Browse Source

Merge pull request #8196 from commodo/python-batch-updates

python,python3: batch updates
lilik-openwrt-22.03
Hannu Nyman 6 years ago
committed by GitHub
parent
commit
4eb0c6b2ab
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
16 changed files with 282 additions and 60 deletions
  1. +2
    -2
      lang/python/python-cryptography/Makefile
  2. +0
    -23
      lang/python/python-cryptography/patches/002-remove-undefined-dtls-methods.patch
  3. +2
    -2
      lang/python/python-lxml/Makefile
  4. +24
    -13
      lang/python/python-package-install.sh
  5. +0
    -2
      lang/python/python-package.mk
  6. +2
    -2
      lang/python/python-pyasn1-modules/Makefile
  7. +2
    -2
      lang/python/python-pyopenssl/Makefile
  8. +1
    -1
      lang/python/python/Makefile
  9. +0
    -2
      lang/python/python/files/python-package-pip.mk
  10. +0
    -2
      lang/python/python/files/python-package-setuptools.mk
  11. +120
    -0
      lang/python/python/patches/018-bpo-35746-Fix-segfault-in-ssl-s-cert-parser-GH-11569.patch
  12. +0
    -2
      lang/python/python3-package.mk
  13. +1
    -1
      lang/python/python3/Makefile
  14. +4
    -3
      lang/python/python3/files/python3-package-pip.mk
  15. +4
    -3
      lang/python/python3/files/python3-package-setuptools.mk
  16. +120
    -0
      lang/python/python3/patches/018-bpo-35746-Fix-segfault-in-ssl-s-cert-parser-GH-11569.patch

+ 2
- 2
lang/python/python-cryptography/Makefile View File

@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=python-cryptography
PKG_VERSION:=2.4.2
PKG_VERSION:=2.5
PKG_RELEASE:=1
PKG_SOURCE:=cryptography-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= https://files.pythonhosted.org/packages/source/c/cryptography
PKG_HASH:=05a6052c6a9f17ff78ba78f8e6eb1d777d25db3b763343a1ae89a7a8670386dd
PKG_HASH:=4946b67235b9d2ea7d31307be9d5ad5959d6c4a8f98f900157b47abddf698401
PKG_LICENSE:=Apache-2.0 BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE.APACHE LICENSE.BSD


+ 0
- 23
lang/python/python-cryptography/patches/002-remove-undefined-dtls-methods.patch View File

@ -1,23 +0,0 @@
From e7a6229b332969d621aaf25f3fc5cdd99e3c9072 Mon Sep 17 00:00:00 2001
From: Rosen Penev <rosenp@gmail.com>
Date: Sun, 18 Nov 2018 18:04:01 -0800
Subject: [PATCH] Adjust DTLS check (#4593)
OpenSSL defines these even with OPENSSL_NO_DTLS.
---
src/_cffi_src/openssl/ssl.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index c921dbee..f0b8939c 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -709,7 +709,7 @@ static const long TLS_ST_BEFORE = 0;
static const long TLS_ST_OK = 0;
#endif
-#if defined(OPENSSL_NO_DTLS) || CRYPTOGRAPHY_OPENSSL_LESS_THAN_102
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102
static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 0;
const SSL_METHOD *(*DTLS_method)(void) = NULL;
const SSL_METHOD *(*DTLS_server_method)(void) = NULL;

+ 2
- 2
lang/python/python-lxml/Makefile View File

@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=python-lxml
PKG_VERSION:=4.3.0
PKG_VERSION:=4.3.1
PKG_RELEASE:=1
PKG_SOURCE:=lxml-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://files.pythonhosted.org/packages/source/l/lxml
PKG_HASH:=d1e111b3ab98613115a208c1017f266478b0ab224a67bc8eac670fa0bad7d488
PKG_HASH:=da5e7e941d6e71c9c9a717c93725cda0708c2474f532e3680ac5e39ec57d224d
PKG_BUILD_DIR:=$(BUILD_DIR)/$(BUILD_VARIANT)-lxml-$(PKG_VERSION)
PKG_UNPACK=$(HOST_TAR) -C $(PKG_BUILD_DIR) --strip-components=1 -xzf $(DL_DIR)/$(PKG_SOURCE)


