From: Nguyen Dat Tho <[email protected]> CVE-2026-26007 is fixed upstream in version 46.0.5. Our current version (42.0.5, scarthgap) is still reported as vulnerable by NVD. Backport the upstream fix to address this CVE.
Upstream commit: https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c CVE report: https://nvd.nist.gov/vuln/detail/CVE-2026-26007 Signed-off-by: Nguyen Dat Tho <[email protected]> --- .../python3-cryptography/CVE-2026-26007.patch | 149 ++++++++++++++++++ .../python/python3-cryptography_42.0.5.bb | 1 + 2 files changed, 150 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch new file mode 100644 index 0000000000..a78d287ccd --- /dev/null +++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch @@ -0,0 +1,149 @@ +From 42c914929b52eb16421a4ef1f7e09c8f9fdab7db Mon Sep 17 00:00:00 2001 +From: Paul Kehrer <[email protected]> +Date: Wed, 18 Mar 2026 16:01:03 +0900 +Subject: [PATCH] EC check key on cofactor > 1 + +An attacker could create a malicious public key that reveals portions of +your private key when using certain uncommon elliptic curves (binary +curves). This version now includes additional security checks to +prevent this attack. This issue only affects binary elliptic curves, +which are rarely used in real-world applications. Credit to **XlabAI +Team of Tencent Xuanwu Lab and Atuin Automated Vulnerability Discovery +Engine** for reporting the issue. **CVE-2026-26007** + +This is a partial backport of upstream commit +0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c, to only include what's +relevant for CVE-2026-26007. + +CVE: CVE-2026-26007 + +Origin: backport, https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c +Reference: https://salsa.debian.org/python-team/packages/python-cryptography/-/commit/464e7ca3b0b4493d5906d0c3685de71fda770c59 + +Signed-off-by: Nguyen Dat Tho <[email protected]> +Signed-off-by: Paul Kehrer <[email protected]> +Co-authored-by: Alex Gaynor <[email protected]> +--- +Upstream-Status: Backport [Backport from https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c] + + src/rust/src/backend/ec.rs | 39 ++++++++++++++++++++---------- + tests/hazmat/primitives/test_ec.py | 37 ++++++++++++++++++++++++++++ + 2 files changed, 63 insertions(+), 13 deletions(-) + +diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs +index 6a224b49f..27fced086 100644 +--- a/src/rust/src/backend/ec.rs ++++ b/src/rust/src/backend/ec.rs +@@ -155,12 +155,9 @@ pub(crate) fn public_key_from_pkey( + ) -> CryptographyResult<ECPublicKey> { + let ec = pkey.ec_key()?; + let curve = py_curve_from_curve(py, ec.group())?; +- check_key_infinity(&ec)?; +- Ok(ECPublicKey { +- pkey: pkey.to_owned(), +- curve: curve.into(), +- }) ++ ECPublicKey::new(pkey.to_owned(), curve.into()) + } ++ + #[pyo3::prelude::pyfunction] + fn generate_private_key( + py: pyo3::Python<'_>, +@@ -215,10 +212,7 @@ fn from_public_bytes( + let ec = openssl::ec::EcKey::from_public_key(&curve, &point)?; + let pkey = openssl::pkey::PKey::from_ec_key(ec)?; + +- Ok(ECPublicKey { +- pkey, +- curve: py_curve.into(), +- }) ++ ECPublicKey::new(pkey, py_curve.into()) + } + + #[pyo3::prelude::pymethods] +@@ -357,6 +351,28 @@ impl ECPrivateKey { + } + } + ++impl ECPublicKey { ++ fn new( ++ pkey: openssl::pkey::PKey<openssl::pkey::Public>, ++ curve: pyo3::Py<pyo3::PyAny>, ++ ) -> CryptographyResult<ECPublicKey> { ++ let ec = pkey.ec_key()?; ++ check_key_infinity(&ec)?; ++ let mut bn_ctx = openssl::bn::BigNumContext::new()?; ++ let mut cofactor = openssl::bn::BigNum::new()?; ++ ec.group().cofactor(&mut cofactor, &mut bn_ctx)?; ++ let one = openssl::bn::BigNum::from_u32(1)?; ++ if cofactor != one { ++ ec.check_key().map_err(|_| { ++ pyo3::exceptions::PyValueError::new_err( ++ "Invalid EC key (key out of range, infinity, etc.)", ++ ) ++ })?; ++ } ++ ++ Ok(ECPublicKey { pkey, curve }) ++ } ++} + #[pyo3::prelude::pymethods] + impl ECPublicKey { + #[getter] +@@ -591,10 +607,7 @@ impl EllipticCurvePublicNumbers { + + let pkey = openssl::pkey::PKey::from_ec_key(public_key)?; + +- Ok(ECPublicKey { +- pkey, +- curve: self.curve.clone_ref(py), +- }) ++ ECPublicKey::new(pkey, self.curve.clone_ref(py)) + } + + fn __eq__( +diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py +index 334e76dcc..f7f2242f6 100644 +--- a/tests/hazmat/primitives/test_ec.py ++++ b/tests/hazmat/primitives/test_ec.py +@@ -1340,3 +1340,40 @@ class TestECDH: + + with pytest.raises(ValueError): + key.exchange(ec.ECDH(), public_key) ++ ++ ++def test_invalid_sect_public_keys(backend): ++ _skip_curve_unsupported(backend, ec.SECT571K1()) ++ public_numbers = ec.EllipticCurvePublicNumbers(1, 1, ec.SECT571K1()) ++ with pytest.raises(ValueError): ++ public_numbers.public_key() ++ ++ point = binascii.unhexlify( ++ b"0400000000000000000000000000000000000000000000000000000000000000000" ++ b"0000000000000000000000000000000000000000000000000000000000000000000" ++ b"0000000000010000000000000000000000000000000000000000000000000000000" ++ b"0000000000000000000000000000000000000000000000000000000000000000000" ++ b"0000000000000000000001" ++ ) ++ with pytest.raises(ValueError): ++ ec.EllipticCurvePublicKey.from_encoded_point(ec.SECT571K1(), point) ++ ++ der = binascii.unhexlify( ++ b"3081a7301006072a8648ce3d020106052b810400260381920004000000000000000" ++ b"0000000000000000000000000000000000000000000000000000000000000000000" ++ b"0000000000000000000000000000000000000000000000000000000000000100000" ++ b"0000000000000000000000000000000000000000000000000000000000000000000" ++ b"0000000000000000000000000000000000000000000000000000000000000000000" ++ b"00001" ++ ) ++ with pytest.raises(ValueError): ++ serialization.load_der_public_key(der) ++ ++ pem = textwrap.dedent("""-----BEGIN PUBLIC KEY----- ++ MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ++ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ++ AAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ++ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= ++ -----END PUBLIC KEY-----""").encode() ++ with pytest.raises(ValueError): ++ serialization.load_pem_public_key(pem) diff --git a/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb b/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb index 732f925d92..c4573fa689 100644 --- a/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb +++ b/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb @@ -11,6 +11,7 @@ LDSHARED += "-pthread" SRC_URI[sha256sum] = "6fe07eec95dfd477eb9530aef5bead34fec819b3aaf6c5bd6d20565da607bfe1" SRC_URI += "file://0001-pyproject.toml-remove-benchmark-disable-option.patch \ + file://CVE-2026-26007.patch \ file://check-memfree.py \ file://run-ptest \ "
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#233465): https://lists.openembedded.org/g/openembedded-core/message/233465 Mute This Topic: https://lists.openembedded.org/mt/118396581/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
