[Python-modules-commits] r27188 - in packages/pyopenssl/trunk/debian (3 files)
morph at users.alioth.debian.org
morph at users.alioth.debian.org
Sun Jan 12 17:50:46 UTC 2014
Date: Sunday, January 12, 2014 @ 17:50:46
Author: morph
Revision: 27188
debian/patches/CVE-2013-4314.patch removed, merged upstream
Modified:
packages/pyopenssl/trunk/debian/changelog
packages/pyopenssl/trunk/debian/patches/series
Deleted:
packages/pyopenssl/trunk/debian/patches/CVE-2013-4314.patch
Modified: packages/pyopenssl/trunk/debian/changelog
===================================================================
--- packages/pyopenssl/trunk/debian/changelog 2014-01-12 17:46:26 UTC (rev 27187)
+++ packages/pyopenssl/trunk/debian/changelog 2014-01-12 17:50:46 UTC (rev 27188)
@@ -5,9 +5,10 @@
[ Sandro Tosi ]
* New upstream release
+ - debian/patches/CVE-2013-4314.patch removed, merged upstream
* Acknowledge NMU; thanks Salvatore Bonaccorso; Closes: #722055
- -- Sandro Tosi <morph at debian.org> Sun, 12 Jan 2014 18:45:46 +0100
+ -- Sandro Tosi <morph at debian.org> Sun, 12 Jan 2014 18:50:28 +0100
pyopenssl (0.13-3.1) experimental; urgency=low
Deleted: packages/pyopenssl/trunk/debian/patches/CVE-2013-4314.patch
===================================================================
--- packages/pyopenssl/trunk/debian/patches/CVE-2013-4314.patch 2014-01-12 17:46:26 UTC (rev 27187)
+++ packages/pyopenssl/trunk/debian/patches/CVE-2013-4314.patch 2014-01-12 17:50:46 UTC (rev 27188)
@@ -1,222 +0,0 @@
-Description: Fix hostname check bypassing vulnerability
- Fix handling of NULL bytes inside subjectAltName general names when
- formatting an X509 extension as a string.
- .
- When a CA than an SSL client trusts issues a server certificate that
- has a null byte in the subjectAltName, remote attackers can obtain a
- certifcate for 'www.foo.org\0.example.com' from the CA to spoof
- 'www.foo.org' and conduct man-in-the-middle attacks between the
- pyOpenSSL-using client and SSL servers.
- .
- Additionally fix memory leak in get_extension().
-Origin: upstream, http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/revision/169
-Bug-Debian: http://bugs.debian.org/722055
-Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1005325
-Forwarded: not-needed
-Author: Salvatore Bonaccorso <carnil at debian.org>
-Last-Update: 2013-09-14
-Applied-Upstream: 0.13.1
-
---- a/OpenSSL/crypto/x509.c
-+++ b/OpenSSL/crypto/x509.c
-@@ -756,6 +756,7 @@
-
- extobj = PyObject_New(crypto_X509ExtensionObj, &crypto_X509Extension_Type);
- extobj->x509_extension = X509_EXTENSION_dup(ext);
-+ extobj->dealloc = 1;
-
- return (PyObject*)extobj;
- }
---- a/OpenSSL/crypto/x509ext.c
-+++ b/OpenSSL/crypto/x509ext.c
-@@ -236,19 +236,92 @@
- PyObject_Del(self);
- }
-
-+
-+/* Special handling of subjectAltName. OpenSSL's builtin formatter,
-+ * X509V3_EXT_print, mishandles NUL bytes allowing a truncated display that
-+ * does not accurately reflect what's in the extension.