+ 24
- 13
lang/python/python-package-install.sh View File

@ -40,6 +40,17 @@ process_filespec() {
)
}
delete_empty_dirs() {
local dst_dir="$1"
if [ -d "$dst_dir/usr" ] ; then
for _ in $(seq 1 10) ; do
find "$dst_dir/usr" -empty -type d -exec rmdir {} \; || continue
break
done
rmdir "$dst_dir/usr" || true
fi
}
ver="$1"
src_dir="$2"
dst_dir="$3"
@ -47,20 +58,24 @@ python="$4"
mode="$5"
filespec="$6"
find "$src_dir" -name "*\.exe" -exec rm -f {} \;
process_filespec "$src_dir" "$dst_dir" "$filespec" || {
echo "process filespec error-ed"
exit 1
}
usr_bin_dir="$dst_dir/usr/bin"
if [ -d "$usr_bin_dir" ] ; then
sed "1"'!'"b;s,^#"'!'".*python.*,#"'!'"/usr/bin/python${ver}," -i $usr_bin_dir/*
fi
if [ "$mode" == "sources" ] ; then
# Copy only python source files
find $dst_dir -not -type d -not -name "*\.py" | xargs rm -f
find "$dst_dir" -not -type d -not -name "*\.py" -exec rm -f {} \;
# Delete empty folders (if the case)
if [ -d "$dst_dir/usr" ] ; then
find $dst_dir/usr -type d | xargs rmdir --ignore-fail-on-non-empty
rmdir --ignore-fail-on-non-empty $dst_dir/usr
fi
delete_empty_dirs "$dst_dir"
exit 0
fi
@ -73,19 +88,15 @@ legacy=
# So, we just stuck to un-optimized byte-codes,
# which is still way better/faster than running
# Python sources all the time.
$python -m compileall $legacy -d '/' $dst_dir || {
$python -m compileall $legacy -d '/' "$dst_dir" || {
echo "python -m compileall err-ed"
exit 1
}
# Delete source files and pyc [ un-optimized bytecode files ]
# We may want to make this optimization thing configurable later, but not sure atm
find $dst_dir -type f -name "*\.py" | xargs rm -f
find "$dst_dir" -type f -name "*\.py" -exec rm -f {} \;
# Delete empty folders (if the case)
if [ -d "$dst_dir/usr" ] ; then
find $dst_dir/usr -type d | xargs rmdir --ignore-fail-on-non-empty
rmdir --ignore-fail-on-non-empty $dst_dir/usr
fi
delete_empty_dirs "$dst_dir"
exit 0

+ 0
- 2
lang/python/python-package.mk View File

@ -69,7 +69,6 @@ define PyPackage
define Package/$(1)/install
$(call PyPackage/$(1)/install,$$(1))
find $(PKG_INSTALL_DIR) -name "*\.exe" | xargs rm -f
$(SHELL) $(python_mk_path)python-package-install.sh "2" \
"$(PKG_INSTALL_DIR)" "$$(1)" \
"$(HOST_PYTHON_BIN)" "$$(2)" \
@ -113,7 +112,6 @@ define Build/Compile/PyMod
cd $(PKG_BUILD_DIR)/$(strip $(1)), \
./setup.py $(2), \
$(3))
find $(PKG_INSTALL_DIR) -name "*\.exe" | xargs rm -f
endef
PYTHON_PKG_SETUP_ARGS:=--single-version-externally-managed


+ 2
- 2
lang/python/python-pyasn1-modules/Makefile View File

@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=python-pyasn1-modules
PKG_VERSION:=0.2.3
PKG_VERSION:=0.2.4
PKG_RELEASE:=1
PKG_SOURCE:=pyasn1-modules-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://files.pythonhosted.org/packages/source/p/pyasn1-modules
PKG_HASH:=d14fcb29dabecba3d7b360bf72327c26c385248a5d603cf6be5f566ce999b261
PKG_HASH:=a52090e8c5841ebbf08ae455146792d9ef3e8445b21055d3a3b7ed9c712b7c7c
PKG_LICENSE:=BSD-2-Clause
PKG_LICENSE_FILES:=LICENSE.txt


