From 22e1cc9fb879ab1b423c8ba939738b9e7ac6a797 Mon Sep 17 00:00:00 2001 From: Bohuslav Kabrda Date: Mon, 20 May 2013 08:04:03 +0200 Subject: [PATCH] Add patch for CVE-2013-2099 (rhbz#963261). --- ...2013-2099-fix-ssl-match_hostname-dos.patch | 49 +++++++++++++++++++ python3.spec | 14 +++++- 2 files changed, 61 insertions(+), 2 deletions(-) create mode 100644 00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch diff --git a/00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch b/00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch new file mode 100644 index 0000000..888b43b --- /dev/null +++ b/00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch @@ -0,0 +1,49 @@ +# HG changeset patch +# User Antoine Pitrou +# Date 1368892602 -7200 +# Node ID c627638753e2d25a98950585b259104a025937a9 +# Parent 9682241dc8fcb4b1aef083bd30860efa070c3d6d +Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099). + +diff --git a/Lib/ssl.py b/Lib/ssl.py +--- a/Lib/ssl.py ++++ b/Lib/ssl.py +@@ -129,9 +129,16 @@ class CertificateError(ValueError): + pass + + +-def _dnsname_to_pat(dn): ++def _dnsname_to_pat(dn, max_wildcards=1): + pats = [] + for frag in dn.split(r'.'): ++ if frag.count('*') > max_wildcards: ++ # Issue #17980: avoid denials of service by refusing more ++ # than one wildcard per fragment. A survery of established ++ # policy among SSL implementations showed it to be a ++ # reasonable choice. ++ raise CertificateError( ++ "too many wildcards in certificate DNS name: " + repr(dn)) + if frag == '*': + # When '*' is a fragment by itself, it matches a non-empty dotless + # fragment. +diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py +--- a/Lib/test/test_ssl.py ++++ b/Lib/test/test_ssl.py +@@ -349,6 +349,17 @@ class BasicSocketTests(unittest.TestCase + self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com') + self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com') + ++ # Issue #17980: avoid denials of service by refusing more than one ++ # wildcard per fragment. ++ cert = {'subject': ((('commonName', 'a*b.com'),),)} ++ ok(cert, 'axxb.com') ++ cert = {'subject': ((('commonName', 'a*b.co*'),),)} ++ ok(cert, 'axxb.com') ++ cert = {'subject': ((('commonName', 'a*b*.com'),),)} ++ with self.assertRaises(ssl.CertificateError) as cm: ++ ssl.match_hostname(cert, 'axxbxxc.com') ++ self.assertIn("too many wildcards", str(cm.exception)) ++ + def test_server_side(self): + # server_hostname doesn't work for server sockets + ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) diff --git a/python3.spec b/python3.spec index a35ec9d..93d8ab7 100644 --- a/python3.spec +++ b/python3.spec @@ -126,7 +126,7 @@ Summary: Version 3 of the Python programming language aka Python 3000 Name: python3 Version: %{pybasever}.2 -Release: 1%{?dist} +Release: 2%{?dist} License: Python Group: Development/Languages @@ -584,10 +584,16 @@ Patch180: 00180-python-add-support-for-ppc64p7.patch # Patch181: 00181-allow-arbitrary-timeout-in-condition-wait.patch # Does not affect python3 -# 00181 # +# 00182 # # Fixed upstream as of Python 3.3.2 # Patch182: 00182-fix-test_gdb-test_threads.patch +# 00183 # +# Upstream fix for CVE-2013-2099 (ssl.match_hostname DOS) +# http://bugs.python.org/issue17980 +# http://hg.python.org/cpython/rev/c627638753e2 +Patch183: 00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch + # (New patches go here ^^^) # @@ -844,6 +850,7 @@ done %patch180 -p1 # 00181: not for python3 # 00182: upstream as of Python 3.3.2 +%patch183 -p1 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there # are many differences between 2.6 and the Python 3 library. @@ -1684,6 +1691,9 @@ rm -fr %{buildroot} # ====================================================== %changelog +* Mon May 20 2013 Bohuslav Kabrda - 3.3.2-2 +- Add patch for CVE-2013-2099 (rhbz#963261). + * Thu May 16 2013 Bohuslav Kabrda - 3.3.2-1 - Updated to Python 3.3.2. - Refreshed patches: 153 (gdb test noise)