FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

py-cryptography -- allows programmers to misuse an API

Affected packages
1.8 <= py310-cryptography < 39.0.1
1.8 <= py311-cryptography < 39.0.1
1.8 <= py37-cryptography < 39.0.1
1.8 <= py38-cryptography < 39.0.1
1.8 <= py39-cryptography < 39.0.1

Details

VuXML ID a32ef450-9781-414b-a944-39f2f61677f2
Discovery 2023-02-07
Entry 2023-04-10

alex reports:

Previously, `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers.

This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python.

This is a soundness bug -- it allows programmers to misuse an API; it cannot be exploited by attacker-controlled data alone.

This now correctly raises an exception.

This issue has been present since `update_into` was originally introduced in cryptography 1.8.
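The misuse described above, as an added example that is not part of the advisory or of the cryptography project's own code: `update_into` needs a writable buffer, and on an affected release a read-only buffer-protocol object such as `bytes` was accepted and silently written into. The helpers `ensure_writable`, `is_writable` and `aes_ctr_encrypt_into` are hypothetical names for this example; the caller-side check mirrors what 39.0.1 now does in the library and lets code that may still run on 1.8 <= version < 39.0.1 fail loudly instead.

```python
"""Added example (not from the advisory or the cryptography project).

Shows the Cipher.update_into soundness bug (CVE-2023-23931): a read-only
buffer-protocol object used to be accepted as the output buffer, and a
caller-side guard that rejects it before it reaches the library.
"""
import os


def ensure_writable(buf) -> memoryview:
    """Return a writable memoryview over ``buf`` or raise TypeError.

    cryptography >= 39.0.1 performs this rejection itself; doing it in the
    caller as well protects code that may still run on an affected release
    (1.8 <= version < 39.0.1), where ``bytes`` would have been mutated in place.
    """
    view = memoryview(buf)  # TypeError if buf does not support the buffer protocol
    if view.readonly:
        raise TypeError(
            "update_into needs a writable buffer such as bytearray, "
            f"got read-only {type(buf).__name__}"
        )
    return view


def is_writable(buf) -> bool:
    """True if ``buf`` exposes a writable buffer (bytearray, memoryview of one, ...)."""
    try:
        ensure_writable(buf)
    except TypeError:
        return False
    return True


def aes_ctr_encrypt_into(key: bytes, nonce: bytes, plaintext: bytes, out) -> int:
    """Encrypt ``plaintext`` with AES-CTR into ``out``; return the byte count written.

    cryptography is imported lazily so the buffer checks above run without it.
    Per the documented update_into contract, ``out`` must hold
    len(plaintext) + block_size - 1 bytes, i.e. 15 extra bytes for AES.
    """
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    view = ensure_writable(out)
    if view.nbytes < len(plaintext) + 15:
        raise ValueError("output buffer too small for update_into")
    enc = Cipher(algorithms.AES(key), modes.CTR(nonce)).encryptor()
    n = enc.update_into(plaintext, view)
    enc.finalize()
    return n


if __name__ == "__main__":
    key, nonce = os.urandom(32), os.urandom(16)  # constructed sample key material
    msg = b"constructed sample plaintext"
    out = bytearray(len(msg) + 15)
    n = aes_ctr_encrypt_into(key, nonce, msg, out)
    print("wrote", n, "bytes:", bytes(out[:n]).hex())

    # On an affected release, passing bytes here would have mutated the
    # immutable object; with the guard (and on >= 39.0.1) it raises TypeError.
    try:
        aes_ctr_encrypt_into(key, nonce, msg, bytes(len(msg) + 15))
    except TypeError as exc:
        print("rejected:", exc)
```

The guard relies on `memoryview(...).readonly`, which is how Python itself reports whether a buffer-protocol object may be written; `bytes` and a `memoryview` over `bytes` are read-only, while `bytearray` and `memoryview(bytearray(...))` are writable.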

References

CVE Name CVE-2023-23931
URL https://osv.dev/vulnerability/GHSA-w7pp-m8wf-vj6r