GHSA-w7pp-m8wf-vj6r

Suggest an improvement
Source
https://github.com/advisories/GHSA-w7pp-m8wf-vj6r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-w7pp-m8wf-vj6r/GHSA-w7pp-m8wf-vj6r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w7pp-m8wf-vj6r
Aliases
Published
2023-02-07T20:54:10Z
Modified
2024-09-13T20:24:39.876926Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L CVSS Calculator
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Cipher.update_into can corrupt memory if passed an immutable python object as the outbuf
Details

Previously, Cipher.update_into would accept Python objects which implement the buffer protocol, but provide only immutable buffers:

>>> outbuf = b"\x00" * 32
>>> c = ciphers.Cipher(AES(b"\x00" * 32), modes.ECB()).encryptor()
>>> c.update_into(b"\x00" * 16, outbuf)
16
>>> outbuf
b'\xdc\x95\xc0x\xa2@\x89\x89\xadH\xa2\x14\x92\x84 \x87\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

This would allow immutable objects (such as bytes) to be mutated, thus violating fundamental rules of Python. This is a soundness bug -- it allows programmers to misuse an API, it cannot be exploited by attacker controlled data alone.

This now correctly raises an exception.

This issue has been present since update_into was originally introduced in cryptography 1.8.

References

Affected packages

PyPI / cryptography

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.8
Fixed
39.0.1

Affected versions

1.*

1.8
1.8.1
1.8.2
1.9

2.*

2.0
2.0.1
2.0.2
2.0.3
2.1
2.1.1
2.1.2
2.1.3
2.1.4
2.2
2.2.1
2.2.2
2.3
2.3.1
2.4
2.4.1
2.4.2
2.5
2.6
2.6.1
2.7
2.8
2.9
2.9.1
2.9.2

3.*

3.0
3.1
3.1.1
3.2
3.2.1
3.3
3.3.1
3.3.2
3.4
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8

35.*

35.0.0

36.*

36.0.0
36.0.1
36.0.2

37.*

37.0.0
37.0.1
37.0.2
37.0.3
37.0.4

38.*

38.0.0
38.0.1
38.0.2
38.0.3
38.0.4

39.*

39.0.0

Ecosystem specific

{
    "affected_functions": [
        "cryptography.hazmat.primitives.ciphers.Cipher"
    ]
}