packages/python-Authlib
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!1 fix CVE-2024-37568

Browse Source 
From: @addrexist 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
This commit is contained in:
openeuler-ci-bot 2024-06-26 07:51:56 +00:00 committed by Gitee
commit 543d1163ae
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 53 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch Normal file
View File

@ -0,0 +1,46 @@
From 3bea812acefebc9ee108aa24557be3ba8971daf1 Mon Sep 17 00:00:00 2001
From: Hsiaoming Yang <me@lepture.com>
Date: Tue, 4 Jun 2024 11:34:43 +0900
Subject: [PATCH] fix: prevent OctKey to import ssh/rsa/pem keys
https://github.com/lepture/authlib/issues/654
---
authlib/jose/rfc7518/oct_key.py | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/authlib/jose/rfc7518/oct_key.py b/authlib/jose/rfc7518/oct_key.py
index 1db321a..44e1f72 100644
--- a/authlib/jose/rfc7518/oct_key.py
+++ b/authlib/jose/rfc7518/oct_key.py
@@ -6,6 +6,16 @@ from authlib.common.security import generate_token
from ..rfc7517 import Key
+POSSIBLE_UNSAFE_KEYS = (
+ b"-----BEGIN ",
+ b"---- BEGIN ",
+ b"ssh-rsa ",
+ b"ssh-dss ",
+ b"ssh-ed25519 ",
+ b"ecdsa-sha2-",
+)
+
+
class OctKey(Key):
"""Key class of the ``oct`` key type."""
@@ -65,6 +75,11 @@ class OctKey(Key):
key._dict_data = raw
else:
raw_key = to_bytes(raw)
+
+ # security check
+ if raw_key.startswith(POSSIBLE_UNSAFE_KEYS):
+ raise ValueError("This key may not be safe to import")
+
key = cls(raw_key=raw_key, options=options)
return key
--
2.33.0

9
python-Authlib.spec
View File

@ -1,13 +1,15 @@
%global _empty_manifest_terminate_build 0 %global _empty_manifest_terminate_build 0
Name: python-Authlib Name: python-Authlib
Version: 1.2.0 Version: 1.2.0
Release: 1 Release: 2
Summary: The ultimate Python library in building OAuth and OpenID Connect servers and clients. Summary: The ultimate Python library in building OAuth and OpenID Connect servers and clients.
License: BSD 3-Clause License License: BSD 3-Clause License
URL: https://authlib.org/ URL: https://authlib.org/
Source0: https://files.pythonhosted.org/packages/1e/84/3c82d181a04053fefa456dcb15edea93ffdb06071570b6cb05783f5e5fa5/Authlib-1.2.0.tar.gz Source0: https://files.pythonhosted.org/packages/1e/84/3c82d181a04053fefa456dcb15edea93ffdb06071570b6cb05783f5e5fa5/Authlib-1.2.0.tar.gz
BuildArch: noarch BuildArch: noarch
Patch0001: backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch
Requires: python3-cryptography Requires: python3-cryptography
%description %description
@ -32,7 +34,7 @@ The ultimate Python library in building OAuth and OpenID Connect servers.
JWS, JWK, JWA, JWT are included. JWS, JWK, JWA, JWT are included.
%prep %prep
%autosetup -n Authlib-1.2.0 %autosetup -p1 -n Authlib-1.2.0
%build %build
%py3_build %py3_build
@ -72,5 +74,8 @@ mv %{buildroot}/doclist.lst .
%{_docdir}/* %{_docdir}/*
%changelog %changelog
* Wed Jun 26 2024 wangziliang <wangziliang@kylinos.cn> - 1.2.0-2
- fix CVE-2024-37568
* Wed Jun 07 2023 lichaoran <pkwarcraft@hotmail.com> - 1.2.0-1 * Wed Jun 07 2023 lichaoran <pkwarcraft@hotmail.com> - 1.2.0-1
- Package Spec generated - Package Spec generated