This patch addresses issue: [ssl][CVE-2019-5010] TALOS-2018-0758 Denial of Service Link to Python issue: https://bugs.python.org/issue35746 Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>lilik-openwrt-22.03
@ -0,0 +1,120 @@ | |||
From 06b15424b0dcacb1c551b2a36e739fffa8d0c595 Mon Sep 17 00:00:00 2001 | |||
From: "Miss Islington (bot)" | |||
<31488909+miss-islington@users.noreply.github.com> | |||
Date: Tue, 15 Jan 2019 15:11:52 -0800 | |||
Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser (GH-11569) | |||
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL | |||
distribution points with empty DP or URI correctly. A malicious or buggy | |||
certificate can result into segfault. | |||
Signed-off-by: Christian Heimes <christian@python.org> | |||
https://bugs.python.org/issue35746 | |||
(cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3) | |||
Co-authored-by: Christian Heimes <christian@python.org> | |||
--- | |||
Lib/test/talos-2019-0758.pem | 22 +++++++++++++++++++ | |||
Lib/test/test_ssl.py | 22 +++++++++++++++++++ | |||
.../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++ | |||
Modules/_ssl.c | 4 ++++ | |||
4 files changed, 51 insertions(+) | |||
create mode 100644 Lib/test/talos-2019-0758.pem | |||
create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | |||
diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem | |||
new file mode 100644 | |||
index 0000000000..13b95a77fd | |||
--- /dev/null | |||
+++ b/Lib/test/talos-2019-0758.pem | |||
@@ -0,0 +1,22 @@ | |||
+-----BEGIN CERTIFICATE----- | |||
+MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO | |||
+BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7 | |||
+MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh | |||
+bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB | |||
+J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES | |||
+V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD | |||
+5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C | |||
+1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP | |||
+WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF | |||
+j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp | |||
+HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io | |||
+UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7 | |||
+2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu | |||
+bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG | |||
+SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p | |||
+t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr | |||
+t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit | |||
+p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV | |||
+Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+ | |||
+10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA== | |||
+-----END CERTIFICATE----- | |||
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py | |||
index e476031702..9240184d98 100644 | |||
--- a/Lib/test/test_ssl.py | |||
+++ b/Lib/test/test_ssl.py | |||
@@ -72,6 +72,7 @@ NONEXISTINGCERT = data_file("XXXnonexisting.pem") | |||
BADKEY = data_file("badkey.pem") | |||
NOKIACERT = data_file("nokia.pem") | |||
NULLBYTECERT = data_file("nullbytecert.pem") | |||
+TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem") | |||
DHFILE = data_file("ffdh3072.pem") | |||
BYTES_DHFILE = DHFILE.encode(sys.getfilesystemencoding()) | |||
@@ -227,6 +228,27 @@ class BasicSocketTests(unittest.TestCase): | |||
self.assertEqual(p['crlDistributionPoints'], | |||
('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',)) | |||
+ def test_parse_cert_CVE_2019_5010(self): | |||
+ p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP) | |||
+ if support.verbose: | |||
+ sys.stdout.write("\n" + pprint.pformat(p) + "\n") | |||
+ self.assertEqual( | |||
+ p, | |||
+ { | |||
+ 'issuer': ( | |||
+ (('countryName', 'UK'),), (('commonName', 'cody-ca'),)), | |||
+ 'notAfter': 'Jun 14 18:00:58 2028 GMT', | |||
+ 'notBefore': 'Jun 18 18:00:58 2018 GMT', | |||
+ 'serialNumber': '02', | |||
+ 'subject': ((('countryName', 'UK'),), | |||
+ (('commonName', | |||
+ 'codenomicon-vm-2.test.lal.cisco.com'),)), | |||
+ 'subjectAltName': ( | |||
+ ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),), | |||
+ 'version': 3 | |||
+ } | |||
+ ) | |||
+ | |||
def test_parse_cert_CVE_2013_4238(self): | |||
p = ssl._ssl._test_decode_cert(NULLBYTECERT) | |||
if support.verbose: | |||
diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | |||
new file mode 100644 | |||
index 0000000000..dffe347eec | |||
--- /dev/null | |||
+++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | |||
@@ -0,0 +1,3 @@ | |||
+[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did | |||
+not handle CRL distribution points with empty DP or URI correctly. A | |||
+malicious or buggy certificate can result into segfault. | |||
diff --git a/Modules/_ssl.c b/Modules/_ssl.c | |||
index a96c419260..19bb1207b4 100644 | |||
--- a/Modules/_ssl.c | |||
+++ b/Modules/_ssl.c | |||
@@ -1223,6 +1223,10 @@ _get_crl_dp(X509 *certificate) { | |||
STACK_OF(GENERAL_NAME) *gns; | |||
dp = sk_DIST_POINT_value(dps, i); | |||
+ if (dp->distpoint == NULL) { | |||
+ /* Ignore empty DP value, CVE-2019-5010 */ | |||
+ continue; | |||
+ } | |||
