Bug 1224999 (CVE-2013-7440)

Summary: CVE-2013-7440 python: wildcard matching rules do not follow RFC 6125
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abaron, amcnabb, apevec, bkearney, bleanhar, ccoleman, ceph-eng-bugs, chrisw, cpelland, cperry, dallan, dmcphers, donald, fschwarz, gkotton, gmollett, henrik, infra-sig, jal233, jialiu, joelsmith, jokerman, jorton, katello-bugs, lewk, lhh, lmeyer, lpeer, markmc, metherid, mhroncok, mmaslano, mmccomas, mmccune, moez.roy, mrunge, nlevinki, ohadlevy, orion, ovasik, p, pstodulk, pviktori, python-maint, python-sig, rbean, rbryant, rfortier, rhs-bugs, sagarun, sardella, sclewis, shahms, slawomir, smilner, srevivo, tomspur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: python 2.7.9, python 3.3.3, python 3.4.0, python-backports-ssl_match_hostname 3.4.0.2 Doc Type: Bug Fix
Doc Text:
Multiple flaws were found in the way Python's SSL module performed matching of certificate names containing wildcards. A remote attacker able to obtain a valid certificate that contained certain names with wildcards could have them incorrectly accepted by Python SSL clients, not following the RFC 6125 recommendations.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 00:45:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1023742, 1035223, 1230951, 1230952, 1230953, 1230954, 1231231, 1231232, 1231238, 1231239, 1304146, 1304225, 1304227    
Bug Blocks: 1225002    

Description Martin Prpič 2015-05-26 11:52:59 UTC 
It was found that Python's SSL hostname matching rules did not conform to RFC 6125 when the hostname included wildcards.

Upstream issue:

https://bugs.python.org/issue17997#msg194950

CVE assignment:

http://seclists.org/oss-sec/2015/q2/523

Upstream patch:

https://hg.python.org/cpython/rev/10d0edadbcdd
Comment 1 Tomas Hoger 2015-06-11 08:18:19 UTC 
This was fixed upstream in Python 3.3.3, and also in backports.ssl_match_hostname 3.4.0.2:

https://pypi.python.org/pypi/backports.ssl_match_hostname/3.4.0.2

Corrected version was also added to Python 2.7.9.  Python 2.7 versions before 2.7.9 did not include match_hostname() and hence were not affected.
Comment 3 Tomas Hoger 2015-06-11 20:55:07 UTC 
The backports.ssl_match_hostname is bundled with urllib3 upstream sources.  Additionally, urllib3 is bundled in the requests library.  However, python-urllib3 and python-requests packages in Red Hat products and Fedora do not bundle backports.ssl_match_hostname and instead use the version in python-backports-ssl_match_hostname packages.


There are several multiple copies of match_hostname implementation in python-pip:

- pip/backwardcompat/ssl_match_hostname.py
  - this was used in pip version prior to 1.5, removed via:
    https://github.com/pypa/pip/commit/c61b5df
  - version included in pip 1.4.1 was affected by CVE-2013-7440, but not
    affected by CVE-2013-2099 (bug 963260)
  - version included in pip 1.3.4 is affected by both CVE-2013-7440 and
    CVE-2013-2099, but some Red Hat packages already include patch for
    CVE-2013-2099

- pip/_vendor/requests/packages/urllib3/packages/ssl_match_hostname/_implementation.py
  - embedded requests library with embedded urllib3 with embedded
    backports.ssl_match_hostname
  - added in pip 1.5 when requests 2.0.0 was added, using ssl_match_hostname
    version with this issue already fixed
    https://github.com/pypa/pip/commit/651a961

- pip/_vendor/distlib/compat.py
  - code was affected by both CVE-2013-2099 and CVE-2013-7440 until pip 6.0.0,
    when embedded distlib was updated to version 0.2.0:
    https://github.com/pypa/pip/commit/320a07f
  - it's unclear to me if match_hostname copy in distlib is used by pip


distlib is also packaged separately in Fedora.  The current version of python-distlib packages is 0.1.9.  CVE-2013-2099 and CVE-2013-7440 were only fixed upstream in 0.2.0 via:
https://bitbucket.org/vinay.sajip/distlib/commits/1e44690


match_hostname code is also copied in the setuptools package.

