Issue37463
Created on 2019-07-01 06:47 by christian.heimes, last changed 2019-07-05 09:49 by vstinner. This issue is now closed.
| Pull Requests | |||
|---|---|---|---|
| URL | Status | Linked | Edit |
| PR 14499 | closed | christian.heimes, 2019-07-01 06:50 | |
| PR 14559 | merged | miss-islington, 2019-07-02 18:40 | |
| PR 14560 | merged | miss-islington, 2019-07-02 18:40 | |
| Messages (12) | |||
|---|---|---|---|
| msg346964 - (view) | Author: Christian Heimes (christian.heimes) * | Date: 2019-07-01 06:47 | |
inet_aton accepts trailing characterrs after a valid IP ( https://bugzilla.redhat.com/show_bug.cgi?id=1347549). This, in combination with its use inside ssl.match_hostname, allows the following code to work when it should fail: import ssl cert = {'subjectAltName': (('IP Address', '1.1.1.1'),)} ssl.match_hostname(cert, '1.1.1.1 ; this should not work but does') The bug was initially found by Dominik Czarnota and reported by Paul Kehrer. The issue was introduced in commit aef1283ba428e33397d87cee3c54a5110861552d / bpo-32819. Only 3.7 and newer are affected. It's a potential security bug although low severity. For one Python 3.7 and newer no longer use ssl.match_hostname() to verify hostnames and IP addresses of a certificate. Matching is performed by OpenSSL. |
|||
| msg346980 - (view) | Author: STINNER Victor (vstinner) * | Date: 2019-07-01 08:55 | |
> It's a potential security bug although low severity. What is the worst that can happen with this issue? Other the client doesn't validate the cert at all, and so this issue has no impact, or the client validates the cert and trusts the CA, but the host isn't fully validated... Ok, but could someone abuse "1.1.1.1 ; this should not work but does"? Does a web browser accept such hostname? Or can it be used to inject SQL or a shell command for example? |
|||
| msg347121 - (view) | Author: Ned Deily (ned.deily) * | Date: 2019-07-02 08:32 | |
Ping. At the moment, this is the only release blocker preventing the release of 3.7.4rc2. |
|||
| msg347122 - (view) | Author: Riccardo Schirone (rschiron) | Date: 2019-07-02 08:49 | |
As far as I know you can't request a hostname with spaces in it (which seems to be a precondition to trigger this bug) so I think an attacker cannot even create a malicious CA that would be mistakenly accepted by match_hostname. |
|||
| msg347123 - (view) | Author: Christian Heimes (christian.heimes) * | Date: 2019-07-02 09:14 | |
Riccardo, the issue is about parsing the user supplied hostname/ipaddress, not the IPAddress field of the certificate. X.509 certs store IP addresses as fixed-size binary data, 4 bytes for IPv4 or 16 bytes for IPv6. There can't be any additional payload.
The bug is in the code that parses the user supplied "hostname" parameter to ssl.match_hostname(cert, hostname). The bug allows an attacker to pass an IPv4 address with additional content and ssl.match_hostname() ignores this additional content. This example should fail, but does not fail with an exception:
>>> import ssl
>>> cert = {'subjectAltName': [('IP Address', '127.0.0.1 additional payload')]}
>>> ssl.match_hostname(cert, '127.0.0.1')
|
|||
| msg347151 - (view) | Author: Łukasz Langa (lukasz.langa) * | Date: 2019-07-02 16:37 | |
FTR 3.8b2 is also waiting for this fix due to the expert's (that's you, Christian!) priority setting. |
|||
| msg347152 - (view) | Author: miss-islington (miss-islington) | Date: 2019-07-02 18:39 | |
New changeset 477b1b25768945621d466a8b3f0739297a842439 by Miss Islington (bot) (Christian Heimes) in branch 'master': bpo-37463: match_hostname requires quad-dotted IPv4 (GH-14499) https://github.com/python/cpython/commit/477b1b25768945621d466a8b3f0739297a842439 |
|||
| msg347154 - (view) | Author: miss-islington (miss-islington) | Date: 2019-07-02 21:06 | |
New changeset 3cba3d3c55f230a59174a0dfcafb1d4685269e60 by Miss Islington (bot) in branch '3.8': bpo-37463: match_hostname requires quad-dotted IPv4 (GH-14499) https://github.com/python/cpython/commit/3cba3d3c55f230a59174a0dfcafb1d4685269e60 |
|||
| msg347155 - (view) | Author: miss-islington (miss-islington) | Date: 2019-07-02 21:22 | |
New changeset 024ea2170b7c1652a62cc7458e736c63d4970eb1 by Miss Islington (bot) in branch '3.7': bpo-37463: match_hostname requires quad-dotted IPv4 (GH-14499) https://github.com/python/cpython/commit/024ea2170b7c1652a62cc7458e736c63d4970eb1 |
|||
| msg347156 - (view) | Author: Christian Heimes (christian.heimes) * | Date: 2019-07-02 21:25 | |
Ned, Łukasz, thanks for your patience. |
|||
| msg347162 - (view) | Author: Ned Deily (ned.deily) * | Date: 2019-07-02 22:34 | |
New changeset 070fae6d0ff49e63bfd5f2bdc66f8eb1df3b6557 by Ned Deily (Christian Heimes) in branch '3.7': bpo-37463: match_hostname requires quad-dotted IPv4 (GH-14499) https://github.com/python/cpython/commit/070fae6d0ff49e63bfd5f2bdc66f8eb1df3b6557 |
|||
| msg347323 - (view) | Author: STINNER Victor (vstinner) * | Date: 2019-07-05 09:49 | |
> inet_aton accepts trailing characterrs after a valid IP ( https://bugzilla.redhat.com/show_bug.cgi?id=1347549). There is a little bit of confusion between getaddrinfo() and inet_aton() here (https://bugzilla.redhat.com/show_bug.cgi?id=1347549 is about getaddrinfo()). getaddrinfo() has been fixed: https://sourceware.org/bugzilla/show_bug.cgi?id=20018 But glibc devs don't want to fix inet_aton() to keep the backward compatibility ("for historic reasons"): more info in bpo-37495 "socket.inet_aton parsing issue on some libc versions". This issue is about ssl.match_hostname() which uses internally socket.inet_aton(). ssl.match_hostname() has been fixed to implement further checks to workaround inet_aton() behavior (ignore extra string after a whitespace). I also removed inet_aton() from the title of this issue to reduce confusion ;-) |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2019-07-05 09:49:51 | vstinner | set | messages: + msg347323 |
| 2019-07-05 09:37:09 | christian.heimes | set | title: ssl.match_hostname() ignores extra string after a space in IPv4 address -> ssl.match_hostname() ignores extra string after whitespace in IPv4 address |
| 2019-07-05 09:35:33 | vstinner | set | title: socket.inet_aton IP parsing issue in ssl.match_hostname -> ssl.match_hostname() ignores extra string after a space in IPv4 address |
| 2019-07-02 22:34:03 | ned.deily | set | messages: + msg347162 |
| 2019-07-02 21:25:53 | christian.heimes | set | status: open -> closed resolution: fixed messages: + msg347156 stage: patch review -> resolved |
| 2019-07-02 21:22:56 | miss-islington | set | messages: + msg347155 |
| 2019-07-02 21:06:37 | miss-islington | set | messages: + msg347154 |
| 2019-07-02 18:40:11 | miss-islington | set | pull_requests: + pull_request14377 |
| 2019-07-02 18:40:00 | miss-islington | set | pull_requests: + pull_request14376 |
| 2019-07-02 18:39:55 | miss-islington | set | nosy:
+ miss-islington messages: + msg347152 |
| 2019-07-02 16:37:59 | lukasz.langa | set | messages: + msg347151 |
| 2019-07-02 09:14:21 | christian.heimes | set | messages: + msg347123 |
| 2019-07-02 08:49:22 | rschiron | set | nosy:
+ rschiron messages: + msg347122 |
| 2019-07-02 08:32:12 | ned.deily | set | messages: + msg347121 |
| 2019-07-01 08:55:28 | vstinner | set | nosy:
+ vstinner messages: + msg346980 |
| 2019-07-01 06:50:48 | christian.heimes | set | keywords:
+ patch stage: needs patch -> patch review pull_requests: + pull_request14315 |
| 2019-07-01 06:47:04 | christian.heimes | create | |