GHSA-6vqw-3v5j-54x4

Suggest an improvement
Source
https://github.com/advisories/GHSA-6vqw-3v5j-54x4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-6vqw-3v5j-54x4/GHSA-6vqw-3v5j-54x4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6vqw-3v5j-54x4
Aliases
Related
Published
2024-02-21T18:04:40Z
Modified
2024-09-11T06:12:55.797077Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override
Details

If pkcs12.serialize_key_and_certificates is called with both:

  1. A certificate whose public key did not match the provided private key
  2. An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)

Then a NULL pointer dereference would occur, crashing the Python process.

This has been resolved, and now a ValueError is properly raised.

Patched in https://github.com/pyca/cryptography/pull/10423

References

Affected packages

PyPI / cryptography

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
38.0.0
Fixed
42.0.4

Affected versions

38.*

38.0.0
38.0.1
38.0.2
38.0.3
38.0.4

39.*

39.0.0
39.0.1
39.0.2

40.*

40.0.0
40.0.1
40.0.2

41.*

41.0.0
41.0.1
41.0.2
41.0.3
41.0.4
41.0.5
41.0.6
41.0.7

42.*

42.0.0
42.0.1
42.0.2
42.0.3