oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE Request (minor) -- Python 3.2: DoS when matching certificate with many '*' wildcard characters {was: [oss-security] CVE Request (minor) -- python-backports-ssl_match_hostname: Denial of service when matching certificate with many '*' wildcard characters }

From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 22 May 2013 01:08:36 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/20/2013 01:21 PM, Tomas Hoger wrote:

On Wed, 15 May 2013 19:51:38 -0600 Kurt Seifried wrote:


On 05/15/2013 05:28 AM, Jan Lieskovsky wrote:



Replying to myself here. Issue is present in Python 3.2 code
too - so the CVE should be allocated for the original (Python
3.2) code, rather than to python-backports-ssl_match_hostname
package.


...


Please use CVE-2013-2099 for this issue.


There should be no need for two separate CVEs for this issue. 
Problematic match_hostname was developed in Python 3.  As its 
functionality is needed by Python 2 users, and it is not provided
by the standard library, Python 3 implementation was made available
via different module.  It's the same code, packaged in python (3.x)
and python-backports-ssl_match_hostname packages.  The same CVE
should apply to both.

Given that CVE-2013-2099 was assigned to Python 3 ssl,
CVE-2013-2098 seems like the one to reject as dupe.



My reasoning here was that Python 2 and 3 constitute "forked" or
separate code bases, so fall under CVE SPLIT.evidence includes:

1) Python 2to3, a lot of Python code needs work to move from 2 to 3
2) This feature was added as standard in Python 3 and then later back
ported to 2

Steve, can we get a referees decision here? Thanks.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRnG70AAoJEBYNRVNeJnmTpEYP/jfly9dWKELpKrVdjXr7pKaU
KxwJSr2PlNA0p0vN91ESKZYsCBcGV/jnPU8YqhyW6WiFbTcpM7s8Kv7QGN+urQkB
NK0R7QNcZHb0e7/5NGkMyVFHZMivICsyOpjn8RgX39CC+OypjLCVln5cBctKvBvF
uYjf1GNOVW3EImTxGDa6xe04pqXRW1+g9E4jwaeDLNQSaB60j4QU2XmoSwsxvcor
LH2OAU3ZTaGztxLzQHfptaqV8XzeWvR8lRKduFcI8Yo6Y0peicBkTirzitLC+vDi
ZD6WX+ru7pyxNlMwfIss7H+xXQon/zCZO8Q8DTRGRTweLSMGyzVh7I2h6Xx2PfMo
2JFTJP6mEokPa9OEHZdEwkfwQGFGG2vKemrKgu7Ya+sDoNmSpNmU3jQAefUClW0b
1FGVGB2Q2gg4v2ZXyYGWSoYVBb9+Bg/d4eaJjNr2OxJh7Xlgc26f1aa9pbka6Xg/
M5sgMQwMD8ZMSuX2SY0RbiAcswQDbb5MWzcJZaeTsSqRZ5aEh+4y0VdMHAoXyiSm
+P6NcKQHYgOP/lnR7CRYjy6PgGVGW00RK0bufpR3bVbKLRAwbomVpyicJkreQag5
dO2RTGTdUnYdyFkvXUGGjrYrDi28yNt9ELn5N0fv3ChwK+dYJBMnxcQF2tIgyI9g
UdInSDJvngF8rE2QhQ0+
=tg8P
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: