Bug 996381 (CVE-2013-4238)

Summary: CVE-2013-4238 python: hostname check bypassing vulnerability in SSL module
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: a.badger, amcnabb, aortega, apevec, ayoung, bgollahe, bkabrda, briang, chrisw, derks, dmalcolm, drieden, edewata, gkotton, henrik, ian, ionut, ivazqueznet, jberan, jeffrey.ness, jkurik, jonathansteffan, katzj, markmc, metherid, michel, ovasik, python-maint, rbean, rbryant, rhos-maint, sagarun, sclewis, shahms, srevivo, tflink, tomspur, vkrizan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20130812,reported=20130812,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,rhel-5/python=notaffected,rhel-6/python=affected,rhel-7/python=notaffected,fedora-all/python=affected,fedora-all/python3=affected,epel-5/python26=affected,rhscl-1/python33-python=affected,rhscl-1/python=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 996399, 996400, 996401, 996733, 997768, 998430, 998781, 998783, 998784    
Bug Blocks: 974906, 996394    
Attachments:
Description Flags
Minimal test case
none
certs with nulls (taken from upstream commit) none

Description Murray McAllister 2013-08-13 01:39:04 EDT
A flaw was found in the way ssl.match_hostname() from the Python SSL module checked the hostname's identity when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts.

References:

http://bugs.python.org/issue18709
http://bugs.python.org/file31241/CVE-2013-4073_py34.patch
http://bugs.python.org/file31242/CVE-2013-4073_py33.patch
http://bugs.python.org/file31243/CVE-2013-4073_py27.patch
Comment 1 Murray McAllister 2013-08-13 01:43:12 EDT
This flaw is similar to CVE-2013-4073, which affected Ruby: https://bugzilla.redhat.com/show_bug.cgi?id=979251
Comment 3 Murray McAllister 2013-08-13 02:40:04 EDT
Created python-backports-ssl_match_hostname tracking bugs for this issue:

Affects: fedora-all [bug 996400]
Affects: epel-6 [bug 996401]
Comment 6 Murray McAllister 2013-08-13 02:44:27 EDT
Created python-tornado tracking bugs for this issue:

Affects: fedora-all [bug 996403]
Affects: epel-6 [bug 996405]
Comment 7 Murray McAllister 2013-08-13 02:44:43 EDT
Created bzr tracking bugs for this issue:

Affects: fedora-all [bug 996408]
Comment 8 Murray McAllister 2013-08-13 02:45:00 EDT
Created python-pip tracking bugs for this issue:

Affects: fedora-all [bug 996409]
Affects: epel-all [bug 996410]
Comment 9 Murray McAllister 2013-08-13 02:45:31 EDT
Created python-requests tracking bugs for this issue:

Affects: fedora-all [bug 996402]
Affects: epel-6 [bug 996404]
Comment 10 Murray McAllister 2013-08-13 02:45:50 EDT
Created zeroinstall-injector tracking bugs for this issue:

Affects: fedora-all [bug 996406]
Affects: epel-6 [bug 996407]
Comment 11 Murray McAllister 2013-08-13 02:46:10 EDT
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 996399]
Comment 13 Huzaifa S. Sidhpurwala 2013-08-19 06:04:56 EDT
Created python tracking bugs for this issue:

Affects: fedora-all [bug 998430]
Comment 14 Huzaifa S. Sidhpurwala 2013-08-20 00:43:38 EDT
Created attachment 788301 [details]
Minimal test case
Comment 15 Huzaifa S. Sidhpurwala 2013-08-20 00:44:27 EDT
Created attachment 788302 [details]
certs with nulls (taken from upstream commit)
Comment 17 Huzaifa S. Sidhpurwala 2013-08-20 00:47:20 EDT
Created python26 tracking bugs for this issue:

Affects: epel-5 [bug 998783]
Comment 19 Huzaifa S. Sidhpurwala 2013-08-22 02:36:57 EDT
Statement:

This issue does not affect the version of python as shipped with Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw.
Comment 20 Fedora Update System 2013-08-24 18:27:03 EDT
python-2.7.5-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Fedora Update System 2013-08-27 19:35:34 EDT
python3-3.3.2-6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 errata-xmlrpc 2013-11-21 04:15:25 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1582 https://rhn.redhat.com/errata/RHSA-2013-1582.html
Comment 23 errata-xmlrpc 2013-11-21 19:36:27 EST
This issue has been addressed in following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2013:1527 https://rhn.redhat.com/errata/RHSA-2013-1527.html