+ 2
- 2
lang/python/python-pyopenssl/Makefile View File

@ -8,13 +8,13 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=python-pyopenssl
PKG_VERSION:=18.0.0
PKG_VERSION:=19.0.0
PKG_RELEASE:=1
PKG_SOURCE:=pyOpenSSL-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://pypi.io/packages/source/p/pyOpenSSL
PKG_HASH:=6488f1423b00f73b7ad5167885312bb0ce410d3312eb212393795b53c8caa580
PKG_HASH:=aeca66338f6de19d1aa46ed634c3b9ae519a64b458f8468aec688e7e3c20f200
PKG_LICENSE:=Apache-2.0
PKG_LICENSE_FILES:=LICENSE


+ 1
- 1
lang/python/python/Makefile View File

@ -12,7 +12,7 @@ include ../python-version.mk
PKG_NAME:=python
PKG_VERSION:=$(PYTHON_VERSION).$(PYTHON_VERSION_MICRO)
PKG_RELEASE:=4
PKG_RELEASE:=5
PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://www.python.org/ftp/python/$(PKG_VERSION)


+ 0
- 2
lang/python/python/files/python-package-pip.mk View File

@ -14,8 +14,6 @@ endef
define PyPackage/python-pip/install
$(INSTALL_DIR) $(1)/usr/bin $(1)/usr/lib/python$(PYTHON_VERSION)/site-packages
# Adjust shebang to proper python location on target
sed "1s@.*@#\!/usr/bin/python$(PYTHON_VERSION)@" -i $(PKG_BUILD_DIR)/install-pip/bin/*
$(CP) $(PKG_BUILD_DIR)/install-pip/bin/* $(1)/usr/bin
$(CP) \
$(PKG_BUILD_DIR)/install-pip/lib/python$(PYTHON_VERSION)/site-packages/pip \


+ 0
- 2
lang/python/python/files/python-package-setuptools.mk View File

@ -14,8 +14,6 @@ endef
define PyPackage/python-setuptools/install
$(INSTALL_DIR) $(1)/usr/bin $(1)/usr/lib/python$(PYTHON_VERSION)/site-packages
# Adjust shebang to proper python location on target
sed "1s@.*@#\!/usr/bin/python$(PYTHON_VERSION)@" -i $(PKG_BUILD_DIR)/install-setuptools/bin/*
$(CP) $(PKG_BUILD_DIR)/install-setuptools/bin/* $(1)/usr/bin
$(CP) \
$(PKG_BUILD_DIR)/install-setuptools/lib/python$(PYTHON_VERSION)/site-packages/pkg_resources \


+ 120
- 0
lang/python/python/patches/018-bpo-35746-Fix-segfault-in-ssl-s-cert-parser-GH-11569.patch View File

@ -0,0 +1,120 @@
From 06b15424b0dcacb1c551b2a36e739fffa8d0c595 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-islington@users.noreply.github.com>
Date: Tue, 15 Jan 2019 15:11:52 -0800
Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser (GH-11569)
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue35746
(cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3)
Co-authored-by: Christian Heimes <christian@python.org>
---
Lib/test/talos-2019-0758.pem | 22 +++++++++++++++++++
Lib/test/test_ssl.py | 22 +++++++++++++++++++
.../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++
Modules/_ssl.c | 4 ++++
4 files changed, 51 insertions(+)
create mode 100644 Lib/test/talos-2019-0758.pem
create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem
new file mode 100644
index 0000000000..13b95a77fd
--- /dev/null
+++ b/Lib/test/talos-2019-0758.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO
+BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7
+MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh
+bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB
+J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES
+V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD
+5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C
+1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP
+WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF
+j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp
+HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io
+UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7
+2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu
+bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG
+SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p
+t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr
+t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit
+p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV
+Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+
+10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA==
+-----END CERTIFICATE-----
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index e476031702..9240184d98 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -72,6 +72,7 @@ NONEXISTINGCERT = data_file("XXXnonexisting.pem")
BADKEY = data_file("badkey.pem")
NOKIACERT = data_file("nokia.pem")
NULLBYTECERT = data_file("nullbytecert.pem")
+TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")
DHFILE = data_file("ffdh3072.pem")
BYTES_DHFILE = DHFILE.encode(sys.getfilesystemencoding())
@@ -227,6 +228,27 @@ class BasicSocketTests(unittest.TestCase):
self.assertEqual(p['crlDistributionPoints'],
('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))
+ def test_parse_cert_CVE_2019_5010(self):
+ p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
+ if support.verbose:
+ sys.stdout.write("\n" + pprint.pformat(p) + "\n")
+ self.assertEqual(
+ p,
+ {
+ 'issuer': (
+ (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
+ 'notAfter': 'Jun 14 18:00:58 2028 GMT',
+ 'notBefore': 'Jun 18 18:00:58 2018 GMT',
+ 'serialNumber': '02',
+ 'subject': ((('countryName', 'UK'),),
+ (('commonName',
+ 'codenomicon-vm-2.test.lal.cisco.com'),)),
+ 'subjectAltName': (
+ ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
+ 'version': 3
+ }
+ )
+
def test_parse_cert_CVE_2013_4238(self):
p = ssl._ssl._test_decode_cert(NULLBYTECERT)
if support.verbose:
diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
new file mode 100644
index 0000000000..dffe347eec
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
@@ -0,0 +1,3 @@
+[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did
+not handle CRL distribution points with empty DP or URI correctly. A
+malicious or buggy certificate can result into segfault.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index a96c419260..19bb1207b4 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1223,6 +1223,10 @@ _get_crl_dp(X509 *certificate) {
STACK_OF(GENERAL_NAME) *gns;
dp = sk_DIST_POINT_value(dps, i);
+ if (dp->distpoint == NULL) {
+ /* Ignore empty DP value, CVE-2019-5010 */
+ continue;
+ }
gns = dp->distpoint->name.fullname;
for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {
--
2.17.1

