Re: CVE Request (minor) -- Python 3.2: DoS when matching certificate with many '*' wildcard characters {was: [oss-security] CVE Request (minor) -- python-backports-ssl_match_hostname: Denial of service when matching certificate with many '*' wildcard characters }

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/15/2013 05:28 AM, Jan Lieskovsky wrote:
> ----- Original Message -----
> > From: "Jan Lieskovsky" <jlieskov () redhat com> To:
> > oss-security () lists openwall com Cc: "Steven M. Christey"
> > <coley () linus mitre org>, "Florian Weimer" <fweimer () redhat com>,
> > "Ian Weller" <ianweller () fedoraproject org> Sent: Wednesday, May
> > 15, 2013 1:19:33 PM Subject: [oss-security] CVE Request (minor)
> > --  python-backports-ssl_match_hostname: Denial of service when
> > matching certificate with many '*' wildcard characters
> >
> > Hello Kurt, Steve, vendors,
> >
> > A denial of service flaw was found in the way 
> > python-backports-ssl_match_hostname, an implementation that
> > brings the ssl.match_hostname() function from Python 3.2 to users
> > of earlier versions of Python, performed matching of the
> > certificate's name in the case it contained many '*' wildcard
> > characters. A remote attacker, able to obtain valid certificate
> > [*] with its name containing a lot of '*' wildcard characters, 
> > could use this flaw to cause denial of service (excessive CPU
> > time consumption) by issuing request to validate that certificate
> > for / in an application using the 
> > python-backports-ssl_match_hostname functionality.
> >
> > Upstream bug report (no patch yet): [1]
> > http://bugs.python.org/issue17980
> >
> > References: [2]
> > https://bugzilla.redhat.com/show_bug.cgi?id=963186
> >
> > Credit: Issue was found by Florian Weimer of Red Hat Product
> > Security Team
> >
> > Could you allocate a CVE identifier for this (it's possible that 
> > Python 3.2 implementation is vulnerable to the same problem too, 
> > will check that case yet)?
>
> Replying to myself here. Issue is present in Python 3.2 code too -
> so the CVE should be allocated for the original (Python 3.2) code,
> rather than to python-backports-ssl_match_hostname package.
>
> Updated subject of the request to reflect this.
>
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team
>
> > Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> > Security Response Team -- [*] Would be minor issue because
> > ability to obtain such valid certificate would mean the necessity
> > to use some compromised CA. On the other hand though being corner
> > case, can't be completely excluded.

Please use CVE-2013-2099 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRlDupAAoJEBYNRVNeJnmTR4QQAJigfFc7LqZbJJ2zKAZrNJNe
uXTXrhsNYGLWXXjInanJbDLgTtcuJp+xwhgBT/2GPLkZpapIrzmusysLnXXOh3mr
FAktSJEMqIj8SMf2Zccb1mLmWUVACSHq5uTA6rvU6BErv2/0sHvmjMDulNlVhkYs
vLf8i1D/yoE1hYef2xj6pkTcu7bRQQ9VbJWsiNwNU59MePMgIR78504HzmCkenYH
oK4Uv3P0a566FtX2wkgpPKkkYS4wTakaUrbqt7HeSArQ8NSlPc8FKelzn2H2qgje
YzzjZL0psOfpXsaj3wy8QLfRyVDAVdSXiLLMR8tFgA1KyXvmT+OJI05UAySe/NjY
huMxIc8Gy9rrEjQcpDEz9KgQXsNmIrUAasZcYXCmAM5309Pn0m3uSMHC6WX8kVlu
p2ikwjiVQc3iubBo2tVhgOuPshZ84tDrNz6CArtXpfBleYZ1Gk6qhRhngQCAPW6W
TQhQ85KycnOzQZmkHeVme7Z1EgdpFF1fkw8xXu4mU+6aqYSgXdOVVf9oGNW5brd2
27SVJj7eaYZyklqAnTKrIGpnLyg9e/GPr1T7q6L2I5QbX+8dls5U/0m0tw8COxLF
vzjDQHgkg4C/vNLP9032b083Cgm56/ypGXOXQHFaz1b9yTS9HB6Biaix2R/6ieOJ
RleZ90iLyFQKiUV9M/ua
=M2WT
-----END PGP SIGNATURE-----