changelog + security fix backport (#8231)

reaperhulk · alex · web-flow · commit d6951dca25de · 2023-02-07T13:24:19.000-05:00
* Don't allow update_into to mutate immutable objects (#8230) * add changelog for 39.0.1 * oops * bump versions * remove circle --------- Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,6 +1,15 @@
 Changelog
 =========
 
+.. _v39-0-1:
+
+39.0.1 - 2023-02-07
+~~~~~~~~~~~~~~~~~~~
+
+* **SECURITY ISSUE** - Fixed a bug where ``Cipher.update_into`` accepted Python
+  buffer protocol objects, but allowed immutable buffers. **CVE-2023-23931**
+* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.8.
+
 .. _v39-0-0:
 
 39.0.0 - 2023-01-01
diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py
@@ -9,7 +9,7 @@
     "__copyright__",
 ]
 
-__version__ = "39.0.0"
+__version__ = "39.0.1"
 
 __author__ = "The Python Cryptographic Authority and individual contributors"
 __copyright__ = "Copyright 2013-2022 {}".format(__author__)
diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int:
         data_processed = 0
         total_out = 0
         outlen = self._backend._ffi.new("int *")
-        baseoutbuf = self._backend._ffi.from_buffer(buf)
+        baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
         baseinbuf = self._backend._ffi.from_buffer(data)
 
         while data_processed != total_data_len:
diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend):
         with pytest.raises(ValueError):
             encryptor.update_into(b"testing", buf)
 
+    def test_update_into_immutable(self, backend):
+        key = b"\x00" * 16
+        c = ciphers.Cipher(AES(key), modes.ECB(), backend)
+        encryptor = c.encryptor()
+        buf = b"\x00" * 32
+        with pytest.raises((TypeError, BufferError)):
+            encryptor.update_into(b"testing", buf)
+
     @pytest.mark.supported(
         only_if=lambda backend: backend.cipher_supported(
             AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)
diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py
@@ -6,4 +6,4 @@
     "__version__",
 ]
 
-__version__ = "39.0.0"
+__version__ = "39.0.1"

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@`
`9`	`9`	`"__copyright__",`
`10`	`10`	`]`
`11`	`11`
`12`		`-__version__ = "39.0.0"`
	`12`	`+__version__ = "39.0.1"`
`13`	`13`
`14`	`14`	`__author__ = "The Python Cryptographic Authority and individual contributors"`
`15`	`15`	`__copyright__ = "Copyright 2013-2022 {}".format(__author__)`
Original file line number	Diff line number	Diff line change
`@@ -6,4 +6,4 @@`
`6`	`6`	`"__version__",`
`7`	`7`	`]`
`8`	`8`
`9`		`-__version__ = "39.0.0"`
	`9`	`+__version__ = "39.0.1"`