Bug 2171817 (CVE-2023-23931)

Summary: CVE-2023-23931 python-cryptography: memory corruption via immutable objects
Product: [Other] Security Response
Reporter: ybuenos
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adudiak, apevec, asoldano, bbaranow, bcoca, bdettelb, bmaxwell, brian.stansberry, cdewolf, chazlett, cheimes, cwelton, darran.lofthouse, davidn, dkreling, dosoudil, eglynn, epacific, fjuma, gtanzill, hhorak, ivassile, iweiss, jcammara, jhardy, jjoyce, jkoehler, jneedle, jobarker, jorton, kshier, lgao, lhh, mabashia, mburns, mgarciac, mminar, mosmerov, msochure, msvehla, nwallace, osapryki, pjindal, pmackay, python-maint, rbiba, rhos-maint, rstancel, simaishi, smaestri, smcdonal, spower, sskracic, stcannon, teagle, tfister, tom.jenkinson, torsava, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: python-cryptography 39.0.1, cryptography 39.0.1
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in python-cryptography. In affected versions, `Cipher.update_into` would accept Python objects which implement the buffer protocol but provide only immutable buffers. This issue allows immutable objects (such as `bytes`) to be mutated, thus violating the fundamental rules of Python, resulting in corrupted output.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2171823, 2173566, 2173646, 2173647, 2171820, 2171821, 2171822, 2171826, 2171831, 2172399, 2172404, 2173564, 2173565, 2173568, 2173569, 2173643, 2173644, 2173645, 2173648, 2173649, 2173650, 2173651, 2173652, 2173653, 2173654, 2173655, 2173656, 2173657, 2173658, 2173659, 2173660, 2173661, 2173662, 2173663, 2173664, 2175090, 2175091, 2175092, 2175093, 2175094
Bug Blocks: 2168033

Description ybuenos 2023-02-20 14:01:54 UTC
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.
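
Added example (not cryptography's code and not part of this bug report) showing the failure mode the description and the Doc Text describe and the check that closes it. A position-dependent XOR stands in for the real cipher so the script runs offline; `vulnerable_update_into` models the pre-39.0.1 path by having native code write through a raw pointer obtained without a writability check (the `ctypes.c_char_p` trick is CPython-specific and is used here only to reproduce the in-place mutation of a `bytes` object), and `fixed_update_into` models the 39.0.1 behaviour by consulting the buffer protocol's `readonly` flag before writing. All function names, the toy keystream and the sample buffers are constructed for this example.

```python
import ctypes


def _keystream_xor(data: bytes) -> bytes:
    """Stand-in for the real cipher (constructed for this example, NOT a
    cipher): XOR each byte with a fixed, position-dependent keystream."""
    return bytes(b ^ ((i * 37 + 11) & 0xFF) for i, b in enumerate(data))


def _raw_address(buf) -> int:
    """Address of buf's first byte, obtained the way a careless native
    binding would. For bytes, c_char_p hands out a pointer into the object's
    own storage with no writability check (this is the flaw being modelled).
    Writable objects go through ctypes' checked from_buffer() path."""
    if isinstance(buf, bytes):
        return ctypes.cast(ctypes.c_char_p(buf), ctypes.c_void_p).value
    return ctypes.addressof((ctypes.c_char * len(buf)).from_buffer(buf))


def vulnerable_update_into(data: bytes, buf) -> int:
    """Models cryptography < 39.0.1: the output is written straight through a
    raw pointer to buf. If buf is a bytes object it is mutated in place, so
    every other holder of that object now sees corrupted contents."""
    out = _keystream_xor(data)
    if len(buf) < len(out):
        raise ValueError("buffer too small")
    ctypes.memmove(_raw_address(buf), out, len(out))
    return len(out)


def fixed_update_into(data: bytes, buf) -> int:
    """Models the 39.0.1 behaviour: read the buffer protocol's readonly flag
    and refuse read-only buffers (bytes, memoryview.toreadonly(), a read-only
    mmap, ...) before anything is written. The check is on the buffer, not on
    the Python type, so every buffer-protocol object is handled uniformly."""
    view = memoryview(buf).cast("B")
    if view.readonly:
        raise BufferError("update_into() requires a writable buffer")
    if view.nbytes < len(data):
        raise ValueError("buffer too small")
    view[: len(data)] = _keystream_xor(data)
    return len(data)


def demonstrate() -> dict:
    """Run the three cases and return what happened."""
    plaintext = bytes(range(16))
    expected = _keystream_xor(plaintext)

    # 1. Correct usage on any version: a writable bytearray receives the output.
    good = bytearray(16)
    fixed_update_into(plaintext, good)

    # 2. The bug: an immutable bytes object handed to the vulnerable path is
    #    changed in place. bytes(16) is a fresh allocation (CPython caches only
    #    the empty and single-byte bytes objects), so the damage stays in this
    #    object; a shared or interned value would be corrupted for every user.
    victim = bytes(16)
    same_object = victim
    vulnerable_update_into(plaintext, victim)
    bytes_mutated = victim is same_object and victim == expected

    # 3. Fixed behaviour: the same read-only buffers are refused up front.
    #    The exception class raised for a read-only buffer varies with the
    #    object and Python version, so callers catch TypeError and BufferError.
    rejected = {}
    for name, ro_buf in (
        ("bytes", bytes(16)),
        ("readonly memoryview", memoryview(bytearray(16)).toreadonly()),
    ):
        try:
            fixed_update_into(plaintext, ro_buf)
            rejected[name] = False
        except (TypeError, BufferError):
            rejected[name] = True

    return {
        "bytearray_output_correct": bytes(good) == expected,
        "bytes_mutated_in_place": bytes_mutated,
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(demonstrate())
```

To tell whether an installed copy is affected, compare `python3 -c "import cryptography; print(cryptography.__version__)"` against the 39.0.1 fix version; on RHEL and Fedora `rpm -q python3-cryptography` gives the packaged version, and a copy installed with pip into a virtualenv is not covered by the distribution errata listed on this bug and has to be upgraded separately. Any code that passes a `bytes` object (or a read-only `memoryview`) as the output buffer of `update_into` was already wrong and will start raising on the fixed version; the output buffer must be a `bytearray` or another writable buffer.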

Comment 1 ybuenos 2023-02-20 14:06:31 UTC
Created python-cryptography tracking bugs for this issue:

Affects: fedora-36 [bug 2171820]

Comment 3 ybuenos 2023-02-20 14:10:55 UTC
Created python-cryptography tracking bugs for this issue:

Affects: fedora-37 [bug 2171826]

Comment 6 Tomas Orsava 2023-02-22 14:37:39 UTC
Hi ybuenos,
we're currently adding python3.11-cryptography to [RHEL 8.8] and [RHEL 9.2]. Could you please create a CVE bug for these components so we can fix them before we release the packages?

[RHEL 8.8] https://issues.redhat.com/browse/RHELPLAN-143585
[RHEL 9.2] https://issues.redhat.com/browse/RHELPLAN-143619

Thank you!

Comment 7 Christian Heimes 2023-02-22 14:46:17 UTC
FYI, RHEL 8.8 builds are blocked until rhbz#2172416 is resolved.

Comment 10 ybuenos 2023-02-27 09:27:14 UTC
Created python-cryptography tracking bugs for this issue:

Affects: openstack-rdo [bug 2173564]


Created python-docker tracking bugs for this issue:

Affects: openstack-rdo [bug 2173565]


Created python3-cryptography tracking bugs for this issue:

Affects: epel-7 [bug 2173566]

Comment 12 ybuenos 2023-02-27 15:22:24 UTC
Created ansible-lint tracking bugs for this issue:

Affects: fedora-all [bug 2173649]


Created centpkg tracking bugs for this issue:

Affects: epel-all [bug 2173643]
Affects: fedora-all [bug 2173650]


Created cura tracking bugs for this issue:

Affects: fedora-all [bug 2173651]


Created limnoria tracking bugs for this issue:

Affects: fedora-all [bug 2173652]


Created pypy tracking bugs for this issue:

Affects: fedora-all [bug 2173653]


Created pypy3.7 tracking bugs for this issue:

Affects: fedora-all [bug 2173654]


Created pypy3.8 tracking bugs for this issue:

Affects: fedora-all [bug 2173655]


Created pypy3.9 tracking bugs for this issue:

Affects: fedora-all [bug 2173656]


Created python-cryptography tracking bugs for this issue:

Affects: fedora-all [bug 2173657]


Created python-cryptography-vectors tracking bugs for this issue:

Affects: epel-all [bug 2173644]


Created python-docker tracking bugs for this issue:

Affects: epel-all [bug 2173645]
Affects: fedora-all [bug 2173658]


Created python-molecule tracking bugs for this issue:

Affects: fedora-all [bug 2173659]


Created python-play-scraper tracking bugs for this issue:

Affects: fedora-all [bug 2173660]


Created python-rpi-gpio2 tracking bugs for this issue:

Affects: fedora-all [bug 2173661]


Created python-stem tracking bugs for this issue:

Affects: fedora-all [bug 2173662]


Created python-types-cryptography tracking bugs for this issue:

Affects: fedora-all [bug 2173663]


Created python-uvicorn tracking bugs for this issue:

Affects: fedora-all [bug 2173664]


Created python3-cryptography tracking bugs for this issue:

Affects: epel-all [bug 2173646]


Created python3-cryptography-vectors tracking bugs for this issue:

Affects: epel-all [bug 2173647]


Created python3-docker tracking bugs for this issue:

Affects: epel-all [bug 2173648]

Comment 19 errata-xmlrpc 2023-08-21 21:49:39 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2023:4693 https://access.redhat.com/errata/RHSA-2023:4693

Comment 20 errata-xmlrpc 2023-09-05 11:50:46 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2023:4971 https://access.redhat.com/errata/RHSA-2023:4971

Comment 21 errata-xmlrpc 2023-11-07 08:21:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6615 https://access.redhat.com/errata/RHSA-2023:6615

Comment 22 errata-xmlrpc 2023-11-08 08:17:12 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:6793 https://access.redhat.com/errata/RHSA-2023:6793

Comment 23 errata-xmlrpc 2023-11-14 15:21:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7096 https://access.redhat.com/errata/RHSA-2023:7096

Comment 24 errata-xmlrpc 2023-11-30 14:35:02 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2023:7341 https://access.redhat.com/errata/RHSA-2023:7341

Comment 25 errata-xmlrpc 2024-05-22 09:26:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2985 https://access.redhat.com/errata/RHSA-2024:2985