From f97fada74b1a1e58594cdd2d3baede96e0b3236a Mon Sep 17 00:00:00 2001
From: "deepin-community-bot[bot]"
 <156989552+deepin-community-bot[bot]@users.noreply.github.com>
Date: Wed, 25 Mar 2026 09:36:58 +0000
Subject: [PATCH] feat: update python-cryptography to 43.0.0-3+deb13u1

---
 debian/changelog                         |  20 ++++
 debian/control                           |   9 +-
 debian/gbp.conf                          |   1 +
 debian/patches/0006-CVE-2026-26007.patch | 141 +++++++++++++++++++++++
 debian/patches/series                    |   1 +
 debian/salsa-ci.yml                      |   6 +
 6 files changed, 172 insertions(+), 6 deletions(-)
 create mode 100644 debian/patches/0006-CVE-2026-26007.patch
 create mode 100644 debian/salsa-ci.yml

diff --git a/debian/changelog b/debian/changelog
index 8234f57..c6cea68 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,23 @@
+python-cryptography (43.0.0-3+deb13u1) trixie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2026-26007: Missing validation in EC public key creation.
+    (Closes: #1127926)
+
+ -- Arnaud Rebillout <arnaudr@debian.org>  Wed, 04 Mar 2026 14:17:04 +0700
+
+python-cryptography (43.0.0-3) unstable; urgency=medium
+
+  [ Peter Michael Green ]
+  * Fix overly strict build-dependency for cc crate (Closes: #1104046).
+
+  [ Andrey Rakhmatullin ]
+  * Bump Standards-Version to 4.7.2.
+  * Remove Rules-Requires-Root.
+  * Remove no longer needed Python 3 mentions from the package description.
+
+ -- Andrey Rakhmatullin <wrar@debian.org>  Fri, 25 Apr 2025 11:17:42 +0500
+
 python-cryptography (43.0.0-2) unstable; urgency=medium
 
   * Restore B-D: python3-setuptools (Closes: #1100262).
diff --git a/debian/control b/debian/control
index e2544fe..4ab5c1c 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Build-Depends: cargo,
                debhelper-compat (= 13),
                dh-sequence-python3,
                librust-asn1-0.20-dev,
-               librust-cc-1.1-dev,
+               librust-cc-1-dev (>= 1.1.6~),
                librust-cfg-if-dev,
                librust-foreign-types-0.3-dev,
                librust-foreign-types-shared-0.1-dev,
@@ -36,11 +36,10 @@ Build-Depends-Indep: dh-sequence-sphinxdoc <!nodoc>,
                      python3-doc <!nodoc>,
                      python3-sphinx <!nodoc>,
                      python3-sphinx-rtd-theme <!nodoc>,
-Standards-Version: 4.7.0
+Standards-Version: 4.7.2
 Vcs-Browser: https://salsa.debian.org/python-team/packages/python-cryptography
 Vcs-Git: https://salsa.debian.org/python-team/packages/python-cryptography.git
 Homepage: https://cryptography.io/
-Rules-Requires-Root: no
 Testsuite: autopkgtest-pkg-pybuild
 
 Package: python3-cryptography
@@ -51,7 +50,7 @@ Depends: python3-bcrypt,
          ${shlibs:Depends},
 Suggests: python-cryptography-doc,
           python3-cryptography-vectors,
-Description: Python library exposing cryptographic recipes and primitives (Python 3)
+Description: Python library exposing cryptographic recipes and primitives
  The cryptography library is designed to be a "one-stop-shop" for
  all your cryptographic needs in Python.
  .
@@ -65,8 +64,6 @@ Description: Python library exposing cryptographic recipes and primitives (Pytho
   - Absence of algorithms such as AES-GCM.
   - Poor introspectability, and thus poor testability.
   - Extremely error prone APIs, and bad defaults.
- .
- This package contains the Python 3 version of cryptography.
 
