Name | CVE-2024-26130 |
Description | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 1064778 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
python-cryptography (PTS) | bullseye | 3.3.2-1 | fixed |
bullseye (security) | 3.3.2-1+deb11u1 | fixed | |
bookworm | 38.0.4-3+deb12u1 | fixed | |
bookworm (security) | 38.0.4-3~deb12u1 | vulnerable | |
sid, trixie | 43.0.0-1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
python-cryptography | source | buster | (not affected) | |||
python-cryptography | source | bullseye | (not affected) | |||
python-cryptography | source | bookworm | 38.0.4-3+deb12u1 | |||
python-cryptography | source | (unstable) | 42.0.5-1 | 1064778 |
[bullseye] - python-cryptography <not-affected> (Vulnerable code was introduced later)
[buster] - python-cryptography <not-affected> (Vulnerable code was introduced later)
https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
https://github.com/pyca/cryptography/pull/10423
Introduced by: https://github.com/pyca/cryptography/commit/1742975367e457ee030e582b88bd870eaa788dfe (38.0.0)
Fixed by: https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55 (43.0.0)
Fixed by: https://github.com/pyca/cryptography/commit/7a4d012991061974da5d9cb7614de65eac94f49b (42.0.4)