Description of problem:
Calling ssl._ssl.sslwrap function with keyfile argument other than None results in segmentation fault in load_cert_chain_args function.

Version-Release number of selected component (if applicable):
python-2.7.5-18.el7_1.1.x86_64

How reproducible:
Always

Steps to Reproduce:
python -c "import ssl, socket; ssl._ssl.sslwrap(socket.socket()._sock, 1, '', '')"

Actual results:
Segmentation fault

Additional information:
In PySSL_sslwrap() function in _ssl.c the key_file variable is declared as (PyObject*), but the format string for PyArg_ParseTuple() contains "z" instead of "O" and the (char*) value is written into the key_file.
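The mismatch described in the report above can be caught by a static check. The following is an added example, not part of the bug report and not CPython or Red Hat code: a small checker that pairs each PyArg_ParseTuple() format unit with the declared type of the variable it writes to. The C snippet in SAMPLE is constructed from the description (it is not the real _ssl.c source), and the function and variable names other than key_file are assumptions.

```python
import re

# Format units and the C type each one stores through its pointer argument
# (a subset of the Python 2 PyArg_ParseTuple units; one argument per unit).
UNIT_TYPES = {"s": "char *", "z": "char *", "i": "int", "O": "PyObject *"}

# Constructed sample modelled on the report's description; NOT the real _ssl.c.
SAMPLE = r'''
static PyObject *
wrap(PyObject *self, PyObject *args)
{
    PyObject *sock;
    int server_side = 0;
    PyObject *key_file = NULL;
    char *cert_file = NULL;

    if (!PyArg_ParseTuple(args, "Oi|zz:sslwrap",
                          &sock, &server_side, &key_file, &cert_file))
        return NULL;
    return NULL;
}
'''

# Local declarations such as "PyObject *key_file = NULL;" or "int n;"
DECL = re.compile(r"^[ \t]*(PyObject|char|int)\b\s*(\*?)\s*(\w+)\s*(?:=[^;]*)?;", re.M)
# PyArg_ParseTuple(args, "format", &a, &b, ...)
CALL = re.compile(r'PyArg_ParseTuple\s*\(\s*\w+\s*,\s*"([^"]*)"((?:\s*,\s*&\w+)*)\s*\)')


def check_parse_tuple(source):
    """Return (variable, unit, expected_type, declared_type) for each mismatch."""
    declared = {name: (base + " *" if star else base)
                for base, star, name in DECL.findall(source)}
    findings = []
    for fmt, arglist in CALL.findall(source):
        # Drop the ":name" / ";message" suffix and the optional-args marker "|".
        units = [u for u in re.split(r"[:;]", fmt)[0] if u != "|"]
        names = re.findall(r"&(\w+)", arglist)
        if len(units) != len(names) or any(u not in UNIT_TYPES for u in units):
            continue  # multi-argument or unknown units are out of scope here
        for unit, name in zip(units, names):
            have = declared.get(name)
            if have and have != UNIT_TYPES[unit]:
                findings.append((name, unit, UNIT_TYPES[unit], have))
    return findings


if __name__ == "__main__":
    for name, unit, want, have in check_parse_tuple(SAMPLE):
        print('%s: unit "%s" stores %s but variable is %s' % (name, unit, want, have))
```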
The bug was introduced in python-2.7.5-34.el7.x86_64. python-2.7.5-18.el7_1.1.x86_64 is OK.
This bug was probably introduced in the resolution of #1250611
What is the expected output that you get with the previous release?
With python-2.7.5-18.el7_1.1.x86_64 the output is:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
ssl.SSLError: [Errno 336265218] _ssl.c:351: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib

That is correct, because the test case is too minimal to do something useful.
Created attachment 1171986: First draft of patch
Upstream issue about sslwrap: http://bugs.python.org/issue22438

The position of Python developers is that since ssl._ssl.sslwrap is private, undocumented API, it can be removed at any time.

Artur, due to ssl._ssl.sslwrap being private, undocumented API that is no longer used upstream, I'm struggling to find good test cases. Would you be willing to test the fix if I provide an RPM?
I will test this patch next week.
I tested the patch; however, with that reproducer there is no output. I don't know, though, if that is the expected case, since there were also a lot of other changes in the SSL module. A better test case should be required in order to be sure.
Since this is in RHEL 7.2, it always crashes when called, and we only got this one report about the crash, it seems it would be OK to remove _ssl.sslwrap altogether, as upstream intended. This would reduce the maintenance effort a lot (since the backport is quite invasive), and for anyone still relying on _ssl.sslwrap there are workarounds available.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2586.html