Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 676700 (CVE-2019-5010)

Summary: <dev-lang/python-{2.7.16,3.5.7,3.6.9,3.7.3}: NULL pointer dereference using a specially crafted X509 certificate (CVE-2019-5010)
Product: Gentoo Security Reporter: psp <gentoo-bugzilla>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: mgorny, python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html
Whiteboard: A3 [glsa+ cve]
Package list:
dev-lang/python-2.7.16 dev-lang/python-3.5.7 dev-lang/python-3.6.9
 Runtime testing required: ---
Bug Depends on: 689822, 701116    
Bug Blocks:    

Description psp 2019-01-29 07:51:30 UTC 
An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010
https://bugs.python.org/file48052/TALOS-2019-0758.txt
https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html

Test:
$ wget -q https://raw.githubusercontent.com/python/cpython/master/Lib/test/talos-2019-0758.pem
$ python3
Python 3.4.8 (default, May 11 2018, 23:17:39) 
[GCC 6.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl._ssl._test_decode_cert('talos-2019-0758.pem')
Segmentation fault
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-03-21 12:50:29 UTC 
Ok, so it seems that the following versions contain a fix:

2.7: 2.7.16
3.4: 3.4.10
3.5: 3.5.7
3.6: next (no rc yet)
3.7: 3.7.3rc1 (no final yet)
Comment 2 Larry the Git Cow gentoo-dev 2019-03-21 12:53:00 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ece98412e59349f1f485d5bd83919eb7d3f3e58

commit 8ece98412e59349f1f485d5bd83919eb7d3f3e58
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-03-21 12:44:07 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-03-21 12:44:07 +0000

    dev-lang/python: Sec-bump to 3.5.7
    
    Bug: https://bugs.gentoo.org/676700
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest            |   1 +
 dev-lang/python/python-3.5.7.ebuild | 368 ++++++++++++++++++++++++++++++++++++
 2 files changed, 369 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2019-03-21 13:38:44 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4eb3d2a0e9e70ef17f9b39b18b8d5e82f7d0d649

commit 4eb3d2a0e9e70ef17f9b39b18b8d5e82f7d0d649
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-03-21 13:22:24 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-03-21 13:38:36 +0000

    dev-lang/python: Sec-bump to 3.4.10
    
    Bug: https://bugs.gentoo.org/676700
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest             |   1 +
 dev-lang/python/python-3.4.10.ebuild | 363 +++++++++++++++++++++++++++++++++++
 2 files changed, 364 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6708701fec5c9f09ddf47fafefefc344e87bc98b

commit 6708701fec5c9f09ddf47fafefefc344e87bc98b
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-03-21 12:44:07 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-03-21 13:38:36 +0000

    dev-lang/python: Sec-bump to 3.5.7
    
    Bug: https://bugs.gentoo.org/676700
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest            |   1 +
 dev-lang/python/python-3.5.7.ebuild | 368 ++++++++++++++++++++++++++++++++++++
 2 files changed, 369 insertions(+)
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2019-03-27 02:55:49 UTC 
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-03-27 05:35:37 UTC 
Well, I don't see a reason not to stabilize the new versions but it'd probably make sense to wait for all branches to be released.
Comment 6 Larry the Git Cow gentoo-dev 2019-03-29 12:59:24 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e3fcda6cbf3533091102bc3c7272d0bcf357fb9

commit 1e3fcda6cbf3533091102bc3c7272d0bcf357fb9
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-03-29 12:27:40 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-03-29 12:59:12 +0000

    dev-lang/python: Bump to 3.7.3
    
    Bug: https://bugs.gentoo.org/676700
    Bug: https://bugs.gentoo.org/680298
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest            |   2 +
 dev-lang/python/python-3.7.3.ebuild | 325 ++++++++++++++++++++++++++++++++++++
 2 files changed, 327 insertions(+)
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2019-04-02 05:44:48 UTC 
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 8 Larry the Git Cow gentoo-dev 2019-07-14 13:05:13 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1cd1842cd013485101789106c7b25c8999cff9e9

commit 1cd1842cd013485101789106c7b25c8999cff9e9
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-07-14 12:46:56 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-07-14 12:48:20 +0000

    dev-lang/python: Bump to 3.6.9
    
    Bug: https://bugs.gentoo.org/689822
    Bug: https://bugs.gentoo.org/680246
    Bug: https://bugs.gentoo.org/676700
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest            |   1 +
 dev-lang/python/python-3.6.9.ebuild | 349 ++++++++++++++++++++++++++++++++++++
 2 files changed, 350 insertions(+)
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 14:10:53 UTC 
We should probably wait for 2.7.17 and 3.5.8 to address all other Python bugs in one stabilization.
Comment 10 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-01-03 08:30:25 UTC 
All affected versions should be gone now.
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 15:46:11 UTC 
Added to an existing GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-03-15 15:58:44 UTC 
This issue was resolved and addressed in
 GLSA 202003-26 at https://security.gentoo.org/glsa/202003-26
by GLSA coordinator Thomas Deutschmann (whissi).