- bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch

fixing bpo-35746.
  An exploitable denial-of-service vulnerability exists in the
  X509 certificate parser of Python.org Python 2.7.11 / 3.7.2.
  A specially crafted X509 certificate can cause a NULL pointer
  dereference, resulting in a denial of service. An attacker can
  initiate or accept TLS connections using crafted certificates
  to trigger this vulnerability.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=239

CVE-2019-5010-null-defer-x509-cert-DOS.patch

@@ -0,0 +1,106 @@
+From 280917872027ee991416d2623fc16ff1eed48f50 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian@python.org>
+Date: Tue, 15 Jan 2019 23:47:42 +0100
+Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser (GH-11569)
+
+Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
+distribution points with empty DP or URI correctly. A malicious or buggy
+certificate can result into segfault.
+
+Signed-off-by: Christian Heimes <christian@python.org>
+
+https://bugs.python.org/issue35746
+(cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3)
+
+Co-authored-by: Christian Heimes <christian@python.org>
+---
+ Lib/test/talos-2019-0758.pem                  | 22 +++++++++++++++++++
+ Lib/test/test_ssl.py                          | 22 +++++++++++++++++++
+ .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst  |  3 +++
+ Modules/_ssl.c                                |  4 ++++
+ 4 files changed, 51 insertions(+)
+ create mode 100644 Lib/test/talos-2019-0758.pem
+ create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
+
+--- /dev/null
++++ b/Lib/test/talos-2019-0758.pem
+@@ -0,0 +1,22 @@
++-----BEGIN CERTIFICATE-----
++MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO
++BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7
++MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh
++bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB
++J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES
++V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD
++5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C
++1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP
++WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF
++j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp
++HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io
++UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7
++2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu
++bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG
++SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p
++t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr
++t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit
++p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV
++Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+
++10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA==
++-----END CERTIFICATE-----
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -72,6 +72,7 @@ NONEXISTINGCERT = data_file("XXXnonexist
+ BADKEY = data_file("badkey.pem")
+ NOKIACERT = data_file("nokia.pem")
+ NULLBYTECERT = data_file("nullbytecert.pem")
++TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")
+ 
+ DHFILE = data_file("dh1024.pem")
+ BYTES_DHFILE = DHFILE.encode(sys.getfilesystemencoding())
+@@ -227,6 +228,27 @@ class BasicSocketTests(unittest.TestCase
+         self.assertEqual(p['crlDistributionPoints'],
+                          ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))
+ 
++    def test_parse_cert_CVE_2019_5010(self):
++        p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
++        if support.verbose:
++            sys.stdout.write("\n" + pprint.pformat(p) + "\n")
++        self.assertEqual(
++            p,
++            {
++                'issuer': (
++                    (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
++                'notAfter': 'Jun 14 18:00:58 2028 GMT',
++                'notBefore': 'Jun 18 18:00:58 2018 GMT',
++                'serialNumber': '02',
++                'subject': ((('countryName', 'UK'),),
++                            (('commonName',
++                              'codenomicon-vm-2.test.lal.cisco.com'),)),
++                'subjectAltName': (
++                    ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
++                'version': 3
++            }
++        )
++
+     def test_parse_cert_CVE_2013_4238(self):
+         p = ssl._ssl._test_decode_cert(NULLBYTECERT)
+         if support.verbose:
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
+@@ -0,0 +1,3 @@
++[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did
++not handle CRL distribution points with empty DP or URI correctly. A
++malicious or buggy certificate can result into segfault.
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -1222,6 +1222,10 @@ _get_crl_dp(X509 *certificate) {
+         STACK_OF(GENERAL_NAME) *gns;
+ 
+         dp = sk_DIST_POINT_value(dps, i);
++        if (dp->distpoint == NULL) {
++            /* Ignore empty DP value, CVE-2019-5010 */
++            continue;
++        }
+         gns = dp->distpoint->name.fullname;
+ 
+         for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {

python-base-rpmlintrc

@@ -0,0 +1,2 @@
+addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/distutils/tests/xxmodule.c")
+addFilter("devel-file-in-non-devel-package.*/usr/include/python.*/pyconfig.h")

python-base.changes

@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Sat Jan 19 16:19:38 CET 2019 - mcepl@suse.com
+
+- bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch
+  fixing bpo-35746.
+  An exploitable denial-of-service vulnerability exists in the
+  X509 certificate parser of Python.org Python 2.7.11 / 3.7.2.
+  A specially crafted X509 certificate can cause a NULL pointer
+  dereference, resulting in a denial of service. An attacker can
+  initiate or accept TLS connections using crafted certificates
+  to trigger this vulnerability.
+
 -------------------------------------------------------------------
 Wed Dec 19 19:29:44 UTC 2018 - Todd R <toddrme2178@gmail.com>
 

python-base.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-base
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -32,6 +32,7 @@ Source1:        macros.python2
 Source2:        baselibs.conf
 Source3:        README.SUSE
 Source5:        local.pth
+Source99:       python-base-rpmlintrc
 # COMMON-PATCH-BEGIN
 Patch1:         python-2.7-dirs.patch
 Patch2:         python-distutils-rpm-8.patch
@@ -69,6 +70,10 @@ Patch43:        CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
 Patch47:        openssl-111-middlebox-compat.patch
 # PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE
 Patch48:        openssl-111-ssl_options.patch
+# PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 mcepl@suse.com
+# https://github.com/python/cpython/pull/11569
+# Fix segfault in ssl's cert parser
+Patch49:        CVE-2019-5010-null-defer-x509-cert-DOS.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@@ -180,6 +185,7 @@ other applications.
 %patch43 -p1
 %patch47 -p1
 %patch48 -p1
+%patch49 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac

python-doc.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-doc
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -70,6 +70,10 @@ Patch43:        CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
 Patch47:        openssl-111-middlebox-compat.patch
 # PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE
 Patch48:        openssl-111-ssl_options.patch
+# PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 mcepl@suse.com
+# https://github.com/python/cpython/pull/11569
+# Fix segfault in ssl's cert parser
+Patch49:        CVE-2019-5010-null-defer-x509-cert-DOS.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc
 Provides:       pyth_ps
@@ -127,6 +131,7 @@ Python, and Macintosh Module Reference in PDF format.
 %patch43 -p1
 %patch47 -p1
 %patch48 -p1
+%patch49 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac

python.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -75,6 +75,10 @@ Patch43:        CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
 Patch47:        openssl-111-middlebox-compat.patch
 # PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE
 Patch48:        openssl-111-ssl_options.patch
+# PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 mcepl@suse.com
+# https://github.com/python/cpython/pull/11569
+# Fix segfault in ssl's cert parser
+Patch49:        CVE-2019-5010-null-defer-x509-cert-DOS.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@@ -233,6 +237,7 @@ that rely on earlier non-verification behavior.
 %patch43 -p1
 %patch47 -p1
 %patch48 -p1
+%patch49 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac