It was found that Python's SSL hostname matching rules did not conform to RFC 6125 when the hostname included wildcards.

Upstream issue: https://bugs.python.org/issue17997#msg194950
CVE assignment: http://seclists.org/oss-sec/2015/q2/523
Upstream patch: https://hg.python.org/cpython/rev/10d0edadbcdd
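As an added illustration (not code from this bug report, from CPython or from any of the packages discussed here), the following Python script places a lenient wildcard matcher, modelled on the pre-fix approach, beside one that applies the RFC 6125 section 6.4.3 rules the upstream fix introduced: a wildcard is honoured only in the leftmost label, at most one wildcard per label, a wildcard never spans a dot, and no wildcard is expanded inside an IDNA (xn--) label. The match_hostname wrapper takes a certificate dict in the shape ssl.getpeercert() returns and, unlike the standard library's function, returns the matching name rather than None; every certificate name and hostname in it is a constructed sample.

```python
import re


class CertificateError(ValueError):
    """Raised when a presented certificate name cannot be matched."""


def lenient_dnsname_match(dn, hostname):
    """Illustrative reconstruction of the pre-fix approach (not CPython's code):
    every '*' in every label becomes '[^.]*', so wildcards are honoured in any
    label, several times per label, and inside IDNA (xn--) labels."""
    pats = [re.escape(frag).replace(r'\*', '[^.]*') for frag in dn.split('.')]
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def strict_dnsname_match(dn, hostname, max_wildcards=1):
    """Match `hostname` against the presented name `dn` under RFC 6125 6.4.3.
    Modelled on the approach of the upstream fix; returns a bool and raises
    only for names malformed enough to be refused outright."""
    if not dn:
        return False
    parts = dn.split('.')
    leftmost, remainder = parts[0], parts[1:]
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        # Refuse several wildcards in one label instead of building a
        # pattern that is expensive to evaluate.
        raise CertificateError('too many wildcards in certificate DNS name: %r' % dn)
    if not wildcards:
        # No wildcard in the leftmost label: plain case-insensitive comparison.
        # A '*' in any later label is therefore never expanded.
        return dn.lower() == hostname.lower()
    pats = []
    if leftmost == '*':
        # '*' stands for exactly one non-empty label; '[^.]+' never crosses a
        # dot, so '*.example.com' does not match 'a.b.example.com'.
        pats.append('[^.]+')
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        # RFC 6125 6.4.3 item 3: no wildcard expansion inside an IDNA A-label;
        # the label is matched literally instead.
        pats.append(re.escape(leftmost))
    else:
        # A partial wildcard such as 'f*' may match 'foo' (RFC 6125 6.4.3 item 3).
        pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
    # RFC 6125 6.4.3 item 1: only the leftmost label may carry a wildcard.
    # Remaining labels are escaped, so a '*' there must appear literally,
    # which no real hostname contains.
    pats.extend(re.escape(frag) for frag in remainder)
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def match_hostname(cert, hostname):
    """Return the certificate name that matched `hostname`, or raise
    CertificateError. `cert` has the shape ssl.SSLSocket.getpeercert() returns.
    (The standard library's function returns None on success; returning the
    matched name makes the decision easy to log and to test.)"""
    if not cert:
        raise CertificateError('empty or no certificate')
    names = [value for key, value in cert.get('subjectAltName', ()) if key == 'DNS']
    if not names:
        # RFC 6125 6.4.4: fall back to the subject CN only when no DNS SAN exists.
        for rdn in cert.get('subject', ()):
            for key, value in rdn:
                if key == 'commonName':
                    names.append(value)
    for dn in names:
        if strict_dnsname_match(dn, hostname):
            return dn
    raise CertificateError("hostname %r doesn't match %s"
                           % (hostname, ', '.join(map(repr, names))))


# Constructed sample certificate, in the dict shape getpeercert() produces.
CONSTRUCTED_CERT = {
    'subject': ((('commonName', 'example.com'),),),
    'subjectAltName': (('DNS', '*.example.com'), ('DNS', 'example.com')),
}

# Constructed (presented name, hostname) pairs: the ones where the two
# matchers disagree, plus two where the RFC-compliant answer is worth seeing.
CASES = [
    ('*.example.com', 'www.example.com'),
    ('*.example.com', 'a.b.example.com'),
    ('www.*.example.com', 'www.anything.example.com'),
    ('*.*.com', 'www.example.com'),
    ('xn--*.example.com', 'xn--bcher-kva.example.com'),
    ('f*.example.com', 'foo.example.com'),
]


def compare(dn, hostname):
    """Return (lenient_verdict, strict_verdict) for one pair."""
    return lenient_dnsname_match(dn, hostname), strict_dnsname_match(dn, hostname)


if __name__ == '__main__':
    for dn, host in CASES:
        lenient, strict = compare(dn, host)
        print('%-22s %-30s lenient=%-5s strict=%s' % (dn, host, lenient, strict))
    print('matched via', match_hostname(CONSTRUCTED_CERT, 'www.example.com'))
```

The pairs where the verdicts differ are the ones that matter for this CVE: a certificate presenting a name such as www.*.example.com, *.*.com or a wildcard inside an IDNA label is accepted by the lenient matcher for hosts it was never meant to cover, while the RFC 6125 matcher compares those names literally.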
This was fixed upstream in Python 3.3.3, and also in backports.ssl_match_hostname 3.4.0.2:
https://pypi.python.org/pypi/backports.ssl_match_hostname/3.4.0.2

The corrected version was also added to Python 2.7.9. Python 2.7 versions before 2.7.9 did not include match_hostname() and hence were not affected.
The backports.ssl_match_hostname is bundled with urllib3 upstream sources. Additionally, urllib3 is bundled in the requests library. However, python-urllib3 and python-requests packages in Red Hat products and Fedora do not bundle backports.ssl_match_hostname and instead use the version in python-backports-ssl_match_hostname packages.

There are several copies of the match_hostname implementation in python-pip:

- pip/backwardcompat/ssl_match_hostname.py
  - this was used in pip versions prior to 1.5, removed via: https://github.com/pypa/pip/commit/c61b5df
  - version included in pip 1.4.1 was affected by CVE-2013-7440, but not affected by CVE-2013-2099 (bug 963260)
  - version included in pip 1.3.4 is affected by both CVE-2013-7440 and CVE-2013-2099, but some Red Hat packages already include a patch for CVE-2013-2099
- pip/_vendor/requests/packages/urllib3/packages/ssl_match_hostname/_implementation.py
  - embedded requests library with embedded urllib3 with embedded backports.ssl_match_hostname
  - added in pip 1.5 when requests 2.0.0 was added, using a ssl_match_hostname version with this issue already fixed: https://github.com/pypa/pip/commit/651a961
- pip/_vendor/distlib/compat.py
  - code was affected by both CVE-2013-2099 and CVE-2013-7440 until pip 6.0.0, when embedded distlib was updated to version 0.2.0: https://github.com/pypa/pip/commit/320a07f
  - it's unclear to me if the match_hostname copy in distlib is used by pip

distlib is also packaged separately in Fedora. The current version of python-distlib packages is 0.1.9. CVE-2013-2099 and CVE-2013-7440 were only fixed upstream in 0.2.0 via: https://bitbucket.org/vinay.sajip/distlib/commits/1e44690

match_hostname code is also copied in the setuptools package.
- 0.7 introduced the code when it added support for SSL certificate verification: https://bitbucket.org/pypa/setuptools/commits/8dc5794
- 0.9.5 corrected CVE-2013-2099: https://bitbucket.org/pypa/setuptools/commits/4b0fb61
- 1.3 corrected CVE-2013-7440: https://bitbucket.org/pypa/setuptools/commits/7eeb678

python-setuptools in Red Hat Enterprise Linux 6 and earlier are based on upstream versions prior to 0.7 and hence do not contain match_hostname. The version in Red Hat Enterprise Linux 7 is 0.9.8. However, it does not contain match_hostname either, as it was patched to use the implementation from the python-backports-ssl_match_hostname package. Version 0.9.8 is also used in the python-setuptools packages in the python27 and python33 collections in Red Hat Software Collections. Those packages already include a patch for CVE-2013-7440. The rh-python34 collection contains a newer upstream setuptools version (11.3.1).
Created python-pip tracking bugs for this issue:

Affects: fedora-all [bug 1230953]
Affects: epel-all [bug 1230954]
Created bzr tracking bugs for this issue: Affects: fedora-all [bug 1230951]
Created python-distlib tracking bugs for this issue: Affects: fedora-all [bug 1230952]
pip and setuptools are bundled with virtualenv. The following provides a quick overview of versions bundled with virtualenv versions as found in Red Hat products and Fedora:

- virtualenv 1.7.2 - includes distribute-0.6.27 and setuptools-0.6c11 - not affected
- virtualenv 1.10.1 - includes pip-1.4.1 and setuptools-0.9.8 - affected
- virtualenv 1.11.6 - includes pip-1.5.6 and setuptools-3.6 - only pip/distlib affected
- virtualenv 12.0.7 - includes pip-6.0.8 and setuptools-12.0.5 - not affected
match_hostname is also embedded in pymongo:

- it was introduced in 2.5:
  https://jira.mongodb.org/browse/PYTHON-466
  https://github.com/mongodb/mongo-python-driver/commit/48046b2e
- CVE-2013-2099 was corrected in 2.6:
  https://jira.mongodb.org/browse/PYTHON-522
  https://github.com/mongodb/mongo-python-driver/commit/e4f6e4f7
- CVE-2013-7440 was corrected in 2.7:
  https://jira.mongodb.org/browse/PYTHON-650
  https://github.com/mongodb/mongo-python-driver/commit/9b0e542a
Created python-pymongo tracking bugs for this issue:

Affects: fedora-all [bug 1231231]
Affects: epel-all [bug 1231232]
Created zeroinstall-injector tracking bugs for this issue:

Affects: fedora-all [bug 1231238]
Affects: epel-6 [bug 1231239]
python-pip-7.1.0-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
python-pip-7.1.0-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
bzr-2.6.0-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
bzr-2.6.0-7.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
python-pymongo-2.5.2-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
python-pymongo-2.5.2-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
python-pymongo-2.5.2-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
python-pymongo-2.5.2-3.el6.1 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:1166 https://access.redhat.com/errata/RHSA-2016:1166
Statement: This issue affects the versions of python27-python-pip, python-pymongo and python-virtualenv as shipped with Red Hat OpenShift 2.x and Satellite 6. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.