From b35ad89d9cf40546c57174090cdba7152d1820be Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Tue, 7 Feb 2023 11:34:18 -0500
Subject: [PATCH 1/5] Don't allow update_into to mutate immutable objects
 (#8230)

---
 src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
 tests/hazmat/primitives/test_ciphers.py             | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
index fd2b6612f046..e5c2b6fd8453 100644
--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int:
         data_processed = 0
         total_out = 0
         outlen = self._backend._ffi.new("int *")
-        baseoutbuf = self._backend._ffi.from_buffer(buf)
+        baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
         baseinbuf = self._backend._ffi.from_buffer(data)
 
         while data_processed != total_data_len:
diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
index 02127dd9cab5..bf3b047dec25 100644
--- a/tests/hazmat/primitives/test_ciphers.py
+++ b/tests/hazmat/primitives/test_ciphers.py
@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend):
         with pytest.raises(ValueError):
             encryptor.update_into(b"testing", buf)
 
+    def test_update_into_immutable(self, backend):
+        key = b"\x00" * 16
+        c = ciphers.Cipher(AES(key), modes.ECB(), backend)
+        encryptor = c.encryptor()
+        buf = b"\x00" * 32
+        with pytest.raises((TypeError, BufferError)):
+            encryptor.update_into(b"testing", buf)
+
     @pytest.mark.supported(
         only_if=lambda backend: backend.cipher_supported(
             AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)

From 8754e0209a4a8f9b4dbbb1070b4f42eb1ae26650 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Tue, 7 Feb 2023 11:55:22 -0600
Subject: [PATCH 2/5] add changelog for 39.0.1

---
 CHANGELOG.rst | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index bd70b9bc7b34..d048ea6954cf 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,6 +1,12 @@
 Changelog
 =========
 
+.. _v39-0-1:
+
+* **SECURITY ISSUE** - Fixed a bug where ``Cipher.update_into`` accepted Python
+  buffer protocol objects, but allowed immutable buffers. **CVE-2023-23931**
+* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.8.
+
 .. _v39-0-0:
 
 39.0.0 - 2023-01-01

From 3706b2bdba2ac965bc6167792181f3764d16ff3e Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Tue, 7 Feb 2023 11:56:51 -0600
Subject: [PATCH 3/5] oops

---
 CHANGELOG.rst | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index d048ea6954cf..3742c6ac945c 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -3,6 +3,9 @@ Changelog
 
 .. _v39-0-1:
 
+39.0.1 - 2023-02-07
+~~~~~~~~~~~~~~~~~~~
+
 * **SECURITY ISSUE** - Fixed a bug where ``Cipher.update_into`` accepted Python
   buffer protocol objects, but allowed immutable buffers. **CVE-2023-23931**
 * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.8.

From c586659188f1ab0a11e6587074eb095340680805 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Tue, 7 Feb 2023 11:57:33 -0600
Subject: [PATCH 4/5] bump versions

---
 src/cryptography/__about__.py             | 2 +-
 vectors/cryptography_vectors/__about__.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py
index 83439a962dd3..bd0b15c14657 100644
--- a/src/cryptography/__about__.py
+++ b/src/cryptography/__about__.py
@@ -9,7 +9,7 @@
     "__copyright__",
 ]
 
-__version__ = "39.0.0"
+__version__ = "39.0.1"
 
 __author__ = "The Python Cryptographic Authority and individual contributors"
 __copyright__ = "Copyright 2013-2022 {}".format(__author__)
diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py
index 9b607dd65f03..9452a5c1e801 100644
--- a/vectors/cryptography_vectors/__about__.py
+++ b/vectors/cryptography_vectors/__about__.py
@@ -6,4 +6,4 @@
     "__version__",
 ]
 
-__version__ = "39.0.0"
+__version__ = "39.0.1"

From d972ad6a7d835c272f5f19dc94660b70f980e8d8 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Tue, 7 Feb 2023 12:05:55 -0600
Subject: [PATCH 5/5] remove circle

---
 .circleci/build-wheel.sh |  35 ------------
 .circleci/config.yml     | 112 ---------------------------------------
 2 files changed, 147 deletions(-)
 delete mode 100755 .circleci/build-wheel.sh
 delete mode 100644 .circleci/config.yml

