From c660debb97f4f422255a82fef2d77804552c043a Mon Sep 17 00:00:00 2001

From: Christian Heimes <christian@python.org>

Date: Tue, 15 Jan 2019 18:16:30 +0100

Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser

CVE-2019-5010, Fix a NULL pointer deref in ssl module. The cert parser did

not handle CRL distribution points with empty DP or URI correctly. A

malicious or buggy certificate can result into segfault.

Signed-off-by: Christian Heimes <christian@python.org>

---

 Lib/test/talos-2019-0758.pem                  | 22 +++++++++++++++++++

 Lib/test/test_ssl.py                          | 22 +++++++++++++++++++

 .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst  |  3 +++

 Modules/_ssl.c                                |  4 ++++

 4 files changed, 51 insertions(+)

 create mode 100644 Lib/test/talos-2019-0758.pem

 create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst

diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem

new file mode 100644

index 000000000000..13b95a77fd8a

--- /dev/null

+++ b/Lib/test/talos-2019-0758.pem

@@ -0,0 +1,22 @@

+-----BEGIN CERTIFICATE-----

+MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO

+BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7

+MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh

+bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB

+J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES

+V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD

+5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C

+1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP

+WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF

+j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp

+HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io

+UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7

+2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu

+bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG

+SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p

+t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr

+t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit

+p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV

+Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+

+10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA==

+-----END CERTIFICATE-----

diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py

index 7f6b93148f45..1fc657f4d867 100644

--- a/Lib/test/test_ssl.py

+++ b/Lib/test/test_ssl.py

@@ -115,6 +115,7 @@ def data_file(*name):

 BADKEY = data_file("badkey.pem")

 NOKIACERT = data_file("nokia.pem")

 NULLBYTECERT = data_file("nullbytecert.pem")

+TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")

 DHFILE = data_file("ffdh3072.pem")

 BYTES_DHFILE = os.fsencode(DHFILE)

@@ -348,6 +349,27 @@ def test_parse_cert(self):

         self.assertEqual(p['crlDistributionPoints'],

                          ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))

+    def test_parse_cert_CVE_2019_5010(self):

+        p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)

+        if support.verbose:

+            sys.stdout.write("\n" + pprint.pformat(p) + "\n")

+        self.assertEqual(

+            p,

+            {

+                'issuer': (

+                    (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),

+                'notAfter': 'Jun 14 18:00:58 2028 GMT',

+                'notBefore': 'Jun 18 18:00:58 2018 GMT',

+                'serialNumber': '02',

+                'subject': ((('countryName', 'UK'),),

+                            (('commonName',

+                              'codenomicon-vm-2.test.lal.cisco.com'),)),

+                'subjectAltName': (

+                    ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),

+                'version': 3

+            }

+        )

+

     def test_parse_cert_CVE_2013_4238(self):

         p = ssl._ssl._test_decode_cert(NULLBYTECERT)

         if support.verbose:

diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst

new file mode 100644

index 000000000000..dffe347eec84

--- /dev/null

+++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst

@@ -0,0 +1,3 @@

+[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did

+not handle CRL distribution points with empty DP or URI correctly. A

+malicious or buggy certificate can result into segfault.

diff --git a/Modules/_ssl.c b/Modules/_ssl.c

index 4e3352d9e661..0e720e268d93 100644

--- a/Modules/_ssl.c

+++ b/Modules/_ssl.c

@@ -1515,6 +1515,10 @@ _get_crl_dp(X509 *certificate) {

         STACK_OF(GENERAL_NAME) *gns;

         dp = sk_DIST_POINT_value(dps, i);

+        if (dp->distpoint == NULL) {

+            /* Ignore empty DP value, CVE-2019-5010 */

+            continue;

+        }

         gns = dp->distpoint->name.fullname;

         for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {