[Python-modules-commits] r26038 - in packages/python-tornado/trunk/debian (3 files)
asb at users.alioth.debian.org
Fri Oct 4 22:59:58 UTC 2013
Date: Friday, October 4, 2013 @ 22:59:56
Author: asb
Revision: 26038
Backport fix for CVE 2013-2009. Avoid allowing multiple
wildcards in a single SSL cert hostname segment (Closes: #709069).
Added:
packages/python-tornado/trunk/debian/patches/CVE-2013-2099.patch
Modified:
packages/python-tornado/trunk/debian/changelog
packages/python-tornado/trunk/debian/patches/series
Modified: packages/python-tornado/trunk/debian/changelog
===================================================================
--- packages/python-tornado/trunk/debian/changelog 2013-10-04 22:25:48 UTC (rev 26037)
+++ packages/python-tornado/trunk/debian/changelog 2013-10-04 22:59:56 UTC (rev 26038)
@@ -1,7 +1,12 @@
python-tornado (2.4.1-3) UNRELEASED; urgency=low
+ [ Jakub Wilk ]
* Run tests only if DEB_BUILD_OPTIONS=nocheck is not set.
+ [ Andrew Starr-Bochicchio ]
+ * Backport fix for CVE 2013-2009. Avoid allowing multiple
+ wildcards in a single SSL cert hostname segment (Closes: #709069).
+
-- Jakub Wilk <jwilk at debian.org> Thu, 13 Jun 2013 13:13:51 +0200
python-tornado (2.4.1-2) unstable; urgency=low
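Review bot: the CVE identifier in the new changelog entry (`+ * Backport fix for CVE 2013-2009.`) does not match the patch this same commit adds, which is named `CVE-2013-2099.patch` both under debian/patches and in the series file, and whose DEP-3 header ties it to Debian bug 709069. Suggest correcting the entry to read `CVE-2013-2099` (hyphenated, in the usual form) before this is uploaded, so the security tracker and anyone grepping the changelog can match the fix to the right advisory.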
Added: packages/python-tornado/trunk/debian/patches/CVE-2013-2099.patch
===================================================================
--- packages/python-tornado/trunk/debian/patches/CVE-2013-2099.patch (rev 0)
+++ packages/python-tornado/trunk/debian/patches/CVE-2013-2099.patch 2013-10-04 22:59:56 UTC (rev 26038)
@@ -0,0 +1,33 @@
+From a9c94f322e691d48151c1eb67f2742a39ad3ab46 Mon Sep 17 00:00:00 2001
+From: Ben Darnell <ben at bendarnell.com>
+Date: Thu, 23 May 2013 23:57:30 -0400
+Subject: [PATCH] Backport changes from ssl.match_hostname in Python 3.3.
+Origin: upstream, https://github.com/facebook/tornado/commit/a9c94f322e691d48151c1eb67f2742a39ad3ab46
+Bug: https://github.com/facebook/tornado/issues/799
+Debian-Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=709069
+
+* Fix potential CPU DoS via abusive wildcard pattern
+ http://hg.python.org/cpython/rev/fafd33db6ff6
+
+---
+
+--- python-tornado-2.4.1.orig/tornado/simple_httpclient.py
++++ python-tornado-2.4.1/tornado/simple_httpclient.py
+@@ -486,9 +486,16 @@ class CertificateError(ValueError):
+ pass
+
+
+-def _dnsname_to_pat(dn):
++def _dnsname_to_pat(dn, max_wildcards=1):
+ pats = []
+ for frag in dn.split(r'.'):
++ if frag.count('*') > max_wildcards:
++ # Issue #17980: avoid denials of service by refusing more
++ # than one wildcard per fragment. A survery of established
++ # policy among SSL implementations showed it to be a
++ # reasonable choice.
++ raise CertificateError(
++ "too many wildcards in certificate DNS name: " + repr(dn))
+ if frag == '*':
+ # When '*' is a fragment by itself, it matches a non-empty dotless
+ # fragment.
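Review bot: the new limit is applied per dotted label (`frag.count('*') > max_wildcards` inside the `for frag in dn.split(r'.')` loop), so a name carrying one `*` in each of several labels still passes; that matches the policy stated in the backported comment ("more than one wildcard per fragment") but is narrower than the changelog summary's wording, so the patch description could say "per hostname segment" explicitly. The check sits before the existing `if frag == '*':` branch, and a lone `*` has a count of 1, so the single-wildcard case is unaffected. Minor: the comment keeps upstream's typo "survery" (survey); leaving it is reasonable here since the Origin header points at upstream commit a9c94f3 and an identical backport is easier to audit.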
Modified: packages/python-tornado/trunk/debian/patches/series
===================================================================
--- packages/python-tornado/trunk/debian/patches/series 2013-10-04 22:25:48 UTC (rev 26037)
+++ packages/python-tornado/trunk/debian/patches/series 2013-10-04 22:59:56 UTC (rev 26038)
@@ -2,3 +2,4 @@
certs-path.patch
ignoreuserwarning.patch
random-port.patch
+CVE-2013-2099.patch