Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 15 May 2013 07:28:38 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
        Florian Weimer <fweimer@...hat.com>,
        Ian Weller <ianweller@...oraproject.org>
Subject: CVE Request (minor) -- Python 3.2: DoS when matching certificate
 with many '*' wildcard characters {was: CVE Request (minor)
 --  python-backports-ssl_match_hostname: Denial of service when matching
 certificate with many '*' wildcard characters }

----- Original Message -----
> From: "Jan Lieskovsky" <jlieskov@...hat.com>
> To: oss-security@...ts.openwall.com
> Cc: "Steven M. Christey" <coley@...us.mitre.org>, "Florian Weimer" <fweimer@...hat.com>, "Ian Weller"
> <ianweller@...oraproject.org>
> Sent: Wednesday, May 15, 2013 1:19:33 PM
> Subject: [oss-security] CVE Request (minor) --  python-backports-ssl_match_hostname: Denial of service when matching
> certificate with many '*' wildcard characters
> 
> Hello Kurt, Steve, vendors,
> 
>   A denial of service flaw was found in the way
>   python-backports-ssl_match_hostname,
> an implementation that brings the ssl.match_hostname() function from Python
> 3.2 to
> users of earlier versions of Python, performed matching of the certificate's
> name
> in the case it contained many '*' wildcard characters. A remote attacker,
> able to
> obtain valid certificate [*] with its name containing a lot of '*' wildcard
> characters,
> could use this flaw to cause denial of service (excessive CPU time
> consumption) by
> issuing request to validate that certificate for / in an application using
> the
> python-backports-ssl_match_hostname functionality.
> 
> Upstream bug report (no patch yet):
> [1] http://bugs.python.org/issue17980
> 
> References:
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=963186
> 
> Credit: Issue was found by Florian Weimer of Red Hat Product Security Team
> 
> Could you allocate a CVE identifier for this (it's possible that
> Python 3.2 implementation is vulnerable to the same problem too,
> will check that case yet)?

Replying to myself here. Issue is present in Python 3.2 code too - so
the CVE should be allocated for the original (Python 3.2) code, rather
than to python-backports-ssl_match_hostname package.

Updated subject of the request to reflect this.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> 
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
> --
> [*] Would be minor issue because ability to obtain such valid certificate
> would
>     mean the necessity to use some compromised CA. On the other hand though
>     being corner case, can't be completely excluded.
> 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