From 3c245efba3b5b961091fc40746138e671c313876 Mon Sep 17 00:00:00 2001
From: deepin-ci-robot
Date: Mon, 27 Apr 2026 15:10:55 +0800
Subject: [PATCH] fix(python-ecdsa): CVE-2026-33936 DER validation

Add quilt patch to fix CVE-2026-33936 by rejecting truncated DER lengths in octet and constructed functions.

This patch:
- Adds length validation in remove_constructed()
- Adds length validation in remove_octet_string()
- Adds corresponding unit tests

Note: remove_implicit() function does not exist in this version, so only the applicable functions are patched.

Upstream: https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3
Generated-By: uos/glm-5.1
Co-Authored-By: hudeng
---
 debian/changelog | 8 ++++++
 debian/patches/CVE-2026-33936.patch | 44 +++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 53 insertions(+)
 create mode 100644 debian/patches/CVE-2026-33936.patch

diff --git a/debian/changelog b/debian/changelog
index 31d77b3..ebadba0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+python-ecdsa (0.19.0-2+deepin1) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2026-33936: reject truncated DER lengths in
+ octet/constructed functions
+
+ -- OpenClaw Security Agent Mon, 27 Apr 2026 15:10:08 +0800
+
 python-ecdsa (0.19.0-2) unstable; urgency=medium
 
 * Team upload.
diff --git a/debian/patches/CVE-2026-33936.patch b/debian/patches/CVE-2026-33936.patch
new file mode 100644
index 0000000..bc4bcdb
--- /dev/null
+++ b/debian/patches/CVE-2026-33936.patch
@@ -0,0 +1,44 @@
+Index: github-python-ecdsa-CVE-2026-33936/src/ecdsa/der.py
+===================================================================
+--- github-python-ecdsa-CVE-2026-33936.orig/src/ecdsa/der.py
++++ github-python-ecdsa-CVE-2026-33936/src/ecdsa/der.py
+@@ -138,6 +138,8 @@ def remove_constructed(string):
+ )
+ tag = s0 & 0x1F
+ length, llen = read_length(string[1:])
++ if length > len(string) - 1 - llen:
++ raise UnexpectedDER("Length longer than the provided buffer")
+ body = string[1 + llen : 1 + llen + length]
+ rest = string[1 + llen + length :]
+ return tag, body, rest
+@@ -161,6 +163,8 @@ def remove_octet_string(string):
+ n = str_idx_as_int(string, 0)
+ raise UnexpectedDER("wanted type 'octetstring' (0x04), got 0x%02x" % n)
+ length, llen = read_length(string[1:])
++ if length > len(string) - 1 - llen:
++ raise UnexpectedDER("Length longer than the provided buffer")
+ body = string[1 + llen : 1 + llen + length]
+ rest = string[1 + llen + length :]
+ return body, rest
+Index: github-python-ecdsa-CVE-2026-33936/src/ecdsa/test_der.py
+===================================================================
+--- github-python-ecdsa-CVE-2026-33936.orig/src/ecdsa/test_der.py
++++ github-python-ecdsa-CVE-2026-33936/src/ecdsa/test_der.py
+@@ -476,3 +476,17 @@ def test_oids(ids):
+ decoded_oid, rest = remove_object(encoded_oid)
+ assert rest == b""
+ assert decoded_oid == ids
++
++def test_remove_octet_string_rejects_truncated_length():
++ # OCTET STRING: declared length 4096, but only 3 bytes present
++ bad = b"\x04\x82\x10\x00" + b"ABC"
++ with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
++ remove_octet_string(bad)
++
++def test_remove_constructed_rejects_truncated_length():
++ # Constructed tag: 0xA0 (context-specific constructed, tag=0)
++ # declared length 4096, but only 3 bytes present
++ bad = b"\xA0\x82\x10\x00" + b"ABC"
++ with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
++ remove_constructed(bad)
++
diff --git a/debian/patches/series b/debian/patches/series
index 365106f..35f57f2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 00-remove-temp-test-dir.patch
 remove-six.patch
+CVE-2026-33936.patch
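Review bot: The new quilt patch carries no DEP-3 header, so the provenance spelled out in the commit message is lost once the file sits alone in debian/patches; prepend `Description: reject truncated DER lengths in remove_constructed() and remove_octet_string() (CVE-2026-33936)`, `Origin: backport, https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3` and `Last-Update: 2026-04-27` before the first `Index:` line. The Python lines inside both der.py hunks and the test_der.py hunk show no leading indentation in this rendering; if that is how the file was committed rather than an artefact of this view, quilt will not match the context lines and the added `if`/`raise` pairs and test bodies would not be valid Python, so the patch should be verified with a quilt push before upload. The bodies of remove_constructed and remove_octet_string begin outside their hunks, so whether read_length already bounds the declared length against the buffer cannot be seen here; the added guard sits correctly after the read_length call in both functions, and the two tests pin the error text via `match=`, which assumes pytest is already imported at the top of test_der.py.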