Bug 1023742 - ssl.match_hostname(): sub string wildcard should not match IDNA prefix
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: python3
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: ---
Assigned To: Matej Stuchlik
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Depends On:
Blocks: CVE-2013-7440
Reported: 2013-10-27 11:00 EDT by Toshio Ernie Kuratomi
Modified: 2016-01-31 21:15 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-29 05:36:27 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments: none

External Trackers: Python 17997 (upstream issue)
Description Toshio Ernie Kuratomi 2013-10-27 11:00:36 EDT
Description of problem:

http://bugs.python.org/issue17997#msg194950

This was recently fixed upstream and applied to the python3.3.3 and python3.4 branches (neither is released yet.)  There does not appear to be a CVE for this upstream update but there are apparently security implications.

The problem will affect other packages which copy the pair of functions that implement that functionality just like this bug: https://bugzilla.redhat.com/show_bug.cgi?id=963261

As I now have upstream commit rights to fix things like this in python-backports-ssl_match_hostname we should also update packages which copy the code to use the version in the python-backports-ssl_match_hostname package as well.

Something like:

try:
    from backports.ssl_match_hostname import CertificateError, match_hostname
except ImportError:
    CertificateError = None
    match_hostname = None

if not CertificateError:
    # Use the upstream's copied code to define CertificateError
    pass

if not match_hostname:
    # Use the upstream's copied code to define match_hostname
    pass


Version-Release number of selected component (if applicable):

* All current python3 packages.
* Packages which bundle the applicable code -- an old list is what blocks https://bugzilla.redhat.com/show_bug.cgi?id=963261; there could be more since then.
Comment 2 Toshio Ernie Kuratomi 2013-10-28 15:54:07 EDT
(In reply to Toshio Ernie Kuratomi from comment #0)
> Something like:
> 
If the upstream code supports python3 as well then the code would be like this:

try:
    # Python3.2+
    from ssl import CertificateError, match_hostname
except ImportError:
    try:
        # backports.ssl_match_hostname from pypi installed
        from backports.ssl_match_hostname import CertificateError, match_hostname
    except ImportError:
        CertificateError = None
        match_hostname = None

if not CertificateError:
    # Use the upstream's copied code to define CertificateError
    pass

if not match_hostname:
    # Use the upstream's copied code to define match_hostname
    pass
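The import chain sketched in comment #0 and comment #2, carried through to a working form, as an added example (not code from this bug report, from CPython, or from the backports package): the stdlib is tried first, then backports.ssl_match_hostname, and only then a local definition. The local fallback is a re-implementation written for this example; its wildcard matcher applies the rule this bug is about, namely that a partial-wildcard label such as "x*" must not match an IDNA A-label ("xn--..."), in addition to the usual left-most-label-only wildcard handling. The certificate dict and hostnames are constructed sample input.

```python
# Added example: import shim from the bug comments plus a local fallback matcher.
# The matcher below is a re-implementation for illustration, not CPython's code.
import re

try:
    # Python 3.2+ (ssl.match_hostname was later deprecated in 3.7, removed in 3.12)
    from ssl import CertificateError, match_hostname
except ImportError:
    try:
        # backports.ssl_match_hostname from PyPI, if installed
        from backports.ssl_match_hostname import CertificateError, match_hostname
    except ImportError:
        CertificateError = None
        match_hostname = None


class _LocalCertificateError(ValueError):
    """Raised by the local fallback when the certificate does not match."""


def _dnsname_match(dn, hostname, max_wildcards=1):
    """Match one dNSName/commonName pattern against hostname (RFC 6125 6.4.3)."""
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        raise _LocalCertificateError(
            "too many wildcards in certificate DNS name: %r" % dn)
    if not wildcards:
        # Common case: no wildcard, plain case-insensitive comparison.
        return dn.lower() == hostname.lower()
    pats = []
    if leftmost == '*':
        # A bare '*' as the left-most label matches exactly one label.
        pats.append('[^.]+')
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        # The point of this bug: a wildcard must not match inside an A-label,
        # so the pattern label is taken literally here.
        pats.append(re.escape(leftmost))
    else:
        # Otherwise '*' matches any dotless string, e.g. "www*" matches "www2".
        pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
    # Remaining labels are matched literally; wildcards there are not honoured.
    pats.extend(re.escape(frag) for frag in remainder)
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def _local_match_hostname(cert, hostname):
    """Verify a getpeercert()-style dict against hostname; raise on mismatch."""
    if not cert:
        raise ValueError("empty or no certificate")
    dnsnames = []
    for key, value in cert.get('subjectAltName', ()):
        if key == 'DNS':
            if _dnsname_match(value, hostname):
                return
            dnsnames.append(value)
    if not dnsnames:
        # Only consult the commonName when no dNSName SAN entry is present.
        for sub in cert.get('subject', ()):
            for key, value in sub:
                if key == 'commonName':
                    if _dnsname_match(value, hostname):
                        return
                    dnsnames.append(value)
    raise _LocalCertificateError(
        "hostname %r doesn't match %s" % (hostname, ", ".join(map(repr, dnsnames))))


# Fill in whatever the import chain above could not provide.
if CertificateError is None:
    CertificateError = _LocalCertificateError
if match_hostname is None:
    match_hostname = _local_match_hostname


# Constructed sample certificate in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    'subject': ((('commonName', 'ignored.example.com'),),),
    'subjectAltName': (('DNS', 'x*.example.com'), ('DNS', '*.example.org')),
}


def hostname_accepted(hostname, cert=SAMPLE_CERT):
    """Return True if the local fallback matcher accepts hostname for cert."""
    try:
        _local_match_hostname(cert, hostname)
        return True
    except _LocalCertificateError:
        return False


if __name__ == '__main__':
    for name in ('xray.example.com', 'xn--e1afmkfd.example.com', 'www.example.org'):
        print(name, hostname_accepted(name))
```

With SAMPLE_CERT, "xray.example.com" is accepted via the "x*" SAN, "www.example.org" via the bare "*" SAN, while "xn--e1afmkfd.example.com" is rejected because the A-label rule forces the "x*" label to be compared literally. Packages that bundle a copy of match_hostname can be checked the same way: feed their copy an "xn--" hostname against a partial-wildcard name and confirm it refuses the match.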
Comment 3 Toshio Ernie Kuratomi 2013-10-28 17:12:09 EDT
Updates for python-setuptools:

* https://admin.fedoraproject.org/updates/python-setuptools-0.9.8-2.fc20 
* (rawhide) http://koji.fedoraproject.org/koji/buildinfo?buildID=474369
Comment 5 Toshio Ernie Kuratomi 2013-12-02 12:02:02 EST
@security team, any word on what we're going to do with this issue for packages which bundle ssl.match_hostname()?
Comment 6 Philippe Makowski 2013-12-04 13:45:46 EST
(In reply to Toshio Ernie Kuratomi from comment #5)
> @security team, any word on what we're going to do with this issue for
> packages which bundle ssl.match_hostname() ?

Just for information, if needed, here is the list of packages we patched under Mageia:
https://bugs.mageia.org/show_bug.cgi?id=11785#c17
python3-3.3.0-4.5.mga3.src
python-virtualenv-1.10.1-1.2.mga3.src 
python-requests-0.13.5-2.2.mga3.src
bzr-2.5.1-3.2.mga3.src
python-pip-1.3.1-2.2.mga3.src
python-tornado-2.3-2.2.mga3.src
python-urllib3-1.7.1-1.1.mga3.src
python-setuptools-0.9.8-2.2.mga3.src

python-virtualenv is really painful; we should work with upstream on the fact that it is bundling setuptools and pip (https://bugzilla.redhat.com/show_bug.cgi?id=749378).
