#85 Security fix for CVE-2019-5010
Merged 5 years ago by churchyard. Opened 5 years ago by churchyard.
rpms/ churchyard/python3 CVE-2019-5010  into  master

@@ -0,0 +1,111 @@ 

+ From c660debb97f4f422255a82fef2d77804552c043a Mon Sep 17 00:00:00 2001

+ From: Christian Heimes <christian@python.org>

+ Date: Tue, 15 Jan 2019 18:16:30 +0100

+ Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser

+ 

+ CVE-2019-5010, Fix a NULL pointer deref in ssl module. The cert parser did

+ not handle CRL distribution points with empty DP or URI correctly. A

+ malicious or buggy certificate can result into segfault.

+ 

+ Signed-off-by: Christian Heimes <christian@python.org>

+ ---

+  Lib/test/talos-2019-0758.pem                  | 22 +++++++++++++++++++

+  Lib/test/test_ssl.py                          | 22 +++++++++++++++++++

+  .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst  |  3 +++

+  Modules/_ssl.c                                |  4 ++++

+  4 files changed, 51 insertions(+)

+  create mode 100644 Lib/test/talos-2019-0758.pem

+  create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst

+ 

+ diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem

+ new file mode 100644

+ index 000000000000..13b95a77fd8a

+ --- /dev/null

+ +++ b/Lib/test/talos-2019-0758.pem

+ @@ -0,0 +1,22 @@

+ +-----BEGIN CERTIFICATE-----

+ +MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO

+ +BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7

+ +MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh

+ +bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB

+ +J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES

+ +V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD

+ +5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C

+ +1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP

+ +WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF

+ +j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp

+ +HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io

+ +UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7

+ +2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu

+ +bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG

+ +SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p

+ +t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr

+ +t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit

+ +p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV

+ +Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+

+ +10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA==

+ +-----END CERTIFICATE-----

+ diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py

+ index 7f6b93148f45..1fc657f4d867 100644

+ --- a/Lib/test/test_ssl.py

+ +++ b/Lib/test/test_ssl.py

+ @@ -115,6 +115,7 @@ def data_file(*name):

+  BADKEY = data_file("badkey.pem")

+  NOKIACERT = data_file("nokia.pem")

+  NULLBYTECERT = data_file("nullbytecert.pem")

+ +TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")

+  

+  DHFILE = data_file("ffdh3072.pem")

+  BYTES_DHFILE = os.fsencode(DHFILE)

+ @@ -348,6 +349,27 @@ def test_parse_cert(self):

+          self.assertEqual(p['crlDistributionPoints'],

+                           ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))

+  

+ +    def test_parse_cert_CVE_2019_5010(self):

+ +        p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)

+ +        if support.verbose:

+ +            sys.stdout.write("\n" + pprint.pformat(p) + "\n")

+ +        self.assertEqual(

+ +            p,

+ +            {

+ +                'issuer': (

+ +                    (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),

+ +                'notAfter': 'Jun 14 18:00:58 2028 GMT',

+ +                'notBefore': 'Jun 18 18:00:58 2018 GMT',

+ +                'serialNumber': '02',

+ +                'subject': ((('countryName', 'UK'),),

+ +                            (('commonName',

+ +                              'codenomicon-vm-2.test.lal.cisco.com'),)),

+ +                'subjectAltName': (

+ +                    ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),

+ +                'version': 3

+ +            }

+ +        )

+ +

+      def test_parse_cert_CVE_2013_4238(self):

+          p = ssl._ssl._test_decode_cert(NULLBYTECERT)

+          if support.verbose:

+ diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst

+ new file mode 100644

+ index 000000000000..dffe347eec84

+ --- /dev/null

+ +++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst

+ @@ -0,0 +1,3 @@

+ +[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did

+ +not handle CRL distribution points with empty DP or URI correctly. A

+ +malicious or buggy certificate can result into segfault.

+ diff --git a/Modules/_ssl.c b/Modules/_ssl.c

+ index 4e3352d9e661..0e720e268d93 100644

+ --- a/Modules/_ssl.c

+ +++ b/Modules/_ssl.c

+ @@ -1515,6 +1515,10 @@ _get_crl_dp(X509 *certificate) {

+          STACK_OF(GENERAL_NAME) *gns;

+  

+          dp = sk_DIST_POINT_value(dps, i);

+ +        if (dp->distpoint == NULL) {

+ +            /* Ignore empty DP value, CVE-2019-5010 */

+ +            continue;

+ +        }

+          gns = dp->distpoint->name.fullname;

+  

+          for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {
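Review bot: The added guard `if (dp->distpoint == NULL)` only rules out a missing distribution-point name; the very next line still reads `dp->distpoint->name.fullname` without looking at `dp->distpoint->type`, and `name` is a union whose other member holds a relative name stored as a different stack type, so a distribution point encoded as a relative name would presumably be walked as a GENERAL_NAME stack — worth confirming against the OpenSSL DIST_POINT_NAME definition. If that path is reachable from a parsed certificate, a defensive `if (dp->distpoint == NULL || dp->distpoint->type != 0) { continue; }` (type 0 being the full-name form) would cover both cases, though as this is a verbatim backport of the upstream commit such a change belongs upstream first. The enclosing `_get_crl_dp` loop starts and ends outside the hunk, so the later `gn->type` handling cannot be checked here.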

file modified
+10 -1
@@ -14,7 +14,7 @@ 

  #  WARNING  When rebasing to a new Python version,

  #           remember to update the python3-docs package as well

  Version: %{pybasever}.2

- Release: 3%{?dist}

+ Release: 4%{?dist}

  License: Python

  

  
@@ -305,6 +305,11 @@ 

  # So we mark the command as unsupported - and the tests are skipped

  Patch316: 00316-mark-bdist_wininst-unsupported.patch

  

+ # 00317 #

+ # Security fix for CVE-2019-5010: Fix segfault in ssl's cert parser

+ # Fixed upstream https://bugs.python.org/issue35746

+ Patch317: 00317-CVE-2019-5010.patch

+ 

  # (New patches go here ^^^)

  #

  # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -640,6 +645,7 @@ 

  %patch251 -p1

  %patch274 -p1

  %patch316 -p1

+ %patch317 -p1

  

  

  # Remove files that should be generated by the build
@@ -1555,6 +1561,9 @@ 

  # ======================================================

  

  %changelog

+ * Wed Jan 16 2019 Miro Hrončok <mhroncok@redhat.com> - 3.7.2-4

+ - Security fix for CVE-2019-5010 (#1666519, #1666522)

+ 

  * Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 3.7.2-3

  - Rebuilt for libcrypt.so.2 (#1666033)
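Review bot: The `Patch317` header comment records the upstream issue but not the upstream commit the backport was taken from, so a later rebase cannot easily verify whether the vendored patch still matches what landed upstream; the commit id is already in the patch file, so the comment can carry it: `# Fixed upstream https://bugs.python.org/issue35746 (commit c660debb97f4f422255a82fef2d77804552c043a)`. The changelog entry `- Security fix for CVE-2019-5010 (#1666519, #1666522)` carries the Bugzilla references while the patch comment does not; repeating them in the `# 00317 #` block keeps the provenance for this patch in one place.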

  



@churchyard hmm, but it seems the simple-koji-ci integration with Pagure is still broken :( @pingou ?


it looks good to me, I didn't try the patch

- the patch seems to match the upstream solution of the bug (https://github.com/python/cpython/pull/11569/files)
- the patch is listed at https://fedoraproject.org/wiki/SIGs/Python/PythonPatches
- the release is bumped

Tested the build and I can verify that the maliciously crafted certificate does not create a segfault.

- the source code is successfully patched in the %prep section

In conjunction with @pkopkan 's review, I'd say it's good for merging, unless there is something more to check. SPEC changes look sane to me as well.


Pull-Request has been merged by churchyard
