Bug 996381 (CVE-2013-4238) - CVE-2013-4238 python: hostname check bypassing vulnerability in SSL module
Summary: CVE-2013-4238 python: hostname check bypassing vulnerability in SSL module
Keywords:
Status: NEW
Alias: CVE-2013-4238
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 996399 996400 996401 996733 997768 998430 998781 998783 998784
Blocks: 974906 996394
TreeView+ depends on / blocked
 
Reported: 2013-08-13 05:39 UTC by Murray McAllister
Modified: 2020-02-18 11:23 UTC (History)
34 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)
Minimal test case (388 bytes, text/plain)
2013-08-20 04:43 UTC, Huzaifa S. Sidhpurwala
no flags Details
certs with nulls (taken from upstream commit) (5.31 KB, text/plain)
2013-08-20 04:44 UTC, Huzaifa S. Sidhpurwala
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1527 normal SHIPPED_LIVE Important: rhev-hypervisor6 security and bug fix update 2013-11-21 09:47:11 UTC
Red Hat Product Errata RHSA-2013:1582 normal SHIPPED_LIVE Moderate: python security, bug fix, and enhancement update 2013-11-20 21:39:43 UTC

Description Murray McAllister 2013-08-13 05:39:04 UTC
A flaw was found in the way ssl.match_hostname() from the Python SSL module checked the hostname's identity when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts.

References:

http://bugs.python.org/issue18709
http://bugs.python.org/file31241/CVE-2013-4073_py34.patch
http://bugs.python.org/file31242/CVE-2013-4073_py33.patch
http://bugs.python.org/file31243/CVE-2013-4073_py27.patch

Comment 1 Murray McAllister 2013-08-13 05:43:12 UTC
This flaw is similar to CVE-2013-4073, which affected Ruby: https://bugzilla.redhat.com/show_bug.cgi?id=979251

Comment 3 Murray McAllister 2013-08-13 06:40:04 UTC
Created python-backports-ssl_match_hostname tracking bugs for this issue:

Affects: fedora-all [bug 996400]
Affects: epel-6 [bug 996401]

Comment 6 Murray McAllister 2013-08-13 06:44:27 UTC
Created python-tornado tracking bugs for this issue:

Affects: fedora-all [bug 996403]
Affects: epel-6 [bug 996405]

Comment 7 Murray McAllister 2013-08-13 06:44:43 UTC
Created bzr tracking bugs for this issue:

Affects: fedora-all [bug 996408]

Comment 8 Murray McAllister 2013-08-13 06:45:00 UTC
Created python-pip tracking bugs for this issue:

Affects: fedora-all [bug 996409]
Affects: epel-all [bug 996410]

Comment 9 Murray McAllister 2013-08-13 06:45:31 UTC
Created python-requests tracking bugs for this issue:

Affects: fedora-all [bug 996402]
Affects: epel-6 [bug 996404]

Comment 10 Murray McAllister 2013-08-13 06:45:50 UTC
Created zeroinstall-injector tracking bugs for this issue:

Affects: fedora-all [bug 996406]
Affects: epel-6 [bug 996407]

Comment 11 Murray McAllister 2013-08-13 06:46:10 UTC
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 996399]

Comment 13 Huzaifa S. Sidhpurwala 2013-08-19 10:04:56 UTC
Created python tracking bugs for this issue:

Affects: fedora-all [bug 998430]

Comment 14 Huzaifa S. Sidhpurwala 2013-08-20 04:43:38 UTC
Created attachment 788301 [details]
Minimal test case

Comment 15 Huzaifa S. Sidhpurwala 2013-08-20 04:44:27 UTC
Created attachment 788302 [details]
certs with nulls (taken from upstream commit)

Comment 17 Huzaifa S. Sidhpurwala 2013-08-20 04:47:20 UTC
Created python26 tracking bugs for this issue:

Affects: epel-5 [bug 998783]

Comment 19 Huzaifa S. Sidhpurwala 2013-08-22 06:36:57 UTC
Statement:

This issue does not affect the version of python as shipped with Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw.

Comment 20 Fedora Update System 2013-08-24 22:27:03 UTC
python-2.7.5-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2013-08-27 23:35:34 UTC
python3-3.3.2-6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 errata-xmlrpc 2013-11-21 09:15:25 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1582 https://rhn.redhat.com/errata/RHSA-2013-1582.html

Comment 23 errata-xmlrpc 2013-11-22 00:36:27 UTC
This issue has been addressed in following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2013:1527 https://rhn.redhat.com/errata/RHSA-2013-1527.html


Note You need to log in before you can comment on or make changes to this bug.