diff -Nru python-cryptography-2.8/debian/changelog python-cryptography-2.8/debian/changelog
--- python-cryptography-2.8/debian/changelog 2023-12-04 20:04:00.000000000 +0000
+++ python-cryptography-2.8/debian/changelog 2024-02-29 10:30:05.000000000 +0000
@@ -1,3 +1,14 @@
+python-cryptography (2.8-3ubuntu0.3) focal-security; urgency=medium
+
+ * SECURITY UPDATE: exposure of confidential data
+ - debian/patches/CVE-2023-50782.patch: update bindings in
+ src/_cffi_src/openssl/rsa.py to be compatible with new openssl version
+ 31.1.1f-1ubuntu2.22, which fixes the issue by changing PKCS#1 v1.5 RSA to
+ return random output instead of an exception when detecting wrong padding
+ - CVE-2023-50782
+
+ -- Jorge Sancho Larraz Thu, 29 Feb 2024 11:30:05 +0100
+
 python-cryptography (2.8-3ubuntu0.2) focal-security; urgency=medium

 * SECURITY UPDATE: corrupted output via immutable objects
diff -Nru python-cryptography-2.8/debian/patches/CVE-2023-50782.patch python-cryptography-2.8/debian/patches/CVE-2023-50782.patch
--- python-cryptography-2.8/debian/patches/CVE-2023-50782.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-cryptography-2.8/debian/patches/CVE-2023-50782.patch 2024-02-29 10:30:05.000000000 +0000
@@ -0,0 +1,52 @@
+From 9c101390a199e3c8b2b969e3f27fd5a005543637 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor
+Date: Mon, 12 Dec 2022 19:26:06 -0500
+Subject: [PATCH] Attempt to work-around wycheproof tests
+
+---
+ src/_cffi_src/openssl/rsa.py | 8 ++++++++
+ tests/hazmat/primitives/test_rsa.py | 5 +++--
+ tests/wycheproof/test_rsa.py | 20 +++++++++++++++-----
+ 3 files changed, 26 insertions(+), 7 deletions(-)
+
+diff --git a/src/_cffi_src/openssl/rsa.py b/src/_cffi_src/openssl/rsa.py
+index b1f6e4a4d645..3492d4588e11 100644
+--- a/src/_cffi_src/openssl/rsa.py
++++ b/src/_cffi_src/openssl/rsa.py
+@@ -16,6 +16,8 @@
+ static const int RSA_PKCS1_OAEP_PADDING;
+ static const int RSA_PKCS1_PSS_PADDING;
+ static const int RSA_F4;
++
++static const int Cryptography_HAS_IMPLICIT_RSA_REJECTION;
+
+ static const int Cryptography_HAS_PSS_PADDING;
+ static const int Cryptography_HAS_RSA_OAEP_MD;
+@@ -49,4 +51,10 @@
+ *iqmp = r->iqmp;
+ }
+ #endif
++
++#if defined(EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION)
++static const int Cryptography_HAS_IMPLICIT_RSA_REJECTION = 1;
++#else
++static const int Cryptography_HAS_IMPLICIT_RSA_REJECTION = 0;
++#endif
+ """
+diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py
+index 5a9fa19f37b4..7a4b2f1e3234 100644
+--- a/tests/hazmat/primitives/test_rsa.py
++++ b/tests/hazmat/primitives/test_rsa.py
+@@ -1713,8 +1713,9 @@ def test_unsupported_padding(self, backend):
+ private_key.decrypt(b"0" * 64, DummyAsymmetricPadding())
+
+ @pytest.mark.supported(
+- only_if=lambda backend: backend.rsa_padding_supported(
+- padding.PKCS1v15()
++ only_if=lambda backend: (
++ backend.rsa_padding_supported(padding.PKCS1v15())
++ and not backend._lib.Cryptography_HAS_IMPLICIT_RSA_REJECTION
+ ),
+ skip_message="Does not support PKCS1v1.5."
+ )
+
diff -Nru python-cryptography-2.8/debian/patches/series python-cryptography-2.8/debian/patches/series
--- python-cryptography-2.8/debian/patches/series 2023-12-04 20:03:48.000000000 +0000
+++ python-cryptography-2.8/debian/patches/series 2024-02-29 10:30:05.000000000 +0000
@@ -1,2 +1,3 @@
 CVE-2020-25659.patch
 CVE-2023-23931.patch
+CVE-2023-50782.patch
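Review bot: In the tests/hazmat/primitives/test_rsa.py section of the new CVE-2023-50782.patch, the test under this `@pytest.mark.supported` decorator is skipped whenever `Cryptography_HAS_IMPLICIT_RSA_REJECTION` is set, so nothing in the patch asserts the new behaviour (random output instead of an exception on bad padding). The unchanged `skip_message="Does not support PKCS1v1.5."` then reports the wrong reason; something like `skip_message="Does not support PKCS1v1.5 or uses implicit rejection."` would be accurate. The flag comes from `#if defined(EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION)` in rsa.py, so it reflects the OpenSSL headers present at build time. The patch changes no decryption code, so the mitigation depends on the OpenSSL package installed at runtime; debian/control is not part of this diff, and it is worth confirming that it carries a versioned dependency on the fixed libssl. The embedded diffstat still lists tests/wycheproof/test_rsa.py and "3 files changed" while the 52 added lines hold only two file sections, so a short header note saying the backport drops that file would help; the decorated test function itself lies outside the hunk.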