[arch-commits] Commit in python/trunk (PKGBUILD python-3.3.2-CVE-2013-2099.patch)
Stéphane Gaudreault
stephane at nymeria.archlinux.org
Tue May 21 16:50:15 UTC 2013
Date: Tuesday, May 21, 2013 @ 18:50:15
Author: stephane
Revision: 186171
upgpkg: python 3.3.2-1
upstream update + fix for CVE-2013-2099
Added:
python/trunk/python-3.3.2-CVE-2013-2099.patch
Modified:
python/trunk/PKGBUILD
----------------------------------+
PKGBUILD | 13 +++++----
python-3.3.2-CVE-2013-2099.patch | 50 +++++++++++++++++++++++++++++++++++++
2 files changed, 58 insertions(+), 5 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2013-05-21 16:12:01 UTC (rev 186170)
+++ PKGBUILD 2013-05-21 16:50:15 UTC (rev 186171)
@@ -4,7 +4,7 @@
# Contributor: Jason Chu <jason at archlinux.org>
pkgname=python
-pkgver=3.3.1
+pkgver=3.3.2
pkgrel=1
_pybasever=3.3
pkgdesc="Next generation of the python high-level scripting language"
@@ -17,8 +17,10 @@
provides=('python3')
replaces=('python3')
options=('!makeflags')
-source=(http://www.python.org/ftp/python/${pkgver%rc*}/Python-${pkgver}.tar.xz)
-sha1sums=('393d7302c48bc911cd7faa7fa9b5fbcb9919bddc')
+source=(http://www.python.org/ftp/python/${pkgver%rc*}/Python-${pkgver}.tar.xz
+ python-3.3.2-CVE-2013-2099.patch)
+sha1sums=('87009d0c156c6e1354dfec5c98c328cae93950ad'
+ 'b7a386b2e2f0811b344898500860ec31ba81ed4d')
build() {
cd "${srcdir}/Python-${pkgver}"
@@ -32,6 +34,8 @@
rm -r Modules/zlib
rm -r Modules/_ctypes/{darwin,libffi}*
+ patch -Np1 -i ../python-3.3.2-CVE-2013-2099.patch
+
./configure --prefix=/usr \
--enable-shared \
--with-threads \
@@ -48,8 +52,7 @@
check() {
cd "${srcdir}/Python-${pkgver}"
LD_LIBRARY_PATH="${srcdir}/Python-${pkgver}":${LD_LIBRARY_PATH} \
- "${srcdir}/Python-${pkgver}/python" -m test.regrtest -x test_distutils test_site \
- test_urllib test_uuid test_pydoc test_logging
+ "${srcdir}/Python-${pkgver}/python" -m test.regrtest -x test_posixpath test_logging
}
package() {
Added: python-3.3.2-CVE-2013-2099.patch
===================================================================
--- python-3.3.2-CVE-2013-2099.patch (rev 0)
+++ python-3.3.2-CVE-2013-2099.patch 2013-05-21 16:50:15 UTC (rev 186171)
@@ -0,0 +1,50 @@
+
+# HG changeset patch
+# User Antoine Pitrou <solipsis at pitrou.net>
+# Date 1368892602 -7200
+# Node ID c627638753e2d25a98950585b259104a025937a9
+# Parent 9682241dc8fcb4b1aef083bd30860efa070c3d6d
+Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
+
+diff --git a/Lib/ssl.py b/Lib/ssl.py
+--- a/Lib/ssl.py
++++ b/Lib/ssl.py
+@@ -129,9 +129,16 @@ class CertificateError(ValueError):
+ pass
+
+
+-def _dnsname_to_pat(dn):
++def _dnsname_to_pat(dn, max_wildcards=1):
+ pats = []
+ for frag in dn.split(r'.'):
++ if frag.count('*') > max_wildcards:
++ # Issue #17980: avoid denials of service by refusing more
++ # than one wildcard per fragment. A survery of established
++ # policy among SSL implementations showed it to be a
++ # reasonable choice.
++ raise CertificateError(
++ "too many wildcards in certificate DNS name: " + repr(dn))
+ if frag == '*':
+ # When '*' is a fragment by itself, it matches a non-empty dotless
+ # fragment.
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -349,6 +349,17 @@ class BasicSocketTests(unittest.TestCase
+ self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
+ self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
+
++ # Issue #17980: avoid denials of service by refusing more than one
++ # wildcard per fragment.
++ cert = {'subject': ((('commonName', 'a*b.com'),),)}
++ ok(cert, 'axxb.com')
++ cert = {'subject': ((('commonName', 'a*b.co*'),),)}
++ ok(cert, 'axxb.com')
++ cert = {'subject': ((('commonName', 'a*b*.com'),),)}
++ with self.assertRaises(ssl.CertificateError) as cm:
++ ssl.match_hostname(cert, 'axxbxxc.com')
++ self.assertIn("too many wildcards", str(cm.exception))
++
+ def test_server_side(self):
+ # server_hostname doesn't work for server sockets
+ ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
More information about the arch-commits
mailing list