Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 484032 (CVE-2013-4314) - <dev-python/pyopenssl-0.13.1: hostname check bypassing vulnerability (CVE-2013-4314)
Summary: <dev-python/pyopenssl-0.13.1: hostname check bypassing vulnerability (CVE-201...
Status: RESOLVED FIXED
Alias: CVE-2013-4314
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-09-06 18:45 UTC by Agostino Sarubbo
Modified: 2013-12-03 19:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-09-06 18:45:32 UTC
From ${URL} :

The pyOpenSSL module implements hostname identity checks but it did not properly handle hostnames 
in the certificate that contain null bytes.  In all releases prior to 0.13.1, the string formatting 
of subjectAltName X509Extension instances incorrectly truncated fields of the name when 
encountering the null byte.

When a CA than an SSL client trusts issues a server certificate that has a null byte in the 
subjectAltName, remote attackers can obtain a certifcate for 'www.foo.org\0.example.com' from the 
CA to spoof 'www.foo.org' and conduct man-in-the-middle attacks between the pyOpenSSL-using client 
and SSL servers.

[1] https://mail.python.org/pipermail/pyopenssl-users/2013-September/000478.html



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-10-02 04:15:07 UTC
CVE-2013-4314 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4314):
  The X509Extension in pyOpenSSL before 0.13.1 does not properly handle a '\0'
  character in a domain name in the Subject Alternative Name field of an X.509
  certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL
  servers via a crafted certificate issued by a legitimate Certification
  Authority.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-02 04:18:07 UTC
Upstream patch at http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/revision/169?start_revid=169
Comment 3 Dirkjan Ochtman (RETIRED) gentoo-dev 2013-10-02 06:26:25 UTC
Arches, please stabilize.
Comment 4 Agostino Sarubbo gentoo-dev 2013-10-02 12:07:40 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-10-02 12:08:52 UTC
x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2013-10-02 12:57:46 UTC
Arch teams, please test and mark stable:
=dev-python/pyopenssl-0.13.1
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2013-10-02 13:05:57 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2013-10-06 10:11:52 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-10-06 15:18:34 UTC
alpha stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-10-07 19:29:09 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-10-09 11:16:33 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-10-09 11:18:01 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-10-09 17:09:08 UTC
sparc stable
Comment 14 Sergey Popov (RETIRED) gentoo-dev 2013-10-10 06:48:53 UTC
GLSA vote: no
Comment 15 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-03 19:28:44 UTC
GLSA vote: no. Closing noglsa.