Bug 2172399

Summary: CVE-2023-23931 python-cryptography: memory corruption via immutable objects [rhel-9]
Product: Red Hat Enterprise Linux 9 Reporter: Christian Heimes <cheimes>
Component: python-cryptographyAssignee: Christian Heimes <cheimes>
Status: CLOSED ERRATA QA Contact: Michal Polovka <mpolovka>
Severity: medium Docs Contact:
Priority: medium    
Version: 9.3CC: frenaud, mpolovka, myusuf, saroy
Target Milestone: rcKeywords: Security, SecurityTracking, Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: python-cryptography-36.0.1-4.el9 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-11-07 08:52:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2171817, 2175093    

Description Christian Heimes 2023-02-22 09:21:49 UTC 
This bug was initially created as a copy of Bug #2171817

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.
Comment 1 Christian Heimes 2023-02-22 09:47:44 UTC 
c9s pull request: https://gitlab.com/redhat/centos-stream/rpms/python-cryptography/-/merge_requests/10
Comment 22 Michal Polovka 2023-04-24 08:30:34 UTC 
Verified manually on RHEL9.3 nightly machine with python3-cffi-1.14.5-5.el9.x86_64 and python3-cryptography-36.0.1-3.el9.x86_64

# python3
Python 3.9.16 (main, Dec  8 2022, 00:00:00) 
[GCC 11.3.1 20221121 (Red Hat 11.3.1-4)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
>>> c = Cipher(algorithms.AES(os.urandom(16)), modes.ECB())
>>> encryptor = c.encryptor()
>>> buf = b"\x00" * 32
>>> encryptor.update_into(b"\xff" * 16, buf)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/primitives/ciphers/base.py", line 128, in update_into
    return self._ctx.update_into(data, buf)
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/ciphers.py", line 158, in update_into
    baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
BufferError: Object is not writable.
>>> buf == b"\x00" * 32
True


Marking as verified.
Comment 23 Florence Blanc-Renaud 2023-07-31 13:16:10 UTC 
*** Bug 2175093 has been marked as a duplicate of this bug. ***
Comment 26 errata-xmlrpc 2023-11-07 08:52:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: python-cryptography security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6615