pool/python-python-jose
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1178245 from devel:languages:python

Browse Source 
- Update CVE-2024-33664.patch with upstream
  https://github.com/mpdavis/python-jose/pull/352
  bsc#1223422

OBS-URL: https://build.opensuse.org/request/show/1178245
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-python-jose?expand=0&rev=9
This commit is contained in:
Ana Guerrero 2024-06-03 15:44:29 +00:00 committed by Git OBS Bridge
commit 144ef04ebf
3 changed files with 131 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

132
CVE-2024-33664.patch
View File

@ -1,25 +1,135 @@
From 483529ee93a3ab510ab579d4d4cc644dba926ade Mon Sep 17 00:00:00 2001 From ff3357d9f91b93bc957aac9bc5a447c5c0bb74da Mon Sep 17 00:00:00 2001
From: princekhunt <info@princekhunt.com> From: "alistair.watts@groupbc.com" <alistair.watts@groupbc.com>
Date: Wed, 20 Mar 2024 22:12:36 +0530 Date: Tue, 7 May 2024 14:50:53 +0100
Subject: [PATCH] limit token size to 250 KB Subject: [PATCH] Fix for CVE-2024-33664. JWE limited to 250K
--- ---
jose/jwe.py | 5 +++++ jose/constants.py | 2 ++
1 file changed, 5 insertions(+) jose/jwe.py | 24 ++++++++++++++++++------
tests/test_jwe.py | 34 +++++++++++++++++++++++++++++++++-
3 files changed, 53 insertions(+), 7 deletions(-)
diff --git a/jose/constants.py b/jose/constants.py
index ab4d74d3..58787d46 100644
--- a/jose/constants.py
+++ b/jose/constants.py
@@ -96,3 +96,5 @@ class Zips:
ZIPS = Zips()
+
+JWE_SIZE_LIMIT = 250 * 1024
diff --git a/jose/jwe.py b/jose/jwe.py diff --git a/jose/jwe.py b/jose/jwe.py
index 2c387ff4..1e0833e7 100644 index 2c387ff4..04923873 100644
--- a/jose/jwe.py --- a/jose/jwe.py
+++ b/jose/jwe.py +++ b/jose/jwe.py
@@ -76,6 +76,11 @@ def decrypt(jwe_str, key): @@ -6,7 +6,7 @@
from . import jwk
from .backends import get_random_bytes
-from .constants import ALGORITHMS, ZIPS
+from .constants import ALGORITHMS, ZIPS, JWE_SIZE_LIMIT
from .exceptions import JWEError, JWEParseError
from .utils import base64url_decode, base64url_encode, ensure_binary
@@ -76,6 +76,13 @@ def decrypt(jwe_str, key):
>>> jwe.decrypt(jwe_string, 'asecret128bitkey') >>> jwe.decrypt(jwe_string, 'asecret128bitkey')
'Hello, World!' 'Hello, World!'
""" """
+ +
+ # limit the token size to 250 KB + # Limit the token size - if the data is compressed then decompressing the
+ if len(jwe_str) > 250 * 1024: + # data could lead to large memory usage. This helps address This addresses
+ raise JWEError("JWE string exceeds 250 KB") + # CVE-2024-33664. Also see _decompress()
+ if len(jwe_str) > JWE_SIZE_LIMIT:
+ raise JWEError("JWE string exceeds {JWE_SIZE_LIMIT} bytes")
+ +
header, encoded_header, encrypted_key, iv, cipher_text, auth_tag = _jwe_compact_deserialize(jwe_str) header, encoded_header, encrypted_key, iv, cipher_text, auth_tag = _jwe_compact_deserialize(jwe_str)
# Verify that the implementation understands and can process all # Verify that the implementation understands and can process all
@@ -424,13 +431,13 @@ def _compress(zip, plaintext):
(bytes): Compressed plaintext
"""
if zip not in ZIPS.SUPPORTED:
- raise NotImplementedError("ZIP {} is not supported!")
+ raise NotImplementedError(f"ZIP {zip} is not supported!")
if zip is None:
compressed = plaintext
elif zip == ZIPS.DEF:
compressed = zlib.compress(plaintext)
else:
- raise NotImplementedError("ZIP {} is not implemented!")
+ raise NotImplementedError(f"ZIP {zip} is not implemented!")
return compressed
@@ -446,13 +453,18 @@ def _decompress(zip, compressed):
(bytes): Compressed plaintext
"""
if zip not in ZIPS.SUPPORTED:
- raise NotImplementedError("ZIP {} is not supported!")
+ raise NotImplementedError(f"ZIP {zip} is not supported!")
if zip is None:
decompressed = compressed
elif zip == ZIPS.DEF:
- decompressed = zlib.decompress(compressed)
+ # If, during decompression, there is more data than expected, the
+ # decompression halts and raise an error. This addresses CVE-2024-33664
+ decompressor = zlib.decompressobj()
+ decompressed = decompressor.decompress(compressed, max_length=JWE_SIZE_LIMIT)
+ if decompressor.unconsumed_tail:
+ raise JWEError(f"Decompressed JWE string exceeds {JWE_SIZE_LIMIT} bytes")
else:
- raise NotImplementedError("ZIP {} is not implemented!")
+ raise NotImplementedError(f"ZIP {zip} is not implemented!")
return decompressed
diff --git a/tests/test_jwe.py b/tests/test_jwe.py
index f089d565..8c5ff387 100644
--- a/tests/test_jwe.py
+++ b/tests/test_jwe.py
@@ -5,7 +5,7 @@
import jose.backends
from jose import jwe
from jose.constants import ALGORITHMS, ZIPS
-from jose.exceptions import JWEParseError
+from jose.exceptions import JWEParseError, JWEError
from jose.jwk import AESKey, RSAKey
from jose.utils import base64url_decode
@@ -525,3 +525,35 @@ def test_kid_header_not_present_when_not_provided(self):
encrypted = jwe.encrypt("Text", PUBLIC_KEY_PEM, enc, alg)
header = json.loads(base64url_decode(encrypted.split(b".")[0]))
assert "kid" not in header
+
+ @pytest.mark.skipif(AESKey is None, reason="No AES backend")
+ def test_jwe_with_excessive_data(self):
+ enc = ALGORITHMS.A256CBC_HS512
+ alg = ALGORITHMS.RSA_OAEP_256
+ import jose.constants
+ old_limit = jose.constants.JWE_SIZE_LIMIT
+ try:
+ jose.constants.JWE_SIZE_LIMIT = 1024
+ encrypted = jwe.encrypt(b"Text"*64*1024, PUBLIC_KEY_PEM, enc, alg)
+ header = json.loads(base64url_decode(encrypted.split(b".")[0]))
+ with pytest.raises(JWEError):
+ actual = jwe.decrypt(encrypted, PRIVATE_KEY_PEM)
+ finally:
+ jose.constants.JWE_SIZE_LIMIT = old_limit
+
+ @pytest.mark.skipif(AESKey is None, reason="No AES backend")
+ def test_jwe_zip_with_excessive_data(self):
+ # Test that a fix for CVE-2024-33664 is in place.
+ enc = ALGORITHMS.A256CBC_HS512
+ alg = ALGORITHMS.RSA_OAEP_256
+ import jose.constants
+ old_limit = jose.constants.JWE_SIZE_LIMIT
+ try:
+ jose.constants.JWE_SIZE_LIMIT = 1024
+ encrypted = jwe.encrypt(b"Text"*64*1024, PUBLIC_KEY_PEM, enc, alg, zip=ZIPS.DEF)
+ assert len(encrypted) < jose.constants.JWE_SIZE_LIMIT
+ header = json.loads(base64url_decode(encrypted.split(b".")[0]))
+ with pytest.raises(JWEError):
+ actual = jwe.decrypt(encrypted, PRIVATE_KEY_PEM)
+ finally:
+ jose.constants.JWE_SIZE_LIMIT = old_limit

