Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 15 May 2013 19:51:38 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>,
        Florian Weimer <fweimer@...hat.com>,
        Ian Weller <ianweller@...oraproject.org>
Subject: Re: CVE Request (minor) -- Python 3.2: DoS when matching
 certificate with many '*' wildcard characters {was: CVE Request
 (minor) --  python-backports-ssl_match_hostname: Denial of service when matching
 certificate with many '*' wildcard characters }

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/15/2013 05:28 AM, Jan Lieskovsky wrote:
> ----- Original Message -----
>> From: "Jan Lieskovsky" <jlieskov@...hat.com> To:
>> oss-security@...ts.openwall.com Cc: "Steven M. Christey"
>> <coley@...us.mitre.org>, "Florian Weimer" <fweimer@...hat.com>,
>> "Ian Weller" <ianweller@...oraproject.org> Sent: Wednesday, May
>> 15, 2013 1:19:33 PM Subject: [oss-security] CVE Request (minor)
>> --  python-backports-ssl_match_hostname: Denial of service when
>> matching certificate with many '*' wildcard characters
>> 
>> Hello Kurt, Steve, vendors,
>> 
>> A denial of service flaw was found in the way 
>> python-backports-ssl_match_hostname, an implementation that
>> brings the ssl.match_hostname() function from Python 3.2 to users
>> of earlier versions of Python, performed matching of the
>> certificate's name in the case it contained many '*' wildcard
>> characters. A remote attacker, able to obtain valid certificate
>> [*] with its name containing a lot of '*' wildcard characters, 
>> could use this flaw to cause denial of service (excessive CPU
>> time consumption) by issuing request to validate that certificate
>> for / in an application using the 
>> python-backports-ssl_match_hostname functionality.
>> 
>> Upstream bug report (no patch yet): [1]
>> http://bugs.python.org/issue17980
>> 
>> References: [2]
>> https://bugzilla.redhat.com/show_bug.cgi?id=963186
>> 
>> Credit: Issue was found by Florian Weimer of Red Hat Product
>> Security Team
>> 
>> Could you allocate a CVE identifier for this (it's possible that 
>> Python 3.2 implementation is vulnerable to the same problem too, 
>> will check that case yet)?
> 
> Replying to myself here. Issue is present in Python 3.2 code too -
> so the CVE should be allocated for the original (Python 3.2) code,
> rather than to python-backports-ssl_match_hostname package.
> 
> Updated subject of the request to reflect this.
> 
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team
> 
>> 
>> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
>> Security Response Team -- [*] Would be minor issue because
>> ability to obtain such valid certificate would mean the necessity
>> to use some compromised CA. On the other hand though being corner
>> case, can't be completely excluded.
>> 

Please use CVE-2013-2099 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRlDupAAoJEBYNRVNeJnmTR4QQAJigfFc7LqZbJJ2zKAZrNJNe
uXTXrhsNYGLWXXjInanJbDLgTtcuJp+xwhgBT/2GPLkZpapIrzmusysLnXXOh3mr
FAktSJEMqIj8SMf2Zccb1mLmWUVACSHq5uTA6rvU6BErv2/0sHvmjMDulNlVhkYs
vLf8i1D/yoE1hYef2xj6pkTcu7bRQQ9VbJWsiNwNU59MePMgIR78504HzmCkenYH
oK4Uv3P0a566FtX2wkgpPKkkYS4wTakaUrbqt7HeSArQ8NSlPc8FKelzn2H2qgje
YzzjZL0psOfpXsaj3wy8QLfRyVDAVdSXiLLMR8tFgA1KyXvmT+OJI05UAySe/NjY
huMxIc8Gy9rrEjQcpDEz9KgQXsNmIrUAasZcYXCmAM5309Pn0m3uSMHC6WX8kVlu
p2ikwjiVQc3iubBo2tVhgOuPshZ84tDrNz6CArtXpfBleYZ1Gk6qhRhngQCAPW6W
TQhQ85KycnOzQZmkHeVme7Z1EgdpFF1fkw8xXu4mU+6aqYSgXdOVVf9oGNW5brd2
27SVJj7eaYZyklqAnTKrIGpnLyg9e/GPr1T7q6L2I5QbX+8dls5U/0m0tw8COxLF
vzjDQHgkg4C/vNLP9032b083Cgm56/ypGXOXQHFaz1b9yTS9HB6Biaix2R/6ieOJ
RleZ90iLyFQKiUV9M/ua
=M2WT
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