Security fix for CVE-2019-5010

https://bugs.python.org/issue35746 https://bugzilla.redhat.com/show_bug.cgi?id=1666519 https://bugzilla.redhat.com/show_bug.cgi?id=1666522
2019-01-16 09:13:16 +01:00 · 2019-01-16 09:13:16 +01:00 · 4e7015b153
commit 4e7015b153
parent 053863ab41
2 changed files with 121 additions and 1 deletions
--- a/00317-CVE-2019-5010.patch
+++ b/00317-CVE-2019-5010.patch
@ -0,0 +1,111 @@
 From c660debb97f4f422255a82fef2d77804552c043a Mon Sep 17 00:00:00 2001
 From: Christian Heimes <christian@python.org>
 Date: Tue, 15 Jan 2019 18:16:30 +0100
 Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser
 CVE-2019-5010, Fix a NULL pointer deref in ssl module. The cert parser did
 not handle CRL distribution points with empty DP or URI correctly. A
 malicious or buggy certificate can result into segfault.
 Signed-off-by: Christian Heimes <christian@python.org>
 ---
 Lib/test/talos-2019-0758.pem                  | 22 +++++++++++++++++++
 Lib/test/test_ssl.py                          | 22 +++++++++++++++++++
 .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst  |  3 +++
 Modules/_ssl.c                                |  4 ++++
 4 files changed, 51 insertions(+)
 create mode 100644 Lib/test/talos-2019-0758.pem
 create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
 diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem
 new file mode 100644
 index 000000000000..13b95a77fd8a
 --- /dev/null
 +++ b/Lib/test/talos-2019-0758.pem
@@ -0,0 +1,22 @@
 +-----BEGIN CERTIFICATE-----
 +MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO
 +BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7
 +MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh
 +bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB
 +J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES
 +V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD
 +5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C
 +1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP
 +WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF
 +j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp
 +HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io
 +UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7
 +2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu
 +bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG
 +SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p
 +t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr
 +t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit
 +p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV
 +Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+
 +10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA==
 +-----END CERTIFICATE-----
 diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
 index 7f6b93148f45..1fc657f4d867 100644
 --- a/Lib/test/test_ssl.py
 +++ b/Lib/test/test_ssl.py
@@ -115,6 +115,7 @@ def data_file(*name):
 BADKEY = data_file("badkey.pem")
 NOKIACERT = data_file("nokia.pem")
 NULLBYTECERT = data_file("nullbytecert.pem")
 +TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")
 DHFILE = data_file("ffdh3072.pem")
 BYTES_DHFILE = os.fsencode(DHFILE)
@@ -348,6 +349,27 @@ def test_parse_cert(self):
         self.assertEqual(p['crlDistributionPoints'],
                          ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))
 +    def test_parse_cert_CVE_2019_5010(self):
 +        p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
 +        if support.verbose:
 +            sys.stdout.write("\n" + pprint.pformat(p) + "\n")
 +        self.assertEqual(
 +            p,
 +            {
 +                'issuer': (
 +                    (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
 +                'notAfter': 'Jun 14 18:00:58 2028 GMT',
 +                'notBefore': 'Jun 18 18:00:58 2018 GMT',
 +                'serialNumber': '02',
 +                'subject': ((('countryName', 'UK'),),
 +                            (('commonName',
 +                              'codenomicon-vm-2.test.lal.cisco.com'),)),
 +                'subjectAltName': (
 +                    ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
 +                'version': 3
 +            }
 +        )
 +
     def test_parse_cert_CVE_2013_4238(self):
         p = ssl._ssl._test_decode_cert(NULLBYTECERT)
         if support.verbose:
 diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
 new file mode 100644
 index 000000000000..dffe347eec84
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
@@ -0,0 +1,3 @@
 +[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did
 +not handle CRL distribution points with empty DP or URI correctly. A
 +malicious or buggy certificate can result into segfault.
 diff --git a/Modules/_ssl.c b/Modules/_ssl.c
 index 4e3352d9e661..0e720e268d93 100644
 --- a/Modules/_ssl.c
 +++ b/Modules/_ssl.c
@@ -1515,6 +1515,10 @@ _get_crl_dp(X509 *certificate) {
         STACK_OF(GENERAL_NAME) *gns;
         dp = sk_DIST_POINT_value(dps, i);
 +        if (dp->distpoint == NULL) {
 +            /* Ignore empty DP value, CVE-2019-5010 */
 +            continue;
 +        }
         gns = dp->distpoint->name.fullname;
         for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {
--- a/python3.spec
+++ b/python3.spec
@ -14,7 +14,7 @@ URL: https://www.python.org/
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
 Version: %{pybasever}.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: Python
@ -305,6 +305,11 @@ Patch274: 00274-fix-arch-names.patch
 # So we mark the command as unsupported - and the tests are skipped
 Patch316: 00316-mark-bdist_wininst-unsupported.patch
 # 00317 #
 # Security fix for CVE-2019-5010: Fix segfault in ssl's cert parser
 # Fixed upstream https://bugs.python.org/issue35746
 Patch317: 00317-CVE-2019-5010.patch
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -640,6 +645,7 @@ rm Lib/ensurepip/_bundled/*.whl
 %patch251 -p1
 %patch274 -p1
 %patch316 -p1
 %patch317 -p1
 # Remove files that should be generated by the build
@ -1555,6 +1561,9 @@ CheckPython optimized
 # ======================================================
 %changelog
 * Wed Jan 16 2019 Miro Hrončok <mhroncok@redhat.com> - 3.7.2-4
 - Security fix for CVE-2019-5010 (#1666519, #1666522)
 * Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 3.7.2-3
 - Rebuilt for libcrypt.so.2 (#1666033)