Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 480856 (CVE-2013-4238) - <dev-lang/python-{2.6.8-r3,2.7.5-r2,3.2.5-r2}: Hostname check bypassing vulnerability in SSL module (CVE-2013-4238)
Summary: <dev-lang/python-{2.6.8-r3,2.7.5-r2,3.2.5-r2}: Hostname check bypassing vulne...
Status: RESOLVED FIXED
Alias: CVE-2013-4238
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-13 08:42 UTC by Agostino Sarubbo
Modified: 2013-09-29 15:47 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-08-13 08:42:32 UTC
From ${URL} :

A flaw was found in the way ssl.match_hostname() from the Python SSL module checked the hostname's identity when handling certificates that contain hostnames with NULL 
bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to 
obtain a carefully-crafted certificate signed by an authority that the client trusts.

References:

http://bugs.python.org/issue18709
http://bugs.python.org/file31241/CVE-2013-4073_py34.patch
http://bugs.python.org/file31242/CVE-2013-4073_py33.patch
http://bugs.python.org/file31243/CVE-2013-4073_py27.patch


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Mike Gilbert gentoo-dev 2013-08-18 18:37:18 UTC
+*python-3.3.2-r2 (18 Aug 2013)
+
+  18 Aug 2013; Mike Gilbert <floppym@gentoo.org>
+  +files/CVE-2013-4073_py33.patch, +python-3.3.2-r2.ebuild:
+  Use Arfrever's patchset, bug 354877. Apply fix for CVS-2013-4238, bug 480856.
Comment 2 Mike Gilbert gentoo-dev 2013-08-18 19:28:54 UTC
+*python-2.7.5-r2 (18 Aug 2013)
+*python-3.2.5-r2 (18 Aug 2013)
+*python-2.6.8-r3 (18 Aug 2013)
+
+  18 Aug 2013; Mike Gilbert <floppym@gentoo.org>
+  +files/CVE-2013-4238_py26.patch, +files/CVE-2013-4238_py27.patch,
+  +files/CVE-2013-4238_py32.patch, +files/CVE-2013-4238_py33.patch,
+  +python-2.6.8-r3.ebuild, +python-2.7.5-r2.ebuild, +python-3.2.5-r2.ebuild,
+  -files/CVE-2013-4073_py33.patch, python-3.3.2-r2.ebuild:
+  Apply fix for CVE-2013-4238, bug 480856.
+
Comment 3 Mike Gilbert gentoo-dev 2013-08-18 19:30:22 UTC
It should be ok to stabilize these.

=dev-lang/python-2.6.8-r3
=dev-lang/python-2.7.5-r2
=dev-lang/python-3.2.5-r2
Comment 4 Chris Reffett gentoo-dev Security 2013-08-20 00:46:42 UTC
Okay then. Arches, please stabilize the following:

=dev-lang/python-2.6.8-r3 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
=dev-lang/python-2.7.5-r2 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
=dev-lang/python-3.2.5-r2 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86

(Python team, please correct me if I have any of the stable targets wrong)
Comment 5 Jeroen Roovers gentoo-dev 2013-08-20 14:25:32 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2013-08-22 20:05:49 UTC
I guess the evaluation is A here.
Comment 7 Agostino Sarubbo gentoo-dev 2013-08-23 09:01:45 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-08-23 09:12:10 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-08-23 09:15:11 UTC
alpha stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-08-23 09:15:26 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-08-23 09:15:43 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-08-23 09:15:58 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-08-23 09:16:14 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-08-23 09:16:28 UTC
s390 stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-08-23 09:16:43 UTC
sh stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-08-23 09:16:58 UTC
sparc stable
Comment 17 Chris Reffett gentoo-dev Security 2013-08-27 02:23:53 UTC
m68k isn't a supported security arch, so we can vote while waiting on it. GLSA vote: no (requires too specific circumstances with the crafted certificate)
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 02:26:04 UTC
CVE-2013-4238 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4238):
  The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4
  does not properly handle a '\0' character in a domain name in the Subject
  Alternative Name field of an X.509 certificate, which allows
  man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted
  certificate issued by a legitimate Certification Authority, a related issue
  to CVE-2009-2408.
Comment 19 Sergey Popov gentoo-dev Security 2013-09-04 05:54:26 UTC
GLSA vote: no

Setting noglsa, waiting for m68k stabilization to close this...
Comment 20 Agostino Sarubbo gentoo-dev 2013-09-28 20:56:29 UTC
M68K is not anymore a stable arch, removing it from the cc list
Comment 21 Sean Amoss gentoo-dev Security 2013-09-29 15:47:37 UTC
The "no's" have it. Closing noglsa.