[python-pip] Fix for CVE 2013-2099
Toshio くらとみ
toshio at fedoraproject.org
Tue Jul 16 20:33:35 UTC 2013
commit 1009eb3e5182b663ccec81caf435f8f21ddb49fc
Author: Toshio Kuratomi <toshio at fedoraproject.org>
Date: Tue Jul 16 13:33:11 2013 -0700
Fix for CVE-2013-2099
...p-bugs.python.org-issue17980-in-code-back.patch | 36 ++++++++++++++++++++
1 files changed, 36 insertions(+), 0 deletions(-)
---
diff --git a/0001-fix-for-http-bugs.python.org-issue17980-in-code-back.patch b/0001-fix-for-http-bugs.python.org-issue17980-in-code-back.patch
new file mode 100644
index 0000000..5f928ef
--- /dev/null
+++ b/0001-fix-for-http-bugs.python.org-issue17980-in-code-back.patch
@@ -0,0 +1,36 @@
+From ca207acb4fdea344bb3a775d44aa0d9f59ad31a1 Mon Sep 17 00:00:00 2001
+From: Toshio Kuratomi <toshio at fedoraproject.org>
+Date: Mon, 15 Jul 2013 10:58:20 -0700
+Subject: [PATCH] fix for http://bugs.python.org/issue17980 in code backported
+ from the python3 stdlib
+
+---
+ pip/backwardcompat/ssl_match_hostname.py | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/pip/backwardcompat/ssl_match_hostname.py b/pip/backwardcompat/ssl_match_hostname.py
+index 5707649..a6fadf4 100644
+--- a/pip/backwardcompat/ssl_match_hostname.py
++++ b/pip/backwardcompat/ssl_match_hostname.py
+@@ -7,9 +7,17 @@ __version__ = '3.2a3'
+ class CertificateError(ValueError):
+ pass
+
+-def _dnsname_to_pat(dn):
++def _dnsname_to_pat(dn, max_wildcards=1):
+ pats = []
+ for frag in dn.split(r'.'):
++ if frag.count('*') > max_wildcards:
++ # Issue #17980: avoid denials of service by refusing more
++ # than one wildcard per fragment. A survery of established
++ # policy among SSL implementations showed it to be a
++ # reasonable choice.
++ raise CertificateError(
++ "too many wildcards in certificate DNS name: " + repr(dn))
++
+ if frag == '*':
+ # When '*' is a fragment by itself, it matches a non-empty dotless
+ # fragment.
+--
+1.7.11.7
+
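Review bot: The new comment in `_dnsname_to_pat` carries over the upstream typo "survery" (the line beginning `# than one wildcard per fragment. A survery of established`); it should read `# than one wildcard per fragment. A survey of established`. The `max_wildcards` guard itself is placed correctly, before the fragment is turned into a pattern, so an over-wildcarded fragment is rejected with `CertificateError` rather than reaching the regex build; the rest of that function, including the regex construction this bounds, continues outside the hunk. The leading indentation of the quoted Python appears to have been stripped in this listing (`pass` sits at the same column as `class CertificateError`), which I assume is a rendering artifact — worth confirming the committed .patch keeps the original whitespace, since it will not apply to `pip/backwardcompat/ssl_match_hostname.py` otherwise.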