
Don't allow update_into to mutate immutable objects #8230

Merged 1 commit into pyca:main on Feb 7, 2023

Conversation

@alex (Member) commented Feb 7, 2023

No description provided.

@reaperhulk reaperhulk enabled auto-merge (squash) February 7, 2023 16:25
@reaperhulk reaperhulk merged commit 9fbf84e into pyca:main Feb 7, 2023
@alex alex deleted the dont-mutate-me-bro branch February 7, 2023 16:35
reaperhulk pushed a commit to reaperhulk/cryptography that referenced this pull request Feb 7, 2023
alex added a commit that referenced this pull request Feb 7, 2023
* Don't allow update_into to mutate immutable objects (#8230)

* add changelog for 39.0.1

* oops

* bump versions

* remove circle

---------

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
@zhuofeng6 commented:

Does this involve interface changes?

@reaperhulk (Member) commented:

It behaves exactly the same unless you were passing an immutable type (e.g. a byte string). So the interface has technically changed but in practice it has only changed for the vulnerable path.

@zhuofeng6 commented:

In this case, change the buf class type from bytes to bytearray. Is it OK?

It can't use the bytes type anymore.

```python
def update_into(self, data: bytes, buf: bytes) -> int:
```

@zhuofeng6 commented:

I'm not sure what the effect of this vulnerability is.

@reaperhulk (Member) commented:

Unfortunately the Python type hint system doesn’t have a way to represent “all objects that implement the buffer protocol but only the mutable types”, so bytes is still the closest to “correct” type that we can declare.
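
The runtime check this thread is circling, as an added example that is not pyca/cryptography's own code: since a `bytes` annotation cannot say "writable buffer", the example asks the object itself via `memoryview(buf).readonly` (an assumed way to detect immutability, not the project's actual fix) and refuses to write into `bytes` or a read-only view. `xor_update_into` is a constructed toy stand-in for `update_into` (XOR with a constant is not a cipher); only the acceptance/rejection behaviour is the point.

```python
# Added example (not pyca/cryptography's own code): the runtime check that the
# type hints cannot express, "is this buffer-protocol object writable?",
# modelled with memoryview.readonly (an assumption, not the project's fix).
from typing import Any


def require_writable(buf: Any) -> memoryview:
    """Return a flat, writable byte view over buf or raise TypeError.

    memoryview() accepts any object that implements the buffer protocol, and
    its .readonly flag distinguishes bytearray (writable) from bytes or a
    read-only memoryview (immutable), which a 'bytes' annotation alone cannot.
    """
    try:
        view = memoryview(buf)
    except TypeError as exc:
        raise TypeError("buf must support the buffer protocol") from exc
    if view.readonly:
        raise TypeError(
            "buf must be a writable buffer such as bytearray, not an immutable object"
        )
    return view.cast("B")


def xor_update_into(data: bytes, buf: Any, key: int = 0x5A) -> int:
    """Toy stand-in for update_into (constructed; XOR with a constant is not a
    cipher): write data ^ key into buf and return the number of bytes written."""
    view = require_writable(buf)
    if len(view) < len(data):
        raise ValueError("buf is too small for the output")
    for i, byte in enumerate(data):
        view[i] = byte ^ key
    return len(data)


def demo() -> dict:
    """Exercise the check with writable and immutable targets (constructed inputs)."""
    results = {}
    out = bytearray(4)
    results["bytearray_written"] = xor_update_into(b"abcd", out)
    results["bytearray_contents"] = bytes(out)

    # A memoryview over a bytearray is writable and is accepted as well.
    results["writable_memoryview"] = xor_update_into(b"abcd", memoryview(bytearray(4)))

    immutable = b"\x00" * 4
    for name, target in [
        ("bytes", immutable),
        ("readonly_memoryview", memoryview(bytearray(4)).toreadonly()),
    ]:
        try:
            xor_update_into(b"abcd", target)
            results[name] = "accepted"
        except TypeError:
            results[name] = "rejected"
    # The rejected bytes object is untouched, which is the property the fix protects.
    results["bytes_unchanged"] = immutable == b"\x00" * 4
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The static hint stays `bytes` for the reason reaperhulk gives; the check above is what closes the gap at runtime, and it also catches a `memoryview` that was made read-only even though its backing object is a `bytearray`.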

@zhuofeng6 commented:

What is the impact of this CVE? I don't seem to feel the threat of this vulnerability.

icanhasmath added a commit to ActiveState/cryptography that referenced this pull request Jan 18, 2024
Don't allow update_into to mutate immutable objects pyca#8230
3 participants