Fix ssl.SSLError: [ASN1: NOT_ENOUGH_DATA] not enough data with OpenSSL 3.5.7+
(cherry picked from Fedora commit 25de62e0679f67c5d244465a869314334bf71c1d) Resolves: RHEL-191730
This commit is contained in:
parent
49157f095c
commit
c4822c6e4e
75
00489-openssl-3.5.7.patch
Normal file
75
00489-openssl-3.5.7.patch
Normal file
@ -0,0 +1,75 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: David Benjamin <davidben@google.com>
|
||||||
|
Date: Fri, 24 Mar 2023 09:04:30 -0400
|
||||||
|
Subject: 00489: Use BIO_eof to detect EOF for SSL_FILETYPE_ASN1
|
||||||
|
|
||||||
|
In PEM, we need to parse until error and then suppress `PEM_R_NO_START_LINE`, because PEM allows arbitrary leading and trailing data. DER, however, does not. Parsing until error and suppressing `ASN1_R_HEADER_TOO_LONG` doesn't quite work because that error also covers some cases that should be rejected.
|
||||||
|
|
||||||
|
Instead, check `BIO_eof` early and stop the loop that way.
|
||||||
|
|
||||||
|
This fixes https://github.com/python/cpython/issues/151504 and adds compatibility with OpenSSL 3.5.7+
|
||||||
|
|
||||||
|
(cherry-picked from commit acfe02f3b05436658d92add6b168538b30f357f0)
|
||||||
|
---
|
||||||
|
Lib/test/test_ssl.py | 2 ++
|
||||||
|
.../2022-12-20-10-55-14.gh-issue-100372.utfP65.rst | 2 ++
|
||||||
|
Modules/_ssl.c | 10 ++++++----
|
||||||
|
3 files changed, 10 insertions(+), 4 deletions(-)
|
||||||
|
create mode 100644 Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
|
||||||
|
|
||||||
|
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
|
||||||
|
index a2e771ed7f..8eaf9bf22f 100644
|
||||||
|
--- a/Lib/test/test_ssl.py
|
||||||
|
+++ b/Lib/test/test_ssl.py
|
||||||
|
@@ -1512,6 +1512,8 @@ class ContextTests(unittest.TestCase):
|
||||||
|
"not enough data: cadata does not contain a certificate"
|
||||||
|
):
|
||||||
|
ctx.load_verify_locations(cadata=b"broken")
|
||||||
|
+ with self.assertRaises(ssl.SSLError):
|
||||||
|
+ ctx.load_verify_locations(cadata=cacert_der + b"A")
|
||||||
|
|
||||||
|
@unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
|
||||||
|
def test_load_dh_params(self):
|
||||||
|
diff --git a/Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst b/Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..ec37aff509
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
|
||||||
|
@@ -0,0 +1,2 @@
|
||||||
|
+:meth:`ssl.SSLContext.load_verify_locations` no longer incorrectly accepts
|
||||||
|
+some cases of trailing data when parsing DER.
|
||||||
|
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
|
||||||
|
index 5e0be34d6f..a6d72056b0 100644
|
||||||
|
--- a/Modules/_ssl.c
|
||||||
|
+++ b/Modules/_ssl.c
|
||||||
|
@@ -4113,7 +4113,7 @@ _add_ca_certs(PySSLContext *self, const void *data, Py_ssize_t len,
|
||||||
|
{
|
||||||
|
BIO *biobuf = NULL;
|
||||||
|
X509_STORE *store;
|
||||||
|
- int retval = -1, err, loaded = 0;
|
||||||
|
+ int retval = -1, err, loaded = 0, was_bio_eof = 0;
|
||||||
|
|
||||||
|
assert(filetype == SSL_FILETYPE_ASN1 || filetype == SSL_FILETYPE_PEM);
|
||||||
|
|
||||||
|
@@ -4141,6 +4141,10 @@ _add_ca_certs(PySSLContext *self, const void *data, Py_ssize_t len,
|
||||||
|
int r;
|
||||||
|
|
||||||
|
if (filetype == SSL_FILETYPE_ASN1) {
|
||||||
|
+ if (BIO_eof(biobuf)) {
|
||||||
|
+ was_bio_eof = 1;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
cert = d2i_X509_bio(biobuf, NULL);
|
||||||
|
} else {
|
||||||
|
cert = PEM_read_bio_X509(biobuf, NULL,
|
||||||
|
@@ -4176,9 +4180,7 @@ _add_ca_certs(PySSLContext *self, const void *data, Py_ssize_t len,
|
||||||
|
}
|
||||||
|
_setSSLError(msg, 0, __FILE__, __LINE__);
|
||||||
|
retval = -1;
|
||||||
|
- } else if ((filetype == SSL_FILETYPE_ASN1) &&
|
||||||
|
- (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
|
||||||
|
- (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
|
||||||
|
+ } else if ((filetype == SSL_FILETYPE_ASN1) && was_bio_eof) {
|
||||||
|
/* EOF ASN1 file, not an error */
|
||||||
|
ERR_clear_error();
|
||||||
|
retval = 0;
|
||||||
@ -17,7 +17,7 @@ URL: https://www.python.org/
|
|||||||
#global prerel ...
|
#global prerel ...
|
||||||
%global upstream_version %{general_version}%{?prerel}
|
%global upstream_version %{general_version}%{?prerel}
|
||||||
Version: %{general_version}%{?prerel:~%{prerel}}
|
Version: %{general_version}%{?prerel:~%{prerel}}
|
||||||
Release: 7%{?dist}
|
Release: 8%{?dist}
|
||||||
License: Python
|
License: Python
|
||||||
|
|
||||||
|
|
||||||
@ -496,6 +496,18 @@ Patch480: 00480-cve-2026-4786.patch
|
|||||||
# Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
|
# Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
|
||||||
Patch482: 00482-cve-2026-6100.patch
|
Patch482: 00482-cve-2026-6100.patch
|
||||||
|
|
||||||
|
# 00489 # 67185f85f0bd506e1814a2a2f5580bad5b95ce45
|
||||||
|
# Use BIO_eof to detect EOF for SSL_FILETYPE_ASN1
|
||||||
|
#
|
||||||
|
# In PEM, we need to parse until error and then suppress `PEM_R_NO_START_LINE`, because PEM allows arbitrary leading and trailing data. DER, however, does not. Parsing until error and suppressing `ASN1_R_HEADER_TOO_LONG` doesn't quite work because that error also covers some cases that should be rejected.
|
||||||
|
#
|
||||||
|
# Instead, check `BIO_eof` early and stop the loop that way.
|
||||||
|
#
|
||||||
|
# This fixes https://github.com/python/cpython/issues/151504 and adds compatibility with OpenSSL 3.5.7+
|
||||||
|
#
|
||||||
|
# (cherry-picked from commit acfe02f3b05436658d92add6b168538b30f357f0)
|
||||||
|
Patch489: 00489-openssl-3.5.7.patch
|
||||||
|
|
||||||
# (New patches go here ^^^)
|
# (New patches go here ^^^)
|
||||||
#
|
#
|
||||||
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
||||||
@ -1907,6 +1919,10 @@ CheckPython optimized
|
|||||||
# ======================================================
|
# ======================================================
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jul 02 2026 Miro Hrončok <mhroncok@redhat.com> - 3.9.25-8
|
||||||
|
- Fix ssl.SSLError: [ASN1: NOT_ENOUGH_DATA] not enough data with OpenSSL 3.5.7+
|
||||||
|
Resolves: RHEL-191730
|
||||||
|
|
||||||
* Fri Apr 17 2026 Charalampos Stratakis <cstratak@redhat.com> - 3.9.25-7
|
* Fri Apr 17 2026 Charalampos Stratakis <cstratak@redhat.com> - 3.9.25-7
|
||||||
- Security fixes for CVE-2026-4786 and CVE-2026-6100
|
- Security fixes for CVE-2026-4786 and CVE-2026-6100
|
||||||
Resolves: RHEL-167919, RHEL-168161
|
Resolves: RHEL-167919, RHEL-168161
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user