7
python-python-jose.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Jun 3 07:38:00 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
- Update CVE-2024-33664.patch with upstream
https://github.com/mpdavis/python-jose/pull/352
bsc#1223422
------------------------------------------------------------------- -------------------------------------------------------------------
Tue May 7 09:58:08 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com> Tue May 7 09:58:08 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>

4
python-python-jose.spec
View File

@ -36,8 +36,6 @@
%bcond_with testnative %bcond_with testnative
%endif %endif
%{?!python_module:%define python_module() python3-%{**}}
%define skip_python2 1
%{?sle15_python_module_pythons} %{?sle15_python_module_pythons}
Name: python-python-jose%{psuffix} Name: python-python-jose%{psuffix}
Version: 3.3.0 Version: 3.3.0
@ -47,7 +45,7 @@ License: MIT
URL: https://github.com/mpdavis/python-jose URL: https://github.com/mpdavis/python-jose
Source: https://files.pythonhosted.org/packages/source/p/python-jose/python-jose-%{version}.tar.gz Source: https://files.pythonhosted.org/packages/source/p/python-jose/python-jose-%{version}.tar.gz
Patch0: unpin-deps.patch Patch0: unpin-deps.patch
# PATCH-FIX-UPSTREAM CVE-2024-33664.patch gh#mpdavis/python-jose#345 # PATCH-FIX-UPSTREAM CVE-2024-33664.patch gh#mpdavis/python-jose#352
Patch1: CVE-2024-33664.patch Patch1: CVE-2024-33664.patch
# PATCH-FIX-UPSTREAM CVE-2024-33663.patch gh#mpdavis/python-jose#349 # PATCH-FIX-UPSTREAM CVE-2024-33663.patch gh#mpdavis/python-jose#349
Patch2: CVE-2024-33663.patch Patch2: CVE-2024-33663.patch