Update to version 0.6.2

.github/workflows/main.yml

@@ -39,6 +39,7 @@ jobs:
           - "3.11"
           - "3.12"
           - "3.13"
+          - "3.14"
           - "pypy-3.8"
           - "pypy-3.9"
           - "pypy-3.10"
@@ -52,7 +53,7 @@ jobs:
           allow-prereleases: true
           cache: "pip"
       - name: "Update pip"
-        run: python -m pip install --upgrade pip setuptools wheel
+        run: python -m pip install --upgrade pip
       - name: "Install tox dependencies"
         run: python -m pip install --upgrade tox tox-gh-actions
       - name: "Run tox for ${{ matrix.python-version }}"
@@ -71,7 +72,7 @@ jobs:
           python-version: "3.x"
           cache: "pip"
       - name: "Update pip"
-        run: python -m pip install --upgrade pip setuptools wheel
+        run: python -m pip install --upgrade pip
       - name: "Install 'build'"
         run: python -m pip install --upgrade build
       - name: "Run 'build'"

.github/workflows/pypi.yml

@@ -39,7 +39,7 @@ jobs:
         with:
           python-version: "3.x"
       - name: "Update pip"
-        run: python -m pip install --upgrade pip setuptools wheel
+        run: python -m pip install --upgrade pip
       - name: "Install 'build' and 'twine'"
         run: python -m pip install --upgrade build twine
       - name: "Run 'build'"

CHANGES.rst

@@ -1,3 +1,17 @@
+Revision 0.6.2, released 16-01-2026
+---------------------------------------
+
+- CVE-2026-23490 (GHSA-63vm-454h-vhhq): Fixed continuation octet limits
+  in OID/RELATIVE-OID decoder (thanks to tsigouris007)
+- Added support for Python 3.14
+  [pr #97](https://github.com/pyasn1/pyasn1/pull/97)
+- Added SECURITY.md policy
+- Fixed unit tests failing due to missing code
+  [issue #91](https://github.com/pyasn1/pyasn1/issues/91)
+  [pr #92](https://github.com/pyasn1/pyasn1/pull/92)
+- Migrated to pyproject.toml packaging
+  [pr #90](https://github.com/pyasn1/pyasn1/pull/90)
+
 Revision 0.6.1, released 10-09-2024
 ---------------------------------------
 

SECURITY.md

@@ -0,0 +1,13 @@
+# Security Policy
+
+## Supported Versions
+
+Security updates are applied only to the latest release.
+
+## Reporting a Vulnerability
+
+If you have discovered a security vulnerability in this project, please report it privately. **Do not disclose it as a public issue.** This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released.
+
+Please disclose it at our [security advisory](https://github.com/pyasn1/pyasn1/security/advisories/new).
+
+This project is maintained by a team of volunteers on a reasonable-effort basis. As such, vulnerabilities will be disclosed in a best effort base.

docs/source/conf.py

@@ -126,7 +126,7 @@
     'logo': 'logo.svg',
     'description': '<p align=left><i><b>Brewing free software for the greater good</i></b></p>',
     'show_powered_by': False,
-    'github_user': 'etingof',
+    'github_user': 'pyasn1',
     'github_repo': 'pyasn1',
     'fixed_sidebar': True,
 }

pyasn1/__init__.py

@@ -1,2 +1,2 @@
 # https://www.python.org/dev/peps/pep-0396/
-__version__ = '0.6.1'
+__version__ = '0.6.2'

pyasn1/codec/ber/decoder.py

@@ -33,6 +33,10 @@
 
 SubstrateUnderrunError = error.SubstrateUnderrunError
 
+# Maximum number of continuation octets (high-bit set) allowed per OID arc.
+# 20 octets allows up to 140-bit integers, supporting UUID-based OIDs
+MAX_OID_ARC_CONTINUATION_OCTETS = 20
+
 
