CVE-2024-26130

NameCVE-2024-26130
Descriptioncryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1064778

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-cryptography (PTS)bullseye3.3.2-1fixed
bullseye (security)3.3.2-1+deb11u1fixed
bookworm38.0.4-3+deb12u1fixed
bookworm (security)38.0.4-3~deb12u1vulnerable
sid, trixie43.0.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-cryptographysourcebuster(not affected)
python-cryptographysourcebullseye(not affected)
python-cryptographysourcebookworm38.0.4-3+deb12u1
python-cryptographysource(unstable)42.0.5-11064778

Notes

[bullseye] - python-cryptography <not-affected> (Vulnerable code was introduced later)
[buster] - python-cryptography <not-affected> (Vulnerable code was introduced later)
https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
https://github.com/pyca/cryptography/pull/10423
Introduced by: https://github.com/pyca/cryptography/commit/1742975367e457ee030e582b88bd870eaa788dfe (38.0.0)
Fixed by: https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55 (43.0.0)
Fixed by: https://github.com/pyca/cryptography/commit/7a4d012991061974da5d9cb7614de65eac94f49b (42.0.4)
Search for package or bug name: Reporting problems