADecryption(object):
+ ).private_key(backend)
+ ciphertext = binascii.unhexlify(example["encryption"])
+ assert len(ciphertext) == (skey.key_size + 7) // 8
+- message = skey.decrypt(ciphertext, padding.PKCS1v15())
+- assert message == binascii.unhexlify(example["message"])
++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."):
++ message = skey.decrypt(ciphertext, padding.PKCS1v15())
++ assert message == binascii.unhexlify(example["message"])
+
+ def test_unsupported_padding(self, backend):
+ private_key = RSA_KEY_512.private_key(backend)
+@@ -1854,11 +1855,12 @@ class TestRSAEncryption(object):
+ private_key = key_data.private_key(backend)
+ pt = b"encrypt me!"
+ public_key = private_key.public_key()
+- ct = public_key.encrypt(pt, pad)
+- assert ct != pt
+- assert len(ct) == (public_key.key_size + 7) // 8
+- recovered_pt = private_key.decrypt(ct, pad)
+- assert recovered_pt == pt
++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."):
++ ct = public_key.encrypt(pt, pad)
++ assert ct != pt
++ assert len(ct) == (public_key.key_size + 7) // 8
++ recovered_pt = private_key.decrypt(ct, pad)
++ assert recovered_pt == pt
+
+ @pytest.mark.parametrize(
+ ("key_data", "pad"),
+--
+2.27.0
+
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 83c955aa3d6f3b4f23ac7ba2b9564a91e28bf5d5..9c7895585156d11815425ec42402379e83bcb450 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -3,7 +3,7 @@ %global srcname cryptography
 Name: python-%{srcname}
 Version: 3.3.1
-Release: 5
+Release: 6
 Summary: PyCA's cryptography library
 License: ASL 2.0 or BSD
 URL: https://cryptography.io/en/latest/
@@ -17,6 +17,8 @@ Patch6003: backport-CVE-2023-23931.patch
 Patch6004: backport-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-certificates.patch
 Patch6005: backport-raise-an-exception-instead-of-returning-an-empty-list-for-pkcs7-cert-loading.patch
+Patch9000: disable-RSA-PKCS-1v1.5-padding.patch
+
 BuildRequires: openssl-devel
 BuildRequires: gcc
@@ -125,6 +127,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %doc README.rst docs
 %changelog
+* Wed Jul 2 2025 shixuantong - 3.3.1-6
+- disable RSA PKCS#1v1.5 padding to fix CVE-2023-50782
+
 * Sat Dec 2 2023 liningjie - 3.3.1-5
 - raise an exception instead of returning an empty list for pkcs7 cert loading
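Review bot: The guard added at the top of `_enc_dec_rsa_pkey_ctx` rejects PKCS#1 v1.5 with a plain `ValueError`, which callers cannot tell apart from the `ValueError` they presumably already handle for a failed decryption, so a policy rejection can be misread as a corrupt ciphertext. Raising the library's unsupported-padding error instead, e.g. `raise UnsupportedAlgorithm("RSA PKCS#1 v1.5 encryption padding is disabled in this build.", _Reasons.UNSUPPORTED_PADDING)` (assuming both names are imported in rsa.py, which the hunk does not show), keeps the two cases distinct; the function body continues outside the hunk. In both test hunks the statements left after the raising call inside `with pytest.raises(...)` (`assert message == ...`, and `assert ct != pt` with the lines after it) never execute and should be dropped, and `match=` is a regular expression, so the literal message is better passed as `match=re.escape("...")` if `re` is available in the test module. The guard also blocks encryption, while the changelog ties the change to CVE-2023-50782; a one-line comment above the check stating that both directions are disabled on purpose would help downstream packagers.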