Bug 1208036 (CVE-2023-23931) - VUL-0: CVE-2023-23931: python-cryptography: Cipher.update_into can corrupt memory if passed an immutable python object as the outbuf
Status: RESOLVED FIXED
Alias: CVE-2023-23931
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/356403/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-23931:4.0:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-02-08 09:09 UTC by Thomas Leroy
Modified: 2024-06-13 15:45 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Thomas Leroy 2023-02-08 09:09:42 UTC
CVE-2023-23931

cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers. In affected versions `Cipher.update_into` would
accept Python objects which implement the buffer protocol, but provide only
immutable buffers. This would allow immutable objects (such as `bytes`) to be
mutated, thus violating fundamental rules of Python and resulting in corrupted
output. This now correctly raises an exception. This issue has been present
since `update_into` was originally introduced in cryptography 1.8.

Upstream fix:
https://github.com/pyca/cryptography/commit/9fbf84efc861668755ab645530ec7be9cf3c6696

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23931
https://www.cve.org/CVERecord?id=CVE-2023-23931
https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3
https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r
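The description above says what went wrong: `update_into` handed the output buffer to the C layer without asking whether it was writable, so a read-only buffer-protocol object such as `bytes` was written into. The following is an added example, not code from python-cryptography, cffi or the SUSE packages. It performs that refusal at the call site, in pure Python, together with the size check that the `update_into` contract requires (cryptography documents that `buf` must hold `len(data) + n - 1` bytes, `n` being the cipher block size in bytes). `CopyContext` is a constructed stand-in that only mirrors the `update_into(data, buf) -> int` calling convention so the guard can be exercised without the package installed; `aes_ctr_into` is the real use and runs only if the `cryptography` package is importable. The guard assumes you control the call site, which is the case when wrapping a release you cannot upgrade yet.

```python
"""Added example (not python-cryptography's own code): a call-site guard
for the update_into(data, buf) contract, motivated by CVE-2023-23931.

The vulnerable releases never asked the output object whether its buffer
was writable. memoryview() asks exactly that question, so the check below
refuses read-only buffers before anything is written, and also rejects
buffers that are too small for the documented output size.
"""
from array import array
from typing import Any, Optional

# cryptography's documented requirement for update_into: buf must hold
# len(data) + n - 1 bytes, n being the block size in bytes (16 for AES).
AES_BLOCK_SIZE = 16


def check_outbuf(buf: Any, needed: int) -> int:
    """Validate *buf* as an output buffer and return its size in bytes.

    TypeError  -> buf has no buffer protocol, or its buffer is read-only
                  (bytes, a read-only memoryview, ...).
    ValueError -> buf holds fewer than *needed* bytes.
    """
    try:
        view = memoryview(buf)
    except TypeError as exc:
        raise TypeError(f"outbuf must support the buffer protocol, "
                        f"got {type(buf).__name__}") from exc
    with view:  # release the buffer export as soon as we have our answer
        if view.readonly:
            raise TypeError(f"outbuf must be writable, "
                            f"got read-only {type(buf).__name__}")
        size = view.nbytes  # counts bytes even for array('I') style buffers
    if size < needed:
        raise ValueError(f"outbuf too small: need {needed} bytes, have {size}")
    return size


def outbuf_problem(buf: Any, needed: int) -> Optional[str]:
    """Same check, reported as a message (None when the buffer is acceptable)."""
    try:
        check_outbuf(buf, needed)
    except (TypeError, ValueError) as exc:
        return str(exc)
    return None


def safe_update_into(ctx: Any, data: bytes, buf: Any,
                     block_size: int = AES_BLOCK_SIZE) -> int:
    """Call ctx.update_into(data, buf) only after *buf* passes check_outbuf.

    *ctx* is any object exposing update_into(data, buf) -> bytes_written,
    e.g. the context returned by Cipher(...).encryptor().
    """
    check_outbuf(buf, len(data) + block_size - 1)
    return ctx.update_into(data, buf)


class CopyContext:
    """Constructed stand-in with the update_into calling convention.

    It copies data into buf and returns the byte count; it is not a cipher.
    Writing through a memoryview means even the stand-in fails loudly on a
    bytes object instead of corrupting it.
    """

    def update_into(self, data: bytes, buf: Any) -> int:
        with memoryview(buf).cast("B") as view:
            view[:len(data)] = data
        return len(data)


def aes_ctr_into(key: bytes, nonce: bytes, data: bytes, buf: Any) -> int:
    """Real use with the cryptography package (only runs if it is installed)."""
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    enc = Cipher(algorithms.AES(key), modes.CTR(nonce),
                 backend=default_backend()).encryptor()
    return safe_update_into(enc, data, buf)


if __name__ == "__main__":
    data = b"attack at dawn!!"  # constructed 16-byte input
    print(outbuf_problem(bytearray(31), 31))        # None: writable, large enough
    print(outbuf_problem(b"\x00" * 31, 31))         # read-only bytes is refused
    print(outbuf_problem(array("I", [0] * 4), 31))  # 16 bytes: too small
    print(safe_update_into(CopyContext(), data, bytearray(31)))  # 16
```

The important line is `view.readonly`: a `bytes` object happily exports its buffer, so "supports the buffer protocol" is not the same as "may be written to", and a wrapper that checks only the former repeats the original mistake.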
Comment 1 Thomas Leroy 2023-02-08 09:12:57 UTC
All codestreams affected:
- SUSE:SLE-12-SP2:Update
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update
- SUSE:SLE-15-SP1:Update
- SUSE:SLE-15-SP2:Update
- SUSE:SLE-15-SP4:Update
- openSUSE:Factory
Comment 2 Daniel Garcia 2023-02-13 11:38:21 UTC
Fixed in openSUSE:Factory with the latest upstream release 39.0.1: https://build.opensuse.org/package/show/openSUSE:Factory/python-cryptography
Comment 4 Daniel Garcia 2023-02-14 13:02:43 UTC
SLE-12 versions have a python-cffi that doesn't have the "require_writable" so a patch for that package is also required first to be able to apply this patch.

So it's a bit more complicated than just one patch.
Comment 5 Daniel Garcia 2023-02-14 13:03:56 UTC
(In reply to Daniel Garcia from comment #4)
> SLE-12 versions have a python-cffi that doesn't have the "require_writable"
> so a patch for that package is also required first to be able to apply this
> patch.
> 
> So it's a bit more complicated than just one patch.

Here's the patch that I'm applying for python-cffi:

https://foss.heptapod.net/pypy/cffi/-/commit/c5c4d32c3e3ec0fbaabc4b9890fd17c9c58407d2
Comment 12 Christian Almeida de Oliveira 2023-03-14 15:57:43 UTC
Cloud 8 (SOC 8) and Cloud 9 (SOC 9) are under LTSS, thus only CVEs with a CVSS score higher than 7 are considered for fixing, which is not the case of this CVE.
Comment 13 Maintenance Automation 2023-03-14 16:30:12 UTC
SUSE-SU-2023:0722-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1208036
CVE References: CVE-2023-23931
Sources used:
openSUSE Leap Micro 5.3 (src): python-cryptography-3.3.2-150400.16.6.1
openSUSE Leap 15.4 (src): python-cryptography-3.3.2-150400.16.6.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): python-cryptography-3.3.2-150400.16.6.1
SUSE Linux Enterprise Micro 5.3 (src): python-cryptography-3.3.2-150400.16.6.1
Basesystem Module 15-SP4 (src): python-cryptography-3.3.2-150400.16.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2023-03-15 08:30:06 UTC
SUSE-SU-2023:0737-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1208036
CVE References: CVE-2023-23931
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): python-cryptography-2.9.2-150100.7.12.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): python-cryptography-2.9.2-150100.7.12.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): python-cryptography-2.9.2-150100.7.12.1
SUSE CaaS Platform 4.0 (src): python-cryptography-2.9.2-150100.7.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Maintenance Automation 2023-03-21 12:30:18 UTC
SUSE-SU-2023:0839-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1208036
CVE References: CVE-2023-23931
Sources used:
HPE Helion OpenStack 8 (src): python-cffi-1.10.0-4.3.1
SUSE OpenStack Cloud 8 (src): python-cffi-1.10.0-4.3.1
SUSE OpenStack Cloud Crowbar 8 (src): python-cffi-1.10.0-4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Maintenance Automation 2023-03-21 12:30:20 UTC
SUSE-SU-2023:0838-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1208036
CVE References: CVE-2023-23931
Sources used:
SUSE OpenStack Cloud 9 (src): python-cffi-1.11.5-3.3.1
SUSE OpenStack Cloud Crowbar 9 (src): python-cffi-1.11.5-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Maintenance Automation 2023-03-21 12:30:22 UTC
SUSE-SU-2023:0837-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1208036
CVE References: CVE-2023-23931
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python-cffi-1.11.5-5.19.1
SUSE Linux Enterprise Server 12 SP5 (src): python-cffi-1.11.5-5.19.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python-cffi-1.11.5-5.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Daniel Garcia 2023-03-22 08:04:27 UTC
Fix accepted now in all affected versions.
Comment 20 Maintenance Automation 2023-04-04 16:30:04 UTC
SUSE-SU-2023:1763-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1208036
CVE References: CVE-2023-23931
Sources used:
SUSE Linux Enterprise Real Time 15 SP3 (src): python-cryptography-3.3.2-150200.19.1
SUSE Linux Enterprise Micro 5.1 (src): python-cryptography-3.3.2-150200.19.1
SUSE Linux Enterprise Micro 5.2 (src): python-cryptography-3.3.2-150200.19.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): python-cryptography-3.3.2-150200.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Maintenance Automation 2023-04-05 12:30:25 UTC
SUSE-SU-2023:1767-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1208036
CVE References: CVE-2023-23931
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python-cryptography-2.8-7.40.1
SUSE Linux Enterprise Server 12 SP5 (src): python-cryptography-2.8-7.40.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python-cryptography-2.8-7.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Maintenance Automation 2023-05-09 12:30:09 UTC
SUSE-SU-2023:0722-2: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1208036
CVE References: CVE-2023-23931
Sources used:
SUSE Linux Enterprise Micro for Rancher 5.4 (src): python-cryptography-3.3.2-150400.16.6.1
SUSE Linux Enterprise Micro 5.4 (src): python-cryptography-3.3.2-150400.16.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Maintenance Automation 2023-05-09 16:31:00 UTC
SUSE-SU-2023:2144-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1208036
CVE References: CVE-2023-23931
Sources used:
HPE Helion OpenStack 8 (src): venv-openstack-sahara-7.0.5~dev4-11.44.1, venv-openstack-ceilometer-9.0.8~dev7-12.42.1, venv-openstack-horizon-hpe-12.0.5~dev6-14.52.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.40.1, venv-openstack-octavia-1.0.6~dev3-12.45.1, venv-openstack-designate-5.0.3~dev7-12.43.1, venv-openstack-barbican-5.0.2~dev3-12.47.1, venv-openstack-monasca-2.2.2~dev1-11.49.1, venv-openstack-nova-16.1.9~dev92-11.48.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.40.1, venv-openstack-trove-8.0.2~dev2-11.44.1, venv-openstack-aodh-5.1.1~dev7-12.44.1, venv-openstack-cinder-11.2.3~dev29-14.46.1, venv-openstack-murano-4.0.2~dev3-12.42.1, venv-openstack-neutron-11.0.9~dev69-13.50.1, venv-openstack-ironic-9.1.8~dev8-12.45.1, venv-openstack-keystone-12.0.4~dev11-11.49.1, python-cryptography-2.0.3-3.14.2, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.44.1, venv-openstack-manila-5.1.1~dev5-12.49.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.35.1, venv-openstack-heat-9.0.8~dev22-12.49.1, venv-openstack-glance-15.0.3~dev3-12.43.1
SUSE OpenStack Cloud 8 (src): venv-openstack-sahara-7.0.5~dev4-11.44.1, venv-openstack-ceilometer-9.0.8~dev7-12.42.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.40.1, venv-openstack-octavia-1.0.6~dev3-12.45.1, venv-openstack-designate-5.0.3~dev7-12.43.1, venv-openstack-barbican-5.0.2~dev3-12.47.1, venv-openstack-monasca-2.2.2~dev1-11.49.1, venv-openstack-nova-16.1.9~dev92-11.48.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.40.1, venv-openstack-horizon-12.0.5~dev6-14.52.1, venv-openstack-aodh-5.1.1~dev7-12.44.1, venv-openstack-cinder-11.2.3~dev29-14.46.1, venv-openstack-trove-8.0.2~dev2-11.44.1, venv-openstack-murano-4.0.2~dev3-12.42.1, venv-openstack-neutron-11.0.9~dev69-13.50.1, venv-openstack-ironic-9.1.8~dev8-12.45.1, venv-openstack-keystone-12.0.4~dev11-11.49.1, python-cryptography-2.0.3-3.14.2, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.44.1, venv-openstack-manila-5.1.1~dev5-12.49.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.35.1, venv-openstack-heat-9.0.8~dev22-12.49.1, venv-openstack-glance-15.0.3~dev3-12.43.1
SUSE OpenStack Cloud Crowbar 8 (src): python-cryptography-2.0.3-3.14.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Maintenance Automation 2023-05-16 12:30:10 UTC
SUSE-SU-2023:2218-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1208036
CVE References: CVE-2023-23931
Sources used:
SUSE OpenStack Cloud 9 (src): venv-openstack-glance-17.0.1~dev30-3.37.2, venv-openstack-barbican-7.0.1~dev24-3.41.2, venv-openstack-nova-18.3.1~dev92-3.47.2, venv-openstack-keystone-14.2.1~dev9-3.40.2, venv-openstack-horizon-14.1.1~dev11-4.47.2, venv-openstack-heat-11.0.4~dev4-3.41.2, venv-openstack-neutron-13.0.8~dev209-6.47.2, venv-openstack-monasca-2.7.1~dev10-3.41.2, python-cryptography-2.3.1-3.6.6, venv-openstack-octavia-3.2.3~dev7-4.39.2, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.39.2, venv-openstack-swift-2.19.2~dev48-2.34.2, venv-openstack-cinder-13.0.10~dev24-3.42.3, venv-openstack-ironic-11.1.5~dev18-4.37.2, venv-openstack-magnum-7.2.1~dev1-4.39.3, venv-openstack-sahara-9.0.2~dev15-3.39.2, venv-openstack-manila-7.4.2~dev60-3.45.2, venv-openstack-designate-7.0.2~dev2-3.39.2
SUSE OpenStack Cloud Crowbar 9 (src): python-cryptography-2.3.1-3.6.6

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 OBSbugzilla Bot 2023-09-06 21:15:09 UTC
This is an autogenerated message for OBS integration:
This bug (1208036) was mentioned in
https://build.opensuse.org/request/show/1109339 Factory / python-cryptography