Bug 10391 - python3 new security issue CVE-2013-2099
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: major
Assigned To: QA Team
QA Contact: Sec team
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga2...
Keywords: validated_update
Depends on / Blocks: 9395 10989
Reported: 2013-06-02 00:18 CEST by David Walser
Modified: 2013-08-26 21:15 CEST (History)
Source RPM: python3-3.3.0-4.mga3.src.rpm

Description David Walser 2013-06-02 00:18:57 CEST
A security issue in Python3 was announced on May 15:
http://www.openwall.com/lists/oss-security/2013/05/15/6

The description above talks about python-backports-ssl_match_hostname (which we don't have AFAIK), but it also affects python3 upstream.

Thierry fixed it in Cauldron here:
http://svnweb.mageia.org/packages?view=revision&revision=433777

According to RedHat, it sounds like a really low severity issue:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2099

We probably don't need to issue an update for this now, but should put the patch in SVN so it gets included in any future updates.
Comment 1 David Walser 2013-06-07 19:02:25 CEST
As noted here:
https://bugzilla.redhat.com/show_bug.cgi?id=963260#c11

bzr, python-requests, and python-tornado are also affected by this.

Fedora has issued an advisory for bzr on May 30:
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107957.html

from http://lwn.net/Vulnerabilities/553295/

So again, we should at least fix this in Cauldron and patch it in SVN.
Comment 2 Philippe Makowski 2013-06-07 22:50:36 CEST
for python-tornado :
python-tornado-2.3-2.1.mga3.noarch
python-tornado-2.3-2.1.mga3.src
python-tornado-doc-2.3-2.1.mga3.noarch 

python-tornado-doc-2.2.1-1.1.mga2.noarch
python-tornado-2.2.1-1.1.mga2.src
python-tornado-2.2.1-1.1.mga2.noarch

and Cauldron patched too, but the issue will be solved with the next mainstream release
Comment 3 Philippe Makowski 2013-06-08 11:54:20 CEST
for bzr :

bzr-2.5.1-3.1.mga3.src
bzr-debuginfo-2.5.1-3.1.mga3.x86_64
bzr-2.5.1-3.1.mga3.x86_64
bzr-debuginfo-2.5.1-3.1.mga3.i586
bzr-2.5.1-3.1.mga3.i586

bzr-2.5.1-1.1.mga2.src
bzr-debuginfo-2.5.1-1.1.mga2.x86_64
bzr-2.5.1-1.1.mga2.x86_64
bzr-debuginfo-2.5.1-1.1.mga2.i586
bzr-2.5.1-1.1.mga2.i586

Cauldron patched too
Comment 4 Philippe Makowski 2013-06-08 12:48:51 CEST
for python-requests (doesn't exist in mga2)

python-requests-0.13.5-2.1.mga3.noarch
python-requests-0.13.5-2.1.mga3.src

Cauldron patched too
Comment 5 David Walser 2013-06-28 00:28:11 CEST
Patch added in Mageia 2 and Mageia 3 SVN for the python3 package.
Comment 6 David Walser 2013-07-26 18:41:54 CEST
python-pip is apparently affected too. Fedora has just issued updates for that citing this CVE.
Comment 7 Philippe Makowski 2013-07-26 23:23:18 CEST
python-pip patched in Cauldron and in mga3 :

python3-pip-1.3.1-2.1.mga3.noarch.rpm
python-pip-1.3.1-2.1.mga3.noarch.rpm
python-pip-1.3.1-2.1.mga3.src.rpm

python3-pip-1.3.1-3.mga4.noarch.rpm
python-pip-1.3.1-3.mga4.noarch.rpm
python-pip-1.3.1-3.mga4.src.rpm
Comment 8 David Walser 2013-08-15 17:08:42 CEST
Advisory:
========================

Updated python3 packages fix security vulnerabilities:

A denial of service flaw was found in the way the SSL module implementation of
Python 3 performed matching of the certificate's name in the case it contained
many '*' wildcard characters. A remote attacker, able to obtain a valid
certificate with its name containing a lot of '*' wildcard characters, could use
this flaw to cause a denial of service (excessive CPU consumption) by issuing a
request to validate such a certificate for / to an application using
Python's ssl.match_hostname() functionality (CVE-2013-2099).

Ryan Sleevi of the Google Chrome Security Team has discovered that Python's SSL
module doesn't handle NULL bytes inside subjectAltNames general names. This
could lead to a breach when an application uses ssl.match_hostname() to match
the hostname against the certificate's subjectAltName's dNSName general names
(CVE-2013-4328).

Additionally, a linking issue when compiling C extensions for Python 3 has been
fixed in Mageia 3 (mga#9395).

The CVE-2013-2099 issue also affects bzr, python-requests, python-tornado,
and python-pip, and those have been updated as well.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4328
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2099
http://bugs.python.org/issue18709
https://bugs.mageia.org/show_bug.cgi?id=9395
https://bugs.mageia.org/show_bug.cgi?id=10391
https://bugs.mageia.org/show_bug.cgi?id=10989
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107957.html
========================

Updated packages in core/updates_testing:
========================
python3-3.2.3-1.5.mga2
python3-docs-3.2.3-1.5.mga2
libpython3.2-3.2.3-1.5.mga2
libpython3-devel-3.2.3-1.5.mga2
tkinter3-3.2.3-1.5.mga2
tkinter3-apps-3.2.3-1.5.mga2
python-tornado-2.2.1-1.1.mga2
python-tornado-doc-2.2.1-1.1.mga2
bzr-2.5.1-1.1.mga2
python3-3.3.0-4.3.mga3
python3-docs-3.3.0-4.3.mga3
libpython3.3-3.3.0-4.3.mga3
libpython3-devel-3.3.0-4.3.mga3
tkinter3-3.3.0-4.3.mga3
tkinter3-apps-3.3.0-4.3.mga3
python-pip-1.3.1-2.1.mga3
python3-pip-1.3.1-2.1.mga3
python-tornado-2.3-2.1.mga3
python-tornado-doc-2.3-2.1.mga3
bzr-2.5.1-3.1.mga3
python-requests-0.13.5-2.1.mga3

from SRPMS:
python3-3.2.3-1.5.mga2.src.rpm
python-tornado-2.2.1-1.1.mga2.src.rpm
bzr-2.5.1-1.1.mga2.src.rpm
python3-3.3.0-4.3.mga3.src.rpm
python-pip-1.3.1-2.1.mga3.src.rpm
python-tornado-2.3-2.1.mga3.src.rpm
bzr-2.5.1-3.1.mga3.src.rpm
python-requests-0.13.5-2.1.mga3.src.rpm
Comment 9 Oden Eriksson 2013-08-16 10:56:25 CEST
python-virtualenv-1.9.1 is affected by the CVE-2013-2099 flaw as it bundles the pip-1.3.1.tar.gz tar ball.

python-virtualenv:/usr/lib/python2.7/site-packages/virtualenv_support/pip-1.3.1.tar.gz
Comment 10 Oden Eriksson 2013-08-16 11:35:39 CEST
(In reply to Oden Eriksson from comment #9)
> python-virtualenv-1.9.1 is affected by the CVE-2013-2099 flaw as it bundles
> the pip-1.3.1.tar.gz tar ball.
> 
> python-virtualenv:/usr/lib/python2.7/site-packages/virtualenv_support/pip-1.
> 3.1.tar.gz

Fixed with python-virtualenv-1.9.1-1.2.mga3, but needs testing.

http://svnweb.mageia.org/packages?view=revision&revision=466815
Comment 11 David Walser 2013-08-16 12:50:21 CEST
Thanks, updating the advisory.

Advisory:
========================

Updated python3 packages fix security vulnerabilities:

A denial of service flaw was found in the way the SSL module implementation of
Python 3 performed matching of the certificate's name in the case it contained
many '*' wildcard characters. A remote attacker, able to obtain a valid
certificate with its name containing a lot of '*' wildcard characters, could use
this flaw to cause a denial of service (excessive CPU consumption) by issuing a
request to validate such a certificate for / to an application using
Python's ssl.match_hostname() functionality (CVE-2013-2099).

Ryan Sleevi of the Google Chrome Security Team has discovered that Python's SSL
module doesn't handle NULL bytes inside subjectAltNames general names. This
could lead to a breach when an application uses ssl.match_hostname() to match
the hostname against the certificate's subjectAltName's dNSName general names
(CVE-2013-4328).

Additionally, a linking issue when compiling C extensions for Python 3 has been
fixed in Mageia 3 (mga#9395).

The CVE-2013-2099 issue also affects bzr, python-requests, python-tornado,
python-pip, and python-virtualenv, and those have been updated as well.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4328
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2099
http://bugs.python.org/issue18709
https://bugs.mageia.org/show_bug.cgi?id=9395
https://bugs.mageia.org/show_bug.cgi?id=10391
https://bugs.mageia.org/show_bug.cgi?id=10989
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107957.html
========================

Updated packages in core/updates_testing:
========================
python3-3.2.3-1.5.mga2
python3-docs-3.2.3-1.5.mga2
libpython3.2-3.2.3-1.5.mga2
libpython3-devel-3.2.3-1.5.mga2
tkinter3-3.2.3-1.5.mga2
tkinter3-apps-3.2.3-1.5.mga2
python-tornado-2.2.1-1.1.mga2
python-tornado-doc-2.2.1-1.1.mga2
bzr-2.5.1-1.1.mga2
python3-3.3.0-4.3.mga3
python3-docs-3.3.0-4.3.mga3
libpython3.3-3.3.0-4.3.mga3
libpython3-devel-3.3.0-4.3.mga3
tkinter3-3.3.0-4.3.mga3
tkinter3-apps-3.3.0-4.3.mga3
python-pip-1.3.1-2.1.mga3
python3-pip-1.3.1-2.1.mga3
python-tornado-2.3-2.1.mga3
python-tornado-doc-2.3-2.1.mga3
bzr-2.5.1-3.1.mga3
python-requests-0.13.5-2.1.mga3
python-virtualenv-1.9.1-1.2.mga3

from SRPMS:
python3-3.2.3-1.5.mga2.src.rpm
python-tornado-2.2.1-1.1.mga2.src.rpm
bzr-2.5.1-1.1.mga2.src.rpm
python3-3.3.0-4.3.mga3.src.rpm
python-pip-1.3.1-2.1.mga3.src.rpm
python-tornado-2.3-2.1.mga3.src.rpm
bzr-2.5.1-3.1.mga3.src.rpm
python-requests-0.13.5-2.1.mga3.src.rpm
python-virtualenv-1.9.1-1.2.mga3.src.rpm
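As an added illustration of the two checks the advisory above describes (not code from this bug, from Python upstream or from Mageia), here is a hostname matcher modelled on the approach upstream took for the wildcard issue: wildcards in the leftmost label are counted and capped before any regular expression is built, so a name packed with '*' characters is refused in constant time instead of driving the regex engine into backtracking. A name containing a NUL byte is rejected outright as well. The `_dnsname_match`, `match_hostname` and `check` functions and the `SAMPLE_CERT` dict are hypothetical; the commonName fallback and IDNA handling of the real `ssl.match_hostname()` are left out.

```python
import re


class CertificateError(ValueError):
    """Raised when a certificate name cannot be matched to the hostname."""


def _dnsname_match(dn, hostname, max_wildcards=1):
    """Match one dNSName pattern from a certificate against hostname."""
    if not dn:
        return False
    # Upstream fixed NUL handling in the C extension; this Python-level
    # check is illustrative: a NUL hides the rest of the encoded name
    if "\x00" in dn:
        raise CertificateError("NUL byte in certificate DNS name: %r" % dn)
    leftmost, *remainder = dn.split(".")
    # Count wildcards before building any regex; refusing more than
    # max_wildcards in the leftmost label removes the backtracking blow-up
    wildcards = leftmost.count("*")
    if wildcards > max_wildcards:
        raise CertificateError(
            "too many wildcards in certificate DNS name: %r" % dn)
    if not wildcards:
        return dn.lower() == hostname.lower()
    if leftmost == "*":
        pats = ["[^.]+"]  # a bare '*' must cover at least one character
    else:
        pats = [re.escape(leftmost).replace(r"\*", "[^.]*")]
    pats += [re.escape(frag) for frag in remainder]  # literal labels only
    pat = re.compile(r"\A" + r"\.".join(pats) + r"\Z", re.IGNORECASE)
    return pat.match(hostname) is not None


def match_hostname(cert, hostname):
    """Check hostname against the subjectAltName dNSName entries of a cert
    dict shaped like ssl.getpeercert(); commonName fallback is omitted."""
    dnsnames = []
    for key, value in cert.get("subjectAltName", ()):
        if key == "DNS":
            if _dnsname_match(value, hostname):
                return
            dnsnames.append(value)
    raise CertificateError("hostname %r doesn't match %r" % (hostname, dnsnames))


def check(cert, hostname):
    """Return 'ok' or the CertificateError message, for quick inspection."""
    try:
        match_hostname(cert, hostname)
    except CertificateError as exc:
        return str(exc)
    return "ok"


# Constructed sample: a certificate with one sane wildcard SAN entry
SAMPLE_CERT = {"subjectAltName": (("DNS", "*.example.com"),)}
```

`check(SAMPLE_CERT, "www.example.com")` returns "ok", while a SAN such as "*a*.example.com" or one carrying a NUL byte is refused with a CertificateError before any matching is attempted.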
Comment 12 claire robinson 2013-08-19 14:49:36 CEST
Python3 can be tested with some examples from here, can be run in idle3..
http://www.annedawson.net/Python3Programs.txt

Python tornado can be tested with Hello World from here, should be able to view it with your browser on port 8888..
http://www.tornadoweb.org/

pip..
https://pypi.python.org/pypi/pip

bzr..
http://doc.bazaar.canonical.com/bzr.2.5/en/mini-tutorial/index.html

python-requests
http://www.python-requests.org/en/latest/user/quickstart/

python-virtualenv & pip
https://bugs.mageia.org/show_bug.cgi?id=10761#c2
Comment 13 claire robinson 2013-08-19 16:21:28 CEST
Testing complete mga2 64

Tested python3 by running some of the examples in idle3

Tornado tested using the hello world, saved as helloworld.py and started with python helloworld.py then browsed to http://localhost:8888 to see the message.

bzr tested following the basic examples on bzr page..

$ bzr whoami "Mee <amail@someplace.com>"

$ bzr whoami
Mee <amail@someplace.com>

$ bzr init-repo sample
Shared repository with trees (format: 2a)
Location:
  shared repository: sample

$ ls
sample/

$ bzr init sample/trunk
Created a repository tree (format: 2a)                                                    
Using shared repository: /home/test/bzr/sample/
$ cd sample/trunk
$ nano test1.txt
Added some text

$ bzr add test1.txt 
adding test1.txt

$ bzr commit -m "Added a line of text"
Committing to: /home/test/bzr/sample/trunk/                                  
added test1.txt
Committed revision 1.                                                                     

Updated bzr and changed the file and added a new commit

$ echo test test test > test1.txt
 
$ bzr diff
=== modified file 'test1.txt'
--- test1.txt	2013-08-19 14:12:14 +0000
+++ test1.txt	2013-08-19 14:12:57 +0000
@@ -1,3 +1,1 @@
-just a test file for bzr
-line 2
-
+test test test

$ bzr commit -m "changed it"
Committing to: /home/test/bzr/sample/trunk/                                  
modified test1.txt
Committed revision 2.                                                                     

$ bzr log
------------------------------------------------------------
revno: 2
committer: Mee <amail@someplace.com>
branch nick: trunk
timestamp: Mon 2013-08-19 15:14:05 +0100
message:
  changed it
------------------------------------------------------------
revno: 1
committer: Mee <amail@someplace.com>
branch nick: trunk
timestamp: Mon 2013-08-19 15:12:14 +0100
message:
  Added a line of text
Comment 14 claire robinson 2013-08-20 13:00:30 CEST
Testing mga3 64
Comment 15 claire robinson 2013-08-20 13:42:42 CEST
Testing complete mga3 64

python3..
$ cd test
$ wget -O python3programs.py http://www.annedawson.net/Python3Programs.txt
$ idle3 python3programs.py

Choose Run Module in the Run menu. It ends in a loop which you have to kill with ctrl-c, but that's intentional and shows python3 working.


python-pip..
# pip install fabric
Downloading/unpacking fabric
  Downloading Fabric-1.7.0.tar.gz (219kB): 219kB downloaded
  Running setup.py egg_info for package fabric
...etc
Successfully installed fabric paramiko
Cleaning up...

# pip uninstall fabric
Uninstalling Fabric:
  /usr/bin/fab
  /usr/lib/python2.7/site-packages/Fabric-1.7.0-py2.7.egg-info
...etc
/usr/lib/python2.7/site-packages/fabric/utils.py
  /usr/lib/python2.7/site-packages/fabric/version.py
Proceed (y/n)? y
  Successfully uninstalled Fabric


python-tornado..
Used the Hello World from http://www.tornadoweb.org/en/stable/
$ python helloworld.py 
WARNING:root:404 GET /favicon.ico (127.0.0.1) 0.31ms
WARNING:root:404 GET /favicon.ico (127.0.0.1) 0.26ms

Viewed it at http://localhost:8888/ and killed it with ctrl-c


python-requests..
$ python
Python 2.7.5 (default, Aug 12 2013, 12:12:07) 
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> r = requests.get('https://mageia.org')
>>> r.text
u'<!DOCTYPE html>\n<html dir="ltr" lang="en">\n<head>\n    <meta charset="utf-8">\n    <meta name="viewport" content="width=device-width, initial-scale=1.0">\n    <title>Home of the Mageia project </title>\n
...etc
>>> quit()


python-virtualenv..
$ cd test
$ virtualenv .
$ source bin/activate
$ pip install fabric


bzr..
Same as comment 13
Comment 16 David GEIGER 2013-08-20 14:10:08 CEST
Testing complete mga2_32, ok for me, nothing to report.


bzr :

[david@localhost ~]$ bzr whoami "Mee <geiger.davidxxxx@gmail.com>"
[david@localhost ~]$ bzr whoami
Mee <geiger.davidxxxx@gmail.com>

[david@localhost ~]$ bzr init-repo sample
Shared repository with trees (format: 2a)
Location:
  shared repository: sample
[david@localhost ~]$ ls
Bureau/     Images/   Musique/  rpmbuild/  Téléchargements/  Vidéos/
Documents/  Modèles/  mysite/   sample/    tmp/

[david@localhost ~]$ ls sample/

[david@localhost ~]$ bzr init sample/trunk
Created a repository tree (format: 2a)                                         
Using shared repository: /home/david/sample/

[david@localhost ~]$ cd sample/trunk
[david@localhost trunk]$ nano test1.txt

[david@localhost trunk]$ bzr add test1.txt
adding test1.txt

[david@localhost trunk]$ bzr commit -m "Added a line of text"
Committing to: /home/david/sample/trunk/
added test1.txt
Committed revision 1.

[david@localhost trunk]$ echo test test test > test1.txt

[david@localhost trunk]$ bzr diff
=== modified file 'test1.txt'
--- test1.txt   2013-08-20 11:24:57 +0000
+++ test1.txt   2013-08-20 11:25:21 +0000
@@ -1,2 +1,1 @@
-Added some text
-
+test test test

[david@localhost trunk]$ bzr commit -m "changed it"
Committing to: /home/david/sample/trunk/
modified test1.txt
Committed revision 2.

[david@localhost trunk]$ bzr log
------------------------------------------------------------
revno: 2
committer: Mee <geiger.davidxxxx@gmail.com>
branch nick: trunk
timestamp: Tue 2013-08-20 13:26:17 +0200
message:
  changed it
------------------------------------------------------------
revno: 1
committer: Mee <geiger.davidxxxx@gmail.com>
branch nick: trunk
timestamp: Tue 2013-08-20 13:24:57 +0200
message:
  Added a line of text

#################################################################

tornado :

Tornado tested using the hello world, saved as helloworld.py and started with python helloworld.py then browsed to http://localhost:8888 to see the message.

#################################################################

python3 :

tested with some examples in idle3
Comment 17 David GEIGER 2013-08-20 14:39:26 CEST
Testing complete mga3_32, ok for me, nothing to report.
 
python3-pip:

[root@localhost ~]# python3-pip install fabric
Downloading/unpacking fabric
  Downloading Fabric-1.7.0.tar.gz (219kB): 219kB downloaded
  Running setup.py egg_info for package fabric
...etc
Successfully installed fabric paramiko pycrypto
Cleaning up...

[root@localhost ~]# python3-pip uninstall fabric
Uninstalling Fabric:
  /usr/bin/fab
  /usr/lib/python3.3/site-packages/Fabric-1.7.0-py3.3.egg-info
...etc
  /usr/lib/python3.3/site-packages/fabric/version.py
Proceed (y/n)? y
  Successfully uninstalled Fabric

########################################################################

python3 :

$ cd tmp
$ wget -O python3programs.py http://www.annedawson.net/Python3Programs.txt
$ python3 python3programs.py

Choose Run Module in the Run menu. It ends in a loop which you have to kill with ctrl-c, but that's intentional and shows python3 working.

######################################################################

python-tornado :

Used the Hello World from http://www.tornadoweb.org/en/stable/
$ python helloworld.py 
WARNING:root:404 GET /favicon.ico (127.0.0.1) 0.31ms
WARNING:root:404 GET /favicon.ico (127.0.0.1) 0.26ms

Viewed it at http://localhost:8888/ and killed it with ctrl-c

############################################################

bzr :

same as comment 16
Comment 18 claire robinson 2013-08-20 15:07:27 CEST
Validating. Advisory from comment 11 uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to updates

Thanks!
Comment 19 Thomas Backlund 2013-08-22 19:59:06 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0252.html
Comment 20 Dave Hodgins 2013-08-26 21:15:36 CEST
Advisory 10391.adv corrected in svn (cve number)