+ 0
- 2
lang/python/python3-package.mk View File

@ -68,7 +68,6 @@ define Py3Package
define Package/$(1)/install
$(call Py3Package/$(1)/install,$$(1))
find $(PKG_INSTALL_DIR) -name "*\.exe" | xargs rm -f
$(SHELL) $(python3_mk_path)python-package-install.sh "3" \
"$(PKG_INSTALL_DIR)" "$$(1)" \
"$(HOST_PYTHON3_BIN)" "$$(2)" \
@ -112,7 +111,6 @@ define Build/Compile/Py3Mod
cd $(PKG_BUILD_DIR)/$(strip $(1)), \
./setup.py $(2), \
$(3))
find $(PKG_INSTALL_DIR) -name "*\.exe" | xargs rm -f
endef
PYTHON3_PKG_SETUP_ARGS:=--single-version-externally-managed


+ 1
- 1
lang/python/python3/Makefile View File

@ -14,7 +14,7 @@ PYTHON_VERSION:=$(PYTHON3_VERSION)
PYTHON_VERSION_MICRO:=$(PYTHON3_VERSION_MICRO)
PKG_NAME:=python3
PKG_RELEASE:=3
PKG_RELEASE:=4
PKG_VERSION:=$(PYTHON_VERSION).$(PYTHON_VERSION_MICRO)
PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz


+ 4
- 3
lang/python/python3/files/python3-package-pip.mk View File

@ -14,14 +14,15 @@ endef
define Package/python3-pip/install
$(INSTALL_DIR) $(1)/usr/bin $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages
# Adjust shebang to proper python location on target
sed "1s@.*@#\!/usr/bin/python$(PYTHON3_VERSION)@" -i $(PKG_BUILD_DIR)/install-pip/bin/*
$(CP) $(PKG_BUILD_DIR)/install-pip/bin/pip3* $(1)/usr/bin
$(CP) \
$(PKG_BUILD_DIR)/install-pip/lib/python$(PYTHON3_VERSION)/site-packages/pip \
$(PKG_BUILD_DIR)/install-pip/lib/python$(PYTHON3_VERSION)/site-packages/pip-$(PYTHON3_PIP_VERSION).dist-info \
$(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/
find $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/ -name __pycache__ | xargs rm -rf
for _ in \$(seq 1 10) ; do \
find $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/ -name __pycache__ -exec rm -rf {} \; || continue ; \
break ; \
done
endef
$(eval $(call Py3BasePackage,python3-pip, \


