Hello community, here is the log from the commit of package python for openSUSE:Factory checked in at 2019-02-26 22:13:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python (Old) and /work/SRC/openSUSE:Factory/.python.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python" Tue Feb 26 22:13:27 2019 rev:136 rq:677944 version:2.7.15 Changes: -------- --- /work/SRC/openSUSE:Factory/python/python-base.changes 2018-12-24 11:36:16.473724650 +0100 +++ /work/SRC/openSUSE:Factory/.python.new.28833/python-base.changes 2019-02-26 22:13:42.594246870 +0100 @@ -1,0 +2,12 @@ +Sat Jan 19 16:19:38 CET 2019 - [email protected] + +- bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch + fixing bpo-35746. + An exploitable denial-of-service vulnerability exists in the + X509 certificate parser of Python.org Python 2.7.11 / 3.7.2. + A specially crafted X509 certificate can cause a NULL pointer + dereference, resulting in a denial of service. An attacker can + initiate or accept TLS connections using crafted certificates + to trigger this vulnerability. + +------------------------------------------------------------------- python.changes: same change New: ---- CVE-2019-5010-null-defer-x509-cert-DOS.patch python-base-rpmlintrc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-base.spec ++++++ --- /var/tmp/diff_new_pack.6QhtAb/_old 2019-02-26 22:13:44.850246078 +0100 +++ /var/tmp/diff_new_pack.6QhtAb/_new 2019-02-26 22:13:44.854246076 +0100 @@ -1,7 +1,7 @@ # # spec file for package python-base # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -32,6 +32,7 @@ Source2: baselibs.conf Source3: README.SUSE Source5: local.pth +Source99: python-base-rpmlintrc # COMMON-PATCH-BEGIN Patch1: python-2.7-dirs.patch Patch2: python-distutils-rpm-8.patch @@ -69,6 +70,10 @@ Patch47: openssl-111-middlebox-compat.patch # PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE Patch48: openssl-111-ssl_options.patch +# PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 [email protected] +# https://github.com/python/cpython/pull/11569 +# Fix segfault in ssl's cert parser +Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -180,6 +185,7 @@ %patch43 -p1 %patch47 -p1 %patch48 -p1 +%patch49 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ python-doc.spec ++++++ --- /var/tmp/diff_new_pack.6QhtAb/_old 2019-02-26 22:13:44.870246070 +0100 +++ /var/tmp/diff_new_pack.6QhtAb/_new 2019-02-26 22:13:44.874246069 +0100 @@ -1,7 +1,7 @@ # # spec file for package python-doc # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -70,6 +70,10 @@ Patch47: openssl-111-middlebox-compat.patch # PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE Patch48: openssl-111-ssl_options.patch +# PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 [email protected] +# https://github.com/python/cpython/pull/11569 +# Fix segfault in ssl's cert parser +Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch # COMMON-PATCH-END Provides: pyth_doc Provides: pyth_ps @@ -127,6 +131,7 @@ %patch43 -p1 %patch47 -p1 %patch48 -p1 +%patch49 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ python.spec ++++++ --- /var/tmp/diff_new_pack.6QhtAb/_old 2019-02-26 22:13:44.890246064 +0100 +++ /var/tmp/diff_new_pack.6QhtAb/_new 2019-02-26 22:13:44.890246064 +0100 @@ -1,7 +1,7 @@ # # spec file for package python # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -75,6 +75,10 @@ Patch47: openssl-111-middlebox-compat.patch # PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE Patch48: openssl-111-ssl_options.patch +# PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 [email protected] +# https://github.com/python/cpython/pull/11569 +# Fix segfault in ssl's cert parser +Patch49: CVE-2019-5010-null-defer-x509-cert-DOS.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -233,6 +237,7 @@ %patch43 -p1 %patch47 -p1 %patch48 -p1 +%patch49 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ CVE-2019-5010-null-defer-x509-cert-DOS.patch ++++++ >From 280917872027ee991416d2623fc16ff1eed48f50 Mon Sep 17 00:00:00 2001 From: Christian Heimes <[email protected]> Date: Tue, 15 Jan 2019 23:47:42 +0100 Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser (GH-11569) Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result into segfault. Signed-off-by: Christian Heimes <[email protected]> https://bugs.python.org/issue35746 (cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3) Co-authored-by: Christian Heimes <[email protected]> --- Lib/test/talos-2019-0758.pem | 22 +++++++++++++++++++ Lib/test/test_ssl.py | 22 +++++++++++++++++++ .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++ Modules/_ssl.c | 4 ++++ 4 files changed, 51 insertions(+) create mode 100644 Lib/test/talos-2019-0758.pem create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst --- /dev/null +++ b/Lib/test/talos-2019-0758.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO +BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7 +MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh +bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB +J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES +V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD +5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C +1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP +WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF +j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp +HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io +UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7 +2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu +bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG +SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p +t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr +t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit +p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV +Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+ +10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA== +-----END CERTIFICATE----- --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -72,6 +72,7 @@ NONEXISTINGCERT = data_file("XXXnonexist BADKEY = data_file("badkey.pem") NOKIACERT = data_file("nokia.pem") NULLBYTECERT = data_file("nullbytecert.pem") +TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem") DHFILE = data_file("dh1024.pem") BYTES_DHFILE = DHFILE.encode(sys.getfilesystemencoding()) @@ -227,6 +228,27 @@ class BasicSocketTests(unittest.TestCase self.assertEqual(p['crlDistributionPoints'], ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',)) + def test_parse_cert_CVE_2019_5010(self): + p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP) + if support.verbose: + sys.stdout.write("\n" + pprint.pformat(p) + "\n") + self.assertEqual( + p, + { + 'issuer': ( + (('countryName', 'UK'),), (('commonName', 'cody-ca'),)), + 'notAfter': 'Jun 14 18:00:58 2028 GMT', + 'notBefore': 'Jun 18 18:00:58 2018 GMT', + 'serialNumber': '02', + 'subject': ((('countryName', 'UK'),), + (('commonName', + 'codenomicon-vm-2.test.lal.cisco.com'),)), + 'subjectAltName': ( + ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),), + 'version': 3 + } + ) + def test_parse_cert_CVE_2013_4238(self): p = ssl._ssl._test_decode_cert(NULLBYTECERT) if support.verbose: --- /dev/null +++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst @@ -0,0 +1,3 @@ +[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did +not handle CRL distribution points with empty DP or URI correctly. A +malicious or buggy certificate can result into segfault. --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -1222,6 +1222,10 @@ _get_crl_dp(X509 *certificate) { STACK_OF(GENERAL_NAME) *gns; dp = sk_DIST_POINT_value(dps, i); + if (dp->distpoint == NULL) { + /* Ignore empty DP value, CVE-2019-5010 */ + continue; + } gns = dp->distpoint->name.fullname; for (j=0; j < sk_GENERAL_NAME_num(gns); j++) { ++++++ python-base-rpmlintrc ++++++ addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/distutils/tests/xxmodule.c") addFilter("devel-file-in-non-devel-package.*/usr/include/python.*/pyconfig.h")
