Summary: | CVE-2013-4314 pyOpenSSL: hostname check bypassing vulnerability | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aavati, abaron, amarecek, aortega, apevec, ayoung, btotty, chrisw, dallan, gkotton, henri, jkurik, jlieskov, jruzicka, lhh, markmc, mcepl, nlevinki, pfrields, rbryant, rfortier, rhos-maint, rhs-bugs, sclewis, ssaha, tmraz, vbellur, vdanen |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | pyOpenSSL 0.13.1 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2014-04-24 10:07:22 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Bug Depends On: | 1005428, 1006138 | ||
Bug Blocks: | 1005327 |
Description
Vincent Danen
2013-09-06 16:24:39 UTC
Created pyOpenSSL tracking bugs for this issue: Affects: fedora-all [bug 1005428] Please use CVE-2013-4314 for this issue. CVE assignment: http://www.openwall.com/lists/oss-security/2013/09/06/2 The underlying problem exists in pyOpenSSL versions shipped in Red Hat Enterprise Linux 5 and 6. However, it is not exposed in those versions. Upstream pyOpenSSL version 0.12 added get_extension() method for the X509 type, which allows reading certificate extensions (as X509Extension) from certificates, for example a certificate presented by remote SSL/TLS connection peer. This functionality is not available in earlier versions. In older versions, it is only possible to construct X509Extension object in the code by specifying its type, whether it's critical, and its value. The intended use of this functionality is during certificate creation. However, it is not possible to create X509Extension with value containing NUL byte. Parameter to the X509Extension constructor is parsed using python's PyArg_ParseTupleAndKeywords() using 's' format for the value parameter, which does not allow strings with embedded NUL bytes. https://docs.python.org/2/c-api/arg.html Note that get_extension() available in newer pyOpenSSL versions does not seem to be used often - no component in upcoming Red Hat Enterprise Linux 7 uses that functionality. Additionally, string representation of subjectAltName X509Extension would require further parsing before it can be used in any hostname identity check. pyOpenSSL does not implement such checks. Statement: Not vulnerable. This issue did not affect the versions of pyOpenSSL as shipped with Red Hat Enterprise Linux 5 and 6. |