Skip to content

bpo-35746: Fix segfault in ssl's cert parser #11569

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
miss-islington merged 1 commit into from
Jan 15, 2019
Merged

bpo-35746: Fix segfault in ssl's cert parser #11569

miss-islington merged 1 commit into from
Jan 15, 2019

Conversation

@tiran
Copy link
Member

@tiran tiran commented Jan 15, 2019
edited by bedevere-bot
Loading

Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.

Signed-off-by: Christian Heimes [email protected]

https://bugs.python.org/issue35746

@tiran tiran requested a review from alex January 15, 2019 17:22
vstinner
vstinner reviewed Jan 15, 2019
View reviewed changes
alex
alex reviewed Jan 15, 2019
View reviewed changes
@tiran tiran force-pushed the bpo-35746-crldp-segfault branch 2 times, most recently from 70326d8 to 9b00d25 Compare January 15, 2019 17:42
@tiran
bpo-35746: Fix segfault in ssl's cert parser
c660deb 
CVE-2019-5010, Fix a NULL pointer deref in ssl module. The cert parser did
not handle CRL distribution points with empty DP or URI correctly. A
malicious or buggy certificate can result into segfault.

Signed-off-by: Christian Heimes <[email protected]>
@tiran tiran force-pushed the bpo-35746-crldp-segfault branch from 9b00d25 to c660deb Compare January 15, 2019 17:56
vstinner
vstinner approved these changes Jan 15, 2019
View reviewed changes
Copy link
Member

@vstinner vstinner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but I would prefer to get double check from @alex.

ned-deily
ned-deily approved these changes Jan 15, 2019
View reviewed changes
Copy link
Member

@ned-deily ned-deily left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verified that the new test causes segfaults on 3.7 and 3.6 and that the fix to _ssl.c when cherry-picked to 3.7 and 3.6 prevents those segfaults.

@miss-islington miss-islington merged commit a37f524 into python:master Jan 15, 2019
@miss-islington
Copy link
Contributor

miss-islington commented Jan 15, 2019

Thanks @tiran for the PR 🌮🎉.. I'm working now to backport this PR to: 2.7, 3.6, 3.7.
🐍🍒⛏🤖

@bedevere-bot
Copy link

bedevere-bot commented Jan 15, 2019

GH-11572 is a backport of this pull request to the 3.7 branch.

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jan 15, 2019
@tiran @miss-islington
bpo-35746: Fix segfault in ssl's cert parser (pythonGH-11569)
bc947d7 
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.

Signed-off-by: Christian Heimes <[email protected]>

https://bugs.python.org/issue35746
(cherry picked from commit a37f524)

Co-authored-by: Christian Heimes <[email protected]>
@bedevere-bot
Copy link

bedevere-bot commented Jan 15, 2019

GH-11573 is a backport of this pull request to the 3.6 branch.

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jan 15, 2019
@tiran @miss-islington
bpo-35746: Fix segfault in ssl's cert parser (pythonGH-11569)
e1f8e92 
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.

Signed-off-by: Christian Heimes <[email protected]>

https://bugs.python.org/issue35746
(cherry picked from commit a37f524)

Co-authored-by: Christian Heimes <[email protected]>
@bedevere-bot
Copy link

bedevere-bot commented Jan 15, 2019

GH-11574 is a backport of this pull request to the 2.7 branch.

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jan 15, 2019
@tiran @miss-islington
bpo-35746: Fix segfault in ssl's cert parser (pythonGH-11569)
2809178 
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.

Signed-off-by: Christian Heimes <[email protected]>

https://bugs.python.org/issue35746
(cherry picked from commit a37f524)

Co-authored-by: Christian Heimes <[email protected]>
miss-islington added a commit that referenced this pull request Jan 15, 2019
@miss-islington @tiran
bpo-35746: Fix segfault in ssl's cert parser (GH-11569)
be5de95 
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.

Signed-off-by: Christian Heimes <[email protected]>

https://bugs.python.org/issue35746
(cherry picked from commit a37f524)

Co-authored-by: Christian Heimes <[email protected]>
miss-islington added a commit that referenced this pull request Jan 15, 2019
@miss-islington @tiran
bpo-35746: Fix segfault in ssl's cert parser (GH-11569)
06b1542 
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.

Signed-off-by: Christian Heimes <[email protected]>

https://bugs.python.org/issue35746
(cherry picked from commit a37f524)

Co-authored-by: Christian Heimes <[email protected]>
ned-deily pushed a commit that referenced this pull request Jan 16, 2019
@miss-islington @tiran @ned-deily
bpo-35746: Fix segfault in ssl's cert parser (GH-11569) (GH-11573)
216a4d8 
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.

Signed-off-by: Christian Heimes <[email protected]>

https://bugs.python.org/issue35746
(cherry picked from commit a37f524)

Co-authored-by: Christian Heimes <[email protected]>
larryhastings pushed a commit that referenced this pull request Feb 25, 2019
@vstinner @larryhastings
bpo-35746: Fix segfault in ssl's cert parser (GH-11569) (#11868)
6c655ce 
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.

Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas
Edet of Cisco.

Signed-off-by: Christian Heimes <[email protected]>

(cherry picked from commit a37f524)
larryhastings pushed a commit that referenced this pull request Feb 26, 2019
@vstinner @larryhastings
bpo-35746: Fix segfault in ssl's cert parser (GH-11569) (#11867)
efec763 
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.

Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas
Edet of Cisco.

Signed-off-by: Christian Heimes <[email protected]>

(cherry picked from commit a37f524)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alex alex alex approved these changes

@vstinner vstinner vstinner approved these changes

@ned-deily ned-deily ned-deily approved these changes

Assignees

No one assigned

Labels

type-security A security issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@tiran @miss-islington @bedevere-bot @alex @vstinner @ned-deily @the-knights-who-say-ni