From a37f52436f9aa4b9292878b72f3ff1480e2606c3 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 15 Jan 2019 23:47:42 +0100 Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser (GH-11569) Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result into segfault. Signed-off-by: Christian Heimes https://bugs.python.org/issue35746 --- Lib/test/talos-2019-0758.pem | 22 +++++++++++++++++++ Lib/test/test_ssl.py | 22 +++++++++++++++++++ .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++ Modules/_ssl.c | 4 ++++ 4 files changed, 51 insertions(+) create mode 100644 Lib/test/talos-2019-0758.pem create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -467,6 +467,27 @@ class BasicSocketTests(unittest.TestCase } ) + def test_parse_cert_CVE_2019_5010(self): + p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP) + if support.verbose: + sys.stdout.write("\n" + pprint.pformat(p) + "\n") + self.assertEqual( + p, + { + 'issuer': ( + (('countryName', 'UK'),), (('commonName', 'cody-ca'),)), + 'notAfter': 'Jun 14 18:00:58 2028 GMT', + 'notBefore': 'Jun 18 18:00:58 2018 GMT', + 'serialNumber': '02', + 'subject': ((('countryName', 'UK'),), + (('commonName', + 'codenomicon-vm-2.test.lal.cisco.com'),)), + 'subjectAltName': ( + ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),), + 'version': 3 + } + ) + def test_parse_cert_CVE_2013_4238(self): p = ssl._ssl._test_decode_cert(NULLBYTECERT) if support.verbose: --- /dev/null +++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst @@ -0,0 +1,3 @@ +[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did +not handle CRL distribution points with empty DP or URI correctly. A +malicious or buggy certificate can result into segfault.