Tree - rpms/python3 - CentOS Git server

rpms / python3

Files

Commit: ca6ccbfcbee2a391fb06481fe180fbb77e47e30a

Blob Blame History Raw

 From c660debb97f4f422255a82fef2d77804552c043a Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Tue, 15 Jan 2019 18:16:30 +0100
Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser
 
CVE-2019-5010, Fix a NULL pointer deref in ssl module. The cert parser did
not handle CRL distribution points with empty DP or URI correctly. A
malicious or buggy certificate can result into segfault.
 
Signed-off-by: Christian Heimes <christian@python.org>
---
 Lib/test/talos-2019-0758.pem                  | 22 +++++++++++++++++++
 Lib/test/test_ssl.py                          | 22 +++++++++++++++++++
 .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst  |  3 +++
 Modules/_ssl.c                                |  4 ++++
 4 files changed, 51 insertions(+)
 create mode 100644 Lib/test/talos-2019-0758.pem
 create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
 
diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem
new file mode 100644
index 000000000000..13b95a77fd8a
--- /dev/null
+++ b/Lib/test/talos-2019-0758.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO
+BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7
+MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh
+bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB
+J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES
+V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD
+5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C
+1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP
+WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF
+j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp
+HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io
+UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7
+2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu
+bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG
+SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p
+t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr
+t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit
+p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV
+Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+
+10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA==
+-----END CERTIFICATE-----
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 7f6b93148f45..1fc657f4d867 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -115,6 +115,7 @@ def data_file(*name):
 BADKEY = data_file("badkey.pem")
 NOKIACERT = data_file("nokia.pem")
 NULLBYTECERT = data_file("nullbytecert.pem")
+TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")
 
 DHFILE = data_file("ffdh3072.pem")
 BYTES_DHFILE = os.fsencode(DHFILE)
@@ -348,6 +349,27 @@ def test_parse_cert(self):
         self.assertEqual(p['crlDistributionPoints'],
                          ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))
 
+    def test_parse_cert_CVE_2019_5010(self):
+        p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
+        if support.verbose:
+            sys.stdout.write("\n" + pprint.pformat(p) + "\n")
+        self.assertEqual(
+            p,
+            {
+                'issuer': (
+                    (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
+                'notAfter': 'Jun 14 18:00:58 2028 GMT',
+                'notBefore': 'Jun 18 18:00:58 2018 GMT',
+                'serialNumber': '02',
+                'subject': ((('countryName', 'UK'),),
+                            (('commonName',
+                              'codenomicon-vm-2.test.lal.cisco.com'),)),
+                'subjectAltName': (
+                    ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
+                'version': 3
+            }
+        )
+
     def test_parse_cert_CVE_2013_4238(self):
         p = ssl._ssl._test_decode_cert(NULLBYTECERT)
         if support.verbose:
diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
new file mode 100644
index 000000000000..dffe347eec84
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
@@ -0,0 +1,3 @@
+[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did
+not handle CRL distribution points with empty DP or URI correctly. A
+malicious or buggy certificate can result into segfault.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 4e3352d9e661..0e720e268d93 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1515,6 +1515,10 @@ _get_crl_dp(X509 *certificate) {
         STACK_OF(GENERAL_NAME) *gns;
 
         dp = sk_DIST_POINT_value(dps, i);
+        if (dp->distpoint == NULL) {
+            /* Ignore empty DP value, CVE-2019-5010 */
+            continue;
+        }
         gns = dp->distpoint->name.fullname;
 
         for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {

	From c660debb97f4f422255a82fef2d77804552c043a Mon Sep 17 00:00:00 2001
	From: Christian Heimes <christian@python.org>
	Date: Tue, 15 Jan 2019 18:16:30 +0100
	Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser

	CVE-2019-5010, Fix a NULL pointer deref in ssl module. The cert parser did
	not handle CRL distribution points with empty DP or URI correctly. A
	malicious or buggy certificate can result into segfault.

	Signed-off-by: Christian Heimes <christian@python.org>
	---
	Lib/test/talos-2019-0758.pem \| 22 +++++++++++++++++++
	Lib/test/test_ssl.py \| 22 +++++++++++++++++++
	.../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst \| 3 +++
	Modules/_ssl.c \| 4 ++++
	4 files changed, 51 insertions(+)
	create mode 100644 Lib/test/talos-2019-0758.pem
	create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst

	diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem
	new file mode 100644
	index 000000000000..13b95a77fd8a
	--- /dev/null
	+++ b/Lib/test/talos-2019-0758.pem
	@@ -0,0 +1,22 @@
	+-----BEGIN CERTIFICATE-----
	+MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO
	+BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7
	+MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh
	+bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB
	+J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES
	+V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD
	+5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C
	+1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP
	+WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF
	+j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp
	+HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io
	+UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7
	+2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu
	+bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG
	+SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p
	+t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr
	+t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit
	+p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV
	+Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+
	+10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA==
	+-----END CERTIFICATE-----
	diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
	index 7f6b93148f45..1fc657f4d867 100644
	--- a/Lib/test/test_ssl.py
	+++ b/Lib/test/test_ssl.py
	@@ -115,6 +115,7 @@ def data_file(*name):
	BADKEY = data_file("badkey.pem")
	NOKIACERT = data_file("nokia.pem")
	NULLBYTECERT = data_file("nullbytecert.pem")
	+TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")

	DHFILE = data_file("ffdh3072.pem")
	BYTES_DHFILE = os.fsencode(DHFILE)
	@@ -348,6 +349,27 @@ def test_parse_cert(self):
	self.assertEqual(p['crlDistributionPoints'],
	('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))

	+ def test_parse_cert_CVE_2019_5010(self):
	+ p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
	+ if support.verbose:
	+ sys.stdout.write("\n" + pprint.pformat(p) + "\n")
	+ self.assertEqual(
	+ p,
	+ {
	+ 'issuer': (
	+ (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
	+ 'notAfter': 'Jun 14 18:00:58 2028 GMT',
	+ 'notBefore': 'Jun 18 18:00:58 2018 GMT',
	+ 'serialNumber': '02',
	+ 'subject': ((('countryName', 'UK'),),
	+ (('commonName',
	+ 'codenomicon-vm-2.test.lal.cisco.com'),)),
	+ 'subjectAltName': (
	+ ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
	+ 'version': 3
	+ }
	+ )
	+
	def test_parse_cert_CVE_2013_4238(self):
	p = ssl._ssl._test_decode_cert(NULLBYTECERT)
	if support.verbose:
	diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
	new file mode 100644
	index 000000000000..dffe347eec84
	--- /dev/null
	+++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
	@@ -0,0 +1,3 @@
	+[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did
	+not handle CRL distribution points with empty DP or URI correctly. A
	+malicious or buggy certificate can result into segfault.
	diff --git a/Modules/_ssl.c b/Modules/_ssl.c
	index 4e3352d9e661..0e720e268d93 100644
	--- a/Modules/_ssl.c
	+++ b/Modules/_ssl.c
	@@ -1515,6 +1515,10 @@ _get_crl_dp(X509 *certificate) {
	STACK_OF(GENERAL_NAME) *gns;

	dp = sk_DIST_POINT_value(dps, i);
	+ if (dp->distpoint == NULL) {
	+ /* Ignore empty DP value, CVE-2019-5010 */
	+ continue;
	+ }
	gns = dp->distpoint->name.fullname;

	for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {

rpms / python3

Source Code

Files