[CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names

Bug #1182124 reported by Andrew Starr-Bochicchio on 2013-05-20
Affects        Status        Importance  Assigned to               Milestone
Bazaar                       Medium      Andrew Starr-Bochicchio
Python         Fix Released  Unknown
bzr (Debian)   Fix Released  Unknown
bzr (Ubuntu)                 Medium      Andrew Starr-Bochicchio

Bug Description

/bzrlib/transport/http/_urllib2_wrappers.py contains code from Python 3.2's ssl module for which a security issue has been found.

Python Bug: http://bugs.python.org/issue17980
CVE request: http://www.openwall.com/lists/oss-security/2013/05/15/6
Probable fix: http://hg.python.org/cpython/rev/fafd33db6ff6/

ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: bzr 2.6.0~bzr6571-4ubuntu2
ProcVersionSignature: Ubuntu 3.8.0-21.32-generic 3.8.8
Uname: Linux 3.8.0-21-generic x86_64
ApportVersion: 2.9.2-0ubuntu8
Architecture: amd64
Date: Mon May 20 11:36:23 2013
InstallationDate: Installed on 2013-03-16 (64 days ago)
InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Alpha amd64 (20130316)
MarkForUpload: True
PackageArchitecture: all
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: bzr
UpgradeStatus: No upgrade log present (probably fresh install)

Changed in bzr (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in bzr:
status: New → Triaged
importance: Undecided → Medium
Changed in bzr:
status: Triaged → In Progress
assignee: nobody → Andrew Starr-Bochicchio (andrewsomething)
Changed in bzr (Debian):
status: Unknown → Confirmed
Changed in python:
status: Unknown → Fix Released
Changed in bzr (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Andrew Starr-Bochicchio (andrewsomething)
Changed in bzr:
status: In Progress → Fix Committed
milestone: none → 2.6b3

Fixed both upstream and Debian. Attached debdiff merges the fix from Debian.

(I've dropped the Ubuntu change to Vcs fields as the UDD bzr imports for both Debian and Ubuntu are out of date. So that branch isn't very helpful. Yes, I realize that is a bit ironic...)

Changes since last Ubuntu version:

 bzr (2.6.0~bzr6574-1ubuntu1) saucy; urgency=low
 .
   * Merge from Debian unstable. Remaining Ubuntu changes:
    - Drop build dependencies on python-{meliae,lzma,medusa},
      which are not in main.
   * Drop changes to Vcs fields. The UDD imports are out of date.
 .
 bzr (2.6.0~bzr6574-1) unstable; urgency=low
 .
   * New upstream snapshot.
    - Fix CVE 2013-2009. Avoid allowing multiple wildcards in a single
      SSL cert hostname segment (Closes: #709068, LP: #1182124).
 .
 bzr (2.6.0~bzr6573-1) unstable; urgency=low
 .
   * Upload to unstable.
   * New upstream snapshot.
   * Remove the test_tuned_gzip.TestToGzip.test_enormous_chunks test
     (LP: #1116079, #1160572).
   * Drop debian/patches/04_revert_ui_changes, fixed upstream.
   * Drop deprecated Dm-Upload-Allowed field.
   * Bump Standards-Version to 3.9.4, no changes needed.
   * Drop un-needed Build-Conflicts on python-gpgme.

Changed in bzr (Ubuntu):
status: In Progress → Triaged
Changed in bzr (Debian):
status: Confirmed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Merge in comment #2 looks good. Thanks!
Uploaded to saucy.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bzr - 2.6.0~bzr6574-1ubuntu1

---------------
bzr (2.6.0~bzr6574-1ubuntu1) saucy; urgency=low

  * Merge from Debian unstable. Remaining Ubuntu changes:
   - Drop build dependencies on python-{meliae,lzma,medusa},
     which are not in main.
  * Drop changes to Vcs fields. The UDD imports are out of date.

bzr (2.6.0~bzr6574-1) unstable; urgency=low

  * New upstream snapshot.
   - Fix CVE 2013-2009. Avoid allowing multiple wildcards in a single
     SSL cert hostname segment (Closes: #709068, LP: #1182124).

bzr (2.6.0~bzr6573-1) unstable; urgency=low

  * Upload to unstable.
  * New upstream snapshot.
  * Remove the test_tuned_gzip.TestToGzip.test_enormous_chunks test
    (LP: #1116079, #1160572).
  * Drop debian/patches/04_revert_ui_changes, fixed upstream.
  * Drop deprecated Dm-Upload-Allowed field.
  * Bump Standards-Version to 3.9.4, no changes needed.
  * Drop un-needed Build-Conflicts on python-gpgme.
 -- Andrew Starr-Bochicchio <email address hidden> Mon, 20 May 2013 20:55:13 -0400

Changed in bzr (Ubuntu):
status: Triaged → Fix Released
Toshio Kuratomi (toshio) wrote :

Note: there's now a backports module on pypi for this function: https://pypi.python.org/pypi/backports.ssl_match_hostname/

However, it hasn't fixed this CVE upstream as fast as you have :-)

Vincent Ladeuil (vila) on 2013-05-27
Changed in bzr:
status: Fix Committed → Fix Released
Vincent Ladeuil (vila) on 2013-07-27
Changed in bzr:
milestone: 2.6b3 → 2.6.0