[3.5] bpo-35746: Fix segfault in ssl's cert parser (GH-11569)

[vstinner]

Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.

Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas
Edet of Cisco.

Signed-off-by: Christian Heimes [email protected]

(cherry picked from commit a37f524)

https://bugs.python.org/issue35746

[vstinner]

I tested manually on my Fedora 29, the test pass:

$ ./python -m test -v -m test_parse_cert_CVE_2019_5010 test_ssl
Tests result: SUCCESS

(Other tests fail because Python 3.5 isn't fully compatible with OpenSSL 1.1.1 used by Fedora 29.)

[larryhastings]

This failed the Travis CI test after updating the branch. Specifically, two tests using ftp failed with a security exception ("bad IP"), I'll paste in an example below.

I'm guessing the code is fine, and this is a temporary / race condition or CI configuration error. Regardless I don't know how to initiate running a new test. Victor, do you know how to make progress on this?

In the meantime I'll see if I can get one of your other PRs in.

--

Traceback (most recent call last):
File "/home/travis/build/python/cpython/Lib/urllib/request.py", line 1477, in ftp_open
fp, retrlen = fw.retrfile(file, type)
File "/home/travis/build/python/cpython/Lib/urllib/request.py", line 2363, in retrfile
conn, retrlen = self.ftp.ntransfercmd(cmd)
File "/home/travis/build/python/cpython/Lib/ftplib.py", line 366, in ntransfercmd
resp = self.sendcmd(cmd)
File "/home/travis/build/python/cpython/Lib/ftplib.py", line 274, in sendcmd
return self.getresp()
File "/home/travis/build/python/cpython/Lib/ftplib.py", line 245, in getresp
raise error_temp(resp)
ftplib.error_temp: 425 Security: Bad IP connecting.

[vstinner]

ftplib.error_temp: 425 Security: Bad IP connecting.

Yeah it's a known issue. I wrote PR #11874 to backport the fix. Please merge my PR #11874. Once the test fix will be backported, I will rebase this PR on top of it.

[vstinner]

I'm guessing the code is fine, and this is a temporary / race condition or CI configuration error.

The failure is unrelated to this PR. Travis CI changed their security a few months ago: https://bugs.python.org/issue35411

[larryhastings]

So what should I do? I wanna mash that big attractive "Squash and merge" button but it won't let me! It's gray and I want it to be green!

[larryhastings]

nm, I found your "skip FTP tests on Travis CI" PR. I'll merge that when I can and then the rest of the dominos will tumble and fall!

[bedevere-bot]

@larryhastings: Please replace # with GH- in the commit message next time. Thanks!

[larryhastings]

Thanks for the backport! 3.5 is now poised to take over the world.