Add patch for CVE-2013-2099 (rhbz#963261).
This commit is contained in:
parent
d4ea6cd725
commit
22e1cc9fb8
49
00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch
Normal file
49
00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# User Antoine Pitrou <solipsis@pitrou.net>
|
||||||
|
# Date 1368892602 -7200
|
||||||
|
# Node ID c627638753e2d25a98950585b259104a025937a9
|
||||||
|
# Parent 9682241dc8fcb4b1aef083bd30860efa070c3d6d
|
||||||
|
Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
|
||||||
|
|
||||||
|
diff --git a/Lib/ssl.py b/Lib/ssl.py
|
||||||
|
--- a/Lib/ssl.py
|
||||||
|
+++ b/Lib/ssl.py
|
||||||
|
@@ -129,9 +129,16 @@ class CertificateError(ValueError):
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
-def _dnsname_to_pat(dn):
|
||||||
|
+def _dnsname_to_pat(dn, max_wildcards=1):
|
||||||
|
pats = []
|
||||||
|
for frag in dn.split(r'.'):
|
||||||
|
+ if frag.count('*') > max_wildcards:
|
||||||
|
+ # Issue #17980: avoid denials of service by refusing more
|
||||||
|
+ # than one wildcard per fragment. A survery of established
|
||||||
|
+ # policy among SSL implementations showed it to be a
|
||||||
|
+ # reasonable choice.
|
||||||
|
+ raise CertificateError(
|
||||||
|
+ "too many wildcards in certificate DNS name: " + repr(dn))
|
||||||
|
if frag == '*':
|
||||||
|
# When '*' is a fragment by itself, it matches a non-empty dotless
|
||||||
|
# fragment.
|
||||||
|
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
|
||||||
|
--- a/Lib/test/test_ssl.py
|
||||||
|
+++ b/Lib/test/test_ssl.py
|
||||||
|
@@ -349,6 +349,17 @@ class BasicSocketTests(unittest.TestCase
|
||||||
|
self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
|
||||||
|
self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
|
||||||
|
|
||||||
|
+ # Issue #17980: avoid denials of service by refusing more than one
|
||||||
|
+ # wildcard per fragment.
|
||||||
|
+ cert = {'subject': ((('commonName', 'a*b.com'),),)}
|
||||||
|
+ ok(cert, 'axxb.com')
|
||||||
|
+ cert = {'subject': ((('commonName', 'a*b.co*'),),)}
|
||||||
|
+ ok(cert, 'axxb.com')
|
||||||
|
+ cert = {'subject': ((('commonName', 'a*b*.com'),),)}
|
||||||
|
+ with self.assertRaises(ssl.CertificateError) as cm:
|
||||||
|
+ ssl.match_hostname(cert, 'axxbxxc.com')
|
||||||
|
+ self.assertIn("too many wildcards", str(cm.exception))
|
||||||
|
+
|
||||||
|
def test_server_side(self):
|
||||||
|
# server_hostname doesn't work for server sockets
|
||||||
|
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
|
14
python3.spec
14
python3.spec
@ -126,7 +126,7 @@
|
|||||||
Summary: Version 3 of the Python programming language aka Python 3000
|
Summary: Version 3 of the Python programming language aka Python 3000
|
||||||
Name: python3
|
Name: python3
|
||||||
Version: %{pybasever}.2
|
Version: %{pybasever}.2
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: Python
|
License: Python
|
||||||
Group: Development/Languages
|
Group: Development/Languages
|
||||||
|
|
||||||
@ -584,10 +584,16 @@ Patch180: 00180-python-add-support-for-ppc64p7.patch
|
|||||||
# Patch181: 00181-allow-arbitrary-timeout-in-condition-wait.patch
|
# Patch181: 00181-allow-arbitrary-timeout-in-condition-wait.patch
|
||||||
# Does not affect python3
|
# Does not affect python3
|
||||||
|
|
||||||
# 00181 #
|
# 00182 #
|
||||||
# Fixed upstream as of Python 3.3.2
|
# Fixed upstream as of Python 3.3.2
|
||||||
# Patch182: 00182-fix-test_gdb-test_threads.patch
|
# Patch182: 00182-fix-test_gdb-test_threads.patch
|
||||||
|
|
||||||
|
# 00183 #
|
||||||
|
# Upstream fix for CVE-2013-2099 (ssl.match_hostname DOS)
|
||||||
|
# http://bugs.python.org/issue17980
|
||||||
|
# http://hg.python.org/cpython/rev/c627638753e2
|
||||||
|
Patch183: 00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch
|
||||||
|
|
||||||
|
|
||||||
# (New patches go here ^^^)
|
# (New patches go here ^^^)
|
||||||
#
|
#
|
||||||
@ -844,6 +850,7 @@ done
|
|||||||
%patch180 -p1
|
%patch180 -p1
|
||||||
# 00181: not for python3
|
# 00181: not for python3
|
||||||
# 00182: upstream as of Python 3.3.2
|
# 00182: upstream as of Python 3.3.2
|
||||||
|
%patch183 -p1
|
||||||
|
|
||||||
# Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
|
# Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
|
||||||
# are many differences between 2.6 and the Python 3 library.
|
# are many differences between 2.6 and the Python 3 library.
|
||||||
@ -1684,6 +1691,9 @@ rm -fr %{buildroot}
|
|||||||
# ======================================================
|
# ======================================================
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon May 20 2013 Bohuslav Kabrda <bkabrda@redhat.com> - 3.3.2-2
|
||||||
|
- Add patch for CVE-2013-2099 (rhbz#963261).
|
||||||
|
|
||||||
* Thu May 16 2013 Bohuslav Kabrda <bkabrda@redhat.com> - 3.3.2-1
|
* Thu May 16 2013 Bohuslav Kabrda <bkabrda@redhat.com> - 3.3.2-1
|
||||||
- Updated to Python 3.3.2.
|
- Updated to Python 3.3.2.
|
||||||
- Refreshed patches: 153 (gdb test noise)
|
- Refreshed patches: 153 (gdb test noise)
|
||||||
|
Loading…
Reference in New Issue
Block a user