gns = dp->distpoint->name.fullname; | |||
for (j=0; j < sk_GENERAL_NAME_num(gns); j++) { | |||
-- | |||
2.17.1 | |||
@ -0,0 +1,120 @@ | |||
From be5de958e9052e322b0087c6dba81cdad0c3e031 Mon Sep 17 00:00:00 2001 | |||
From: "Miss Islington (bot)" | |||
<31488909+miss-islington@users.noreply.github.com> | |||
Date: Tue, 15 Jan 2019 15:03:36 -0800 | |||
Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser (GH-11569) | |||
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL | |||
distribution points with empty DP or URI correctly. A malicious or buggy | |||
certificate can result into segfault. | |||
Signed-off-by: Christian Heimes <christian@python.org> | |||
https://bugs.python.org/issue35746 | |||
(cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3) | |||
Co-authored-by: Christian Heimes <christian@python.org> | |||
--- | |||
Lib/test/talos-2019-0758.pem | 22 +++++++++++++++++++ | |||
Lib/test/test_ssl.py | 22 +++++++++++++++++++ | |||
.../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++ | |||
Modules/_ssl.c | 4 ++++ | |||
4 files changed, 51 insertions(+) | |||
create mode 100644 Lib/test/talos-2019-0758.pem | |||
create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | |||
diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem | |||
new file mode 100644 | |||
index 0000000000..13b95a77fd | |||
--- /dev/null | |||
+++ b/Lib/test/talos-2019-0758.pem | |||
@@ -0,0 +1,22 @@ | |||
+-----BEGIN CERTIFICATE----- | |||
+MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO | |||
+BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7 | |||
+MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh | |||
+bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB | |||
+J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES | |||
+V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD | |||
+5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C | |||
+1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP | |||
+WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF | |||
+j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp | |||
+HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io | |||
+UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7 | |||
+2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu | |||
+bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG | |||
+SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p | |||
+t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr | |||
+t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit | |||
+p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV | |||
+Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+ | |||
+10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA== | |||
+-----END CERTIFICATE----- | |||
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py | |||
index f1b9565c8d..b6794ce3a8 100644 | |||
--- a/Lib/test/test_ssl.py | |||
+++ b/Lib/test/test_ssl.py | |||
@@ -116,6 +116,7 @@ NONEXISTINGCERT = data_file("XXXnonexisting.pem") | |||
BADKEY = data_file("badkey.pem") | |||
NOKIACERT = data_file("nokia.pem") | |||
NULLBYTECERT = data_file("nullbytecert.pem") | |||
+TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem") | |||
DHFILE = data_file("ffdh3072.pem") | |||
BYTES_DHFILE = os.fsencode(DHFILE) | |||
@@ -365,6 +366,27 @@ class BasicSocketTests(unittest.TestCase): | |||
self.assertEqual(p['crlDistributionPoints'], | |||
('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',)) | |||
+ def test_parse_cert_CVE_2019_5010(self): | |||
+ p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP) | |||
+ if support.verbose: | |||
+ sys.stdout.write("\n" + pprint.pformat(p) + "\n") | |||
+ self.assertEqual( | |||
+ p, | |||
+ { | |||
+ 'issuer': ( | |||
+ (('countryName', 'UK'),), (('commonName', 'cody-ca'),)), | |||
+ 'notAfter': 'Jun 14 18:00:58 2028 GMT', | |||
+ 'notBefore': 'Jun 18 18:00:58 2018 GMT', | |||
+ 'serialNumber': '02', | |||
+ 'subject': ((('countryName', 'UK'),), | |||
+ (('commonName', | |||
+ 'codenomicon-vm-2.test.lal.cisco.com'),)), | |||
+ 'subjectAltName': ( | |||
+ ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),), | |||
+ 'version': 3 | |||
+ } | |||
+ ) | |||
+ | |||
def test_parse_cert_CVE_2013_4238(self): | |||
p = ssl._ssl._test_decode_cert(NULLBYTECERT) | |||
if support.verbose: | |||
diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | |||
new file mode 100644 | |||
index 0000000000..dffe347eec | |||
--- /dev/null | |||
+++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | |||
@@ -0,0 +1,3 @@ | |||
+[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did | |||
+not handle CRL distribution points with empty DP or URI correctly. A | |||
+malicious or buggy certificate can result into segfault. | |||
diff --git a/Modules/_ssl.c b/Modules/_ssl.c | |||
index 9894ad821d..9baec8a9bc 100644 | |||
--- a/Modules/_ssl.c | |||
+++ b/Modules/_ssl.c | |||
@@ -1516,6 +1516,10 @@ _get_crl_dp(X509 *certificate) { | |||
STACK_OF(GENERAL_NAME) *gns; | |||
dp = sk_DIST_POINT_value(dps, i); | |||
+ if (dp->distpoint == NULL) { | |||
+ /* Ignore empty DP value, CVE-2019-5010 */ | |||
+ continue; | |||
+ } | |||
gns = dp->distpoint->name.fullname; | |||
for (j=0; j < sk_GENERAL_NAME_num(gns); j++) { | |||
-- | |||
2.17.1 | |||