diff --git a/SPECS/m2crypto/0001-skip-test_tls1_nok-which-cant-be-run-in-FIPS.patch b/SPECS/m2crypto/0001-skip-test_tls1_nok-which-cant-be-run-in-FIPS.patch deleted file mode 100644 index adb918928b5..00000000000 --- a/SPECS/m2crypto/0001-skip-test_tls1_nok-which-cant-be-run-in-FIPS.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 118f25fcb5d22e2f96ffa76a22fd2b4d127005fc Mon Sep 17 00:00:00 2001 -From: Muhammad Falak Wani -Date: Thu, 10 Feb 2022 21:58:34 +0530 -Subject: [PATCH] tests: skip test_tls1_nok which can't be run in FIPS mode - -Signed-off-by: Muhammad Falak Wani ---- - tests/test_ssl.py | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/tests/test_ssl.py b/tests/test_ssl.py -index e18adf5..5d5a9c8 100644 ---- a/tests/test_ssl.py -+++ b/tests/test_ssl.py -@@ -401,7 +401,7 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase): - self.assertIn('s_server -quiet -www', data) - - # TLS is required in FIPS mode -- @unittest.skipIf(fips_mode, "Can't be run in FIPS mode") -+ @unittest.skip("Can't be run in FIPS mode") - def test_tls1_nok(self): - self.args.append('-no_tls1') - pid = self.start_server(self.args) -@@ -417,6 +417,7 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase): - finally: - self.stop_server(pid) - -+ @unittest.skip("Skip TLS1 test which fails on Mariner") - def test_tls1_ok(self): - self.args.append('-tls1') - pid = self.start_server(self.args) --- -2.17.1 - diff --git a/SPECS/m2crypto/CVE-2019-11358.patch b/SPECS/m2crypto/CVE-2019-11358.patch deleted file mode 100644 index a262ca67af0..00000000000 --- a/SPECS/m2crypto/CVE-2019-11358.patch +++ /dev/null @@ -1,28 +0,0 @@ -From d3e8292d3c2ac5e78ee4f8cf7ea00241335159b4 Mon Sep 17 00:00:00 2001 -From: jykanase -Date: Wed, 29 Jan 2025 13:46:24 +0000 -Subject: [PATCH] CVE-2019-11358 - -Source Link: https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b ---- - doc/html/_static/jquery-3.2.1.js | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/doc/html/_static/jquery-3.2.1.js b/doc/html/_static/jquery-3.2.1.js -index d2d8ca4..8bbd717 100644 ---- a/doc/html/_static/jquery-3.2.1.js -+++ b/doc/html/_static/jquery-3.2.1.js -@@ -229,8 +229,9 @@ jQuery.extend = jQuery.fn.extend = function() { - src = target[ name ]; - copy = options[ name ]; - -+ // Prevent Object.prototype pollution - // Prevent never-ending loop -- if ( target === copy ) { -+ if ( name === "__proto__" || target === copy ) { - continue; - } - --- -2.45.2 - diff --git a/SPECS/m2crypto/CVE-2020-25657.patch b/SPECS/m2crypto/CVE-2020-25657.patch deleted file mode 100644 index cf45f933d63..00000000000 --- a/SPECS/m2crypto/CVE-2020-25657.patch +++ /dev/null @@ -1,175 +0,0 @@ -From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= -Date: Tue, 28 Jun 2022 21:17:01 +0200 -Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA - decryption API (CVE-2020-25657) - -Fixes #282 - -Upstream commit: 84c53958def0f510e92119fca14d74f94215827a -backported by @mfrw on 2022-08-16 - -Signed-off-by: Muhammad Falak R Wani ---- - src/SWIG/_m2crypto_wrap.c | 20 ++++++++++++-------- - src/SWIG/_rsa.i | 20 ++++++++++++-------- - tests/test_rsa.py | 15 +++++++-------- - 3 files changed, 31 insertions(+), 24 deletions(-) - -diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c -index aba9eb6..a9f30da 100644 ---- a/src/SWIG/_m2crypto_wrap.c -+++ b/src/SWIG/_m2crypto_wrap.c -@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -7124,9 +7127,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); - -diff --git a/src/SWIG/_rsa.i b/src/SWIG/_rsa.i -index bc714e0..1377b8b 100644 ---- a/src/SWIG/_rsa.i -+++ b/src/SWIG/_rsa.i -@@ -239,9 +239,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -269,9 +270,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -296,9 +298,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); -@@ -323,9 +326,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { - tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, - (unsigned char *)tbuf, rsa, padding); - if (tlen == -1) { -- m2_PyErr_Msg(_rsa_err); -+ ERR_clear_error(); -+ PyErr_Clear(); - PyMem_Free(tbuf); -- return NULL; -+ Py_RETURN_NONE; - } - ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); - -diff --git a/tests/test_rsa.py b/tests/test_rsa.py -index 7bb3af7..5e75d68 100644 ---- a/tests/test_rsa.py -+++ b/tests/test_rsa.py -@@ -109,8 +109,9 @@ class RSATestCase(unittest.TestCase): - # The other paddings. - for padding in self.s_padding_nok: - p = getattr(RSA, padding) -- with self.assertRaises(RSA.RSAError): -- priv.private_encrypt(self.data, p) -+ # Exception disabled as a part of mitigation against CVE-2020-25657 -+ # with self.assertRaises(RSA.RSAError): -+ priv.private_encrypt(self.data, p) - # Type-check the data to be encrypted. - with self.assertRaises(TypeError): - priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding) -@@ -127,10 +128,12 @@ class RSATestCase(unittest.TestCase): - self.assertEqual(ptxt, self.data) - - # no_padding -- with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): -- priv.public_encrypt(self.data, RSA.no_padding) -+ # Exception disabled as a part of mitigation against CVE-2020-25657 -+ # with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): -+ priv.public_encrypt(self.data, RSA.no_padding) - - # Type-check the data to be encrypted. -+ # Exception disabled as a part of mitigation against CVE-2020-25657 - with self.assertRaises(TypeError): - priv.public_encrypt(self.gen_callback, RSA.pkcs1_padding) - -@@ -146,10 +149,6 @@ class RSATestCase(unittest.TestCase): - b'\000\000\000\003\001\000\001') # aka 65537 aka 0xf4 - with self.assertRaises(RSA.RSAError): - setattr(rsa, 'e', '\000\000\000\003\001\000\001') -- with self.assertRaises(RSA.RSAError): -- rsa.private_encrypt(1) -- with self.assertRaises(RSA.RSAError): -- rsa.private_decrypt(1) - assert rsa.check_key() - - def test_loadpub_bad(self): --- -2.37.2 - diff --git a/SPECS/m2crypto/m2crypto.signatures.json b/SPECS/m2crypto/m2crypto.signatures.json index 18ed5cf6644..2dd78c137e3 100644 --- a/SPECS/m2crypto/m2crypto.signatures.json +++ b/SPECS/m2crypto/m2crypto.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "M2Crypto-0.38.0.tar.gz": "99f2260a30901c949a8dc6d5f82cd5312ffb8abc92e76633baf231bbbcb2decb" + "m2crypto-0.48.0.tar.gz": "178e290f558ddf0379aaefd34c0a8ddb21f21502594e588f928dda85f1ad202b" } } diff --git a/SPECS/m2crypto/m2crypto.spec b/SPECS/m2crypto/m2crypto.spec index b8da8793dd1..e99200f0b99 100644 --- a/SPECS/m2crypto/m2crypto.spec +++ b/SPECS/m2crypto/m2crypto.spec @@ -1,16 +1,13 @@ Summary: Crypto and SSL toolkit for Python Name: m2crypto -Version: 0.38.0 -Release: 4%{?dist} -License: MIT +Version: 0.48.0 +Release: 1%{?dist} +License: BSD Vendor: Microsoft Corporation Distribution: Azure Linux Group: Development/Languages/Python