Date: Wed, 15 May 2013 19:51:21 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>, Florian Weimer <fweimer@...hat.com>, Ian Weller <ianweller@...oraproject.org>
Subject: Re: CVE Request (minor) -- python-backports-ssl_match_hostname: Denial of service when matching certificate with many '*' wildcard characters

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/15/2013 05:19 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
> A denial of service flaw was found in the way python-backports-ssl_match_hostname,
> an implementation that brings the ssl.match_hostname() function from Python 3.2 to
> users of earlier versions of Python, performed matching of the certificate's name
> in the case it contained many '*' wildcard characters. A remote attacker, able to
> obtain a valid certificate [*] with its name containing a lot of '*' wildcard characters,
> could use this flaw to cause a denial of service (excessive CPU time consumption) by
> issuing a request to validate that certificate for / in an application using the
> python-backports-ssl_match_hostname functionality.
>
> Upstream bug report (no patch yet):
>   http://bugs.python.org/issue17980
>
> References:
>   https://bugzilla.redhat.com/show_bug.cgi?id=963186
>
> Credit: Issue was found by Florian Weimer of the Red Hat Product Security Team
>
> Could you allocate a CVE identifier for this (it's possible that the
> Python 3.2 implementation is vulnerable to the same problem too;
> will check that case yet)?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
> --
> [*] This would be a minor issue because the ability to obtain such a valid certificate would
> mean the necessity to use some compromised CA. On the other hand, though
> being a corner case, it can't be completely excluded.
>

Please use CVE-2013-2098 for this issue.
- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRlDuZAAoJEBYNRVNeJnmTrLEP/30fUBUGtPgQp/vyE8InM20c
27ctbuHVRkAFxNGgDHVXsEysEMb2IwOK2IDLFHyv9E62M83FWPrdaT+ub95wXriW
jI3SzZfyVqnK3nu1fLsydOUv3+MzOo2CzSreJ0M0p7Iy4erp94iR0O3g0OeOhoVe
it9a77Wgb8PAVYNGqpO0zqMyC/H4X1S+IdFS/lq2YKe+RpdV79dL1TWNMXo/spWd
UZWxMdeSibNwtNw8K+g/QMdT0IbTDjNIJa5ncSjfA5tt6wmwrQ1+3VfxNBrQLrZK
0tpJIcjh8G0c6/nzXoonvTTv531THk1NZpe+7jNKA6bcI48eCRykBrTzwVwqBOpY
jDu+ZeijGwaPC1r+2IRHsfpzJCHMGuirZWIusAJYU/fwHk/OUIPn+cEUSyp24zpU
6c6YCyMoHu8w9PHAeLGP1TVY5AuNKxWH56dWfCpfYo5egrdF+Hbg+Wxkc3C9dYMv
eEFB/XZZ1ZQYJTcOdvrRNcP6zcw7RKjVfunAsevR72r7s2QiNiJ1u+luhp5NFw19
5YAcFlm9MUD408UigqjGzwA3DjN4+qEa+E/CPuftH+uvXAWNnG3Ngyx4eNKq8mtz
QnA2aeP2OiNq92kJueNnU+z3j+HQMn5J8UnWKXuJgQcaulxAfMn+W7VG6p14T/r/
v68SLazxWV41c3I9Kl95
=DuLR
-----END PGP SIGNATURE-----
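The report above concerns a hostname matcher whose cost grows sharply with the number of '*' characters in a certificate name. The following is an added example of the defensive shape such a matcher can take; it is not the code of python-backports-ssl_match_hostname, of Python's ssl module, or of the fix referenced in the bug report. It caps the number of wildcards per name (the limit of one is an assumed policy, modelled on RFC 6125 section 6.4.3), confines the wildcard to the leftmost label, and expands it by prefix/suffix comparison instead of a regular expression, so the cost stays linear in the length of the names being compared whatever the certificate contains.

```python
"""Linear-time hostname matching with a wildcard budget.

Constructed example, not the python-backports-ssl_match_hostname code.
MAX_WILDCARDS and the label rules below are assumed policy choices based
on RFC 6125 section 6.4.3; they are not taken from the mailing-list post.
"""

MAX_WILDCARDS = 1  # assumed policy: at most one '*' in the whole certificate name


class CertificateError(ValueError):
    """Raised when a certificate DNS name violates the wildcard policy."""


def count_wildcards(cert_name):
    """Number of '*' characters in a certificate DNS name (used for the budget check)."""
    return cert_name.count('*')


def _label_matches(pattern_label, host_label):
    """Match one DNS label against a label pattern holding at most one '*'.

    The wildcard is resolved with startswith/endswith on the text around it,
    so there is no regular expression and no backtracking: the work done is
    bounded by the length of the two labels.
    """
    if not host_label:
        return False
    if '*' not in pattern_label:
        return pattern_label == host_label
    prefix, _, suffix = pattern_label.partition('*')
    return (len(host_label) >= len(prefix) + len(suffix)
            and host_label.startswith(prefix)
            and host_label.endswith(suffix))


def match_hostname(cert_name, hostname):
    """Return True if hostname is covered by cert_name under a conservative policy.

    Policy (assumed, modelled on RFC 6125 6.4.3):
      * more than MAX_WILDCARDS '*' in the name raises CertificateError before
        any matching is attempted, so a wildcard-heavy name costs one count();
      * a '*' may appear only in the leftmost label, else CertificateError;
      * a '*' never spans a '.', so the label counts must be equal;
      * comparison is case-insensitive and ignores a trailing dot.
    """
    if count_wildcards(cert_name) > MAX_WILDCARDS:
        raise CertificateError(
            'too many wildcards in certificate DNS name: %r' % cert_name)

    pat_labels = cert_name.lower().rstrip('.').split('.')
    host_labels = hostname.lower().rstrip('.').split('.')

    if any('*' in label for label in pat_labels[1:]):
        raise CertificateError(
            'wildcard outside the leftmost label: %r' % cert_name)

    if len(pat_labels) != len(host_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(pat_labels, host_labels))


if __name__ == '__main__':
    # Constructed sample names; a name made of many '*' is rejected up front.
    print(match_hostname('*.example.com', 'www.example.com'))      # True
    print(match_hostname('*.example.com', 'a.b.example.com'))      # False
    try:
        match_hostname('*' * 40 + '.example.com', 'x.example.com')
    except CertificateError as exc:
        print('rejected:', exc)
```

The budget check runs before any label comparison, which is the property that matters for the CPU-consumption problem described in the report: a certificate name that would have been expensive to match is refused in constant time, and the remaining matching work is proportional to the input length.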