Add patch for CVE-2013-2099 (rhbz#963261).

00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch

@@ -0,0 +1,49 @@
+# HG changeset patch
+# User Antoine Pitrou <solipsis@pitrou.net>
+# Date 1368892602 -7200
+# Node ID c627638753e2d25a98950585b259104a025937a9
+# Parent  9682241dc8fcb4b1aef083bd30860efa070c3d6d
+Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
+
+diff --git a/Lib/ssl.py b/Lib/ssl.py
+--- a/Lib/ssl.py
++++ b/Lib/ssl.py
+@@ -129,9 +129,16 @@ class CertificateError(ValueError):
+     pass
+ 
+ 
+-def _dnsname_to_pat(dn):
++def _dnsname_to_pat(dn, max_wildcards=1):
+     pats = []
+     for frag in dn.split(r'.'):
++        if frag.count('*') > max_wildcards:
++            # Issue #17980: avoid denials of service by refusing more
++            # than one wildcard per fragment.  A survery of established
++            # policy among SSL implementations showed it to be a
++            # reasonable choice.
++            raise CertificateError(
++                "too many wildcards in certificate DNS name: " + repr(dn))
+         if frag == '*':
+             # When '*' is a fragment by itself, it matches a non-empty dotless
+             # fragment.
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -349,6 +349,17 @@ class BasicSocketTests(unittest.TestCase
+         self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
+         self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
+ 
++        # Issue #17980: avoid denials of service by refusing more than one
++        # wildcard per fragment.
++        cert = {'subject': ((('commonName', 'a*b.com'),),)}
++        ok(cert, 'axxb.com')
++        cert = {'subject': ((('commonName', 'a*b.co*'),),)}
++        ok(cert, 'axxb.com')
++        cert = {'subject': ((('commonName', 'a*b*.com'),),)}
++        with self.assertRaises(ssl.CertificateError) as cm:
++            ssl.match_hostname(cert, 'axxbxxc.com')
++        self.assertIn("too many wildcards", str(cm.exception))
++
+     def test_server_side(self):
+         # server_hostname doesn't work for server sockets
+         ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

python3.spec

@@ -126,7 +126,7 @@
 Summary: Version 3 of the Python programming language aka Python 3000
 Name: python3
 Version: %{pybasever}.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Python
 Group: Development/Languages
 
@@ -496,6 +496,13 @@ Patch163: 00163-disable-parts-of-test_socket-in-rpm-build.patch
 # disable those tests so that rebuilds on PPC can continue
 Patch164: 00164-disable-interrupted_write-tests-on-ppc.patch
 
+# 00183 #
+# Upstream fix for CVE-2013-2099 (ssl.match_hostname DOS)
+# http://bugs.python.org/issue17980
+# http://hg.python.org/cpython/rev/c627638753e2
+Patch183: 00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch
+
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora 17 onwards,
@@ -733,6 +740,7 @@ done
 %ifarch ppc %{power64}
 %patch164 -p1
 %endif
+%patch183 -p1
 
 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
 # are many differences between 2.6 and the Python 3 library.
@@ -1587,6 +1595,9 @@ rm -fr %{buildroot}
 # ======================================================
 
 %changelog
+* Mon May 20 2013 Bohuslav Kabrda <bkabrda@redhat.com> - 3.3.0-2
+- Add patch for CVE-2013-2099 (rhbz#963261).
+
 * Sat Sep 29 2012 David Malcolm <dmalcolm@redhat.com> - 3.3.0-1
 - 3.3.0rc3 -> 3.3.0; drop alphatag