Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected] Control: affects -1 + src:python-ecdsa User: [email protected] Usertags: pu bsp-2026-05-07-brazil
[ Reason ] Fix CVE-2026-33936 by backporting the upstream fix. Additionally, import an upstream test fix required for the package test suite to pass with Python 3.13. [ Impact ] Malformed DER-encoded private keys can trigger unexpected exceptions, leading to a denial of service. [ Tests ] The package was built successfully and the test suite passes with the included fixes. [ Risks ] Low. The update consists of upstream patches: - the security fix for CVE-2026-33936; - a test-only adjustment to keep the test suite compatible with newer Python versions. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] - CVE-2026-33936: Import upstream patch. - Fix-tests-with-new-Python: Import upstream patch to fix test failures with Python 3.13. [ Other info ] The upload will be sponsored by @josue.
diff -Nru python-ecdsa-0.19.1/debian/changelog python-ecdsa-0.19.1/debian/changelog
--- python-ecdsa-0.19.1/debian/changelog 2025-03-23 16:27:42.000000000 +0000
+++ python-ecdsa-0.19.1/debian/changelog 2026-06-17 15:56:06.000000000 +0000
@@ -1,3 +1,13 @@
+python-ecdsa (0.19.1-1+deb13u1) trixie; urgency=medium
+
+ * Team upload.
+ * d/patches: (Closes: #1132164)
+ - CVE-2026-33936: Import upstream patch
+ - Fix-tests-with-new-Python: Import upstream patch
+ (Tests fails with python 3.13)
+
+ -- Matheus Polkorny <[email protected]> Wed, 17 Jun 2026 12:56:06 -0300
+
 python-ecdsa (0.19.1-1) unstable; urgency=medium
 
 * Team upload.
diff -Nru python-ecdsa-0.19.1/debian/patches/CVE-2026-33936-1.patch python-ecdsa-0.19.1/debian/patches/CVE-2026-33936-1.patch
--- python-ecdsa-0.19.1/debian/patches/CVE-2026-33936-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-ecdsa-0.19.1/debian/patches/CVE-2026-33936-1.patch 2026-06-17 15:56:06.000000000 +0000
@@ -0,0 +1,40 @@
+From: 0xmrma <[email protected]>
+Date: Sun, 1 Mar 2026 09:18:21 +0200
+Subject: der: reject truncated lengths in octet/implicit/constructed
+
+Origin: upstream, https://github.com/tlsfuzzer/python-ecdsa/commit/acc40fdaf7bb09aafc912a687ca6ed063ecaface
+---
+ src/ecdsa/der.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/ecdsa/der.py b/src/ecdsa/der.py
+index fab1e0b..4ebace1 100644
+--- a/src/ecdsa/der.py
++++ b/src/ecdsa/der.py
+@@ -164,6 +164,8 @@ def remove_constructed(string):
+ )
+ tag = s0 & 0x1F
+ length, llen = read_length(string[1:])
++ if length > len(string) - 1 - llen:
++ raise UnexpectedDER("Length longer than the provided buffer")
+ body = string[1 + llen : 1 + llen + length]
+ rest = string[1 + llen + length :]
+ return tag, body, rest
+@@ -207,6 +209,8 @@ def remove_implicit(string, exp_class="context-specific"):
+
+ tag = s0 & 0x1F
+ length, llen = read_length(string[1:])
++ if length > len(string) - 1 - llen:
++ raise UnexpectedDER("Length longer than the provided buffer")
+ body = string[1 + llen : 1 + llen + length]
+ rest = string[1 + llen + length :]
+ return tag, body, rest
+@@ -230,6 +234,8 @@ def remove_octet_string(string):
+ n = str_idx_as_int(string, 0)
+ raise UnexpectedDER("wanted type 'octetstring' (0x04), got 0x%02x" % n)
+ length, llen = read_length(string[1:])
++ if length > len(string) - 1 - llen:
++ raise UnexpectedDER("Length longer than the provided buffer")
+ body = string[1 + llen : 1 + llen + length]
+ rest = string[1 + llen + length :]
+ return body, rest
diff -Nru python-ecdsa-0.19.1/debian/patches/CVE-2026-33936-2.patch python-ecdsa-0.19.1/debian/patches/CVE-2026-33936-2.patch
--- python-ecdsa-0.19.1/debian/patches/CVE-2026-33936-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-ecdsa-0.19.1/debian/patches/CVE-2026-33936-2.patch 2026-06-17 15:56:06.000000000 +0000
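Review bot: The same three-line guard is pasted into remove_constructed, remove_implicit and remove_octet_string without a comment saying why the comparison is against `len(string) - 1 - llen`; a one-line comment above each check such as `# declared length must fit in the bytes after the tag and length octets, else the slice below silently truncates` (or a small private helper the three readers share) would keep the intent from being lost in the next edit. The check also stays safe if read_length ever returned an llen past the buffer end, since the right-hand side then goes negative and any non-negative length trips it, so the failure mode is an UnexpectedDER rather than a short slice. If remove_sequence already raises the same `Length longer than the provided buffer` message, this keeps the error surface consistent for callers that catch UnexpectedDER. All three enclosing functions begin outside the hunk.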
@@ -0,0 +1,37 @@
+From: 0xmrma <[email protected]>
+Date: Thu, 5 Mar 2026 18:44:50 +0200
+Subject: tests: reject truncated DER lengths
+
+Origin: upstream, https://github.com/tlsfuzzer/python-ecdsa/commit/9c046ee7f61649a8a43d3f6f9c64f13e76e148db
+---
+ src/ecdsa/test_der.py | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/src/ecdsa/test_der.py b/src/ecdsa/test_der.py
+index b095543..33a2dca 100644
+--- a/src/ecdsa/test_der.py
++++ b/src/ecdsa/test_der.py
+@@ -600,3 +600,23 @@ def test_oids(ids):
+ decoded_oid, rest = remove_object(encoded_oid)
+ assert rest == b""
+ assert decoded_oid == ids
++
++def test_remove_octet_string_rejects_truncated_length():
++ # OCTET STRING: declared length 4096, but only 3 bytes present
++ bad = b"\x04\x82\x10\x00" + b"ABC"
++ with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
++ remove_octet_string(bad)
++
++def test_remove_constructed_rejects_truncated_length():
++ # Constructed tag: 0xA0 (context-specific constructed, tag=0)
++ # declared length 4096, but only 3 bytes present
++ bad = b"\xA0\x82\x10\x00" + b"ABC"
++ with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
++ remove_constructed(bad)
++
++def test_remove_implicit_rejects_truncated_length():
++ # IMPLICIT primitive context-specific tag 0: 0x80
++ # declared length 4096, but only 3 bytes present
++ bad = b"\x80\x82\x10\x00" + b"ABC"
++ with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
++ remove_implicit(bad)
diff -Nru python-ecdsa-0.19.1/debian/patches/Fix-tests-with-new-Python.patch python-ecdsa-0.19.1/debian/patches/Fix-tests-with-new-Python.patch
--- python-ecdsa-0.19.1/debian/patches/Fix-tests-with-new-Python.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-ecdsa-0.19.1/debian/patches/Fix-tests-with-new-Python.patch 2026-06-17 15:56:06.000000000 +0000
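Review bot: All three new tests use only a long-form length (`\x82\x10\x00`) and never exercise the accept side of the boundary, so a later regression that turned the guard's `>` into `>=` would pass unnoticed; add an exact-fit case per reader, e.g. (constructed input) `assert remove_octet_string(b"\x04\x03ABC") == (b"ABC", b"")`, and a short-form truncated case such as `b"\x04\x05ABC"`. The tests also depend on `pytest` and `UnexpectedDER` being imported at the top of test_der.py, which is outside the hunk; if that module only imports the readers under test, the patch needs an import line as well. Minor style: PEP 8 expects two blank lines between top-level test functions where the patch uses one.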
@@ -0,0 +1,30 @@
+From: Alexander Shadchin <[email protected]>
+Date: Thu, 9 Apr 2026 12:22:29 +0300
+Subject: Fix tests with new Python
+
+Origin: upstream, https://github.com/tlsfuzzer/python-ecdsa/commit/f8e0f3a0035b44fa2541e2c447ed1599f220c4b5
+---
+ src/ecdsa/der.py | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/src/ecdsa/der.py b/src/ecdsa/der.py
+index 4ebace1..d16c12b 100644
+--- a/src/ecdsa/der.py
++++ b/src/ecdsa/der.py
+@@ -465,12 +465,11 @@ def unpem(pem):
+ if isinstance(pem, str): # pragma: no branch
+ pem = pem.encode()
+
++ lines = (l.strip() for l in pem.split(b"\n"))
+ d = b"".join(
+- [
+- l.strip()
+- for l in pem.split(b"\n")
+- if l and not l.startswith(b"-----")
+- ]
++ l
++ for l in lines
++ if l and not l.startswith(b"-----")
+ )
+ return base64.b64decode(d)
+
diff -Nru python-ecdsa-0.19.1/debian/patches/series python-ecdsa-0.19.1/debian/patches/series
--- python-ecdsa-0.19.1/debian/patches/series 2025-03-23 16:27:42.000000000 +0000
+++ python-ecdsa-0.19.1/debian/patches/series 2026-06-17 15:56:06.000000000 +0000
@@ -1,2 +1,5 @@
 00-remove-temp-test-dir.patch
 remove-six.patch
+CVE-2026-33936-1.patch
+CVE-2026-33936-2.patch
+Fix-tests-with-new-Python.patch
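Review bot: This patch changes `unpem` in src/ecdsa/der.py, which is library code shipped to users, while the request's [ Risks ] section and the changelog describe it as a test-only adjustment; the scope statement should say the change touches der.py so the stable release team is not assessing it as test-suite-only. As far as the hunk shows the rewrite is behaviour-preserving: `lines` is a single-use generator and the filter expression is unchanged, so `b"".join` receives the same byte strings as before. A short comment above `lines = ...` recording why the generator form is needed on newer Python would help, since the commit subject "Fix tests with new Python" does not say and the reason is not visible here. `def unpem(pem)` begins outside the hunk.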

