mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-17 04:37:19 +00:00
python3-ecdsa: fix CVE-2026-33936
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33936 Ptests passed: root@qemux86:~# ptest-runner python3-ecdsa START: ptest-runner 2026-04-11T08:04 BEGIN: /usr/lib/python3-ecdsa/ptest ... ... Testsuite summary # TOTAL: 1978 # PASS: 1974 # SKIP: 4 # XFAIL: 0 # FAIL: 0 # XPASS: 0 # ERROR: 0 DURATION: 386 END: /usr/lib/python3-ecdsa/ptest 2026-04-11T08:10 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
@@ -0,0 +1,56 @@
|
|||||||
|
From 41e6b7be293284ef8b1f102587f0da6eae1b753f Mon Sep 17 00:00:00 2001
|
||||||
|
From: 0xmrma <moabdelaal442004@gmail.com>
|
||||||
|
Date: Sun, 1 Mar 2026 09:18:21 +0200
|
||||||
|
Subject: [PATCH] der: reject truncated lengths in octet/implicit/constructed
|
||||||
|
|
||||||
|
CVE: CVE-2026-33936
|
||||||
|
Upstream-Status: Backport [https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3]
|
||||||
|
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
||||||
|
---
|
||||||
|
src/ecdsa/der.py | 4 ++++
|
||||||
|
src/ecdsa/test_der.py | 13 +++++++++++++
|
||||||
|
2 files changed, 17 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/ecdsa/der.py b/src/ecdsa/der.py
|
||||||
|
index b291485..5bbfaa3 100644
|
||||||
|
--- a/src/ecdsa/der.py
|
||||||
|
+++ b/src/ecdsa/der.py
|
||||||
|
@@ -137,6 +137,8 @@ def remove_constructed(string):
|
||||||
|
)
|
||||||
|
tag = s0 & 0x1F
|
||||||
|
length, llen = read_length(string[1:])
|
||||||
|
+ if length > len(string) - 1 - llen:
|
||||||
|
+ raise UnexpectedDER("Length longer than the provided buffer")
|
||||||
|
body = string[1 + llen : 1 + llen + length]
|
||||||
|
rest = string[1 + llen + length :]
|
||||||
|
return tag, body, rest
|
||||||
|
@@ -160,6 +162,8 @@ def remove_octet_string(string):
|
||||||
|
n = str_idx_as_int(string, 0)
|
||||||
|
raise UnexpectedDER("wanted type 'octetstring' (0x04), got 0x%02x" % n)
|
||||||
|
length, llen = read_length(string[1:])
|
||||||
|
+ if length > len(string) - 1 - llen:
|
||||||
|
+ raise UnexpectedDER("Length longer than the provided buffer")
|
||||||
|
body = string[1 + llen : 1 + llen + length]
|
||||||
|
rest = string[1 + llen + length :]
|
||||||
|
return body, rest
|
||||||
|
diff --git a/src/ecdsa/test_der.py b/src/ecdsa/test_der.py
|
||||||
|
index 0c2dc4d..28d231e 100644
|
||||||
|
--- a/src/ecdsa/test_der.py
|
||||||
|
+++ b/src/ecdsa/test_der.py
|
||||||
|
@@ -476,3 +476,16 @@ def test_oids(ids):
|
||||||
|
decoded_oid, rest = remove_object(encoded_oid)
|
||||||
|
assert rest == b""
|
||||||
|
assert decoded_oid == ids
|
||||||
|
+
|
||||||
|
+def test_remove_octet_string_rejects_truncated_length():
|
||||||
|
+ # OCTET STRING: declared length 4096, but only 3 bytes present
|
||||||
|
+ bad = b"\x04\x82\x10\x00" + b"ABC"
|
||||||
|
+ with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
|
||||||
|
+ remove_octet_string(bad)
|
||||||
|
+
|
||||||
|
+def test_remove_constructed_rejects_truncated_length():
|
||||||
|
+ # Constructed tag: 0xA0 (context-specific constructed, tag=0)
|
||||||
|
+ # declared length 4096, but only 3 bytes present
|
||||||
|
+ bad = b"\xA0\x82\x10\x00" + b"ABC"
|
||||||
|
+ with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
|
||||||
|
+ remove_constructed(bad)
|
||||||
@@ -10,6 +10,7 @@ inherit pypi setuptools3 python3native ptest
|
|||||||
|
|
||||||
SRC_URI += " \
|
SRC_URI += " \
|
||||||
file://run-ptest \
|
file://run-ptest \
|
||||||
|
file://CVE-2026-33936.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
RDEPENDS:${PN}-ptest += " \
|
RDEPENDS:${PN}-ptest += " \
|
||||||
|
|||||||
Reference in New Issue
Block a user