Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: [email protected] Control: affects -1 + src:python-ecdsa User: [email protected] Usertags: pu
[ Reason ] Fix CVE-2026-33936 by backporting the upstream fix. [ Impact ] Malformed DER-encoded private keys can trigger unexpected exceptions, leading to a denial of service. [ Tests ] The package was built successfully and the test suite passes with the included fixes. [ Risks ] Low. The update consists of upstream patches for CVE-2026-33936. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Import and backport the upstream patch. [ Other info ] The upload will be sponsored by @josue.
diff -Nru python-ecdsa-0.18.0/debian/changelog python-ecdsa-0.18.0/debian/changelog
--- python-ecdsa-0.18.0/debian/changelog 2022-12-21 20:15:41.000000000 +0000
+++ python-ecdsa-0.18.0/debian/changelog 2026-06-02 23:23:31.000000000 +0000
@@ -1,3 +1,11 @@
+python-ecdsa (0.18.0-3+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * d/patches: (Closes: #1132164)
+ - CVE-2026-33936: Import and backport upstream patch
+
+ -- Matheus Polkorny <[email protected]> Tue, 02 Jun 2026 20:23:31 -0300
+
 python-ecdsa (0.18.0-3) unstable; urgency=medium
 
 * Team Upload.
diff -Nru python-ecdsa-0.18.0/debian/patches/CVE-2026-33936-1.patch python-ecdsa-0.18.0/debian/patches/CVE-2026-33936-1.patch
--- python-ecdsa-0.18.0/debian/patches/CVE-2026-33936-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-ecdsa-0.18.0/debian/patches/CVE-2026-33936-1.patch 2026-06-02 23:23:31.000000000 +0000
@@ -0,0 +1,42 @@
+From: 0xmrma <[email protected]>
+Date: Sun, 1 Mar 2026 09:18:21 +0200
+Subject: der: reject truncated lengths in octet/implicit/constructed
+
+Origin: upstream, https://github.com/tlsfuzzer/python-ecdsa/commit/acc40fdaf7bb09aafc912a687ca6ed063ecaface
+
+Backported by: Matheus Polkorny <[email protected]>
+
+Changes:
+- Refresh Context patch
+- Drop remove_implicit changes, as it's not present in this version
+---
+ src/ecdsa/der.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/ecdsa/der.py b/src/ecdsa/der.py
+index 8b27941..8388cb0 100644
+--- a/src/ecdsa/der.py
++++ b/src/ecdsa/der.py
+@@ -137,11 +137,12 @@ def remove_constructed(string):
+ )
+ tag = s0 & 0x1F
+ length, llen = read_length(string[1:])
++ if length > len(string) - 1 - llen:
++ raise UnexpectedDER("Length longer than the provided buffer")
+ body = string[1 + llen : 1 + llen + length]
+ rest = string[1 + llen + length :]
+ return tag, body, rest
+ 
+-
+ def remove_sequence(string):
+ if not string:
+ raise UnexpectedDER("Empty string does not encode a sequence")
+@@ -160,6 +161,8 @@ def remove_octet_string(string):
+ n = str_idx_as_int(string, 0)
+ raise UnexpectedDER("wanted type 'octetstring' (0x04), got 0x%02x" % n)
+ length, llen = read_length(string[1:])
++ if length > len(string) - 1 - llen:
++ raise UnexpectedDER("Length longer than the provided buffer")
+ body = string[1 + llen : 1 + llen + length]
+ rest = string[1 + llen + length :]
+ return body, rest
diff -Nru python-ecdsa-0.18.0/debian/patches/CVE-2026-33936-2.patch python-ecdsa-0.18.0/debian/patches/CVE-2026-33936-2.patch
--- python-ecdsa-0.18.0/debian/patches/CVE-2026-33936-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-ecdsa-0.18.0/debian/patches/CVE-2026-33936-2.patch 2026-06-02 23:23:31.000000000 +0000
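Review bot: The backported der.py patch also deletes one of the two blank lines between remove_constructed and remove_sequence (the `-` line right after `return tag, body, rest`), an unrelated formatting change that a stable update should not carry; I would drop that line from CVE-2026-33936-1.patch so it touches only the two new guards. The guards themselves look right for the overrun case: before them, a declared `length` larger than the remaining input made the slice return a short `body` and an empty `rest` without complaint, so the truncation surfaced later as some unrelated exception instead of as UnexpectedDER, which appears to be the error type this module already raises for malformed input. Whether a length field that is itself cut short (a long-form prefix with fewer length bytes than announced) is rejected depends on read_length, which is outside the hunk and worth confirming with a test. Since the same comparison now appears twice with no explanation, a one-line comment above each guard would help the next maintainer: `# slicing would silently truncate; turn an over-long declared length into an explicit UnexpectedDER`. The bodies of remove_constructed and remove_octet_string begin outside the hunk.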
@@ -0,0 +1,35 @@
+From: 0xmrma <[email protected]>
+Date: Thu, 5 Mar 2026 18:44:50 +0200
+Subject: tests: reject truncated DER lengths
+
+Origin: upstream, https://github.com/tlsfuzzer/python-ecdsa/commit/9c046ee7f61649a8a43d3f6f9c64f13e76e148db
+
+Backported by: Matheus Polkorny <[email protected]>
+Changes:
+- Refresh patch context
+- Drop remove_implicit changes, as it's not present in this version
+---
+ src/ecdsa/test_der.py | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/ecdsa/test_der.py b/src/ecdsa/test_der.py
+index 0ca5bd7..bdabbd7 100644
+--- a/src/ecdsa/test_der.py
++++ b/src/ecdsa/test_der.py
+@@ -474,3 +474,16 @@ def test_oids(ids):
+ decoded_oid, rest = remove_object(encoded_oid)
+ assert rest == b""
+ assert decoded_oid == ids
++
++def test_remove_octet_string_rejects_truncated_length():
++ # OCTET STRING: declared length 4096, but only 3 bytes present
++ bad = b"\x04\x82\x10\x00" + b"ABC"
++ with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
++ remove_octet_string(bad)
++
++def test_remove_constructed_rejects_truncated_length():
++ # Constructed tag: 0xA0 (context-specific constructed, tag=0)
++ # declared length 4096, but only 3 bytes present
++ bad = b"\xA0\x82\x10\x00" + b"ABC"
++ with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
++ remove_constructed(bad)
diff -Nru python-ecdsa-0.18.0/debian/patches/series python-ecdsa-0.18.0/debian/patches/series
--- python-ecdsa-0.18.0/debian/patches/series 2022-12-21 20:14:49.000000000 +0000
+++ python-ecdsa-0.18.0/debian/patches/series 2026-06-02 23:23:31.000000000 +0000
@@ -1,2 +1,4 @@
 00-remove-temp-test-dir.patch
 tighter-hypothesis-bounds.patch
+CVE-2026-33936-1.patch
+CVE-2026-33936-2.patch
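Review bot: The two new tests in CVE-2026-33936-2.patch only exercise the overrun side of the guard `length > len(string) - 1 - llen`; nothing pins the exact-fit boundary, so an off-by-one that rejected a well-formed element would pass this suite. I would add the accepting cases next to them: `assert remove_octet_string(b"\x04\x03ABC") == (b"ABC", b"")` and `assert remove_constructed(b"\xA0\x03ABC") == (0, b"ABC", b"")`, where the tag 0 follows from `s0 & 0x1F` on 0xA0 in the der.py hunk. Both tests also use only a long-form (0x82) length; a short-form overrun such as `b"\x04\x05AB"` would confirm the guard does not depend on the length encoding. The hunk relies on `pytest`, `UnexpectedDER` and `remove_constructed` already being imported at the top of test_der.py, which is outside the hunk and should be checked when the patch is refreshed. The single blank line between the new top-level test functions is an upstream style nit worth noting but not worth diverging from upstream for.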

