Hello community,

here is the log from the commit of package python-python-jose for 
openSUSE:Factory checked in at 2024-06-03 17:44:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-python-jose (Old)
 and      /work/SRC/openSUSE:Factory/.python-python-jose.new.24587 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-python-jose"

Mon Jun  3 17:44:29 2024 rev:9 rq:1178245 version:3.3.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-python-jose/python-python-jose.changes    
2024-05-07 18:05:34.835256125 +0200
+++ 
/work/SRC/openSUSE:Factory/.python-python-jose.new.24587/python-python-jose.changes
 2024-06-03 17:44:49.318025412 +0200
@@ -1,0 +2,7 @@
+Mon Jun  3 07:38:00 UTC 2024 - Daniel Garcia <[email protected]>
+
+- Update CVE-2024-33664.patch with upstream
+  https://github.com/mpdavis/python-jose/pull/352
+  bsc#1223422
+
+-------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-python-jose.spec ++++++
--- /var/tmp/diff_new_pack.ArEi6t/_old  2024-06-03 17:44:49.882046042 +0200
+++ /var/tmp/diff_new_pack.ArEi6t/_new  2024-06-03 17:44:49.886046188 +0200
@@ -36,8 +36,6 @@
 %bcond_with    testnative
 %endif
 
-%{?!python_module:%define python_module() python3-%{**}}
-%define skip_python2 1
 %{?sle15_python_module_pythons}
 Name:           python-python-jose%{psuffix}
 Version:        3.3.0
@@ -47,7 +45,7 @@
 URL:            https://github.com/mpdavis/python-jose
 Source:         
https://files.pythonhosted.org/packages/source/p/python-jose/python-jose-%{version}.tar.gz
 Patch0:         unpin-deps.patch
-# PATCH-FIX-UPSTREAM CVE-2024-33664.patch gh#mpdavis/python-jose#345
+# PATCH-FIX-UPSTREAM CVE-2024-33664.patch gh#mpdavis/python-jose#352
 Patch1:         CVE-2024-33664.patch
 # PATCH-FIX-UPSTREAM CVE-2024-33663.patch gh#mpdavis/python-jose#349
 Patch2:         CVE-2024-33663.patch

++++++ CVE-2024-33664.patch ++++++
--- /var/tmp/diff_new_pack.ArEi6t/_old  2024-06-03 17:44:49.906046920 +0200
+++ /var/tmp/diff_new_pack.ArEi6t/_new  2024-06-03 17:44:49.910047066 +0200
@@ -1,26 +1,136 @@
-From 483529ee93a3ab510ab579d4d4cc644dba926ade Mon Sep 17 00:00:00 2001
-From: princekhunt <[email protected]>
-Date: Wed, 20 Mar 2024 22:12:36 +0530
-Subject: [PATCH] limit token size to 250 KB
+From ff3357d9f91b93bc957aac9bc5a447c5c0bb74da Mon Sep 17 00:00:00 2001
+From: "[email protected]" <[email protected]>
+Date: Tue, 7 May 2024 14:50:53 +0100
+Subject: [PATCH] Fix for CVE-2024-33664. JWE limited to 250K
 
 ---
- jose/jwe.py | 5 +++++
- 1 file changed, 5 insertions(+)
+ jose/constants.py |  2 ++
+ jose/jwe.py       | 24 ++++++++++++++++++------
+ tests/test_jwe.py | 34 +++++++++++++++++++++++++++++++++-
+ 3 files changed, 53 insertions(+), 7 deletions(-)
 
+diff --git a/jose/constants.py b/jose/constants.py
+index ab4d74d3..58787d46 100644
+--- a/jose/constants.py
++++ b/jose/constants.py
+@@ -96,3 +96,5 @@ class Zips:
+ 
+ 
+ ZIPS = Zips()
++
++JWE_SIZE_LIMIT = 250 * 1024
 diff --git a/jose/jwe.py b/jose/jwe.py
-index 2c387ff4..1e0833e7 100644
+index 2c387ff4..04923873 100644
 --- a/jose/jwe.py
 +++ b/jose/jwe.py
-@@ -76,6 +76,11 @@ def decrypt(jwe_str, key):
+@@ -6,7 +6,7 @@
+ 
+ from . import jwk
+ from .backends import get_random_bytes
+-from .constants import ALGORITHMS, ZIPS
++from .constants import ALGORITHMS, ZIPS, JWE_SIZE_LIMIT
+ from .exceptions import JWEError, JWEParseError
+ from .utils import base64url_decode, base64url_encode, ensure_binary
+ 
+@@ -76,6 +76,13 @@ def decrypt(jwe_str, key):
          >>> jwe.decrypt(jwe_string, 'asecret128bitkey')
          'Hello, World!'
      """
-+    
-+    # limit the token size to 250 KB
-+    if len(jwe_str) > 250 * 1024:
-+        raise JWEError("JWE string exceeds 250 KB")
-+    
++
++    # Limit the token size - if the data is compressed then decompressing the
++    # data could lead to large memory usage. This helps address This addresses
++    # CVE-2024-33664. Also see _decompress()
++    if len(jwe_str) > JWE_SIZE_LIMIT:
++        raise JWEError("JWE string exceeds {JWE_SIZE_LIMIT} bytes")
++
      header, encoded_header, encrypted_key, iv, cipher_text, auth_tag = 
_jwe_compact_deserialize(jwe_str)
  
      # Verify that the implementation understands and can process all
+@@ -424,13 +431,13 @@ def _compress(zip, plaintext):
+         (bytes): Compressed plaintext
+     """
+     if zip not in ZIPS.SUPPORTED:
+-        raise NotImplementedError("ZIP {} is not supported!")
++        raise NotImplementedError(f"ZIP {zip} is not supported!")
+     if zip is None:
+         compressed = plaintext
+     elif zip == ZIPS.DEF:
+         compressed = zlib.compress(plaintext)
+     else:
+-        raise NotImplementedError("ZIP {} is not implemented!")
++        raise NotImplementedError(f"ZIP {zip} is not implemented!")
+     return compressed
+ 
+ 
+@@ -446,13 +453,18 @@ def _decompress(zip, compressed):
+         (bytes): Compressed plaintext
+     """
+     if zip not in ZIPS.SUPPORTED:
+-        raise NotImplementedError("ZIP {} is not supported!")
++        raise NotImplementedError(f"ZIP {zip} is not supported!")
+     if zip is None:
+         decompressed = compressed
+     elif zip == ZIPS.DEF:
+-        decompressed = zlib.decompress(compressed)
++        # If, during decompression, there is more data than expected, the
++        # decompression halts and raise an error. This addresses 
CVE-2024-33664
++        decompressor = zlib.decompressobj()
++        decompressed = decompressor.decompress(compressed, 
max_length=JWE_SIZE_LIMIT)
++        if decompressor.unconsumed_tail:
++            raise JWEError(f"Decompressed JWE string exceeds {JWE_SIZE_LIMIT} 
bytes")
+     else:
+-        raise NotImplementedError("ZIP {} is not implemented!")
++        raise NotImplementedError(f"ZIP {zip} is not implemented!")
+     return decompressed
+ 
+ 
+diff --git a/tests/test_jwe.py b/tests/test_jwe.py
+index f089d565..8c5ff387 100644
+--- a/tests/test_jwe.py
++++ b/tests/test_jwe.py
+@@ -5,7 +5,7 @@
+ import jose.backends
+ from jose import jwe
+ from jose.constants import ALGORITHMS, ZIPS
+-from jose.exceptions import JWEParseError
++from jose.exceptions import JWEParseError, JWEError
+ from jose.jwk import AESKey, RSAKey
+ from jose.utils import base64url_decode
+ 
+@@ -525,3 +525,35 @@ def test_kid_header_not_present_when_not_provided(self):
+         encrypted = jwe.encrypt("Text", PUBLIC_KEY_PEM, enc, alg)
+         header = json.loads(base64url_decode(encrypted.split(b".")[0]))
+         assert "kid" not in header
++
++    @pytest.mark.skipif(AESKey is None, reason="No AES backend")
++    def test_jwe_with_excessive_data(self):
++        enc = ALGORITHMS.A256CBC_HS512
++        alg = ALGORITHMS.RSA_OAEP_256
++        import jose.constants
++        old_limit = jose.constants.JWE_SIZE_LIMIT
++        try:
++            jose.constants.JWE_SIZE_LIMIT = 1024
++            encrypted = jwe.encrypt(b"Text"*64*1024, PUBLIC_KEY_PEM, enc, alg)
++            header = json.loads(base64url_decode(encrypted.split(b".")[0]))
++            with pytest.raises(JWEError):
++                actual = jwe.decrypt(encrypted, PRIVATE_KEY_PEM)
++        finally:
++            jose.constants.JWE_SIZE_LIMIT = old_limit
++
++    @pytest.mark.skipif(AESKey is None, reason="No AES backend")
++    def test_jwe_zip_with_excessive_data(self):
++        # Test that a fix for CVE-2024-33664 is in place.
++        enc = ALGORITHMS.A256CBC_HS512
++        alg = ALGORITHMS.RSA_OAEP_256
++        import jose.constants
++        old_limit = jose.constants.JWE_SIZE_LIMIT
++        try:
++            jose.constants.JWE_SIZE_LIMIT = 1024
++            encrypted = jwe.encrypt(b"Text"*64*1024, PUBLIC_KEY_PEM, enc, 
alg, zip=ZIPS.DEF)
++            assert len(encrypted) < jose.constants.JWE_SIZE_LIMIT
++            header = json.loads(base64url_decode(encrypted.split(b".")[0]))
++            with pytest.raises(JWEError):
++                actual = jwe.decrypt(encrypted, PRIVATE_KEY_PEM)
++        finally:
++            jose.constants.JWE_SIZE_LIMIT = old_limit
 
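Review bot: The size-limit error added to `decrypt`, `raise JWEError("JWE string exceeds {JWE_SIZE_LIMIT} bytes")`, lacks the `f` prefix, so callers get the literal placeholder text instead of the limit; it should be `raise JWEError(f"JWE string exceeds {JWE_SIZE_LIMIT} bytes")`, consistent with the f-string used in `_decompress`. Separately, `jose/jwe.py` binds the constant by value through `from .constants import ALGORITHMS, ZIPS, JWE_SIZE_LIMIT`, so the new tests' `jose.constants.JWE_SIZE_LIMIT = 1024` rebinding never reaches the code under test; they appear to pass only because the 256 KiB plaintext already exceeds the real 250 KiB limit, and patching `jose.jwe.JWE_SIZE_LIMIT` (or having `jwe.py` read `constants.JWE_SIZE_LIMIT` at call time) would make the override actually exercised. The comment above the check also carries a duplicated phrase, `This helps address This addresses CVE-2024-33664`, which should be reduced to one. In `_decompress` the new code inspects only `decompressor.unconsumed_tail` and never `decompressor.eof`, so a truncated deflate stream that `zlib.decompress` used to reject seems to now pass silently; that may be acceptable given the authentication tag is verified earlier, but a comment stating that reliance would help the next reader. Both `decrypt` and `_decompress` continue outside the patch excerpts shown.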
