search

fedora-infra / fasjson

GNU General Public License v3.0
8 stars 15 forks source link

Update dependency cryptography to v41.0.6 [SECURITY] #624

Closed renovate[bot] closed 7 months ago

renovate[bot] commented 7 months ago

Mend Renovate logo banner

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
cryptography (changelog) ==41.0.5 -> ==41.0.6 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-49083

Summary

Calling load_pem_pkcs7_certificates or load_der_pkcs7_certificates could lead to a NULL-pointer dereference and segfault.

PoC

Here is a Python code that triggers the issue:

from cryptography.hazmat.primitives.serialization.pkcs7 import load_der_pkcs7_certificates, load_pem_pkcs7_certificates

pem_p7 = b"""
-----BEGIN PKCS7-----
MAsGCSqGSIb3DQEHAg==
-----END PKCS7-----
"""

der_p7 = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"

load_pem_pkcs7_certificates(pem_p7)
load_der_pkcs7_certificates(der_p7)

Impact

Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability.

Release Notes

pyca/cryptography (cryptography) ### [`v41.0.6`](https://togithub.com/pyca/cryptography/compare/41.0.5...41.0.6) [Compare Source](https://togithub.com/pyca/cryptography/compare/41.0.5...41.0.6)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.