Skip to content

Fix CVE-2024-33663#349

Open
danigm wants to merge 1 commit intompdavis:masterfrom
danigm:CVE-2024-33663
Open

Fix CVE-2024-33663#349
danigm wants to merge 1 commit intompdavis:masterfrom
danigm:CVE-2024-33663

Conversation

@danigm
Copy link

@danigm danigm commented May 2, 2024

@milliesolem
Copy link

milliesolem commented May 2, 2024

I recommend throwing an exception if algorithms is None, rather than setting to ALL. Not specifying the algorithms field is the source of algorithm confusion issues.

smittysmee
smittysmee reviewed May 2, 2024
View reviewed changes
smittysmee
smittysmee reviewed May 2, 2024
View reviewed changes
smittysmee
smittysmee reviewed May 2, 2024
View reviewed changes
jose/jwt.py Outdated
verify_signature = defaults.get("verify_signature", True)

if algorithms is None:
algorithms = ALGORITHMS.ALL
Copy link

@smittysmee smittysmee May 2, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why specify? Inline comment & exception would be helpful here. Don't know if there will be downstream impacts:

the algorithms field in jwt.decode is not mandatory, allowing developers to shoot themselves in the foot
inadequate protections in the cryptography backend allowing for HMAC verification with an asymmetric public key

https://github.com/danigm/python-jose/blob/4638c12780636a66b118e699f5b70ce193555106/jose/jws.py#L258C5-L259C65

@danigm danigm force-pushed the CVE-2024-33663 branch from 4638c12 to 057bc6f Compare May 2, 2024 16:10
bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this pull request May 6, 2024
@bmwiedemann
Update python-python-jose to version 3.3.0 / rev 7 via SR 1172135
fb0ad57 
https://build.opensuse.org/request/show/1172135
by user dgarcia + anag+factory
- Add upstream patches:
   * CVE-2024-33663.patch, bsc#1223417, gh#mpdavis/python-jose#349
   * CVE-2024-33664.patch, bsc#1223422, gh#mpdavis/python-jose#345
   * fix-tests-ecdsa-019.patch, gh#mpdavis/python-jose#350
@CharlesPerrotMinot
Copy link

CharlesPerrotMinot commented May 10, 2024

Let's try pinging @asherf and @mpdavis

@smittysmee
Copy link

smittysmee commented May 21, 2024

@mpdavis @asherf
following up on this

@twwildey
Copy link
Collaborator

twwildey commented May 30, 2024

Can you rebase your changes onto the latest master branch and force-update your branch for this PR?

Would you mind collapsing your commits to a single commit as well?

@danigm
Improve asymmetric key check in CryptographyHMACKey
9320fed 
This change should fix mpdavis#346
security issue.

The code is based on pyjwt change:
jpadilla/pyjwt@9c52867
@danigm
Copy link
Author

danigm commented May 31, 2024

Can you rebase your changes onto the latest master branch and force-update your branch for this PR?

Would you mind collapsing your commits to a single commit as well?

Done

@CharlesPerrotMinot
Copy link

CharlesPerrotMinot commented Jun 3, 2024

@twwildey

@chrisribe
Copy link

chrisribe commented Jun 20, 2024

When can we expect an official release for this ?

@milliesolem
Copy link

milliesolem commented Jun 20, 2024

@chrisribe seeing as the library has not seen a release for three years, I wouldn't hold my breath. Switch to PyJWT if you have a project affected by this.

@twwildey
Copy link
Collaborator

twwildey commented Jun 20, 2024

I believe this GitHub repo has been effectively abandoned in favor of https://authlib.org/. I would recommend everyone migrate their projects to use Authlib directly.

@Aisuko Aisuko mentioned this pull request Jul 13, 2024
Closed
@Xu-Justin
Copy link

Xu-Justin commented Feb 24, 2025

Fixed at #369

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@junoriosity junoriosity junoriosity approved these changes

@smittysmee smittysmee smittysmee approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@danigm @milliesolem @CharlesPerrotMinot @smittysmee @twwildey @chrisribe @Xu-Justin @junoriosity