Bug 2172404

Summary: CVE-2023-23931 python-cryptography: memory corruption via immutable objects [rhel-8]
Product: Red Hat Enterprise Linux 8 Reporter: Christian Heimes <cheimes>
Component: python-cryptographyAssignee: Christian Heimes <cheimes>
Status: CLOSED ERRATA QA Contact: Michal Polovka <mpolovka>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.9CC: frenaud, mpolovka, myusuf, ovasik, saroy, sumenon
Target Milestone: rcKeywords: Security, SecurityTracking, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: python-cryptography-3.2.1-6.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-11-14 15:48:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2172416    
Bug Blocks: 2171817, 2171823, 2175090    

Description Christian Heimes 2023-02-22 09:48:57 UTC 
This bug was initially created as a copy of Bug #2171817

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.
Comment 1 Christian Heimes 2023-02-22 09:55:11 UTC 
c8s pull request: https://gitlab.com/redhat/centos-stream/rpms/python-cryptography/-/merge_requests/11
Comment 22 Michal Polovka 2023-04-24 08:25:49 UTC 
Verified manually using nightly RHEL8.9 machine with python3-cffi-1.11.5-6.el8.x86_64 and python3-cryptography-3.2.1-6.el8.x86_64.

# python3
Python 3.6.8 (default, Jan 23 2023, 22:31:05) 
[GCC 8.5.0 20210514 (Red Hat 8.5.0-18)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
>>> c = Cipher(algorithms.AES(os.urandom(16)), modes.ECB())
>>> encryptor = c.encryptor()
>>> buf = b"\x00" * 32
>>> encryptor.update_into(b"\xff" * 16, buf)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.6/site-packages/cryptography/hazmat/primitives/ciphers/base.py", line 159, in update_into
    return self._ctx.update_into(data, buf)
  File "/usr/lib64/python3.6/site-packages/cryptography/hazmat/backends/openssl/ciphers.py", line 138, in update_into
    baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
BufferError: Object is not writable.
>>> buf == b"\x00" * 32
True


Marking as Verified.
Comment 23 Florence Blanc-Renaud 2023-07-31 13:19:59 UTC 
*** Bug 2175092 has been marked as a duplicate of this bug. ***
Comment 26 errata-xmlrpc 2023-11-14 15:48:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: python-cryptography security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:7096