[python-backports-ssl_match_hostname] Add patch for CVE 2013-2099 https://bugzilla.redhat.com/show_bug.cgi?id=963260

Toshio くらとみ toshio at fedoraproject.org
Mon May 20 16:04:26 UTC 2013 

commit db504a7dc0a0baf72abc325ac90fd30afbd83059
Author: Toshio Kuratomi <toshio at fedoraproject.org>
Date:   Mon May 20 09:04:17 2013 -0700

    Add patch for CVE 2013-2099 https://bugzilla.redhat.com/show_bug.cgi?id=963260

 ...-cve-2013-2099-fix-ssl-match_hostname-dos.patch |   29 ++++++++++++++++++++
 1 files changed, 29 insertions(+), 0 deletions(-)
---
diff --git a/00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch b/00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch
new file mode 100644
index 0000000..7b58dc2
--- /dev/null
+++ b/00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch
@@ -0,0 +1,29 @@
+# HG changeset patch
+# User Antoine Pitrou <solipsis at pitrou.net>
+# Date 1368892602 -7200
+# Node ID c627638753e2d25a98950585b259104a025937a9
+# Parent  9682241dc8fcb4b1aef083bd30860efa070c3d6d
+Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
+
+Index: backports.ssl_match_hostname-3.2a3/src/backports/ssl_match_hostname/__init__.py
+===================================================================
+--- backports.ssl_match_hostname-3.2a3.orig/src/backports/ssl_match_hostname/__init__.py
++++ backports.ssl_match_hostname-3.2a3/src/backports/ssl_match_hostname/__init__.py
+@@ -7,9 +7,16 @@ __version__ = '3.2.2'
+ class CertificateError(ValueError):
+     pass
+ 
+-def _dnsname_to_pat(dn):
++def _dnsname_to_pat(dn, max_wildcards=1):
+     pats = []
+     for frag in dn.split(r'.'):
++        if frag.count('*') > max_wildcards:
++            # Issue #17980: avoid denials of service by refusing more
++            # than one wildcard per fragment.  A survery of established
++            # policy among SSL implementations showed it to be a
++            # reasonable choice.
++            raise CertificateError(
++                "too many wildcards in certificate DNS name: " + repr(dn))
+         if frag == '*':
+             # When '*' is a fragment by itself, it matches a non-empty dotless
+             # fragment.

More information about the scm-commits mailing list