Bug 1224999 (CVE-2013-7440) - CVE-2013-7440 python: wildcard matching rules do not follow RFC 6125
Summary: CVE-2013-7440 python: wildcard matching rules do not follow RFC 6125
Keywords:
Status: NEW
Alias: CVE-2013-7440
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1231239 1023742 1035223 1230951 1230952 1230953 1230954 1231231 1231232 1231238 1304146 1304225 1304227
Blocks: 1225002
TreeView+ depends on / blocked
 
Reported: 2015-05-26 11:52 UTC by Martin Prpič
Modified: 2019-09-29 13:33 UTC (History)
62 users (show)

Fixed In Version: python 2.7.9, python 3.3.3, python 3.4.0, python-backports-ssl_match_hostname 3.4.0.2
Doc Type: Bug Fix
Doc Text:
Multiple flaws were found in the way Python's SSL module performed matching of certificate names containing wildcards. A remote attacker able to obtain a valid certificate that contained certain names with wildcards could have them incorrectly accepted by Python SSL clients, not following the RFC 6125 recommendations.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1166 normal SHIPPED_LIVE Moderate: python27 security, bug fix, and enhancement update 2016-05-31 14:04:55 UTC

Description Martin Prpič 2015-05-26 11:52:59 UTC
It was found that Python's SSL hostname matching rules did not conform to RFC 6125 when the hostname included wildcards.

Upstream issue:

https://bugs.python.org/issue17997#msg194950

CVE assignment:

http://seclists.org/oss-sec/2015/q2/523

Upstream patch:

https://hg.python.org/cpython/rev/10d0edadbcdd

Comment 1 Tomas Hoger 2015-06-11 08:18:19 UTC
This was fixed upstream in Python 3.3.3, and also in backports.ssl_match_hostname 3.4.0.2:

https://pypi.python.org/pypi/backports.ssl_match_hostname/3.4.0.2

Corrected version was also added to Python 2.7.9.  Python 2.7 versions before 2.7.9 did not include match_hostname() and hence were not affected.

Comment 3 Tomas Hoger 2015-06-11 20:55:07 UTC
The backports.ssl_match_hostname is bundled with urllib3 upstream sources.  Additionally, urllib3 is bundled in the requests library.  However, python-urllib3 and python-requests packages in Red Hat products and Fedora do not bundle backports.ssl_match_hostname and instead use the version in python-backports-ssl_match_hostname packages.


There are several multiple copies of match_hostname implementation in python-pip:

- pip/backwardcompat/ssl_match_hostname.py
  - this was used in pip version prior to 1.5, removed via:
    https://github.com/pypa/pip/commit/c61b5df
  - version included in pip 1.4.1 was affected by CVE-2013-7440, but not
    affected by CVE-2013-2099 (bug 963260)
  - version included in pip 1.3.4 is affected by both CVE-2013-7440 and
    CVE-2013-2099, but some Red Hat packages already include patch for
    CVE-2013-2099

- pip/_vendor/requests/packages/urllib3/packages/ssl_match_hostname/_implementation.py
  - embedded requests library with embedded urllib3 with embedded
    backports.ssl_match_hostname
  - added in pip 1.5 when requests 2.0.0 was added, using ssl_match_hostname
    version with this issue already fixed
    https://github.com/pypa/pip/commit/651a961

- pip/_vendor/distlib/compat.py
  - code was affected by both CVE-2013-2099 and CVE-2013-7440 until pip 6.0.0,
    when embedded distlib was updated to version 0.2.0:
    https://github.com/pypa/pip/commit/320a07f
  - it's unclear to me if match_hostname copy in distlib is used by pip


distlib is also packaged separately in Fedora.  The current version of python-distlib packages is 0.1.9.  CVE-2013-2099 and CVE-2013-7440 were only fixed upstream in 0.2.0 via:
https://bitbucket.org/vinay.sajip/distlib/commits/1e44690


match_hostname code is also copied in the setuptools package.

- 0.7 introduced the code when it add support for SSL certificate verification
  https://bitbucket.org/pypa/setuptools/commits/8dc5794
- 0.9.5 corrected CVE-2013-2099
  https://bitbucket.org/pypa/setuptools/commits/4b0fb61
- 1.3 corrected CVE-2013-7440
  https://bitbucket.org/pypa/setuptools/commits/7eeb678

python-setuptools in Red Hat Enterprise Linux 6 and earlier are based on upstream versions prior to 0.7 and hence do not contain match_hostname.  The version in Red Hat Enterprise Linux 7 is 0.9.8.  However, it does not contain match_hostname, as it was patched to use implementation from the python-backports-ssl_match_hostname package.  Version 0.9.8 is also used in python-setuptools packages in python27 and python33 collections in Red Hat Software Collections.  Those packages already include a patch for CVE-2013-7440.  The rh-python34 collections contains newer upstream setuptools versions (11.3.1).

Comment 4 Tomas Hoger 2015-06-11 21:08:40 UTC
Created python-pip tracking bugs for this issue:

Affects: fedora-all [bug 1230953]
Affects: epel-all [bug 1230954]

Comment 5 Tomas Hoger 2015-06-11 21:08:48 UTC
Created bzr tracking bugs for this issue:

Affects: fedora-all [bug 1230951]

Comment 6 Tomas Hoger 2015-06-11 21:08:54 UTC
Created python-distlib tracking bugs for this issue:

Affects: fedora-all [bug 1230952]

Comment 7 Tomas Hoger 2015-06-12 12:29:18 UTC
pip and setuptools are bundled with virtualenv.  The following provides a quick overview of versions bundled with virtualenv versions as found in Red Hat products and Fedora:

- virtualenv 1.7.2 - includes distribute-0.6.27 and setuptools-0.6c11 - not affected
- virtualenv 1.10.1 - includes pip-1.4.1 and setuptools-0.9.8 - affected
- virtualenv 1.11.6 - includes pip-1.5.6 and setuptools-3.6 - only pip/distlib affected
- virtualenv 12.0.7 - includes pip-6.0.8 and setuptools-12.0.5 - not affected

Comment 9 Tomas Hoger 2015-06-12 13:13:39 UTC
Created python-pymongo tracking bugs for this issue:

Affects: fedora-all [bug 1231231]
Affects: epel-all [bug 1231232]

Comment 10 Tomas Hoger 2015-06-12 13:23:18 UTC
Created zeroinstall-injector tracking bugs for this issue:

Affects: fedora-all [bug 1231238]
Affects: epel-6 [bug 1231239]

Comment 15 Fedora Update System 2015-07-20 19:47:26 UTC
python-pip-7.1.0-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2015-07-20 19:47:43 UTC
python-pip-7.1.0-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2015-08-15 02:23:13 UTC
bzr-2.6.0-8.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2015-08-15 02:23:44 UTC
bzr-2.6.0-7.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2016-02-12 11:51:56 UTC
python-pymongo-2.5.2-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2016-02-12 12:19:45 UTC
python-pymongo-2.5.2-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2016-02-20 22:58:34 UTC
python-pymongo-2.5.2-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2016-02-20 23:55:27 UTC
python-pymongo-2.5.2-3.el6.1 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 24 errata-xmlrpc 2016-05-31 10:24:13 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:1166 https://access.redhat.com/errata/RHSA-2016:1166

Comment 25 Andrej Nemec 2017-09-08 12:21:34 UTC
Statement:

This issue affects the versions of python27-python-pip, python-pymongo and python-virtualenv as shipped with Red Hat OpenShift 2.x and Satellite 6. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.


Note You need to log in before you can comment on or make changes to this bug.