Fix CVE 2020-36242 (#634)

* Update python-cryptography to 3.3.2
* Update python-cffi
* Update cgmanifest
* Remove old patch file

SPECS/python-cffi/python-cffi.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "cffi-1.11.5.tar.gz": "e90f17980e6ab0f3c2f3730e56d1fe9bcba1891eeea58966e89d352492cc74f4"
+  "cffi-1.14.5.tar.gz": "fd78e5fee591709f32ef6edb9a015b4aa1a5022598e36227500c8f4e02328d9c"
  }
 }

SPECS/python-cffi/python-cffi.spec

@@ -3,15 +3,14 @@
 
 Summary:        Interface for Python to call C code
 Name:           python-cffi
-Version:        1.11.5
-Release:        4%{?dist}
+Version:        1.14.5
+Release:        1%{?dist}
 Url:            https://pypi.python.org/pypi/cffi
 License:        MIT
 Group:          Development/Languages/Python
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Source0:        https://pypi.python.org/packages/source/c/cffi/cffi-%{version}.tar.gz
-%define sha1    cffi=1686e6689a691414d3d22626c837adeee3996dd9
 
 BuildRequires:  python2
 BuildRequires:  python2-libs
@@ -82,9 +81,10 @@ popd
 %{python3_sitelib}/*
 
 %changelog
-* Sat May 09 00:20:43 PST 2020 Nick Samson <nisamson@microsoft.com>
-- Added %%license line automatically
-
+*   Thu Feb 11 2021 Mateusz Malisz <mamalisz@microsoft.com> 1.14.5-1
+-   Update to 1.14.5
+*   Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 1.11.5-4
+-   Added %%license line automatically
 *   Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 1.11.5-3
 -   Initial CBL-Mariner import from Photon (license: Apache2).
 *   Thu Nov 15 2018 Tapas Kundu <tkundu@vmware.com> 1.11.5-2

SPECS/python-cryptography/CVE-2020-25659.patch

@@ -1,91 +0,0 @@
-From ce1bef6f1ee06ac497ca0c837fbd1c7ef6c2472b Mon Sep 17 00:00:00 2001
-From: Alex Gaynor <alex.gaynor@gmail.com>
-Date: Sun, 25 Oct 2020 19:01:50 -0400
-Subject: [PATCH] Attempt to mitigate Bleichenbacher attacks on RSA decryption
-Patch backported to python-cryptography version 2.3.1 by henry.beberman@microsoft.com
-
-diff -ur a/CHANGELOG.rst b/CHANGELOG.rst
---- a/CHANGELOG.rst	2018-08-14 10:24:28.000000000 -0700
-+++ b/CHANGELOG.rst	2021-01-20 11:09:02.661169269 -0800
-@@ -1,6 +1,16 @@
- Changelog
- =========
- 
-+2.3.1 - 2021-01-20
-+~~~~~~~~~~~~~~~~~~
-+
-++* **SECURITY ISSUE:** Attempted to make RSA PKCS#1v1.5 decryption more constant
-++  time, to protect against Bleichenbacher vulnerabilities. Due to limitations
-++  imposed by our API, we cannot completely mitigate this vulnerability and a
-++  future release will contain a new API which is designed to be resilient to
-++  these for contexts where it is required. Credit to **Hubert Kario** for
-++  reporting the issue. *CVE-2020-25659*
-+
- .. _v2-3-1:
- 
- 2.3.1 - 2018-08-14
-diff -ur a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
---- a/docs/spelling_wordlist.txt	2018-08-14 10:24:28.000000000 -0700
-+++ b/docs/spelling_wordlist.txt	2021-01-20 11:10:26.001031614 -0800
-@@ -5,6 +5,7 @@
- Backends
- backends
- bcrypt
-+Bleichenbacher
- Blowfish
- boolean
- Botan
-diff -ur a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
---- a/src/cryptography/hazmat/backends/openssl/rsa.py	2018-08-14 10:24:23.000000000 -0700
-+++ b/src/cryptography/hazmat/backends/openssl/rsa.py	2021-01-20 11:10:20.461040920 -0800
-@@ -120,39 +120,19 @@
- 
-     outlen = backend._ffi.new("size_t *", buf_size)
-     buf = backend._ffi.new("unsigned char[]", buf_size)
-+    # Everything from this line onwards is written with the goal of being as
-+    # constant-time as is practical given the constraints of Python and our
-+    # API. See Bleichenbacher's '98 attack on RSA, and its many many variants.
-+    # As such, you should not attempt to change this (particularly to "clean it
-+    # up") without understanding why it was written this way (see
-+    # Chesterton's Fence), and without measuring to verify you have not
-+    # introduced observable time differences.
-     res = crypt(pkey_ctx, buf, outlen, data, len(data))
-+    resbuf = backend._ffi.buffer(buf)[: outlen[0]]
-+    backend._lib.ERR_clear_error()
-     if res <= 0:
--        _handle_rsa_enc_dec_error(backend, key)
--
--    return backend._ffi.buffer(buf)[:outlen[0]]
--
--
--def _handle_rsa_enc_dec_error(backend, key):
--    errors = backend._consume_errors()
--    backend.openssl_assert(errors)
--    assert errors[0].lib == backend._lib.ERR_LIB_RSA
--    if isinstance(key, _RSAPublicKey):
--        assert (errors[0].reason ==
--                backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE)
--        raise ValueError(
--            "Data too long for key size. Encrypt less data or use a "
--            "larger key size."
--        )
--    else:
--        decoding_errors = [
--            backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_01,
--            backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_02,
--            backend._lib.RSA_R_OAEP_DECODING_ERROR,
--            # Though this error looks similar to the
--            # RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE, this occurs on decrypts,
--            # rather than on encrypts
--            backend._lib.RSA_R_DATA_TOO_LARGE_FOR_MODULUS,
--        ]
--        if backend._lib.Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR:
--            decoding_errors.append(backend._lib.RSA_R_PKCS_DECODING_ERROR)
--
--        assert errors[0].reason in decoding_errors
--        raise ValueError("Decryption failed.")
-+        raise ValueError("Encryption/decryption failed.")
-+    return resbuf
- 
- 
- def _rsa_sig_determine_padding(backend, key, padding, algorithm):

