| Name | CVE-2024-26130 |
| Description | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1064778 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| python-cryptography (PTS) | jessie | 0.6.1-1+deb8u1 | fixed |
| stretch | 1.7.1-3+deb9u2 | fixed | |
| buster, buster (lts) | 2.6.1-3+deb10u5 | fixed | |
| buster (security) | 2.6.1-3+deb10u4 | fixed | |
| bullseye | 3.3.2-1 | fixed | |
| bullseye (security) | 3.3.2-1+deb11u1 | fixed | |
| bookworm | 38.0.4-3+deb12u1 | fixed | |
| bookworm (security) | 38.0.4-3~deb12u1 | vulnerable | |
| sid, trixie | 43.0.0-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| python-cryptography | source | jessie | (not affected) | |||
| python-cryptography | source | stretch | (not affected) | |||
| python-cryptography | source | buster | (not affected) | |||
| python-cryptography | source | bullseye | (not affected) | |||
| python-cryptography | source | bookworm | 38.0.4-3+deb12u1 | |||
| python-cryptography | source | (unstable) | 42.0.5-1 | 1064778 |
[bullseye] - python-cryptography <not-affected> (Vulnerable code was introduced later)
[buster] - python-cryptography <not-affected> (Vulnerable code was introduced later)
https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
https://github.com/pyca/cryptography/pull/10423
Introduced by: https://github.com/pyca/cryptography/commit/1742975367e457ee030e582b88bd870eaa788dfe (38.0.0)
Fixed by: https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55 (43.0.0)
Fixed by: https://github.com/pyca/cryptography/commit/7a4d012991061974da5d9cb7614de65eac94f49b (42.0.4)
[stretch] - python-cryptography <not-affected> (Vulnerable code was introduced later)
[jessie] - python-cryptography <not-affected> (Vulnerable code was introduced later)