rpms / python

Clone
Source Code
GIT

Blame SOURCES/00317-CVE-2019-5010-ssl-crl.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c7-ppc64le c7-sig-altarch-armhfp
  1.   f350fcaea2b604e7cfb454abe8e54fe792ea8bf9
  2.   SOURCES
  3.   00317-CVE-2019-5010-ssl-crl.patch
Blob History Raw
cb219e 
commit 88a31ffeccce13192a474f4981b9cf6cfdfe065e
cb219e 
Author: Victor Stinner <vstinner@redhat.com>
cb219e 
Date:   Wed Mar 20 17:43:20 2019 +0100
cb219e
cb219e 
    bpo-35746: Fix segfault in ssl's cert parser (GH-11569)
cb219e
cb219e 
    Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
cb219e 
    distribution points with empty DP or URI correctly. A malicious or buggy
cb219e 
    certificate can result into segfault.
cb219e
cb219e 
    Signed-off-by: Christian Heimes <christian@python.org>
cb219e
cb219e 
    https://bugs.python.org/issue35746
cb219e 
    (cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3)
cb219e
cb219e 
    Co-authored-by: Christian Heimes <christian@python.org>
cb219e
cb219e 
diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem
cb219e 
new file mode 100644
cb219e 
index 0000000..13b95a7
cb219e 
--- /dev/null
cb219e 
+++ b/Lib/test/talos-2019-0758.pem
cb219e 
@@ -0,0 +1,22 @@
cb219e 
+-----BEGIN CERTIFICATE-----
cb219e 
+MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO
cb219e 
+BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7
cb219e 
+MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh
cb219e 
+bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB
cb219e 
+J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES
cb219e 
+V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD
cb219e 
+5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C
cb219e 
+1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP
cb219e 
+WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF
cb219e 
+j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp
cb219e 
+HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io
cb219e 
+UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7
cb219e 
+2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu
cb219e 
+bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG
cb219e 
+SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p
cb219e 
+t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr
cb219e 
+t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit
cb219e 
+p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV
cb219e 
+Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+
cb219e 
+10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA==
cb219e 
+-----END CERTIFICATE-----
cb219e 
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
cb219e 
index f7a6746..31af578 100644
cb219e 
--- a/Lib/test/test_ssl.py
cb219e 
+++ b/Lib/test/test_ssl.py
cb219e 
@@ -68,6 +68,7 @@ WRONGCERT = data_file("XXXnonexisting.pem")
cb219e 
 BADKEY = data_file("badkey.pem")
cb219e 
 NOKIACERT = data_file("nokia.pem")
cb219e 
 NULLBYTECERT = data_file("nullbytecert.pem")
cb219e 
+TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")
cb219e
cb219e 
 DHFILE = data_file("dh1024.pem")
cb219e 
 BYTES_DHFILE = DHFILE.encode(sys.getfilesystemencoding())
cb219e 
@@ -238,6 +239,27 @@ class BasicSocketTests(unittest.TestCase):
cb219e 
                          ('IP Address', '2001:DB8:0:0:0:0:0:1\n'))
cb219e 
                         )
cb219e
cb219e 
+    def test_parse_cert_CVE_2019_5010(self):
cb219e 
+        p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
cb219e 
+        if support.verbose:
cb219e 
+            sys.stdout.write("\n" + pprint.pformat(p) + "\n")
cb219e 
+        self.assertEqual(
cb219e 
+            p,
cb219e 
+            {
cb219e 
+                'issuer': (
cb219e 
+                    (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
cb219e 
+                'notAfter': 'Jun 14 18:00:58 2028 GMT',
cb219e 
+                'notBefore': 'Jun 18 18:00:58 2018 GMT',
cb219e 
+                'serialNumber': '02',
cb219e 
+                'subject': ((('countryName', 'UK'),),
cb219e 
+                            (('commonName',
cb219e 
+                              'codenomicon-vm-2.test.lal.cisco.com'),)),
cb219e 
+                'subjectAltName': (
cb219e 
+                    ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
cb219e 
+                'version': 3
cb219e 
+            }
cb219e 
+        )
cb219e 
+
cb219e 
     def test_parse_all_sans(self):
cb219e 
         p = ssl._ssl._test_decode_cert(ALLSANFILE)
cb219e 
         self.assertEqual(p['subjectAltName'],
cb219e 
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
cb219e 
index 6220bea..baea6e1 100644
cb219e 
--- a/Modules/_ssl.c
cb219e 
+++ b/Modules/_ssl.c
cb219e 
@@ -1103,6 +1103,10 @@ _get_crl_dp(X509 *certificate) {
cb219e 
         STACK_OF(GENERAL_NAME) *gns;
cb219e
cb219e 
         dp = sk_DIST_POINT_value(dps, i);
cb219e 
+        if (dp->distpoint == NULL) {
cb219e 
+            /* Ignore empty DP value, CVE-2019-5010 */
cb219e 
+            continue;
cb219e 
+        }
cb219e 
         gns = dp->distpoint->name.fullname;
cb219e
cb219e 
         for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation