public inbox for git-commits@fedoraproject.org
* [rpms/python3.11] f43: Fix ssl.SSLError: [ASN1: NOT_ENOUGH_DATA] not enough data with OpenSSL 3.5.7+
@ 2026-07-02 14:01
From: @ 2026-07-02 14:01 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/python3.11
Branch : f43
Commit : fc0070dafaf1808177871ad44712aa711cd6cd62
Author : Miro Hrončok <miro@hroncok.cz>
Date : 2026-07-02T10:54:53+02:00
Stats : +91/-1 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/python3.11/c/fc0070dafaf1808177871ad44712aa711cd6cd62?branch=f43
Log:
Fix ssl.SSLError: [ASN1: NOT_ENOUGH_DATA] not enough data with OpenSSL 3.5.7+
---
diff --git a/00489-openssl-3.5.7.patch b/00489-openssl-3.5.7.patch
new file mode 100644
index 0000000..5ba5e8b
--- /dev/null
+++ b/00489-openssl-3.5.7.patch
@@ -0,0 +1,75 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: David Benjamin <davidben@google.com>
+Date: Fri, 24 Mar 2023 09:04:30 -0400
+Subject: 00489: Use BIO_eof to detect EOF for SSL_FILETYPE_ASN1
+
+In PEM, we need to parse until error and then suppress `PEM_R_NO_START_LINE`, because PEM allows arbitrary leading and trailing data. DER, however, does not. Parsing until error and suppressing `ASN1_R_HEADER_TOO_LONG` doesn't quite work because that error also covers some cases that should be rejected.
+
+Instead, check `BIO_eof` early and stop the loop that way.
+
+This fixes https://github.com/python/cpython/issues/151504 and adds compatibility with OpenSSL 3.5.7+
+
+(cherry-picked from commit acfe02f3b05436658d92add6b168538b30f357f0)
+---
+ Lib/test/test_ssl.py | 2 ++
+ .../2022-12-20-10-55-14.gh-issue-100372.utfP65.rst | 2 ++
+ Modules/_ssl.c | 10 ++++++----
+ 3 files changed, 10 insertions(+), 4 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
+
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index 921c41bd0d..61cde99753 100644
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -1559,6 +1559,8 @@ def test_load_verify_cadata(self):
+ "not enough data: cadata does not contain a certificate"
+ ):
+ ctx.load_verify_locations(cadata=b"broken")
++ with self.assertRaises(ssl.SSLError):
++ ctx.load_verify_locations(cadata=cacert_der + b"A")
+
+ @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
+ def test_load_dh_params(self):
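Review bot: The new `assertRaises(ssl.SSLError)` case for `cacert_der + b"A"` exercises only a single trailing byte and only the rejection path. Matching on the exception type alone is reasonable given that the reason string differs across OpenSSL versions, but a one-line comment saying so would stop someone from tightening it to `assertRaisesRegex` later. Consider adding a positive case that loads two concatenated DER certificates, since that is where the new EOF exit is taken after a successful parse, and a case with a longer trailing run than one byte.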
+diff --git a/Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst b/Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
+new file mode 100644
+index 0000000000..ec37aff509
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
+@@ -0,0 +1,2 @@
++:meth:`ssl.SSLContext.load_verify_locations` no longer incorrectly accepts
++some cases of trailing data when parsing DER.
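Review bot: The NEWS fragment is filed under `gh-issue-100372` with a 2022-12-20 date, while the patch description cites https://github.com/python/cpython/issues/151504 as the issue being fixed and never mentions 100372. Add a sentence to the description relating the two issue numbers, so that someone auditing this backport can trace both without guessing.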
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index ee7b131920..174e5dfce5 100644
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -3966,7 +3966,7 @@ _add_ca_certs(PySSLContext *self, const void *data, Py_ssize_t len,
+ {
+ BIO *biobuf = NULL;
+ X509_STORE *store;
+- int retval = -1, err, loaded = 0;
++ int retval = -1, err, loaded = 0, was_bio_eof = 0;
+
+ assert(filetype == SSL_FILETYPE_ASN1 || filetype == SSL_FILETYPE_PEM);
+
+@@ -3994,6 +3994,10 @@ _add_ca_certs(PySSLContext *self, const void *data, Py_ssize_t len,
+ int r;
+
+ if (filetype == SSL_FILETYPE_ASN1) {
++ if (BIO_eof(biobuf)) {
++ was_bio_eof = 1;
++ break;
++ }
+ cert = d2i_X509_bio(biobuf, NULL);
+ } else {
+ cert = PEM_read_bio_X509(biobuf, NULL,
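Review bot: The `if (BIO_eof(biobuf))` check at the top of the ASN1 branch has no comment explaining why DER stops on EOF while the PEM branch still parses until error; that rationale currently lives only in the patch description. A short comment above the check would keep it next to the code. It is also worth confirming how an empty buffer behaves: there the `break` is taken on the first iteration with `loaded` still 0, and it should end in the error path rather than in the `was_bio_eof` success branch.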
+@@ -4029,9 +4033,7 @@ _add_ca_certs(PySSLContext *self, const void *data, Py_ssize_t len,
+ }
+ _setSSLError(get_state_ctx(self), msg, 0, __FILE__, __LINE__);
+ retval = -1;
+- } else if ((filetype == SSL_FILETYPE_ASN1) &&
+- (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
+- (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
++ } else if ((filetype == SSL_FILETYPE_ASN1) && was_bio_eof) {
+ /* EOF ASN1 file, not an error */
+ ERR_clear_error();
+ retval = 0;
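Review bot: In the rewritten `else if`, the `filetype == SSL_FILETYPE_ASN1` test is redundant, because `was_bio_eof` is only ever set inside the ASN1 branch of the loop; `else if (was_bio_eof)` expresses the same condition. The retained comment `/* EOF ASN1 file, not an error */` also dates from the version that suppressed `ASN1_R_HEADER_TOO_LONG`; since this branch is now reached through an explicit EOF check, the comment could say that the loop ended cleanly at end of input and that `ERR_clear_error()` is only clearing the queue before returning success.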
diff --git a/python3.11.spec b/python3.11.spec
index a9b6bcd..08ed8b2 100644
--- a/python3.11.spec
+++ b/python3.11.spec
@@ -17,7 +17,7 @@ URL: https://www.python.org/
#global prerel ...
%global upstream_version %{general_version}%{?prerel}
Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 4%{?dist}
+Release: 5%{?dist}
License: Python-2.0.1
@@ -409,6 +409,18 @@ Patch484: 00484-cve-2026-3644.patch
# Stack overflow parsing XML with deeply nested DTD content models
Patch485: 00485-cve-2026-4224.patch
+# 00489 # 008af720a5f6f98ed3feb8ebdbf88ab9dea4db22
+# Use BIO_eof to detect EOF for SSL_FILETYPE_ASN1
+#
+# In PEM, we need to parse until error and then suppress `PEM_R_NO_START_LINE`, because PEM allows arbitrary leading and trailing data. DER, however, does not. Parsing until error and suppressing `ASN1_R_HEADER_TOO_LONG` doesn't quite work because that error also covers some cases that should be rejected.
+#
+# Instead, check `BIO_eof` early and stop the loop that way.
+#
+# This fixes https://github.com/python/cpython/issues/151504 and adds compatibility with OpenSSL 3.5.7+
+#
+# (cherry-picked from commit acfe02f3b05436658d92add6b168538b30f357f0)
+Patch489: 00489-openssl-3.5.7.patch
+
# (New patches go here ^^^)
#
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
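Review bot: The comment block above `Patch489` carries two different commit ids, `008af720a5f6f98ed3feb8ebdbf88ab9dea4db22` on the `# 00489 #` line and `acfe02f3b05436658d92add6b168538b30f357f0` on the cherry-pick line, without saying which repository each one belongs to. Label them (for example, which is the upstream CPython commit and which is the downstream one) so the provenance of the backport can be checked. The long description line is also left unwrapped, unlike the short comment lines around it.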
@@ -1741,6 +1753,9 @@ CheckPython optimized
# ======================================================
%changelog
+* Thu Jul 02 2026 Miro Hrončok <mhroncok@redhat.com> - 3.11.15-5
+- Fix ssl.SSLError: [ASN1: NOT_ENOUGH_DATA] not enough data with OpenSSL 3.5.7+
+
* Fri Apr 17 2026 Charalampos Stratakis <cstratak@redhat.com> - 3.11.15-4
- Security fixes for CVE-2026-1502, CVE-2026-4786, CVE-2026-6100, CVE-2026-2297, CVE 2026-3644, CVE-2026-4224
Resolves: rhbz#2457941, rhbz#2458221, rhbz#2458013, rhbz#2444704, rhbz#2448188, rhbz#2448204