Add patch for CVE-2013-2099 (rhbz#963261).

2013-05-20 09:12:45 +02:00 · 2013-05-20 09:12:45 +02:00 · 20822507e4
commit 20822507e4
parent fda6bedf04 22e1cc9fb8
2 changed files with 61 additions and 2 deletions
--- a/00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch
+++ b/00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch
@ -0,0 +1,49 @@
 # HG changeset patch
 # User Antoine Pitrou <solipsis@pitrou.net>
 # Date 1368892602 -7200
 # Node ID c627638753e2d25a98950585b259104a025937a9
 # Parent  9682241dc8fcb4b1aef083bd30860efa070c3d6d
 Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
 diff --git a/Lib/ssl.py b/Lib/ssl.py
 --- a/Lib/ssl.py
 +++ b/Lib/ssl.py
@@ -129,9 +129,16 @@ class CertificateError(ValueError):
     pass
 -def _dnsname_to_pat(dn):
 +def _dnsname_to_pat(dn, max_wildcards=1):
     pats = []
     for frag in dn.split(r'.'):
 +        if frag.count('*') > max_wildcards:
 +            # Issue #17980: avoid denials of service by refusing more
 +            # than one wildcard per fragment.  A survery of established
 +            # policy among SSL implementations showed it to be a
 +            # reasonable choice.
 +            raise CertificateError(
 +                "too many wildcards in certificate DNS name: " + repr(dn))
         if frag == '*':
             # When '*' is a fragment by itself, it matches a non-empty dotless
             # fragment.
 diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
 --- a/Lib/test/test_ssl.py
 +++ b/Lib/test/test_ssl.py
@@ -349,6 +349,17 @@ class BasicSocketTests(unittest.TestCase
         self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
         self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
 +        # Issue #17980: avoid denials of service by refusing more than one
 +        # wildcard per fragment.
 +        cert = {'subject': ((('commonName', 'a*b.com'),),)}
 +        ok(cert, 'axxb.com')
 +        cert = {'subject': ((('commonName', 'a*b.co*'),),)}
 +        ok(cert, 'axxb.com')
 +        cert = {'subject': ((('commonName', 'a*b*.com'),),)}
 +        with self.assertRaises(ssl.CertificateError) as cm:
 +            ssl.match_hostname(cert, 'axxbxxc.com')
 +        self.assertIn("too many wildcards", str(cm.exception))
 +
     def test_server_side(self):
         # server_hostname doesn't work for server sockets
         ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
--- a/python3.spec
+++ b/python3.spec
@ -126,7 +126,7 @@
 Summary: Version 3 of the Python programming language aka Python 3000
 Name: python3
 Version: %{pybasever}.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Python
 Group: Development/Languages
@ -584,10 +584,16 @@ Patch180: 00180-python-add-support-for-ppc64p7.patch
 #  Patch181: 00181-allow-arbitrary-timeout-in-condition-wait.patch
 # Does not affect python3
-# 00181 #
+# 00182 #
 # Fixed upstream as of Python 3.3.2
 #  Patch182: 00182-fix-test_gdb-test_threads.patch
 # 00183 #
 # Upstream fix for CVE-2013-2099 (ssl.match_hostname DOS)
 # http://bugs.python.org/issue17980
 # http://hg.python.org/cpython/rev/c627638753e2
 Patch183: 00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch
 # (New patches go here ^^^)
 #
@ -844,6 +850,7 @@ done
 %patch180 -p1
 # 00181: not for python3
 # 00182: upstream as of Python 3.3.2
 %patch183 -p1
 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
 # are many differences between 2.6 and the Python 3 library.
@ -1684,6 +1691,9 @@ rm -fr %{buildroot}
 # ======================================================
 %changelog
 * Mon May 20 2013 Bohuslav Kabrda <bkabrda@redhat.com> - 3.3.2-2
 - Add patch for CVE-2013-2099 (rhbz#963261).
 * Thu May 16 2013 Bohuslav Kabrda <bkabrda@redhat.com> - 3.3.2-1
 - Updated to Python 3.3.2.
 - Refreshed patches: 153 (gdb test noise)