Bug 963260 - (CVE-2013-2099) CVE-2013-2099 python: ssl.match_hostname() DoS via certificates with specially crafted hostname wildcard patterns
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
QA Contact: Petr Šplíchal
Whiteboard: impact=low,public=20130515,reported=2...
: Security
: 963186
Depends On: 1231232 963187 963188 963261 966269 966270 966271 966272 966273 966274 966275 970110 970112 996711 999900 1111139 1139101 1148406 1149999 1230952 1231231 1304146 1304225 1304227
Blocks: 1000472 1078778 1225002
Reported: 2013-05-15 10:02 EDT by Jan Lieskovsky
Modified: 2016-05-31 21:44 EDT (History)

Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way Python's SSL module implementation performed matching of certain certificate names. A remote attacker able to obtain a valid certificate that contained multiple wildcard characters could use this flaw to issue a request to validate such a certificate, resulting in excessive consumption of CPU.
Last Closed: 2015-01-13 19:08:42 EST
Description Jan Lieskovsky 2013-05-15 10:02:27 EDT
A denial of service flaw was found in the way the SSL module implementation of Python3, version 3 of the Python programming language (aka Python 3000), performed matching of the certificate's name in the case it contained many '*' wildcard characters. A remote attacker, able to obtain a valid certificate with its name containing a lot of '*' wildcard characters, could use this flaw to cause denial of service (excessive CPU consumption) by issuing a request to validate such a certificate for / to an application using Python's ssl.match_hostname() functionality.

Upstream bug report:
[1] http://bugs.python.org/issue17980

CVE request:
[2] http://www.openwall.com/lists/oss-security/2013/05/15/6 (is for python-backports-ssl_match_hostname, but that code comes from Python 3.2 ssl module implementation)
[3] http://www.openwall.com/lists/oss-security/2013/05/15/7

Acknowledgements:

Name: Florian Weimer (Red Hat Product Security)
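Added example (not code from this bug report, from CPython, or from any of the packages listed here): a hostname matcher written in the spirit of the upstream fix, which counts the '*' characters in the leftmost label and rejects the certificate name before any regular expression is compiled, so a name stuffed with wildcards can no longer drive CPU consumption in the matcher. `dnsname_match`, `CertificateError` and the `max_wildcards` limit are this example's own names; the mitigation it demonstrates is the one the description refers to.

```python
import re


class CertificateError(ValueError):
    """Raised when a certificate DNS name cannot be matched safely."""


def dnsname_match(dn, hostname, max_wildcards=1):
    """Match a certificate dNSName/CN pattern against a hostname.

    Wildcards are honoured only in the leftmost label, and a label carrying
    more than max_wildcards '*' characters is refused up front. The unfixed
    matcher turned every '*' in every label into '[^.]*', so a name with
    many wildcards compiled into a regex with pathological backtracking;
    counting first keeps that pattern from ever being built.
    """
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        # Reject the name instead of compiling a pathological pattern.
        raise CertificateError(
            "too many wildcards in certificate DNS name: %r" % dn)
    if not wildcards:
        # No wildcard at all: plain case-insensitive comparison, no regex.
        return dn.lower() == hostname.lower()
    pats = []
    if leftmost == '*':
        # A bare '*' must match at least one character of exactly one label.
        pats.append('[^.]+')
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        # Never let a wildcard expand inside an IDNA A-label.
        pats.append(re.escape(leftmost))
    else:
        # One '*' inside a label (e.g. 'f*o') matches within that label only.
        pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
    # Remaining labels are matched literally; a '*' there is just a '*'.
    pats.extend(re.escape(frag) for frag in remainder)
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


if __name__ == '__main__':
    print(dnsname_match('*.example.com', 'foo.example.com'))      # True
    print(dnsname_match('*.example.com', 'foo.bar.example.com'))  # False
```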
Comment 1 Jan Lieskovsky 2013-05-15 10:03:50 EDT
This issue affects the versions of the python3 package, as shipped with Fedora releases 17 and 18. Please schedule an update (once there is a final upstream patch available).
Comment 2 Jan Lieskovsky 2013-05-15 10:04:54 EDT
Created python3 tracking bugs for this issue

Affects: fedora-all [bug 963261]
Comment 3 Jan Lieskovsky 2013-05-15 10:13:07 EDT
This issue did NOT affect the versions of the python package, as shipped with Red Hat Enterprise Linux 5 and 6 (as the SSL module of that Python language version did not implement the match_hostname() routine yet).

--

This issue did NOT affect the versions of the python package, as shipped with Fedora releases 17 and 18 (as the SSL module of that Python language version did not implement the match_hostname() routine yet).
Comment 4 Jan Lieskovsky 2013-05-15 10:15:23 EDT
Statement:

Not vulnerable. This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 5 and 6 as the SSL module there did not implement the match_hostname() routine yet.
Comment 5 Toshio Ernie Kuratomi 2013-05-15 10:22:49 EDT
This would appear to also apply to the python-backports-ssl_match_hostname package which is present in epel6, Fedora 17, 18, 19, and rawhide.
Comment 6 Jan Lieskovsky 2013-05-15 10:43:09 EDT
(In reply to comment #5)
> This would appear to also apply to the python-backports-ssl_match_hostname
> package which is present in epel6, Fedora 17, 18, 19, and rawhide.

Thank you, Toshio. The original bug for the python-backports-ssl_match_hostname case was bug #963186 (but I will merge them so this is not confusing).
Comment 7 Jan Lieskovsky 2013-05-15 10:49:46 EDT
Created python-backports-ssl_match_hostname tracking bugs for this issue

Affects: fedora-all [bug 963187]
Affects: epel-6 [bug 963188]
Comment 8 Jan Lieskovsky 2013-05-15 10:50:18 EDT
*** Bug 963186 has been marked as a duplicate of this bug. ***
Comment 9 Jan Lieskovsky 2013-05-16 06:00:31 EDT
The CVE identifier CVE-2013-2098 has been assigned:
  http://www.openwall.com/lists/oss-security/2013/05/16/5

to the python-backports-ssl_match_hostname package case, and

and the identifier CVE-2013-2099 has been assigned:
  http://www.openwall.com/lists/oss-security/2013/05/16/6

to the python3 package case.
Comment 10 Ian Weller 2013-05-16 15:56:02 EDT
Issue submitted upstream on backports.ssl_match_hostname: https://bitbucket.org/brandon/backports.ssl_match_hostname/issue/1/cve-2013-2098-denial-of-service-when
Comment 11 Vincent Danen 2013-05-22 17:55:21 EDT
This is embedded in a few other packages:

bzr-2.5.1-2.fc18: (source) bzr-2.5.1.tar.gz
        Found matching function in bzr-2.5.1/bzrlib/transport/http/_urllib2_wrappers.py:402: def _dnsname_to_pat(dn):
python-requests-0.14.1-1.fc18: (source) requests-0.14.1.tar.gz
        Found matching function in requests-0.14.1/requests/packages/urllib3/packages/ssl_match_hostname/__init__.py:10: def _dnsname_to_pat(dn):
python-tornado-2.2.1-3.fc18: (source) tornado-2.2.1.tar.gz
        Found matching function in tornado-2.2.1/tornado/simple_httpclient.py:455: def _dnsname_to_pat(dn):
zeroinstall-injector-1.13-1.fc18: (source) 0install-1.13.tar.bz2
        Found matching function in 0install-1.13/zeroinstall/support/ssl_match_hostname.py:15: def _dnsname_to_pat(dn):

I've checked all of these and they are indeed affected by this.
Comment 12 Vincent Danen 2013-05-22 18:16:00 EDT
The upstream patch is here:

http://hg.python.org/cpython/rev/fafd33db6ff6
Comment 13 Vincent Danen 2013-05-22 18:24:28 EDT
Tracking bugs filed:

* python-tornado:

epel-6 affected: [bug 966272]
fedora-all affected: [bug 966270]

* bzr:

fedora-all affected: [bug 966275]

* python-requests:

epel-6 affected: [bug 966271]
fedora-all affected: [bug 966269]

* zeroinstall-injector:

epel-6 affected: [bug 966274]
fedora-all affected: [bug 966273]
Comment 14 Toshio Ernie Kuratomi 2013-05-31 10:14:49 EDT
Also affects python-pip:

./pip/backwardcompat/ssl_match_hostname.py
Comment 15 Jan Lieskovsky 2013-06-03 09:28:37 EDT
Created python-pip tracking bugs for this issue

Affects: fedora-all [bug 970110]
Affects: epel-all [bug 970112]
Comment 16 Jan Lieskovsky 2013-06-03 09:31:12 EDT
(In reply to Toshio Ernie Kuratomi from comment #14)
> Also affects python-pip:
> 
> ./pip/backwardcompat/ssl_match_hostname.py

Thank you, Toshio. Child bugs created.
Comment 17 Fedora Update System 2013-06-06 23:01:16 EDT
bzr-2.5.1-11.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2013-06-06 23:02:20 EDT
bzr-2.5.1-11.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2013-06-07 00:37:21 EDT
bzr-2.5.1-11.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Toshio Ernie Kuratomi 2013-07-15 14:33:48 EDT
Two more packages with this issue:

* python-setuptools 0.7+  -- fedora rawhide only; I'm working on a new build for this right now.
* python-virtualenv *bundles* pip: /usr/lib/python2.7/site-packages/virtualenv_support/pip-1.3.tar.gz  Therefore, it has the same code (and problem) as the standalone pip.
Comment 21 Toshio Ernie Kuratomi 2013-07-16 15:29:26 EDT
I've updated setuptools in rawhide to 0.9.5 which contains my backport of the fix.
Comment 22 Fedora Update System 2013-07-25 20:26:48 EDT
python-pip-1.3.1-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Fedora Update System 2013-07-25 20:30:33 EDT
python-pip-1.3.1-4.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 24 Fedora Update System 2013-07-25 20:32:23 EDT
python-pip-1.3.1-4.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 Fedora Update System 2013-08-03 15:12:55 EDT
python-pip-1.3.1-4.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 28 Vincent Danen 2013-10-09 12:48:45 EDT
CVE-2013-2098 was rejected as a dupe of CVE-2013-2099:

Name: CVE-2013-2098
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2098
Assigned: 20130219

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-2013-2099.  Reason:
This candidate is a duplicate of CVE-2013-2099.  Notes: All CVE users
should reference CVE-2013-2099 instead of this candidate.  All
references and descriptions in this candidate have been removed to
prevent accidental usage.
Comment 33 Martin Prpic 2014-09-10 04:29:45 EDT
IssueDescription:

A denial of service flaw was found in the way Python's SSL module implementation performed matching of certain certificate names. A remote attacker able to obtain a valid certificate that contained multiple wildcard characters could use this flaw to issue a request to validate such a certificate, resulting in excessive consumption of CPU.
Comment 34 errata-xmlrpc 2014-09-18 14:23:16 EDT
This issue has been addressed in the following products:

  Red Hat Storage 2.1
  Red Hat Storage Console 2.1
  Native Client for RHEL 5 for Red Hat Storage
  Native Client for RHEL 6 for Red Hat Storage

Via RHSA-2014:1263 https://rhn.redhat.com/errata/RHSA-2014-1263.html
Comment 36 errata-xmlrpc 2014-10-22 13:21:32 EDT
This issue has been addressed in the following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:1690 https://rhn.redhat.com/errata/RHSA-2014-1690.html
Comment 37 Fedora Update System 2014-12-16 23:48:45 EST
python-tornado-2.2.1-7.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 38 Fedora Update System 2014-12-19 13:27:07 EST
python-tornado-2.2.1-7.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 39 errata-xmlrpc 2015-01-13 15:25:30 EST
This issue has been addressed in the following products:

  Red Hat Common for RHEL 6

Via RHSA-2015:0042 https://rhn.redhat.com/errata/RHSA-2015-0042.html
Comment 40 Fedora Update System 2015-04-09 12:57:35 EDT
python-tornado-2.2.1-7.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 41 Tomas Hoger 2015-06-12 09:04:49 EDT
Created python-distlib tracking bugs for this issue:

Affects: fedora-all [bug 1230952]
Comment 42 Tomas Hoger 2015-06-12 09:13:04 EDT
Created python-pymongo tracking bugs for this issue:

Affects: fedora-all [bug 1231231]
Affects: epel-all [bug 1231232]
Comment 43 Fedora Update System 2016-02-12 06:52:18 EST
python-pymongo-2.5.2-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 44 Fedora Update System 2016-02-12 07:20:06 EST
python-pymongo-2.5.2-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 45 Fedora Update System 2016-02-20 17:58:54 EST
python-pymongo-2.5.2-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 46 Fedora Update System 2016-02-20 18:55:47 EST
python-pymongo-2.5.2-3.el6.1 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 47 errata-xmlrpc 2016-05-31 06:23:10 EDT
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS

Via RHSA-2016:1166 https://access.redhat.com/errata/RHSA-2016:1166