 class AbstractPayloadDecoder(object):
     protoComponent = None
@@ -427,7 +431,14 @@ def valueDecoder(self, substrate, asn1Spec,
                 # Construct subid from a number of octets
                 nextSubId = subId
                 subId = 0
+                continuationOctetCount = 0
                 while nextSubId >= 128:
+                    continuationOctetCount += 1
+                    if continuationOctetCount > MAX_OID_ARC_CONTINUATION_OCTETS:
+                        raise error.PyAsn1Error(
+                            'OID arc exceeds maximum continuation octets limit (%d) '
+                            'at position %d' % (MAX_OID_ARC_CONTINUATION_OCTETS, index)
+                        )
                     subId = (subId << 7) + (nextSubId & 0x7F)
                     if index >= substrateLen:
                         raise error.SubstrateUnderrunError(
@@ -485,7 +496,14 @@ def valueDecoder(self, substrate, asn1Spec,
                 # Construct subid from a number of octets
                 nextSubId = subId
                 subId = 0
+                continuationOctetCount = 0
                 while nextSubId >= 128:
+                    continuationOctetCount += 1
+                    if continuationOctetCount > MAX_OID_ARC_CONTINUATION_OCTETS:
+                        raise error.PyAsn1Error(
+                            'RELATIVE-OID arc exceeds maximum continuation octets limit (%d) '
+                            'at position %d' % (MAX_OID_ARC_CONTINUATION_OCTETS, index)
+                        )
                     subId = (subId << 7) + (nextSubId & 0x7F)
                     if index >= substrateLen:
                         raise error.SubstrateUnderrunError(
@@ -1915,7 +1933,7 @@ class StreamingDecoder(object):
         :py:class:`~pyasn1.error.SubstrateUnderrunError` object indicating
         insufficient BER/CER/DER serialization on input to fully recover ASN.1
         objects from it.
-        
+
         In the latter case the caller is advised to ensure some more data in
         the input stream, then call the iterator again. The decoder will resume
         the decoding process using the newly arrived data.

pyasn1/codec/streaming.py

@@ -83,7 +83,8 @@ def asSeekableStream(substrate):
 
     Parameters
     ----------
-    substrate: :py:class:`bytes` or :py:class:`io.IOBase` or :py:class:`univ.OctetString`
+    substrate: :py:class:`bytes` or :py:class:`bytearray` or :py:class:`memoryview`
+        or :py:class:`io.IOBase` or :py:class:`univ.OctetString`
 
     Returns
     -------
@@ -97,7 +98,7 @@ def asSeekableStream(substrate):
     if isinstance(substrate, io.BytesIO):
         return substrate
 
-    elif isinstance(substrate, bytes):
+    elif isinstance(substrate, (bytes, bytearray, memoryview)):
         return io.BytesIO(substrate)
 
     elif isinstance(substrate, univ.OctetString):

pyproject.toml

@@ -3,3 +3,69 @@ requires = [
     "setuptools"
 ]
 build-backend = "setuptools.build_meta"
+
+[project]
+name = "pyasn1"
+license.text = "BSD-2-Clause"  # Replace with 'license' once Python 3.8 is dropped
+description = "Pure-Python implementation of ASN.1 types and DER/BER/CER codecs (X.208)"
+readme = "README.md"
+authors = [
+    {name = "Ilya Etingof", email = "etingof@gmail.com"}
+]
+maintainers = [
+    {name = "pyasn1 maintenance organization"},
+    {name = "Christian Heimes", email = "christian@python.org"}
+]
+requires-python = ">=3.8"
+classifiers = [
+    "Development Status :: 5 - Production/Stable",
+    "Environment :: Console",
+    "Intended Audience :: Developers",
+    "Intended Audience :: Education",
+    "Intended Audience :: Information Technology",
+    "Intended Audience :: System Administrators",
+    "Intended Audience :: Telecommunications Industry",
+    "Natural Language :: English",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.8",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
+    "Programming Language :: Python :: Implementation :: CPython",
+    "Programming Language :: Python :: Implementation :: PyPy",
+    "Topic :: Communications",
+    "Topic :: Software Development :: Libraries :: Python Modules"
+]
+dynamic = ["version"]
+
+[project.urls]
+"Homepage" = "https://github.com/pyasn1/pyasn1"
+"Documentation" = "https://pyasn1.readthedocs.io"
+"Source" = "https://github.com/pyasn1/pyasn1"
+"Issues" = "https://github.com/pyasn1/pyasn1/issues"
+"Changelog" = "https://pyasn1.readthedocs.io/en/latest/changelog.html"
+
+[tool.setuptools]
+zip-safe = true
+platforms = ["any"]
+# Additional files to include in the distribution (replaces MANIFEST.in functionality)
+include-package-data = true
+license-files = ["LICENSE.rst"]  # Replace with 'project.license-files' once Python 3.8 is dropped
+
+[tool.setuptools.dynamic]
+version = {attr = "pyasn1.__version__"}
+
+[tool.setuptools.packages.find]
+include = [
+    "pyasn1*"
+]
+
+[tool.setuptools.package-data]
+"*" = [
+    "*.rst",
+    "*.md"
+]

tests/__main__.py

@@ -9,8 +9,7 @@
 suite = unittest.TestLoader().loadTestsFromNames(
     ['tests.test_debug.suite',
      'tests.type.__main__.suite',
-     'tests.codec.__main__.suite',
-     'tests.compat.__main__.suite']
+     'tests.codec.__main__.suite']
 )