Question: What are the fix patches for CVE-2023-52323?

[xiaoge1001]

I found 26 commits between versions 3.19.0 and 3.19.1. Which ones fix CVE-2023-52323?

My analysis should be the following commit:
afb5e27
519e7ae
0deea1b

In addition, does CVE-2023-52323 provide other information such as POC or issue? The information available is very limited.
https://nvd.nist.gov/vuln/detail/CVE-2023-52323
https://github.com/Legrandin/pycryptodome/blob/master/Changelog.rst#3191-28-december-2023
https://www.pycryptodome.org/src/changelog#december-2023

We look forward to your reply. Thanks.

[xiaoge1001]

This advisories is associated with the following patch:
0deea1b

[xiaoge1001]

https://groups.google.com/g/linux.debian.bugs.dist/c/ibzqvtwhi8M
It is also associated with the patch 0deea1b

[xiaoge1001]

https://security-tracker.debian.org/tracker/CVE-2023-52323
0deea1b

https://ubuntu.com/security/CVE-2023-52323
afb5e27
519e7ae
0deea1b

[eslerm]

[ removed, my mistake ]

[jiajia123-wind]

Hi @Legrandin,

I am facing a similar issue with WRLinux LTS23, which requires a patch on pycryptodome_3.17 to resolve CVE-2023-52323. Could you kindly provide the specific commit for this fix?

Thank you for your assistance!

[Legrandin]

The relevant commits were 0deea1b and afb5e27 , but since there were no breaking changes (see changelog) I would just update to at least version 19.1. Also, CVE score >7 is questionable ...

[jiajia123-wind]

Hi @Legrandin

Thank you very much for your response. However, we are now facing some issues and need your help. We are using pycryptodome version 3.10.1 in the OpenEmbedded-Core Hardknott branch. Since this branch is no longer maintained, we cannot resolve the issue by upgrading and have to rely on patching instead. Unfortunately, the patch from commit 0deea1b cannot be applied due to differences in the following section. Could you please take a look and help us address CVE-2023-52323 based on pycryptodome-3.10.1?

libCryptoCipherPKCS1_v1_5.py.rej.txt

Thank you in advance for your assistance.