| From 06b15424b0dcacb1c551b2a36e739fffa8d0c595 Mon Sep 17 00:00:00 2001 |
| From: "Miss Islington (bot)" |
| <31488909+miss-islington@users.noreply.github.com> |
| Date: Tue, 15 Jan 2019 15:11:52 -0800 |
| Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser (GH-11569) |
| |
| Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL |
| distribution points with empty DP or URI correctly. A malicious or buggy |
| certificate can result into segfault. |
| |
| Signed-off-by: Christian Heimes <christian@python.org> |
| |
| https://bugs.python.org/issue35746 |
| (cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3) |
| |
| Co-authored-by: Christian Heimes <christian@python.org> |
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com> |
| --- |
| Lib/test/talos-2019-0758.pem | 22 ++++++++++++++++++++++ |
| Lib/test/test_ssl.py | 22 ++++++++++++++++++++++ |
| .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++ |
| Modules/_ssl.c | 4 ++++ |
| 4 files changed, 51 insertions(+) |
| create mode 100644 Lib/test/talos-2019-0758.pem |
| create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst |
| |
| diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem |
| new file mode 100644 |
| index 0000000000..13b95a77fd |
| --- /dev/null |
| +++ b/Lib/test/talos-2019-0758.pem |
| @@ -0,0 +1,22 @@ |
| +-----BEGIN CERTIFICATE----- |
| +MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO |
| +BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7 |
| +MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh |
| +bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB |
| +J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES |
| +V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD |
| +5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C |
| +1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP |
| +WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF |
| +j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp |
| +HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io |
| +UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7 |
| +2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu |
| +bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG |
| +SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p |
| +t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr |
| +t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit |
| +p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV |
| +Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+ |
| +10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA== |
| +-----END CERTIFICATE----- |
| diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py |
| index e476031702..9240184d98 100644 |
| --- a/Lib/test/test_ssl.py |
| +++ b/Lib/test/test_ssl.py |
| @@ -72,6 +72,7 @@ NONEXISTINGCERT = data_file("XXXnonexisting.pem") |
| BADKEY = data_file("badkey.pem") |
| NOKIACERT = data_file("nokia.pem") |
| NULLBYTECERT = data_file("nullbytecert.pem") |
| +TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem") |
| |
| DHFILE = data_file("ffdh3072.pem") |
| BYTES_DHFILE = DHFILE.encode(sys.getfilesystemencoding()) |
| @@ -227,6 +228,27 @@ class BasicSocketTests(unittest.TestCase): |
| self.assertEqual(p['crlDistributionPoints'], |
| ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',)) |
| |
| + def test_parse_cert_CVE_2019_5010(self): |
| + p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP) |
| + if support.verbose: |
| + sys.stdout.write("\n" + pprint.pformat(p) + "\n") |
| + self.assertEqual( |
| + p, |
| + { |
| + 'issuer': ( |
| + (('countryName', 'UK'),), (('commonName', 'cody-ca'),)), |
| + 'notAfter': 'Jun 14 18:00:58 2028 GMT', |
| + 'notBefore': 'Jun 18 18:00:58 2018 GMT', |
| + 'serialNumber': '02', |
| + 'subject': ((('countryName', 'UK'),), |
| + (('commonName', |
| + 'codenomicon-vm-2.test.lal.cisco.com'),)), |
| + 'subjectAltName': ( |
| + ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),), |
| + 'version': 3 |
| + } |
| + ) |
| + |
| def test_parse_cert_CVE_2013_4238(self): |
| p = ssl._ssl._test_decode_cert(NULLBYTECERT) |
| if support.verbose: |
| diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst |
| new file mode 100644 |
| index 0000000000..dffe347eec |
| --- /dev/null |
| +++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst |
| @@ -0,0 +1,3 @@ |
| +[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did |
| +not handle CRL distribution points with empty DP or URI correctly. A |
| +malicious or buggy certificate can result into segfault. |
| diff --git a/Modules/_ssl.c b/Modules/_ssl.c |
| index a96c419260..19bb1207b4 100644 |
| --- a/Modules/_ssl.c |
| +++ b/Modules/_ssl.c |
| @@ -1223,6 +1223,10 @@ _get_crl_dp(X509 *certificate) { |
| STACK_OF(GENERAL_NAME) *gns; |
| |
| dp = sk_DIST_POINT_value(dps, i); |
| + if (dp->distpoint == NULL) { |
| + /* Ignore empty DP value, CVE-2019-5010 */ |
| + continue; |
| + } |
| gns = dp->distpoint->name.fullname; |
| |
| for (j=0; j < sk_GENERAL_NAME_num(gns); j++) { |
| -- |
| 2.11.0 |
| |