forked from pool/python38
Accepting request 1182492 from devel:languages:python:Factory
- Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch fixing bsc#1226447 (CVE-2024-0397) by removing memory race condition in ssl.SSLContext certificate store methods. OBS-URL: https://build.opensuse.org/request/show/1182492 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=48
This commit is contained in:
commit
d6dfaba499
173
CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
Normal file
173
CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
Normal file
@ -0,0 +1,173 @@
|
||||
From 732c7d512e7cdf656a3f02a38c329b14a14a8573 Mon Sep 17 00:00:00 2001
|
||||
From: Seth Michael Larson <seth@python.org>
|
||||
Date: Fri, 19 Apr 2024 11:21:40 -0700
|
||||
Subject: [PATCH] [3.9] gh-114572: Fix locking in cert_store_stats and
|
||||
get_ca_certs
|
||||
|
||||
---
|
||||
Misc/NEWS.d/next/Security/2024-04-19-11-21-13.gh-issue-114572.t1QMQD.rst | 4
|
||||
Modules/_ssl.c | 91 +++++++++-
|
||||
2 files changed, 92 insertions(+), 3 deletions(-)
|
||||
create mode 100644 Misc/NEWS.d/next/Security/2024-04-19-11-21-13.gh-issue-114572.t1QMQD.rst
|
||||
|
||||
Index: Python-3.8.19/Misc/NEWS.d/next/Security/2024-04-19-11-21-13.gh-issue-114572.t1QMQD.rst
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ Python-3.8.19/Misc/NEWS.d/next/Security/2024-04-19-11-21-13.gh-issue-114572.t1QMQD.rst
|
||||
@@ -0,0 +1,4 @@
|
||||
+:meth:`ssl.SSLContext.cert_store_stats` and
|
||||
+:meth:`ssl.SSLContext.get_ca_certs` now correctly lock access to the
|
||||
+certificate store, when the :class:`ssl.SSLContext` is shared across
|
||||
+multiple threads.
|
||||
Index: Python-3.8.19/Modules/_ssl.c
|
||||
===================================================================
|
||||
--- Python-3.8.19.orig/Modules/_ssl.c
|
||||
+++ Python-3.8.19/Modules/_ssl.c
|
||||
@@ -168,6 +168,10 @@ extern const SSL_METHOD *TLSv1_2_method(
|
||||
# define PY_OPENSSL_1_1_API 1
|
||||
#endif
|
||||
|
||||
+#if (OPENSSL_VERSION_NUMBER >= 0x30300000L) && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
+# define OPENSSL_VERSION_3_3 1
|
||||
+#endif
|
||||
+
|
||||
/* SNI support (client- and server-side) appeared in OpenSSL 1.0.0 and 0.9.8f
|
||||
* This includes the SSL_set_SSL_CTX() function.
|
||||
*/
|
||||
@@ -212,6 +216,16 @@ extern const SSL_METHOD *TLSv1_2_method(
|
||||
#define HAVE_OPENSSL_CRYPTO_LOCK
|
||||
#endif
|
||||
|
||||
+/* OpenSSL 1.1+ allows locking X509_STORE, 1.0.2 doesn't. */
|
||||
+#ifdef OPENSSL_VERSION_1_1
|
||||
+#define HAVE_OPENSSL_X509_STORE_LOCK
|
||||
+#endif
|
||||
+
|
||||
+/* OpenSSL 3.3 added the X509_STORE_get1_objects API */
|
||||
+#ifdef OPENSSL_VERSION_3_3
|
||||
+#define HAVE_OPENSSL_X509_STORE_GET1_OBJECTS 1
|
||||
+#endif
|
||||
+
|
||||
#if defined(OPENSSL_VERSION_1_1) && !defined(OPENSSL_NO_SSL2)
|
||||
#define OPENSSL_NO_SSL2
|
||||
#endif
|
||||
@@ -4678,6 +4692,54 @@ set_sni_callback(PySSLContext *self, PyO
|
||||
#endif
|
||||
}
|
||||
|
||||
+/* Shim of X509_STORE_get1_objects API from OpenSSL 3.3
|
||||
+ * Only available with the X509_STORE_lock() API */
|
||||
+#if defined(HAVE_OPENSSL_X509_STORE_LOCK) && !defined(OPENSSL_VERSION_3_3)
|
||||
+#define HAVE_OPENSSL_X509_STORE_GET1_OBJECTS 1
|
||||
+
|
||||
+static X509_OBJECT *x509_object_dup(const X509_OBJECT *obj)
|
||||
+{
|
||||
+ int ok;
|
||||
+ X509_OBJECT *ret = X509_OBJECT_new();
|
||||
+ if (ret == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ switch (X509_OBJECT_get_type(obj)) {
|
||||
+ case X509_LU_X509:
|
||||
+ ok = X509_OBJECT_set1_X509(ret, X509_OBJECT_get0_X509(obj));
|
||||
+ break;
|
||||
+ case X509_LU_CRL:
|
||||
+ /* X509_OBJECT_get0_X509_CRL was not const-correct prior to 3.0.*/
|
||||
+ ok = X509_OBJECT_set1_X509_CRL(
|
||||
+ ret, X509_OBJECT_get0_X509_CRL((X509_OBJECT *)obj));
|
||||
+ break;
|
||||
+ default:
|
||||
+ /* We cannot duplicate unrecognized types in a polyfill, but it is
|
||||
+ * safe to leave an empty object. The caller will ignore it. */
|
||||
+ ok = 1;
|
||||
+ break;
|
||||
+ }
|
||||
+ if (!ok) {
|
||||
+ X509_OBJECT_free(ret);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static STACK_OF(X509_OBJECT) *
