Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix for CVE-2024-33664. JWE limited to 250K #352

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix for CVE-2024-33664. JWE limited to 250K #352

wants to merge 1 commit into from

Conversation

alistairwatts
Copy link

This fix for CVE-2024-33664 ensures that any incoming JWE is under 250K, which seems to be a sensible, albeit large limit. The specific fix for the "zip bomb" issue ensures that we decompress no more that 250K of data. If that limit is reached then a JWEError is raised.

There's rough symmetry here ensuring that both compressed and uncompressed JWE data is no more than 250K.

@alistairwatts alistairwatts mentioned this pull request May 7, 2024
Open
@omufeed
Copy link

omufeed commented May 8, 2024

Is this repository still maintained? Would be great to check and merge this PR.

@Shinnnyshinshin
Copy link

Thank you for this work @alistairwatts. Would love to see this PR go in.

@CharlesPerrotMinotHCHB
Copy link

Let's try pinging @asherf and @mpdavis

alistairwatts
alistairwatts commented May 15, 2024
View reviewed changes
jose/jwe.py
# data could lead to large memory usage. This helps address This addresses
# CVE-2024-33664. Also see _decompress()
if len(jwe_str) > JWE_SIZE_LIMIT:
raise JWEError("JWE string exceeds {JWE_SIZE_LIMIT} bytes")
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be an f-string.

This was referenced May 21, 2024
Closed
Merged
Open
@alistairwatts alistairwatts mentioned this pull request May 21, 2024
Closed
@smittysmee
Copy link

@mpdavis

@maciejstromich
Copy link

if @mpdavis does not work maybe @michaeldavis-wf will?

@Natim Natim mentioned this pull request May 28, 2024
Open
libo
libo reviewed May 29, 2024
View reviewed changes
Copy link

@libo libo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I fixed the missing f-string. @alistairwatts

jose/jwe.py
# data could lead to large memory usage. This helps address This addresses
# CVE-2024-33664. Also see _decompress()
if len(jwe_str) > JWE_SIZE_LIMIT:
raise JWEError("JWE string exceeds {JWE_SIZE_LIMIT} bytes")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
raise JWEError("JWE string exceeds {JWE_SIZE_LIMIT} bytes")
raise JWEError(f"JWE string exceeds {JWE_SIZE_LIMIT} bytes")

@twwildey
Copy link
Collaborator

Can you rebase your changes onto the latest master branch and force-update your branch for this PR?

@nicholas-quirk-mass-gov
Copy link

@alistairwatts

bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this pull request Jun 3, 2024
@bmwiedemann
Update python-python-jose to version 3.3.0 / rev 9 via SR 1178245
4b9828d 
https://build.opensuse.org/request/show/1178245
by user dgarcia + anag+factory
- Update CVE-2024-33664.patch with upstream
  mpdavis/python-jose#352
  bsc#1223422
@CharlesPerrotMinotHCHB
Copy link

@twwildey

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@libo libo libo left review comments

@Shinnnyshinshin Shinnnyshinshin Shinnnyshinshin approved these changes

@kpqdap kpqdap kpqdap approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
10 participants
@alistairwatts @omufeed @Shinnnyshinshin @CharlesPerrotMinotHCHB @smittysmee @maciejstromich @twwildey @nicholas-quirk-mass-gov @libo @kpqdap