 Package: python-cryptography-doc
 Architecture: all
diff --git a/debian/gbp.conf b/debian/gbp.conf
index cec628c..41f8c87 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,2 +1,3 @@
 [DEFAULT]
+debian-branch = debian/trixie
 pristine-tar = True
diff --git a/debian/patches/0006-CVE-2026-26007.patch b/debian/patches/0006-CVE-2026-26007.patch
new file mode 100644
index 0000000..d45b202
--- /dev/null
+++ b/debian/patches/0006-CVE-2026-26007.patch
@@ -0,0 +1,141 @@
+From: Paul Kehrer <paul.l.kehrer@gmail.com>
+Date: Tue, 10 Feb 2026 12:32:06 -0600
+Subject: EC check key on cofactor > 1
+
+An attacker could create a malicious public key that reveals portions of
+your private key when using certain uncommon elliptic curves (binary
+curves).  This version now includes additional security checks to
+prevent this attack.  This issue only affects binary elliptic curves,
+which are rarely used in real-world applications. Credit to **XlabAI
+Team of Tencent Xuanwu Lab and Atuin Automated Vulnerability Discovery
+Engine** for reporting the issue.  **CVE-2026-26007**
+
+Debian note: this is a partial backport of upstream commit
+0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c, to only include what's
+relevant for CVE-2026-26007.
+
+Origin: backport, https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c
+---
+ src/rust/src/backend/ec.rs         | 41 ++++++++++++++++++++++++++------------
+ tests/hazmat/primitives/test_ec.py | 37 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 65 insertions(+), 13 deletions(-)
+
+diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs
+index 1573545..0ba36dc 100644
+--- a/src/rust/src/backend/ec.rs
++++ b/src/rust/src/backend/ec.rs
+@@ -148,12 +148,10 @@ pub(crate) fn public_key_from_pkey(
+ ) -> CryptographyResult<ECPublicKey> {
+     let ec = pkey.ec_key()?;
+     let curve = py_curve_from_curve(py, ec.group())?;
+-    check_key_infinity(&ec)?;
+-    Ok(ECPublicKey {
+-        pkey: pkey.to_owned(),
+-        curve: curve.into(),
+-    })
++
++    ECPublicKey::new(pkey.to_owned(), curve.into())
+ }
++
+ #[pyo3::pyfunction]
+ #[pyo3(signature = (curve, backend=None))]
+ fn generate_private_key(
+@@ -209,10 +207,7 @@ fn from_public_bytes(
+     let ec = openssl::ec::EcKey::from_public_key(&curve, &point)?;
+     let pkey = openssl::pkey::PKey::from_ec_key(ec)?;
+ 
+-    Ok(ECPublicKey {
+-        pkey,
+-        curve: py_curve.into(),
+-    })
++    ECPublicKey::new(pkey, py_curve.into())
+ }
+ 
+ #[pyo3::pymethods]
+@@ -374,6 +369,29 @@ impl ECPrivateKey {
+     }
+ }
+ 
++impl ECPublicKey {
++    fn new(
++        pkey: openssl::pkey::PKey<openssl::pkey::Public>,
++        curve: pyo3::Py<pyo3::PyAny>,
++    ) -> CryptographyResult<ECPublicKey> {
++        let ec = pkey.ec_key()?;
++        check_key_infinity(&ec)?;
++        let mut bn_ctx = openssl::bn::BigNumContext::new()?;
++        let mut cofactor = openssl::bn::BigNum::new()?;
++        ec.group().cofactor(&mut cofactor, &mut bn_ctx)?;
++        let one = openssl::bn::BigNum::from_u32(1)?;
++        if cofactor != one {
++            ec.check_key().map_err(|_| {
++                pyo3::exceptions::PyValueError::new_err(
++                    "Invalid EC key (key out of range, infinity, etc.)",
++                )
++            })?;
++        }
++
++        Ok(ECPublicKey { pkey, curve })
++    }
++}
++
+ #[pyo3::pymethods]
+ impl ECPublicKey {
+     #[getter]
+@@ -615,10 +633,7 @@ impl EllipticCurvePublicNumbers {
+ 
+         let pkey = openssl::pkey::PKey::from_ec_key(public_key)?;
+ 
+-        Ok(ECPublicKey {
+-            pkey,
+-            curve: self.curve.clone_ref(py),
+-        })
++        ECPublicKey::new(pkey, self.curve.clone_ref(py))
+     }
+ 
+     fn __eq__(
+diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py
+index d33fd10..1689b8b 100644
+--- a/tests/hazmat/primitives/test_ec.py
++++ b/tests/hazmat/primitives/test_ec.py
+@@ -1447,3 +1447,40 @@ class TestECDH:
+ 
+         with pytest.raises(ValueError):
+             key.exchange(ec.ECDH(), public_key)
++
++
++def test_invalid_sect_public_keys(backend):
++    _skip_curve_unsupported(backend, ec.SECT571K1())
++    public_numbers = ec.EllipticCurvePublicNumbers(1, 1, ec.SECT571K1())
++    with pytest.raises(ValueError):
++        public_numbers.public_key()
++
++    point = binascii.unhexlify(
++        b"0400000000000000000000000000000000000000000000000000000000000000000"
++        b"0000000000000000000000000000000000000000000000000000000000000000000"
++        b"0000000000010000000000000000000000000000000000000000000000000000000"
++        b"0000000000000000000000000000000000000000000000000000000000000000000"
++        b"0000000000000000000001"
++    )
++    with pytest.raises(ValueError):
++        ec.EllipticCurvePublicKey.from_encoded_point(ec.SECT571K1(), point)
++
++    der = binascii.unhexlify(
++        b"3081a7301006072a8648ce3d020106052b810400260381920004000000000000000"
++        b"0000000000000000000000000000000000000000000000000000000000000000000"
++        b"0000000000000000000000000000000000000000000000000000000000000100000"
++        b"0000000000000000000000000000000000000000000000000000000000000000000"
++        b"0000000000000000000000000000000000000000000000000000000000000000000"
++        b"00001"
++    )
++    with pytest.raises(ValueError):
++        serialization.load_der_public_key(der)
++
++    pem = textwrap.dedent("""-----BEGIN PUBLIC KEY-----
++    MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++    AAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE=
++    -----END PUBLIC KEY-----""").encode()
++    with pytest.raises(ValueError):
++        serialization.load_pem_public_key(pem)
diff --git a/debian/patches/series b/debian/patches/series
index c13a974..d61022d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ drop-cffi-dep.patch
 downgrade-deps.patch
 0004-update-to-asn1-0.19-and-use-X509GeneralizedTime.patch
 0005-Support-128-bit-OID-arcs-11820.patch
+0006-CVE-2026-26007.patch
diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml
new file mode 100644
index 0000000..96db271
--- /dev/null
+++ b/debian/salsa-ci.yml
@@ -0,0 +1,6 @@
+---
+include: 
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+  RELEASE: 'trixie'