diff --git a/CVE-2024-33664.patch b/CVE-2024-33664.patch
index d23bb92..e04b6a9 100644
--- a/CVE-2024-33664.patch
+++ b/CVE-2024-33664.patch
@@ -1,25 +1,135 @@
-From 483529ee93a3ab510ab579d4d4cc644dba926ade Mon Sep 17 00:00:00 2001
-From: princekhunt
-Date: Wed, 20 Mar 2024 22:12:36 +0530
-Subject: [PATCH] limit token size to 250 KB
+From ff3357d9f91b93bc957aac9bc5a447c5c0bb74da Mon Sep 17 00:00:00 2001
+From: "alistair.watts@groupbc.com"
+Date: Tue, 7 May 2024 14:50:53 +0100
+Subject: [PATCH] Fix for CVE-2024-33664. JWE limited to 250K
 
 ---
- jose/jwe.py | 5 +++++
- 1 file changed, 5 insertions(+)
+ jose/constants.py | 2 ++
+ jose/jwe.py | 24 ++++++++++++++++++------
+ tests/test_jwe.py | 34 +++++++++++++++++++++++++++++++++-
+ 3 files changed, 53 insertions(+), 7 deletions(-)
 
+diff --git a/jose/constants.py b/jose/constants.py
+index ab4d74d3..58787d46 100644
+--- a/jose/constants.py
++++ b/jose/constants.py
+@@ -96,3 +96,5 @@ class Zips:
+ 
+ 
+ ZIPS = Zips()
++
++JWE_SIZE_LIMIT = 250 * 1024
 diff --git a/jose/jwe.py b/jose/jwe.py
-index 2c387ff4..1e0833e7 100644
+index 2c387ff4..04923873 100644
 --- a/jose/jwe.py
 +++ b/jose/jwe.py
-@@ -76,6 +76,11 @@ def decrypt(jwe_str, key):
+@@ -6,7 +6,7 @@
+ 
+ from . import jwk
+ from .backends import get_random_bytes
+-from .constants import ALGORITHMS, ZIPS
++from .constants import ALGORITHMS, ZIPS, JWE_SIZE_LIMIT
+ from .exceptions import JWEError, JWEParseError
+ from .utils import base64url_decode, base64url_encode, ensure_binary
+ 
+@@ -76,6 +76,13 @@ def decrypt(jwe_str, key):
  >>> jwe.decrypt(jwe_string, 'asecret128bitkey')
  'Hello, World!'
  """
-+
-+ # limit the token size to 250 KB
-+ if len(jwe_str) > 250 * 1024:
-+ raise JWEError("JWE string exceeds 250 KB")
-+
++
++ # Limit the token size - if the data is compressed then decompressing the
++ # data could lead to large memory usage. This helps address This addresses
++ # CVE-2024-33664. Also see _decompress()
++ if len(jwe_str) > JWE_SIZE_LIMIT:
++ raise JWEError("JWE string exceeds {JWE_SIZE_LIMIT} bytes")
++
  header, encoded_header, encrypted_key, iv, cipher_text, auth_tag = _jwe_compact_deserialize(jwe_str)
 
  # Verify that the implementation understands and can process all
+@@ -424,13 +431,13 @@ def _compress(zip, plaintext):
+ (bytes): Compressed plaintext
+ """
+ if zip not in ZIPS.SUPPORTED:
+- raise NotImplementedError("ZIP {} is not supported!")
++ raise NotImplementedError(f"ZIP {zip} is not supported!")
+ if zip is None:
+ compressed = plaintext
+ elif zip == ZIPS.DEF:
+ compressed = zlib.compress(plaintext)
+ else:
+- raise NotImplementedError("ZIP {} is not implemented!")
++ raise NotImplementedError(f"ZIP {zip} is not implemented!")
+ return compressed
+ 
+ 
+@@ -446,13 +453,18 @@ def _decompress(zip, compressed):
+ (bytes): Compressed plaintext
+ """
+ if zip not in ZIPS.SUPPORTED:
+- raise NotImplementedError("ZIP {} is not supported!")
++ raise NotImplementedError(f"ZIP {zip} is not supported!")
+ if zip is None:
+ decompressed = compressed
+ elif zip == ZIPS.DEF:
+- decompressed = zlib.decompress(compressed)
++ # If, during decompression, there is more data than expected, the
++ # decompression halts and raise an error. This addresses CVE-2024-33664
++ decompressor = zlib.decompressobj()
++ decompressed = decompressor.decompress(compressed, max_length=JWE_SIZE_LIMIT)
++ if decompressor.unconsumed_tail:
++ raise JWEError(f"Decompressed JWE string exceeds {JWE_SIZE_LIMIT} bytes")
+ else:
+- raise NotImplementedError("ZIP {} is not implemented!")
++ raise NotImplementedError(f"ZIP {zip} is not implemented!")
+ return decompressed
+ 
+ 
+diff --git a/tests/test_jwe.py b/tests/test_jwe.py
+index f089d565..8c5ff387 100644
+--- a/tests/test_jwe.py
++++ b/tests/test_jwe.py
+@@ -5,7 +5,7 @@
+ 
+ import jose.backends
+ from jose import jwe
+ from jose.constants import ALGORITHMS, ZIPS
+-from jose.exceptions import JWEParseError
++from jose.exceptions import JWEParseError, JWEError
+ from jose.jwk import AESKey, RSAKey
+ from jose.utils import base64url_decode
+ 
+@@ -525,3 +525,35 @@ def test_kid_header_not_present_when_not_provided(self):
+ encrypted = jwe.encrypt("Text", PUBLIC_KEY_PEM, enc, alg)
+ header = json.loads(base64url_decode(encrypted.split(b".")[0]))
+ assert "kid" not in header
++
++ @pytest.mark.skipif(AESKey is None, reason="No AES backend")
++ def test_jwe_with_excessive_data(self):
++ enc = ALGORITHMS.A256CBC_HS512
++ alg = ALGORITHMS.RSA_OAEP_256
++ import jose.constants
++ old_limit = jose.constants.JWE_SIZE_LIMIT
++ try:
++ jose.constants.JWE_SIZE_LIMIT = 1024
++ encrypted = jwe.encrypt(b"Text"*64*1024, PUBLIC_KEY_PEM, enc, alg)
++ header = json.loads(base64url_decode(encrypted.split(b".")[0]))
++ with pytest.raises(JWEError):
++ actual = jwe.decrypt(encrypted, PRIVATE_KEY_PEM)
++ finally:
++ jose.constants.JWE_SIZE_LIMIT = old_limit
++
++ @pytest.mark.skipif(AESKey is None, reason="No AES backend")
++ def test_jwe_zip_with_excessive_data(self):
++ # Test that a fix for CVE-2024-33664 is in place.
++ enc = ALGORITHMS.A256CBC_HS512
++ alg = ALGORITHMS.RSA_OAEP_256
++ import jose.constants
++ old_limit = jose.constants.JWE_SIZE_LIMIT
++ try:
++ jose.constants.JWE_SIZE_LIMIT = 1024
++ encrypted = jwe.encrypt(b"Text"*64*1024, PUBLIC_KEY_PEM, enc, alg, zip=ZIPS.DEF)
++ assert len(encrypted) < jose.constants.JWE_SIZE_LIMIT
++ header = json.loads(base64url_decode(encrypted.split(b".")[0]))
++ with pytest.raises(JWEError):
++ actual = jwe.decrypt(encrypted, PRIVATE_KEY_PEM)
++ finally:
++ jose.constants.JWE_SIZE_LIMIT = old_limit
diff --git a/python-python-jose.changes b/python-python-jose.changes
index 59c665f..2535e6f 100644
--- a/python-python-jose.changes
+++ b/python-python-jose.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Jun 3 07:38:00 UTC 2024 - Daniel Garcia
+
+- Update CVE-2024-33664.patch with upstream
+ https://github.com/mpdavis/python-jose/pull/352
+ bsc#1223422
+
 -------------------------------------------------------------------
 Tue May 7 09:58:08 UTC 2024 - Daniel Garcia
 
diff --git a/python-python-jose.spec b/python-python-jose.spec
index 1c4e8b4..9b8567e 100644
--- a/python-python-jose.spec
+++ b/python-python-jose.spec
@@ -36,8 +36,6 @@
 %bcond_with testnative
 %endif
 
-%{?!python_module:%define python_module() python3-%{**}}
-%define skip_python2 1
 %{?sle15_python_module_pythons}
 Name: python-python-jose%{psuffix}
 Version: 3.3.0
@@ -47,7 +45,7 @@ License: MIT
 URL: https://github.com/mpdavis/python-jose
 Source: https://files.pythonhosted.org/packages/source/p/python-jose/python-jose-%{version}.tar.gz
 Patch0: unpin-deps.patch
-# PATCH-FIX-UPSTREAM CVE-2024-33664.patch gh#mpdavis/python-jose#345
+# PATCH-FIX-UPSTREAM CVE-2024-33664.patch gh#mpdavis/python-jose#352
 Patch1: CVE-2024-33664.patch
 # PATCH-FIX-UPSTREAM CVE-2024-33663.patch gh#mpdavis/python-jose#349
 Patch2: CVE-2024-33663.patch
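Review bot: The new size check in decrypt() raises `JWEError("JWE string exceeds {JWE_SIZE_LIMIT} bytes")` without an `f` prefix, so the message carries the literal text `{JWE_SIZE_LIMIT}` instead of the configured number; it should read `raise JWEError(f"JWE string exceeds {JWE_SIZE_LIMIT} bytes")`, matching the f-string used in _decompress(). The two new tests rebind `jose.constants.JWE_SIZE_LIMIT`, but jwe.py binds the name at import time via `from .constants import ALGORITHMS, ZIPS, JWE_SIZE_LIMIT`, so the lowered limit never reaches decrypt() or _decompress(); they presumably pass only because the 256 KiB payload already exceeds the real 250 KiB limit, and `monkeypatch.setattr(jwe, "JWE_SIZE_LIMIT", 1024)` would make them exercise the limit they set. The comment above the check also contains the duplicated phrase `This helps address This addresses`, which should be reduced to `This addresses`. decrypt() and both test methods continue outside the inner hunks shown here.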
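Review bot: The removal of `%{?!python_module:%define python_module() python3-%{**}}` and `%define skip_python2 1` from python-python-jose.spec is not recorded in the .changes entry added in this commit, which only mentions updating CVE-2024-33664.patch. If the removal is intentional because the build macros now come from elsewhere, a one-line entry such as `- Drop obsolete python_module and skip_python2 definitions` would keep the changelog complete.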