- 0.7 introduced the code when it add support for SSL certificate verification
  https://bitbucket.org/pypa/setuptools/commits/8dc5794
- 0.9.5 corrected CVE-2013-2099
  https://bitbucket.org/pypa/setuptools/commits/4b0fb61
- 1.3 corrected CVE-2013-7440
  https://bitbucket.org/pypa/setuptools/commits/7eeb678

python-setuptools in Red Hat Enterprise Linux 6 and earlier are based on upstream versions prior to 0.7 and hence do not contain match_hostname.  The version in Red Hat Enterprise Linux 7 is 0.9.8.  However, it does not contain match_hostname, as it was patched to use implementation from the python-backports-ssl_match_hostname package.  Version 0.9.8 is also used in python-setuptools packages in python27 and python33 collections in Red Hat Software Collections.  Those packages already include a patch for CVE-2013-7440.  The rh-python34 collections contains newer upstream setuptools versions (11.3.1).
Comment 4 Tomas Hoger 2015-06-11 21:08:40 UTC 
Created python-pip tracking bugs for this issue:

Affects: fedora-all [bug 1230953]
Affects: epel-all [bug 1230954]
Comment 5 Tomas Hoger 2015-06-11 21:08:48 UTC 
Created bzr tracking bugs for this issue:

Affects: fedora-all [bug 1230951]
Comment 6 Tomas Hoger 2015-06-11 21:08:54 UTC 
Created python-distlib tracking bugs for this issue:

Affects: fedora-all [bug 1230952]
Comment 7 Tomas Hoger 2015-06-12 12:29:18 UTC 
pip and setuptools are bundled with virtualenv.  The following provides a quick overview of versions bundled with virtualenv versions as found in Red Hat products and Fedora:

- virtualenv 1.7.2 - includes distribute-0.6.27 and setuptools-0.6c11 - not affected
- virtualenv 1.10.1 - includes pip-1.4.1 and setuptools-0.9.8 - affected
- virtualenv 1.11.6 - includes pip-1.5.6 and setuptools-3.6 - only pip/distlib affected
- virtualenv 12.0.7 - includes pip-6.0.8 and setuptools-12.0.5 - not affected
Comment 8 Tomas Hoger 2015-06-12 12:45:51 UTC 
match_hostname is also embedded in pymongo:

- it was introduced in 2.5:
  https://jira.mongodb.org/browse/PYTHON-466
  https://github.com/mongodb/mongo-python-driver/commit/48046b2e
- CVE-2013-2099 was corrected in 2.6:
  https://jira.mongodb.org/browse/PYTHON-522
  https://github.com/mongodb/mongo-python-driver/commit/e4f6e4f7
- CVE-2013-7440 was corrected in 2.7
  https://jira.mongodb.org/browse/PYTHON-650
  https://github.com/mongodb/mongo-python-driver/commit/9b0e542a
Comment 9 Tomas Hoger 2015-06-12 13:13:39 UTC 
Created python-pymongo tracking bugs for this issue:

Affects: fedora-all [bug 1231231]
Affects: epel-all [bug 1231232]
Comment 10 Tomas Hoger 2015-06-12 13:23:18 UTC 
Created zeroinstall-injector tracking bugs for this issue:

Affects: fedora-all [bug 1231238]
Affects: epel-6 [bug 1231239]
Comment 15 Fedora Update System 2015-07-20 19:47:26 UTC 
python-pip-7.1.0-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2015-07-20 19:47:43 UTC 
python-pip-7.1.0-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2015-08-15 02:23:13 UTC 
bzr-2.6.0-8.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2015-08-15 02:23:44 UTC 
bzr-2.6.0-7.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2016-02-12 11:51:56 UTC 
python-pymongo-2.5.2-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2016-02-12 12:19:45 UTC 
python-pymongo-2.5.2-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 21 Fedora Update System 2016-02-20 22:58:34 UTC 
python-pymongo-2.5.2-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 22 Fedora Update System 2016-02-20 23:55:27 UTC 
python-pymongo-2.5.2-3.el6.1 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 24 errata-xmlrpc 2016-05-31 10:24:13 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:1166 https://access.redhat.com/errata/RHSA-2016:1166
Comment 25 Andrej Nemec 2017-09-08 12:21:34 UTC 
Statement:

This issue affects the versions of python27-python-pip, python-pymongo and python-virtualenv as shipped with Red Hat OpenShift 2.x and Satellite 6. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.