diff --git a/backport-chore-fix-lint-errors.patch b/backport-chore-fix-lint-errors.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e107052775a9bd8ca5e776d2e58cce71cf1ad176
--- /dev/null
+++ b/backport-chore-fix-lint-errors.patch
@@ -0,0 +1,80 @@
+From 23feb3b068deb5f077e37c98541e7151782e544f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Padilla?=
+Date: Sun, 15 May 2022 15:18:29 -0400
+Subject: [PATCH] chore: fix lint errors
+
+---
+ jwt/utils.py | 2 +-
+ tests/test_advisory.py | 19 +++++++++++--------
+ 2 files changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/jwt/utils.py b/jwt/utils.py
+index 8ab73b4..b8ad5fa 100644
+--- a/jwt/utils.py
++++ b/jwt/utils.py
+@@ -136,7 +136,7 @@ def is_pem_format(key: bytes) -> bool:
+
+ # Based on https://github.com/pyca/cryptography/blob/bcb70852d577b3f490f015378c75cba74986297b/src/cryptography/hazmat/primitives/serialization/ssh.py#L40-L46
+ _CERT_SUFFIX = b"-cert-v01@openssh.com"
+-_SSH_PUBKEY_RC = re.compile(br"\A(\S+)[ \t]+(\S+)")
++_SSH_PUBKEY_RC = re.compile(rb"\A(\S+)[ \t]+(\S+)")
+ _SSH_KEY_FORMATS = [
+ b"ssh-ed25519",
+ b"ssh-rsa",
+diff --git a/tests/test_advisory.py b/tests/test_advisory.py
+index a4a7d23..ed768d4 100644
+--- a/tests/test_advisory.py
++++ b/tests/test_advisory.py
+@@ -1,14 +1,17 @@
+-import jwt
+ import pytest
++
++import jwt
+ from jwt.exceptions import InvalidKeyError
+
+ from .utils import crypto_required
+
+-priv_key_bytes = b'''-----BEGIN PRIVATE KEY-----
++priv_key_bytes = b"""-----BEGIN PRIVATE KEY-----
+ MC4CAQAwBQYDK2VwBCIEIIbBhdo2ah7X32i50GOzrCr4acZTe6BezUdRIixjTAdL
+------END PRIVATE KEY-----'''
++-----END PRIVATE KEY-----"""
+
+-pub_key_bytes = b'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPL1I9oiq+B8crkmuV4YViiUnhdLjCp3hvy1bNGuGfNL'
++pub_key_bytes = (
++ b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPL1I9oiq+B8crkmuV4YViiUnhdLjCp3hvy1bNGuGfNL"
++)
+
+ ssh_priv_key_bytes = b"""-----BEGIN EC PRIVATE KEY-----
+ MHcCAQEEIOWc7RbaNswMtNtc+n6WZDlUblMr2FBPo79fcGXsJlGQoAoGCCqGSM49
+@@ -41,11 +44,11 @@ class TestAdvisory:
+ # Making a good jwt token that should work by signing it
+ # with the private key
+ # encoded_good = jwt.encode({"test": 1234}, priv_key_bytes, algorithm="EdDSA")
+- encoded_good = 
'eyJ0eXAiOiJKV1QiLCJhbGciOiJFZERTQSJ9.eyJ0ZXN0IjoxMjM0fQ.M5y1EEavZkHSlj9i8yi9nXKKyPBSAUhDRTOYZi3zZY11tZItDaR3qwAye8pc74_lZY3Ogt9KPNFbVOSGnUBHDg'
++ encoded_good = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFZERTQSJ9.eyJ0ZXN0IjoxMjM0fQ.M5y1EEavZkHSlj9i8yi9nXKKyPBSAUhDRTOYZi3zZY11tZItDaR3qwAye8pc74_lZY3Ogt9KPNFbVOSGnUBHDg"
+
+ # Using HMAC with the public key to trick the receiver to think that the
+ # public key is a HMAC secret
+- encoded_bad = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZXN0IjoxMjM0fQ.6ulDpqSlbHmQ8bZXhZRLFko9SwcHrghCwh8d-exJEE4'
++ encoded_bad = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZXN0IjoxMjM0fQ.6ulDpqSlbHmQ8bZXhZRLFko9SwcHrghCwh8d-exJEE4"
+
+ # Both of the jwt tokens are validated as valid
+ jwt.decode(
+@@ -101,12 +104,12 @@ class TestAdvisory:
+ jwt.decode(
+ encoded_good,
+ ssh_key_bytes,
+- algorithms=jwt.algorithms.get_default_algorithms()
++ algorithms=jwt.algorithms.get_default_algorithms(),
+ )
+
+ with pytest.raises(InvalidKeyError):
+ jwt.decode(
+ encoded_bad,
+ ssh_key_bytes,
+- algorithms=jwt.algorithms.get_default_algorithms()
++ algorithms=jwt.algorithms.get_default_algorithms(),
+ )
+--
+2.23.0
\ No newline at end of file
diff --git a/backport-fix-failing-advisory-test.patch b/backport-fix-failing-advisory-test.patch
new file mode 100644
index 0000000000000000000000000000000000000000..22b0dc234abde22cf58b6a75a9b1ccfacbc1d32f
--- /dev/null
+++ b/backport-fix-failing-advisory-test.patch
@@ -0,0 +1,32 @@
+From 96f3f0275745c5a455c019a0d3476a054980e8ea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Padilla?=
+Date: Thu, 12 May 2022 14:44:55 -0400
+Subject: [PATCH] fix: failing advisory test
+
+---
+ tests/test_advisory.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tests/test_advisory.py b/tests/test_advisory.py
+index f70f54b..a4a7d23 100644
+--- a/tests/test_advisory.py
++++ b/tests/test_advisory.py
+@@ -2,6 +2,8 @@ import jwt
+ import pytest
+ from jwt.exceptions import InvalidKeyError
+
++from .utils import crypto_required
++
+ priv_key_bytes = b'''-----BEGIN PRIVATE KEY-----
+ MC4CAQAwBQYDK2VwBCIEIIbBhdo2ah7X32i50GOzrCr4acZTe6BezUdRIixjTAdL
+ -----END PRIVATE KEY-----'''
+@@ -18,6 +20,7 @@ ssh_key_bytes = b"""ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlz
+
+
+ class TestAdvisory:
++ @crypto_required
+ def test_ghsa_ffqj_6fqr_9h24(self):
+ # Generate ed25519 private key
+ # private_key = ed25519.Ed25519PrivateKey.generate()
+--
+2.23.0
\ No newline at end of file
diff --git a/python-jwt.spec b/python-jwt.spec
index 4ccd82d05be7f28f06ef79b1f04ec3522d95bf05..19dbefced7f5e52d2d4390a0b4e6feb5a84df4a3 100644
--- a/python-jwt.spec
+++ b/python-jwt.spec
@@ -2,7 +2,7 @@
 %bcond_without tests
 Name: python-jwt
 Version: 2.3.0
-Release: 3
+Release: 4
 Summary: JSON Web Token implementation in Python
 License: MIT
 URL: https://github.com/jpadilla/pyjwt
@@ -10,6 +10,8 @@ Source0: https://files.pythonhosted.org/packages/source/P/PyJWT/PyJWT
 BuildArch: noarch
 Patch6000: backport-CVE-2022-29217.patch
+Patch6001: backport-fix-failing-advisory-test.patch
+Patch6002: backport-chore-fix-lint-errors.patch
 %if %{with tests}
 BuildRequires: python3-pytest python3-pytest-cov python3-pytest-runner
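Review bot: The `BuildRequires:` line visible under `%if %{with tests}` at the end of the `@@ -10,6 +10,8 @@` spec hunk lists only pytest packages, while Patch6001 puts `@crypto_required` on `test_ghsa_ffqj_6fqr_9h24`. If that decorator skips the test when cryptography is not importable (its definition in `tests/utils.py` is not shown here), a build root without cryptography would skip the CVE-2022-29217 regression test rather than fail, and the test run would pass without exercising the fix from Patch6000. The tests block continues outside the hunk, so confirm it already contains a line such as `BuildRequires: python%{python3_pkgversion}-cryptography`, or add one. Checking the build log for a skipped `test_advisory.py` would show whether the test actually ran.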
@@ -55,6 +57,9 @@ Requires: python%{python3_pkgversion}-cryptography
 %doc README.rst
 %changelog
+* Mon Jul 18 2022 yanglongkang - 2.3.0-4
+- fix failing advisory test and fix lint errors
+
 * Thu Jun 09 2022 shixuantong - 2.3.0-3
 - fix CVE-2022-29217