GHSA-6vqw-3v5j-54x4

Source

https://github.com/advisories/GHSA-6vqw-3v5j-54x4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-6vqw-3v5j-54x4/GHSA-6vqw-3v5j-54x4.json

Aliases

CVE-2024-26130

Published

2024-02-21T18:04:40Z

Modified

2024-02-21T23:01:06.779298Z

Details

If pkcs12.serialize_key_and_certificates is called with both:

A certificate whose public key did not match the provided private key
An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)

Then a NULL pointer dereference would occur, crashing the Python process.

This has been resolved, and now a ValueError is properly raised.

Patched in https://github.com/pyca/cryptography/pull/10423

References

Affected packages

PyPI / cryptography

Package

Name: cryptography

Affected ranges

Type: ECOSYSTEM
Events: Introduced

38.0.0

Fixed

42.0.4

Affected versions

38.*

38.0.0

38.0.1

38.0.2

38.0.3

38.0.4

39.*

39.0.0

39.0.1

39.0.2

40.*

40.0.0

40.0.1

40.0.2

41.*

41.0.0

41.0.1

41.0.2

41.0.3

41.0.4

41.0.5

41.0.6

41.0.7

42.*

42.0.0

42.0.1

42.0.2

42.0.3