
Bug 469988 (CVE-2013-2099)

Summary: <dev-lang/python:{3.2.5-r1,3.3.2-r1}: ssl.match_hostname() DoS via certificates with specially crafted hostname wildcard patterns (CVE-2013-2099)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=963260
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-05-15 18:42:05 UTC
From ${URL} :

A denial of service flaw was found in the way the SSL module implementation of Python 3, version 3 of the Python programming language (aka Python 3000), performed matching of the certificate's name in the case it contained many '*' wildcard characters. A remote attacker, able to obtain a valid certificate with its name containing a lot of '*' wildcard characters, could use this flaw to cause a denial of service (excessive CPU consumption) by issuing a request to validate such a certificate for / to an application using Python's ssl.match_hostname() functionality.

Upstream bug report:
[1] http://bugs.python.org/issue17980

CVE request:
[2] http://www.openwall.com/lists/oss-security/2013/05/15/6 (is for 
python-backports-ssl_match_hostname, but that code comes from Python 3.2 ssl module implementation)
[3] http://www.openwall.com/lists/oss-security/2013/05/15/7

Acknowledgements:

This issue was discovered by Florian Weimer of the Red Hat Product Security Team.


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
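The upstream fix for issue17980 bounds the work done per certificate name by counting the wildcards in the left-most label and refusing the name before any regular expression is built, so a name stuffed with '*' characters can no longer be expanded into a backtracking-heavy pattern. The function below is an added illustration written for this bug page, adapted from that approach rather than copied from CPython's ssl module; the names dnsname_match and CertificateError are mine, and the sample hostnames are constructed.

```python
import re


class CertificateError(ValueError):
    """Raised when a presented DNS name cannot be matched safely."""


def dnsname_match(dn, hostname, max_wildcards=1):
    """Match one certificate DNS name against a hostname (RFC 6125, 6.4.3).

    Added example modelled on the CVE-2013-2099 mitigation: the wildcard
    count is checked *before* any regex is compiled, so a name such as
    '************.example.com' is rejected in constant time instead of
    becoming a chain of '[^.]*' groups that backtracks on a non-match.
    """
    if not dn:
        return False

    leftmost, *remainder = dn.split('.')

    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        raise CertificateError(
            "too many wildcards in certificate DNS name: " + repr(dn))

    # Fast path: no wildcard at all, plain case-insensitive comparison.
    if not wildcards:
        return dn.lower() == hostname.lower()

    if leftmost == '*':
        # A bare '*' label matches exactly one non-empty label.
        pats = ['[^.]+']
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        # Do not expand a wildcard inside an internationalised (A-label) name.
        pats = [re.escape(leftmost)]
    else:
        # Partial wildcard such as 'www*' matches any dotless string.
        pats = [re.escape(leftmost).replace(r'\*', '[^.]*')]

    # Remaining labels must match literally; wildcards there are not honoured.
    pats.extend(re.escape(frag) for frag in remainder)

    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None
```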
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2013-05-15 20:15:56 UTC
Don't know who inserted the Python 3000 mention here, but that codename is long gone and certainly doesn't make sense in this kind of message. </grumpy>
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-02 21:50:21 UTC
Upstream patches available for 3.2 [1] and 3.3 [2].

[1] http://hg.python.org/cpython/rev/b9b521efeba3
[2] http://hg.python.org/cpython/rev/c627638753e2
Comment 3 Mike Gilbert gentoo-dev 2013-07-02 23:07:51 UTC
Thanks. I'll work on backporting them.
Comment 4 Mike Gilbert gentoo-dev 2013-07-03 00:23:47 UTC
+*python-3.2.5-r1 (03 Jul 2013)
+*python-3.3.2-r1 (03 Jul 2013)
+
+  03 Jul 2013; Mike Gilbert <floppym@gentoo.org>
+  +files/python-3.2-CVE-2013-2099.patch, +files/python-3.3-CVE-2013-2099.patch,
+  +python-3.2.5-r1.ebuild, +python-3.3.2-r1.ebuild:
+  Add patch to fix CVE-2013-2099, bug 469988.

We can stabilize python-3.2.5-r1.

python-3.3* is not stable yet, so skip it.
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-03 00:45:41 UTC
Sounds good to me. Arches, please stable =dev-lang/python-3.2.5-r1, target arches: alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86. Thanks!
Comment 6 Agostino Sarubbo gentoo-dev 2013-07-03 10:30:47 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-07-03 10:31:19 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-07-04 13:04:38 UTC
ppc stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-04 13:55:03 UTC
Stable for HPPA.
Comment 10 Agostino Sarubbo gentoo-dev 2013-07-04 14:13:41 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-07-06 17:08:16 UTC
alpha stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-07-07 12:06:50 UTC
arm stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-07-07 15:20:39 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-07-21 17:40:20 UTC
sh stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-07-22 08:52:50 UTC
sparc stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-08-06 12:32:33 UTC
s390 stable
Comment 17 Mike Gilbert gentoo-dev 2013-08-18 18:36:18 UTC
+*python-3.3.2-r2 (18 Aug 2013)
+
+  18 Aug 2013; Mike Gilbert <floppym@gentoo.org>
+  +files/CVE-2013-4073_py33.patch, +python-3.3.2-r2.ebuild:
+  Use Arfrever's patchset, bug 354877. Apply fix for CVS-2013-4238, bug 480856.
Comment 18 Mike Gilbert gentoo-dev 2013-08-18 18:36:55 UTC
(In reply to Mike Gilbert from comment #17)

Sorry, wrong bug.
Comment 19 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-18 03:34:23 UTC
m68k timeout. @maintainers: please clean up affected versions, but leave the latest stable m68k version, drop all other keywords. GLSA request filed.
Comment 20 Arfrever Frehtes Taifersar Arahesis 2013-09-19 08:53:04 UTC
(In reply to Chris Reffett from comment #19)

Gentoo Council on 2013-09-17 destabilized the whole m68k architecture.
Comment 21 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-22 14:24:32 UTC
Okay then. @maintainers: cleanup.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2013-10-15 03:27:58 UTC
CVE-2013-2099 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2099):
  Algorithmic complexity vulnerability in the ssl.match_hostname function in
  Python 3.2.x, 3.3.x, and earlier, and unspecified versions of
  python-backports-ssl_match_hostname as used for older Python versions,
  allows remote attackers to cause a denial of service (CPU consumption) via
  multiple wildcard characters in the common name in a certificate.
Comment 23 Yury German Gentoo Infrastructure gentoo-dev 2013-12-30 06:54:26 UTC
Maintainer(s), thank you for your work!

Added to existing GLSA draft.
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2014-01-06 21:28:16 UTC
This issue was resolved and addressed in
 GLSA 201401-04 at http://security.gentoo.org/glsa/glsa-201401-04.xml
by GLSA coordinator Sergey Popov (pinkbyte).