SPECS/python-cryptography/python-cryptography.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "cryptography-2.3.1.tar.gz": "8d10113ca826a4c29d5b85b2c4e045ffa8bad74fb525ee0eceb1d38d4c70dfd6"
+  "cryptography-3.3.2.tar.gz": "5a60d3780149e13b7a6ff7ad6526b38846354d11a15e21068e57073e29e19bed"
  }
-}
+}

SPECS/python-cryptography/python-cryptography.spec

@@ -3,8 +3,8 @@
 
 Summary:        Python cryptography library
 Name:           python-cryptography
-Version:        2.3.1
-Release:        4%{?dist}
+Version:        3.3.2
+Release:        1%{?dist}
 Url:            https://pypi.python.org/pypi/cryptography
 License:        ASL 2.0
 Group:          Development/Languages/Python
@@ -12,8 +12,6 @@ Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Source0:        https://pypi.io/packages/source/c/cryptography/cryptography-%{version}.tar.gz
 
-Patch0:         CVE-2020-25659.patch
-
 BuildRequires:  python2
 BuildRequires:  python2-libs
 BuildRequires:  python2-devel
@@ -56,11 +54,11 @@ Requires:       python3-packaging
 Requires:       python3-asn1crypto
 
 %description -n python3-cryptography
-
-Python 3 version.
+Cryptography is a Python library which exposes cryptographic recipes and primitives.
+This is a Python 3 version.
 
 %prep
-%autosetup -p1 -n cryptography-%{version}
+%autosetup -n cryptography-%{version}
 rm -rf ../p3dir
 cp -a . ../p3dir
 
@@ -101,6 +99,9 @@ python3 setup.py test
 %{python3_sitelib}/*
 
 %changelog
+*   Wed Feb 10 2021 Mateusz Malisz <mamalisz@microsoft.com> 3.3.2-1
+-   Update to version 3.3.2, fixing CVE-2020-36242
+-   Remove Patch for CVE-2020-25659.
 *   Wed Jan 20 2021 Henry Beberman <henry.beberman@microsoft.com> 2.3.1-4
 -   Patch CVE-2020-25659
 -   License verified

cgmanifest.json

@@ -4605,8 +4605,8 @@
         "type": "other",
         "other": {
           "name": "python-cffi",
-          "version": "1.11.5",
-          "downloadUrl": "https://pypi.python.org/packages/source/c/cffi/cffi-1.11.5.tar.gz"
+          "version": "1.14.5",
+          "downloadUrl": "https://pypi.python.org/packages/source/c/cffi/cffi-1.14.5.tar.gz"
         }
       }
     },
@@ -4655,8 +4655,8 @@
         "type": "other",
         "other": {
           "name": "python-cryptography",
-          "version": "2.3.1",
-          "downloadUrl": "https://pypi.io/packages/source/c/cryptography/cryptography-2.3.1.tar.gz"
+          "version": "3.3.2",
+          "downloadUrl": "https://pypi.io/packages/source/c/cryptography/cryptography-3.3.2.tar.gz"
         }
       }
     },