|
||||
+X509_STORE_get1_objects(X509_STORE *store)
|
||||
+{
|
||||
+ STACK_OF(X509_OBJECT) *ret;
|
||||
+ if (!X509_STORE_lock(store)) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ ret = sk_X509_OBJECT_deep_copy(X509_STORE_get0_objects(store),
|
||||
+ x509_object_dup, X509_OBJECT_free);
|
||||
+ X509_STORE_unlock(store);
|
||||
+ return ret;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
PyDoc_STRVAR(PySSLContext_sni_callback_doc,
|
||||
"Set a callback that will be called when a server name is provided by the SSL/TLS client in the SNI extension.\n\
|
||||
\n\
|
||||
@@ -4707,7 +4769,15 @@ _ssl__SSLContext_cert_store_stats_impl(P
|
||||
int x509 = 0, crl = 0, ca = 0, i;
|
||||
|
||||
store = SSL_CTX_get_cert_store(self->ctx);
|
||||
+#if HAVE_OPENSSL_X509_STORE_GET1_OBJECTS
|
||||
+ objs = X509_STORE_get1_objects(store);
|
||||
+ if (objs == NULL) {
|
||||
+ PyErr_SetString(PyExc_MemoryError, "failed to query cert store");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+#else
|
||||
objs = X509_STORE_get0_objects(store);
|
||||
+#endif
|
||||
for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
|
||||
obj = sk_X509_OBJECT_value(objs, i);
|
||||
switch (X509_OBJECT_get_type(obj)) {
|
||||
@@ -4721,12 +4791,13 @@ _ssl__SSLContext_cert_store_stats_impl(P
|
||||
crl++;
|
||||
break;
|
||||
default:
|
||||
- /* Ignore X509_LU_FAIL, X509_LU_RETRY, X509_LU_PKEY.
|
||||
- * As far as I can tell they are internal states and never
|
||||
- * stored in a cert store */
|
||||
+ /* Ignore unrecognized types. */
|
||||
break;
|
||||
}
|
||||
}
|
||||
+#if HAVE_OPENSSL_X509_STORE_GET1_OBJECTS
|
||||
+ sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
|
||||
+#endif
|
||||
return Py_BuildValue("{sisisi}", "x509", x509, "crl", crl,
|
||||
"x509_ca", ca);
|
||||
}
|
||||
@@ -4758,7 +4829,15 @@ _ssl__SSLContext_get_ca_certs_impl(PySSL
|
||||
}
|
||||
|
||||
store = SSL_CTX_get_cert_store(self->ctx);
|
||||
+#if HAVE_OPENSSL_X509_STORE_GET1_OBJECTS
|
||||
+ objs = X509_STORE_get1_objects(store);
|
||||
+ if (objs == NULL) {
|
||||
+ PyErr_SetString(PyExc_MemoryError, "failed to query cert store");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+#else
|
||||
objs = X509_STORE_get0_objects(store);
|
||||
+#endif
|
||||
for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
|
||||
X509_OBJECT *obj;
|
||||
X509 *cert;
|
||||
@@ -4786,9 +4865,15 @@ _ssl__SSLContext_get_ca_certs_impl(PySSL
|
||||
}
|
||||
Py_CLEAR(ci);
|
||||
}
|
||||
+#if HAVE_OPENSSL_X509_STORE_GET1_OBJECTS
|
||||
+ sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
|
||||
+#endif
|
||||
return rlist;
|
||||
|
||||
error:
|
||||
+#if HAVE_OPENSSL_X509_STORE_GET1_OBJECTS
|
||||
+ sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
|
||||
+#endif
|
||||
Py_XDECREF(ci);
|
||||
Py_XDECREF(rlist);
|
||||
return NULL;
|
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Jun 21 09:44:24 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
|
||||
|
||||
- Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
|
||||
fixing bsc#1226447 (CVE-2024-0397) by removing memory race
|
||||
condition in ssl.SSLContext certificate store methods.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Mar 24 00:43:14 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
|
||||
|
||||
|
@ -186,6 +186,9 @@ Patch42: CVE-2023-27043-email-parsing-errors.patch
|
||||
# PATCH-FIX-UPSTREAM old-libexpat.patch gh#python/cpython#117187 mcepl@suse.com
|
||||
# Make the test suite work with libexpat < 2.6.0
|
||||
Patch43: old-libexpat.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch bsc#1226447 mcepl@suse.com
|
||||
# removes memory race condition in ssl.SSLContext certificate store methods
|
||||
Patch44: CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
|
||||
BuildRequires: autoconf-archive
|
||||
BuildRequires: automake
|
||||
BuildRequires: fdupes
|
||||
@ -459,6 +462,7 @@ other applications.
|
||||
%patch -P 41 -p1
|
||||
%patch -P 42 -p1
|
||||
%patch -P 43 -p1
|
||||
%patch -P 44 -p1
|
||||
|
||||
# drop Autoconf version requirement
|
||||
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
|
||||
|
Loading…
Reference in New Issue
Block a user