| |
@@ -0,0 +1,111 @@
|
| |
+ From c660debb97f4f422255a82fef2d77804552c043a Mon Sep 17 00:00:00 2001
|
| |
+ From: Christian Heimes <christian@python.org>
|
| |
+ Date: Tue, 15 Jan 2019 18:16:30 +0100
|
| |
+ Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser
|
| |
+
|
| |
+ CVE-2019-5010, Fix a NULL pointer deref in ssl module. The cert parser did
|
| |
+ not handle CRL distribution points with empty DP or URI correctly. A
|
| |
+ malicious or buggy certificate can result into segfault.
|
| |
+
|
| |
+ Signed-off-by: Christian Heimes <christian@python.org>
|
| |
+ ---
|
| |
+ Lib/test/talos-2019-0758.pem | 22 +++++++++++++++++++
|
| |
+ Lib/test/test_ssl.py | 22 +++++++++++++++++++
|
| |
+ .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++
|
| |
+ Modules/_ssl.c | 4 ++++
|
| |
+ 4 files changed, 51 insertions(+)
|
| |
+ create mode 100644 Lib/test/talos-2019-0758.pem
|
| |
+ create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
|
| |
+
|
| |
+ diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem
|
| |
+ new file mode 100644
|
| |
+ index 000000000000..13b95a77fd8a
|
| |
+ --- /dev/null
|
| |
+ +++ b/Lib/test/talos-2019-0758.pem
|
| |
+ @@ -0,0 +1,22 @@
|
| |
+ +-----BEGIN CERTIFICATE-----
|
| |
+ +MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO
|
| |
+ +BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7
|
| |
+ +MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh
|
| |
+ +bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB
|
| |
+ +J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES
|
| |
+ +V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD
|
| |
+ +5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C
|
| |
+ +1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP
|
| |
+ +WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF
|
| |
+ +j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp
|
| |
+ +HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io
|
| |
+ +UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7
|
| |
+ +2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu
|
| |
+ +bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG
|
| |
+ +SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p
|
| |
+ +t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr
|
| |
+ +t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit
|
| |
+ +p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV
|
| |
+ +Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+
|
| |
+ +10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA==
|
| |
+ +-----END CERTIFICATE-----
|
| |
+ diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
|
| |
+ index 7f6b93148f45..1fc657f4d867 100644
|
| |
+ --- a/Lib/test/test_ssl.py
|
| |
+ +++ b/Lib/test/test_ssl.py
|
| |
+ @@ -115,6 +115,7 @@ def data_file(*name):
|
| |
+ BADKEY = data_file("badkey.pem")
|
| |
+ NOKIACERT = data_file("nokia.pem")
|
| |
+ NULLBYTECERT = data_file("nullbytecert.pem")
|
| |
+ +TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")
|
| |
+
|
| |
+ DHFILE = data_file("ffdh3072.pem")
|
| |
+ BYTES_DHFILE = os.fsencode(DHFILE)
|
| |
+ @@ -348,6 +349,27 @@ def test_parse_cert(self):
|
| |
+ self.assertEqual(p['crlDistributionPoints'],
|
| |
+ ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))
|
| |
+
|
| |
+ + def test_parse_cert_CVE_2019_5010(self):
|
| |
+ + p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
|
| |
+ + if support.verbose:
|
| |
+ + sys.stdout.write("\n" + pprint.pformat(p) + "\n")
|
| |
+ + self.assertEqual(
|
| |
+ + p,
|
| |
+ + {
|
| |
+ + 'issuer': (
|
| |
+ + (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
|
| |
+ + 'notAfter': 'Jun 14 18:00:58 2028 GMT',
|
| |
+ + 'notBefore': 'Jun 18 18:00:58 2018 GMT',
|
| |
+ + 'serialNumber': '02',
|
| |
+ + 'subject': ((('countryName', 'UK'),),
|
| |
+ + (('commonName',
|
| |
+ + 'codenomicon-vm-2.test.lal.cisco.com'),)),
|
| |
+ + 'subjectAltName': (
|
| |
+ + ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
|
| |
+ + 'version': 3
|
| |
+ + }
|
| |
+ + )
|
| |
+ +
|
| |
+ def test_parse_cert_CVE_2013_4238(self):
|
| |
+ p = ssl._ssl._test_decode_cert(NULLBYTECERT)
|
| |
+ if support.verbose:
|
| |
+ diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
|
| |
+ new file mode 100644
|
| |
+ index 000000000000..dffe347eec84
|
| |
+ --- /dev/null
|
| |
+ +++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
|
| |
+ @@ -0,0 +1,3 @@
|
| |
+ +[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did
|
| |
+ +not handle CRL distribution points with empty DP or URI correctly. A
|
| |
+ +malicious or buggy certificate can result into segfault.
|
| |
+ diff --git a/Modules/_ssl.c b/Modules/_ssl.c
|
| |
+ index 4e3352d9e661..0e720e268d93 100644
|
| |
+ --- a/Modules/_ssl.c
|
| |
+ +++ b/Modules/_ssl.c
|
| |
+ @@ -1515,6 +1515,10 @@ _get_crl_dp(X509 *certificate) {
|
| |
+ STACK_OF(GENERAL_NAME) *gns;
|
| |
+
|
| |
+ dp = sk_DIST_POINT_value(dps, i);
|
| |
+ + if (dp->distpoint == NULL) {
|
| |
+ + /* Ignore empty DP value, CVE-2019-5010 */
|
| |
+ + continue;
|
| |
+ + }
|
| |
+ gns = dp->distpoint->name.fullname;
|
| |
+
|
| |
+ for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {
|
| |
https://bugs.python.org/issue35746
https://bugzilla.redhat.com/show_bug.cgi?id=1666519
https://bugzilla.redhat.com/show_bug.cgi?id=1666522
(untested, opening for the CI)