diff --git a/.python-backports-ssl_match_hostname.metadata b/.python-backports-ssl_match_hostname.metadata
new file mode 100644
index 0000000..f56591a
--- /dev/null
+++ b/.python-backports-ssl_match_hostname.metadata
@@ -0,0 +1 @@
+6b6abbe957cdca15050f9b026f313032f9f583c2 SOURCES/backports.ssl_match_hostname-3.2a3.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch b/SOURCES/00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch
new file mode 100644
index 0000000..7b58dc2
--- /dev/null
+++ b/SOURCES/00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch
@@ -0,0 +1,29 @@
+# HG changeset patch
+# User Antoine Pitrou
+# Date 1368892602 -7200
+# Node ID c627638753e2d25a98950585b259104a025937a9
+# Parent 9682241dc8fcb4b1aef083bd30860efa070c3d6d
+Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
+
+Index: backports.ssl_match_hostname-3.2a3/src/backports/ssl_match_hostname/__init__.py
+===================================================================
+--- backports.ssl_match_hostname-3.2a3.orig/src/backports/ssl_match_hostname/__init__.py
++++ backports.ssl_match_hostname-3.2a3/src/backports/ssl_match_hostname/__init__.py
+@@ -7,9 +7,16 @@ __version__ = '3.2.2'
+ class CertificateError(ValueError):
+ pass
+
+-def _dnsname_to_pat(dn):
++def _dnsname_to_pat(dn, max_wildcards=1):
+ pats = []
+ for frag in dn.split(r'.'):
++ if frag.count('*') > max_wildcards:
++ # Issue #17980: avoid denials of service by refusing more
++ # than one wildcard per fragment. A survery of established
++ # policy among SSL implementations showed it to be a
++ # reasonable choice.
++ raise CertificateError(
++ "too many wildcards in certificate DNS name: " + repr(dn))
+ if frag == '*':
+ # When '*' is a fragment by itself, it matches a non-empty dotless
+ # fragment.
diff --git a/SOURCES/ssl_match_hostname-issue12000.patch b/SOURCES/ssl_match_hostname-issue12000.patch
new file mode 100644
index 0000000..86c18c3
--- /dev/null
+++ b/SOURCES/ssl_match_hostname-issue12000.patch
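Review bot: The guard added at `if frag.count('*') > max_wildcards:` bounds the backtracking caused by repeated `*` inside one label, but nothing in the hunk checks where a wildcard sits: `dn.split(r'.')` is walked label by label, so a `*` in a non-leftmost label such as `www.*.example.com` falls through to the `if frag == '*':` test and whatever follows it, and the stricter RFC 6125 §6.4.3 leftmost-label rule is presumably left to callers. Since the new comment presents the limit as a policy choice, it should also say what the limit does not cover, e.g. `# Caps wildcards per label to bound regex backtracking (CVE-2013-2099); wildcard position is not validated here.` The same comment spells "survey" as `survery`. `_dnsname_to_pat` continues past the hunk, and because `CertificateError` subclasses `ValueError`, any caller that catches `ValueError` around the handshake would also swallow this rejection — worth checking at the call sites.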
@@ -0,0 +1,24 @@
+diff -up backports.ssl_match_hostname-3.2a3/src/backports/ssl_match_hostname/__init__.py.orig backports.ssl_match_hostname-3.2a3/src/backports/ssl_match_hostname/__init__.py
+--- backports.ssl_match_hostname-3.2a3/src/backports/ssl_match_hostname/__init__.py.orig 2010-10-15 17:40:13.000000000 -0500
++++ backports.ssl_match_hostname-3.2a3/src/backports/ssl_match_hostname/__init__.py 2013-02-05 17:24:13.706427017 -0600
+@@ -2,7 +2,7 @@
+
+ import re
+
+-__version__ = '3.2a3'
++__version__ = '3.2.2'
+
+ class CertificateError(ValueError):
+ pass
+@@ -37,8 +37,9 @@ def match_hostname(cert, hostname):
+ if _dnsname_to_pat(value).match(hostname):
+ return
+ dnsnames.append(value)
+- if not san:
+- # The subject is only checked when subjectAltName is empty
++ if not dnsnames:
++ # The subject is only checked when there is no dNSName entry
++ # in subjectAltName
+ for sub in cert.get('subject', ()):
+ for key, value in sub:
+ # XXX according to RFC 2818, the most specific Common Name
diff --git a/SPECS/python-backports-ssl_match_hostname.spec b/SPECS/python-backports-ssl_match_hostname.spec
new file mode 100644
index 0000000..e248399
--- /dev/null
+++ b/SPECS/python-backports-ssl_match_hostname.spec
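Review bot: With `if not dnsnames:` the subject CN is now consulted whenever the SAN carried no dNSName, which — per the hunk's own comment — also covers a SAN holding only other entry types (e.g. iPAddress), a case the old `if not san:` excluded; this is a deliberate widening of what the CN can authenticate, not just a rename, and the comment should say so. Suggested wording for the two new comment lines: `# RFC 6125 6.4.4 / RFC 2818 3.1: consult the subject CN only when the SAN carries no dNSName; a SAN with only non-DNS entries still falls through to the CN`. `match_hostname` starts before the hunk (where `dnsnames` is filled by the SAN loop, visible only as the `dnsnames.append(value)` context line) and ends after it, so the exact `san` / `dnsnames` relationship is inferred rather than seen.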
@@ -0,0 +1,66 @@
+%global module_name backports.ssl_match_hostname
+%global alphatag a3
+%global fullversion %{version}%{alphatag}
+
+Name: python-backports-ssl_match_hostname
+Version: 3.2
+Release: 0.3.%{alphatag}%{?dist}
+Summary: The ssl.match_hostname() function from Python 3.2
+
+# Webpages claim MIT but the code is cut-and-paste from Python source code
+License: Python
+URL: https://bitbucket.org/brandon/backports.ssl_match_hostname
+Source0: http://pypi.python.org/packages/source/b/backports.ssl_match_hostname/backports.ssl_match_hostname-%{fullversion}.tar.gz
+# From the upstream scm
+Patch0: ssl_match_hostname-issue12000.patch
+# Slightly modified version of patch against python3.2+
+# http://bugs.python.org/issue17980#msg189525
+Patch1: 00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch
+
+BuildArch: noarch
+BuildRequires: python2-devel
+BuildRequires: python-setuptools
+
+%description
+The Secure Sockets layer is only actually secure if you check the hostname in
+the certificate returned by the server to which you are connecting, and verify
+that it matches to hostname that you are trying to reach.
+
+But the matching logic, defined in RFC2818, can be a bit tricky to implement on
+your own. So the ssl package in the Standard Library of Python 3.2 now includes
+a match_hostname() function for performing this check instead of requiring
+every application to implement the check separately.
+
+This backport brings match_hostname() to users of earlier versions of Python.
+The actual code inside comes verbatim from Python 3.2.
+
+
+%prep
+%setup -qn %{module_name}-%{fullversion}
+%patch0 -p1
+%patch1 -p1
+mv src/backports/ssl_match_hostname/README.txt ./
+
+
+%build
+python setup.py build
+
+
+%install
+python setup.py install --skip-build --root %{buildroot}
+
+
+%files
+%doc README.txt
+%{python_sitelib}/*
+
+
+%changelog
+* Mon May 20 2013 Toshio Kuratomi - 3.2-0.3.a3
+- Add patch for CVE 2013-2099 https://bugzilla.redhat.com/show_bug.cgi?id=963260
+
+* Tue Feb 05 2013 Ian Weller - 3.2-0.2.a3
+- Fix Python issue 12000
+
+* Fri Dec 07 2012 Ian Weller - 3.2-0.1.a3
+- Initial package build
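Review bot: The spec builds and installs the patched module but never runs it: there is no `%check` between `%install` and `%files`, so a rebuild in which `%patch1` applies but the wildcard guard is ineffective, or the issue-12000 CN fallback regresses, ships without notice. Adding a `%check` that imports the package from `build/lib` and asserts that a many-wildcard dNSName raises `CertificateError` while an ordinary `*.example.com` still matches turns the CVE fix into a build-time regression test; the cert dict below uses the `getpeercert()`-style `subjectAltName` / `subject` layout the patched code reads, which should be confirmed against the SAN loop that sits above the issue-12000 hunk. `Source0` is fetched over plain http, which is only acceptable because the tarball's 40-hex digest is pinned in `.python-backports-ssl_match_hostname.metadata`; a one-line comment above `Source0:` saying so keeps a future maintainer from treating the URL as the trust anchor.
```rpmspec
python setup.py install --skip-build --root %{buildroot}


%check
PYTHONPATH=build/lib python - <<'EOF'
from backports.ssl_match_hostname import match_hostname, CertificateError
# ordinary single wildcard must still match
match_hostname({'subjectAltName': (('DNS', '*.example.com'),)}, 'www.example.com')
# CVE-2013-2099: many wildcards in one label must be refused, not matched
try:
    match_hostname({'subjectAltName': (('DNS', '*' * 20 + '.example.com'),)}, 'www.example.com')
except CertificateError:
    pass
else:
    raise SystemExit('CVE-2013-2099 wildcard guard is not effective')
EOF
```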