+ 4
- 3
lang/python/python3/files/python3-package-setuptools.mk View File

@ -14,8 +14,6 @@ endef
define Py3Package/python3-setuptools/install
$(INSTALL_DIR) $(1)/usr/bin $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages
# Adjust shebang to proper python location on target
sed "1s@.*@#\!/usr/bin/python$(PYTHON3_VERSION)@" -i $(PKG_BUILD_DIR)/install-setuptools/bin/*
$(CP) $(PKG_BUILD_DIR)/install-setuptools/bin/easy_install-* $(1)/usr/bin
$(LN) easy_install-$(PYTHON3_VERSION) $(1)/usr/bin/easy_install-3
$(CP) \
@ -24,7 +22,10 @@ define Py3Package/python3-setuptools/install
$(PKG_BUILD_DIR)/install-setuptools/lib/python$(PYTHON3_VERSION)/site-packages/setuptools-$(PYTHON3_SETUPTOOLS_VERSION).dist-info \
$(PKG_BUILD_DIR)/install-setuptools/lib/python$(PYTHON3_VERSION)/site-packages/easy_install.py \
$(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages
find $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/ -name __pycache__ | xargs rm -rf
for _ in \$(seq 1 10) ; do \
find $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/ -name __pycache__ -exec rm -rf {} \; || continue ; \
break ; \
done
endef
$(eval $(call Py3BasePackage,python3-setuptools, \


+ 120
- 0
lang/python/python3/patches/018-bpo-35746-Fix-segfault-in-ssl-s-cert-parser-GH-11569.patch View File

@ -0,0 +1,120 @@
From be5de958e9052e322b0087c6dba81cdad0c3e031 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-islington@users.noreply.github.com>
Date: Tue, 15 Jan 2019 15:03:36 -0800
Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser (GH-11569)
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue35746
(cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3)
Co-authored-by: Christian Heimes <christian@python.org>
---
Lib/test/talos-2019-0758.pem | 22 +++++++++++++++++++
Lib/test/test_ssl.py | 22 +++++++++++++++++++
.../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++
Modules/_ssl.c | 4 ++++
4 files changed, 51 insertions(+)
create mode 100644 Lib/test/talos-2019-0758.pem
create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem
new file mode 100644
index 0000000000..13b95a77fd
--- /dev/null
+++ b/Lib/test/talos-2019-0758.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO
+BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7
+MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh
+bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB
+J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES
+V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD
+5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C
+1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP
+WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF
+j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp
+HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io
+UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7
+2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu
+bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG
+SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p
+t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr
+t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit
+p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV
+Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+
+10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA==
+-----END CERTIFICATE-----
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index f1b9565c8d..b6794ce3a8 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -116,6 +116,7 @@ NONEXISTINGCERT = data_file("XXXnonexisting.pem")
BADKEY = data_file("badkey.pem")
NOKIACERT = data_file("nokia.pem")
NULLBYTECERT = data_file("nullbytecert.pem")
+TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")
DHFILE = data_file("ffdh3072.pem")
BYTES_DHFILE = os.fsencode(DHFILE)
@@ -365,6 +366,27 @@ class BasicSocketTests(unittest.TestCase):
self.assertEqual(p['crlDistributionPoints'],
('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))
+ def test_parse_cert_CVE_2019_5010(self):
+ p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
+ if support.verbose:
+ sys.stdout.write("\n" + pprint.pformat(p) + "\n")
+ self.assertEqual(
+ p,
+ {
+ 'issuer': (
+ (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
+ 'notAfter': 'Jun 14 18:00:58 2028 GMT',
+ 'notBefore': 'Jun 18 18:00:58 2018 GMT',
+ 'serialNumber': '02',
+ 'subject': ((('countryName', 'UK'),),
+ (('commonName',
+ 'codenomicon-vm-2.test.lal.cisco.com'),)),
+ 'subjectAltName': (
+ ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
+ 'version': 3
+ }
+ )
+
def test_parse_cert_CVE_2013_4238(self):
p = ssl._ssl._test_decode_cert(NULLBYTECERT)
if support.verbose:
diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
new file mode 100644
index 0000000000..dffe347eec
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
@@ -0,0 +1,3 @@
+[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did
+not handle CRL distribution points with empty DP or URI correctly. A
+malicious or buggy certificate can result into segfault.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 9894ad821d..9baec8a9bc 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1516,6 +1516,10 @@ _get_crl_dp(X509 *certificate) {
STACK_OF(GENERAL_NAME) *gns;
dp = sk_DIST_POINT_value(dps, i);
+ if (dp->distpoint == NULL) {
+ /* Ignore empty DP value, CVE-2019-5010 */
+ continue;
+ }
gns = dp->distpoint->name.fullname;
for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {
--
2.17.1

Loading…
Cancel
Save