Date: Wed, 15 May 2013 19:51:21 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>,
        Florian Weimer <fweimer@...hat.com>,
        Ian Weller <ianweller@...oraproject.org>
Subject: Re: CVE Request (minor) --  python-backports-ssl_match_hostname:
 Denial of service when matching certificate with many '*' wildcard characters

On 05/15/2013 05:19 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
>   A denial of service flaw was found in the way python-backports-ssl_match_hostname,
> an implementation that brings the ssl.match_hostname() function from Python 3.2 to
> users of earlier versions of Python, performed matching of the certificate's name
> in the case it contained many '*' wildcard characters. A remote attacker, able to
> obtain a valid certificate [*] with its name containing a lot of '*' wildcard characters,
> could use this flaw to cause a denial of service (excessive CPU time consumption) by
> issuing a request to validate that certificate for / in an application using the
> python-backports-ssl_match_hostname functionality.
> 
> Upstream bug report (no patch yet):
> [1] http://bugs.python.org/issue17980
> 
> References:
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=963186
> 
> Credit: Issue was found by Florian Weimer of Red Hat Product Security Team
> 
> Could you allocate a CVE identifier for this (it's possible that
> the Python 3.2 implementation is vulnerable to the same problem too,
> will check that case yet)?
> 
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
> --
> [*] This would be a minor issue because the ability to obtain such a valid certificate would
>     mean the necessity to use some compromised CA. On the other hand though,
>     being a corner case, it can't be completely excluded.
> 

Please use CVE-2013-2098 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
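As an added example (not code from this thread, from CPython or from the backports package), a hostname matcher in the style of ssl.match_hostname() that counts the '*' characters in a certificate DNS name before any regular expression is compiled, so a name stuffed with wildcards is rejected in constant time instead of driving the regex engine into the backtracking the report describes. The cap of one wildcard in the leftmost label, the function names and the certificate dict layout are assumptions of this example.

```python
import re


class CertificateError(ValueError):
    """Raised when a certificate's DNS names cannot be accepted for a host."""


def dnsname_match(dn, hostname, max_wildcards=1):
    """Match one certificate DNS name (RFC 6125 style) against a hostname.

    The wildcard count is checked *before* any regular expression is built, so a
    name such as '****************.example.com' is refused in constant time rather
    than compiled into a pattern whose backtracking explodes on a non-matching host.
    The cap of one wildcard in the leftmost label is an assumption of this example.
    """
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        raise CertificateError("too many wildcards in certificate DNS name: %r" % dn)
    if not wildcards:
        return dn.lower() == hostname.lower()  # no wildcard: plain comparison
    if leftmost == '*':
        pats = ['[^.]+']                       # '*' must match a whole non-empty label
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        pats = [re.escape(leftmost)]           # no wildcard expansion inside IDNA labels
    else:
        pats = [re.escape(leftmost).replace(r'\*', '[^.]*')]
    pats.extend(re.escape(frag) for frag in remainder)  # other labels are literal
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def match_hostname(cert, hostname):
    """Return the certificate DNS name that matches hostname, or raise.

    `cert` is assumed to use the dict layout ssl.SSLSocket.getpeercert() returns;
    the subject commonName is consulted only when no DNS subjectAltName is present.
    """
    names = [v for k, v in cert.get('subjectAltName', ()) if k == 'DNS']
    if not names:
        names = [v for rdn in cert.get('subject', ()) for k, v in rdn if k == 'commonName']
    for name in names:
        if dnsname_match(name, hostname):
            return name
    raise CertificateError("hostname %r doesn't match %s" % (hostname, names))
```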