diff --git a/.circleci/build-wheel.sh b/.circleci/build-wheel.sh
deleted file mode 100755
index d69e8c9213fe..000000000000
--- a/.circleci/build-wheel.sh
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/bin/bash -ex
-
-cd /test
-
-echo "Building for ${PLATFORM}"
-
-PYBIN="/opt/python/${PYTHON}/bin"
-
-mkdir -p /test/wheelhouse.final
-
-"${PYBIN}"/python -m venv .venv
-
-.venv/bin/pip install -U pip wheel cffi setuptools-rust
-
-.venv/bin/python setup.py sdist
-cd dist
-tar zxf cryptography*.tar.gz
-rm -rf cryptograph*.tar.gz
-cd cryptography*
-
-REGEX="cp3([0-9])*"
-if [[ "${PYBIN}" =~ $REGEX ]]; then
-    PY_LIMITED_API="--py-limited-api=cp3${BASH_REMATCH[1]}"
-fi
-
-LDFLAGS="-L/opt/pyca/cryptography/openssl/lib" \
-       CFLAGS="-I/opt/pyca/cryptography/openssl/include -Wl,--exclude-libs,ALL" \
-       ../../.venv/bin/python setup.py bdist_wheel "$PY_LIMITED_API"
-
-auditwheel repair --plat "${PLATFORM}" -w wheelhouse/ dist/cryptography*.whl
-
-../../.venv/bin/pip install cryptography --no-index -f wheelhouse/
-../../.venv/bin/python -c "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))"
-
-mv wheelhouse/* /test/wheelhouse.final
diff --git a/.circleci/config.yml b/.circleci/config.yml
deleted file mode 100644
index ceb2a7ee28e5..000000000000
--- a/.circleci/config.yml
+++ /dev/null
@@ -1,112 +0,0 @@
-version: 2.1
-
-commands:
-  docker-pull:
-    parameters:
-      image:
-        type: string
-    steps:
-      - run: docker pull <<parameters.image>> || docker pull <<parameters.image>>
-  docker-run:
-    parameters:
-      image:
-        type: string
-      command:
-        type: string
-    steps:
-      - run: docker run -e PLATFORM -e PYTHON -v $(pwd):/test <<parameters.image>>  /bin/bash -c 'cd /test;<<parameters.command>>'
-
-jobs:
-  linux-arm64:
-    machine:
-      image: ubuntu-2004:current
-    resource_class: arm.medium
-    parameters:
-      image:
-        type: string
-      toxenv:
-        type: string
-    steps:
-      - checkout
-      - docker-pull:
-          image: <<parameters.image>>
-      - docker-run:
-          image: <<parameters.image>>
-          command: /venv/bin/tox -e <<parameters.toxenv>>
-  linux-arm64-wheel:
-    machine:
-      image: ubuntu-2004:current
-    resource_class: arm.medium
-    parameters:
-      image:
-        type: string
-      platform:
-        type: string
-      python:
-        type: string
-    environment:
-        PLATFORM: <<parameters.platform>>
-        PYTHON: <<parameters.python>>
-    steps:
-      - checkout
-      - docker-pull:
-          image: <<parameters.image>>
-      - docker-run:
-          image: <<parameters.image>>
-          command: /test/.circleci/build-wheel.sh
-      - store_artifacts:
-          path: wheelhouse.final
-
-workflows:
-  ci:
-    jobs:
-      - linux-arm64:
-          # Changing this name should only be done in conjunction with updating
-          # the required checks on GH
-          name: linux-arm64-ci
-          image: ghcr.io/pyca/cryptography-runner-ubuntu-focal:aarch64
-          toxenv: py38
-          # This makes sure it runs on all tags in addition to PRs/branches.
-          # By default CircleCI ignores tags.
-          filters:
-            tags:
-              only: /.*/
-      - linux-arm64:
-          name: linux-arm64-alpine-ci
-          image: ghcr.io/pyca/cryptography-runner-alpine:aarch64
-          toxenv: py310
-          filters:
-            tags:
-              only: /.*/
-      - linux-arm64-wheel:
-          name: manylinux2014_aarch64-wheel
-          image: ghcr.io/pyca/cryptography-manylinux2014_aarch64:latest
-          python: cp36-cp36m
-          platform: manylinux2014_aarch64
-          filters:
-            tags:
-              only: /.*/
-      - linux-arm64-wheel:
-          name: manylinux_2_24_aarch64-wheel
-          image: ghcr.io/pyca/cryptography-manylinux_2_24:aarch64
-          python: cp36-cp36m
-          platform: manylinux_2_24_aarch64
-          filters:
-            tags:
-              only: /.*/
-      - linux-arm64-wheel:
-          name: manylinux_2_28_aarch64-wheel
-          image: ghcr.io/pyca/cryptography-manylinux_2_28:aarch64
-          python: cp36-cp36m
-          platform: manylinux_2_28_aarch64
-          filters:
-            tags:
-              only: /.*/
-      - linux-arm64-wheel:
-          name: musllinux_1_1_aarch64-wheel
-          image: ghcr.io/pyca/cryptography-musllinux_1_1:aarch64
-          python: cp36-cp36m
-          platform: musllinux_1_1_aarch64
-          filters:
-            tags:
-              only: /.*/