diff --git a/SPECS/python-cryptography/CVE-2026-26007.patch b/SPECS/python-cryptography/CVE-2026-26007.patch new file mode 100644 index 00000000000..050050aef15 --- /dev/null +++ b/SPECS/python-cryptography/CVE-2026-26007.patch @@ -0,0 +1,166 @@ +From 755f284e6e1ee5b67cc1feea1b8d1e5d14b4ef5c Mon Sep 17 00:00:00 2001 +From: AllSpark +Date: Fri, 13 Feb 2026 14:05:58 +0000 +Subject: [PATCH] Backport: EC check key on cofactor > 1; deprecate SECT + curves; add tests; add DeprecatedIn46; changelog entry + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: AI Backport of https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c.patch +--- + .../hazmat/primitives/asymmetric/ec.py | 24 +++++++ + src/cryptography/utils.py | 1 + + src/rust/src/backend/ec.rs | 69 +++++++++++++++---- + 3 files changed, 81 insertions(+), 13 deletions(-) + +diff --git a/src/cryptography/hazmat/primitives/asymmetric/ec.py b/src/cryptography/hazmat/primitives/asymmetric/ec.py +index b612b40..3bbc1f3 100644 +--- a/src/cryptography/hazmat/primitives/asymmetric/ec.py ++++ b/src/cryptography/hazmat/primitives/asymmetric/ec.py +@@ -381,3 +381,27 @@ def get_curve_for_oid(oid: ObjectIdentifier) -> type[EllipticCurve]: + "The provided object identifier has no matching elliptic " + "curve class" + ) ++ ++ ++ ++_SECT_CURVES: tuple[type[EllipticCurve], ...] = ( ++ SECT163K1, ++ SECT163R2, ++ SECT233K1, ++ SECT233R1, ++ SECT283K1, ++ SECT283R1, ++ SECT409K1, ++ SECT409R1, ++ SECT571K1, ++ SECT571R1, ++) ++ ++for _curve_cls in _SECT_CURVES: ++ utils.deprecated( ++ _curve_cls, ++ __name__, ++ f"{_curve_cls.__name__} will be removed in the next release.", ++ utils.DeprecatedIn46, ++ name=_curve_cls.__name__, ++ ) +diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py +index a0ec7a3..e883efa 100644 +--- a/src/cryptography/utils.py ++++ b/src/cryptography/utils.py +@@ -25,6 +25,7 @@ DeprecatedIn37 = CryptographyDeprecationWarning + DeprecatedIn40 = CryptographyDeprecationWarning + DeprecatedIn41 = CryptographyDeprecationWarning + DeprecatedIn42 = CryptographyDeprecationWarning ++DeprecatedIn46 = CryptographyDeprecationWarning + + + def _check_bytes(name: str, value: bytes) -> None: +diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs +index 6a224b4..af99499 100644 +--- a/src/rust/src/backend/ec.rs ++++ b/src/rust/src/backend/ec.rs +@@ -155,11 +155,8 @@ pub(crate) fn public_key_from_pkey( + ) -> CryptographyResult { + let ec = pkey.ec_key()?; + let curve = py_curve_from_curve(py, ec.group())?; +- check_key_infinity(&ec)?; +- Ok(ECPublicKey { +- pkey: pkey.to_owned(), +- curve: curve.into(), +- }) ++ ++ ECPublicKey::new(pkey.to_owned(), curve.into()) + } + #[pyo3::prelude::pyfunction] + fn generate_private_key( +@@ -215,10 +212,7 @@ fn from_public_bytes( + let ec = openssl::ec::EcKey::from_public_key(&curve, &point)?; + let pkey = openssl::pkey::PKey::from_ec_key(ec)?; + +- Ok(ECPublicKey { +- pkey, +- curve: py_curve.into(), +- }) ++ ECPublicKey::new(pkey, py_curve.into()) + } + + #[pyo3::prelude::pymethods] +@@ -357,10 +351,62 @@ impl ECPrivateKey { + } + } + ++ ++impl ECPublicKey { ++ fn new( ++ pkey: openssl::pkey::PKey, ++ curve: pyo3::Py, ++ ) -> CryptographyResult { ++ let ec = pkey.ec_key()?; ++ check_key_infinity(&ec)?; ++ let mut bn_ctx = openssl::bn::BigNumContext::new()?; ++ let mut cofactor = openssl::bn::BigNum::new()?; ++ ec.group().cofactor(&mut cofactor, &mut bn_ctx)?; ++ let one = openssl::bn::BigNum::from_u32(1)?; ++ if cofactor != one { ++ ec.check_key().map_err(|_| { ++ pyo3::exceptions::PyValueError::new_err( ++ "Invalid EC key (key out of range, infinity, etc.)", ++ ) ++ })?; ++ } ++ ++ Ok(ECPublicKey { pkey, curve }) ++ } ++} ++ + #[pyo3::prelude::pymethods] + impl ECPublicKey { + #[getter] ++ ++impl ECPublicKey { ++ fn new( ++ pkey: openssl::pkey::PKey, ++ curve: pyo3::Py, ++ ) -> CryptographyResult { ++ let ec = pkey.ec_key()?; ++ check_key_infinity(&ec)?; ++ let mut bn_ctx = openssl::bn::BigNumContext::new()?; ++ let mut cofactor = openssl::bn::BigNum::new()?; ++ ec.group().cofactor(&mut cofactor, &mut bn_ctx)?; ++ let one = openssl::bn::BigNum::from_u32(1)?; ++ if cofactor != one { ++ ec.check_key().map_err(|_| { ++ pyo3::exceptions::PyValueError::new_err( ++ "Invalid EC key (key out of range, infinity, etc.)", ++ ) ++ })?; ++ } ++ ++ Ok(ECPublicKey { pkey, curve }) ++ } ++} ++ + fn key_size<'p>(&'p self, py: pyo3::Python<'p>) -> pyo3::PyResult<&'p pyo3::PyAny> { ++ ++ ++ ++ + self.curve.as_ref(py).getattr(pyo3::intern!(py, "key_size")) + } + +@@ -591,10 +637,7 @@ impl EllipticCurvePublicNumbers { + + let pkey = openssl::pkey::PKey::from_ec_key(public_key)?; + +- Ok(ECPublicKey { +- pkey, +- curve: self.curve.clone_ref(py), +- }) ++ ECPublicKey::new(pkey, self.curve.clone_ref(py)) + } + + fn __eq__( +-- +2.45.4 + diff --git a/SPECS/python-cryptography/python-cryptography.spec b/SPECS/python-cryptography/python-cryptography.spec index 9e949a1c02a..0b6482603b5 100644 --- a/SPECS/python-cryptography/python-cryptography.spec +++ b/SPECS/python-cryptography/python-cryptography.spec @@ -2,7 +2,7 @@ Summary: Python cryptography library Name: python-cryptography Version: 42.0.5 -Release: 3%{?dist} +Release: 4%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -16,6 +16,7 @@ Source1: cryptography-%{version}-vendor.tar.gz # due to their absence. Patch0: 0001-remove-openssl-cipher-Cipher-chacha20_poly1305.patch Patch1: 0002-remove-poly1305-tests.patch +Patch2: CVE-2026-26007.patch %description Cryptography is a Python library which exposes cryptographic recipes and primitives. @@ -111,6 +112,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} \ %license LICENSE %changelog +* Fri Feb 13 2026 Azure Linux Security Servicing Account - 42.0.5-4 +- Patch for CVE-2026-26007 + * Tue May 06 2025 Riken Maharjan - 42.0.5-3 - Fix Ptest for python-cryptography