URL: https://pypi.python.org/pypi/M2Crypto -Source0: https://files.pythonhosted.org/packages/2c/52/c35ec79dd97a8ecf6b2bbd651df528abb47705def774a4a15b99977274e8/M2Crypto-%{version}.tar.gz -Patch0: 0001-skip-test_tls1_nok-which-cant-be-run-in-FIPS.patch -Patch1: CVE-2020-25657.patch -Patch2: CVE-2019-11358.patch +Source0: https://files.pythonhosted.org/packages/89/7a/06ed5c66d63506bc77a7823d56e5e6b4ad3143f3fca2337c46d8b2c191f5/m2crypto-%{version}.tar.gz %description M2Crypto is a crypto and SSL toolkit for Python @@ -19,13 +16,16 @@ M2Crypto is a crypto and SSL toolkit for Python Summary: Crypto and SSL toolkit for Python BuildRequires: openssl-devel BuildRequires: python3-devel +BuildRequires: python3-packaging BuildRequires: python3-setuptools BuildRequires: python3-xml BuildRequires: swig Requires: openssl >= 1.1.1g-6 Requires: python3 +Requires: python3-packaging %if 0%{?with_check} -BuildRequires: python3-pip +BuildRequires: openssl +BuildRequires: python3-pytest %endif %description -n python3-m2crypto @@ -39,7 +39,7 @@ server. S/MIME. ZServerSSL: A HTTPS server for Zope. ZSmime: An S/MIME messenger for Zope. %prep -%autosetup -n M2Crypto-%{version} -p1 +%autosetup -n m2crypto-%{version} %build %py3_build @@ -48,16 +48,39 @@ messenger for Zope. %py3_install %check -pip3 install parameterized -#Testing: MiscSSLClientTestCase failing with SSLError not raised -%python3 setup.py test +# setuptools >= 72 removed the 'setup.py test' command, so run the suite +# directly with pytest. Tests import M2Crypto from the installed buildroot. +# Azure Linux's OpenSSL 3.x keeps MD5 in the "legacy" provider, which is not +# loaded by default; enable it for the test run so the HMAC-MD5 assertion in +# tests/test_evp.py (EVPTestCase.test_hmac) runs and passes unmodified. +cat > %{_builddir}/openssl-legacy.cnf <<'EOF' +openssl_conf = openssl_init +[openssl_init] +providers = provider_sect +[provider_sect] +default = default_sect +legacy = legacy_sect +[default_sect] +activate = 1 +[legacy_sect] +activate = 1 +EOF +OPENSSL_CONF=%{_builddir}/openssl-legacy.cnf \ + PYTHONPATH=%{buildroot}%{python3_sitelib} %python3 -m pytest -v tests/ %files -n python3-m2crypto %defattr(-,root,root) -%license LICENCE +%license LICENSES/BSD-2-Clause.txt %{python3_sitelib}/* %changelog +* Tue Jun 30 2026 Sumit Jena - 0.48.0-1 +- Upgrade to version 0.48.0 +- Drop CVE-2020-25657.patch (fixed upstream) and CVE-2019-11358.patch (bundled jQuery doc no longer shipped) +- Drop FIPS TLS1 test-skip patch (upstream tests now handle OpenSSL 3.x) +- Run %%check offline via pytest instead of removed 'setup.py test'; enable the OpenSSL legacy provider during %%check so the HMAC-MD5 test runs unmodified; drop network 'pip3 install parameterized' +- License verified as BSD-2-Clause + * Wed Jan 29 2025 Jyoti Kanase - 0.38.0-4 - Fix CVE-2019-11358 diff --git a/cgmanifest.json b/cgmanifest.json index be9a8a398af..486ab1e75ae 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -12921,8 +12921,8 @@ "type": "other", "other": { "name": "m2crypto", - "version": "0.38.0", - "downloadUrl": "https://files.pythonhosted.org/packages/2c/52/c35ec79dd97a8ecf6b2bbd651df528abb47705def774a4a15b99977274e8/M2Crypto-0.38.0.tar.gz" + "version": "0.48.0", + "downloadUrl": "https://files.pythonhosted.org/packages/89/7a/06ed5c66d63506bc77a7823d56e5e6b4ad3143f3fca2337c46d8b2c191f5/m2crypto-0.48.0.tar.gz" } } },