-+ */
-+int
-+crypto_X509Extension_str_subjectAltName(crypto_X509ExtensionObj *self, BIO *bio) {
-+ GENERAL_NAMES *names;
-+ const X509V3_EXT_METHOD *method = NULL;
-+ long i, length, num;
-+ const unsigned char *p;
-+
-+ method = X509V3_EXT_get(self->x509_extension);
-+ if (method == NULL) {
-+ return -1;
-+ }
-+
-+ p = self->x509_extension->value->data;
-+ length = self->x509_extension->value->length;
-+ if (method->it) {
-+ names = (GENERAL_NAMES*)(ASN1_item_d2i(NULL, &p, length,
-+ ASN1_ITEM_ptr(method->it)));
-+ } else {
-+ names = (GENERAL_NAMES*)(method->d2i(NULL, &p, length));
-+ }
-+ if (names == NULL) {
-+ return -1;
-+ }
-+
-+ num = sk_GENERAL_NAME_num(names);
-+ for (i = 0; i < num; i++) {
-+ GENERAL_NAME *name;
-+ ASN1_STRING *as;
-+ name = sk_GENERAL_NAME_value(names, i);
-+ switch (name->type) {
-+ case GEN_EMAIL:
-+ BIO_puts(bio, "email:");
-+ as = name->d.rfc822Name;
-+ BIO_write(bio, ASN1_STRING_data(as),
-+ ASN1_STRING_length(as));
-+ break;
-+ case GEN_DNS:
-+ BIO_puts(bio, "DNS:");
-+ as = name->d.dNSName;
-+ BIO_write(bio, ASN1_STRING_data(as),
-+ ASN1_STRING_length(as));
-+ break;
-+ case GEN_URI:
-+ BIO_puts(bio, "URI:");
-+ as = name->d.uniformResourceIdentifier;
-+ BIO_write(bio, ASN1_STRING_data(as),
-+ ASN1_STRING_length(as));
-+ break;
-+ default:
-+ /* use builtin print for GEN_OTHERNAME, GEN_X400,
-+ * GEN_EDIPARTY, GEN_DIRNAME, GEN_IPADD and GEN_RID
-+ */
-+ GENERAL_NAME_print(bio, name);
-+ }
-+ /* trailing ', ' except for last element */
-+ if (i < (num - 1)) {
-+ BIO_puts(bio, ", ");
-+ }
-+ }
-+ sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
-+
-+ return 0;
-+}
-+
- /*
- * Print a nice text representation of the certificate request.
- */
- static PyObject *
--crypto_X509Extension_str(crypto_X509ExtensionObj *self)
--{
-+crypto_X509Extension_str(crypto_X509ExtensionObj *self) {
- int str_len;
- char *tmp_str;
- PyObject *str;
- BIO *bio = BIO_new(BIO_s_mem());
-
-- if (!X509V3_EXT_print(bio, self->x509_extension, 0, 0))
-- {
-+ if (OBJ_obj2nid(self->x509_extension->object) == NID_subject_alt_name) {
-+ if (crypto_X509Extension_str_subjectAltName(self, bio) == -1) {
-+ BIO_free(bio);
-+ exception_from_error_queue(crypto_Error);
-+ return NULL;
-+ }
-+ } else if (!X509V3_EXT_print(bio, self->x509_extension, 0, 0)) {
- BIO_free(bio);
- exception_from_error_queue(crypto_Error);
- return NULL;
-@@ -267,7 +340,7 @@
- "X509Extension",
- sizeof(crypto_X509ExtensionObj),
- 0,
-- (destructor)crypto_X509Extension_dealloc,
-+ (destructor)crypto_X509Extension_dealloc,
- NULL, /* print */
- NULL, /* getattr */
- NULL, /* setattr (setattrfunc)crypto_X509Name_setattr, */
---- a/OpenSSL/test/test_crypto.py
-+++ b/OpenSSL/test/test_crypto.py
-@@ -265,6 +265,37 @@
- -----END RSA PRIVATE KEY-----
- """)
-
-+# certificate with NULL bytes in subjectAltName and common name
-+
-+nulbyteSubjectAltNamePEM = b("""-----BEGIN CERTIFICATE-----
-+MIIE2DCCA8CgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBxTELMAkGA1UEBhMCVVMx
-+DzANBgNVBAgMBk9yZWdvbjESMBAGA1UEBwwJQmVhdmVydG9uMSMwIQYDVQQKDBpQ
-+eXRob24gU29mdHdhcmUgRm91bmRhdGlvbjEgMB4GA1UECwwXUHl0aG9uIENvcmUg
-+RGV2ZWxvcG1lbnQxJDAiBgNVBAMMG251bGwucHl0aG9uLm9yZwBleGFtcGxlLm9y
-+ZzEkMCIGCSqGSIb3DQEJARYVcHl0aG9uLWRldkBweXRob24ub3JnMB4XDTEzMDgw
-+NzEzMTE1MloXDTEzMDgwNzEzMTI1MlowgcUxCzAJBgNVBAYTAlVTMQ8wDQYDVQQI
-+DAZPcmVnb24xEjAQBgNVBAcMCUJlYXZlcnRvbjEjMCEGA1UECgwaUHl0aG9uIFNv
-+ZnR3YXJlIEZvdW5kYXRpb24xIDAeBgNVBAsMF1B5dGhvbiBDb3JlIERldmVsb3Bt
-+ZW50MSQwIgYDVQQDDBtudWxsLnB5dGhvbi5vcmcAZXhhbXBsZS5vcmcxJDAiBgkq
-+hkiG9w0BCQEWFXB5dGhvbi1kZXZAcHl0aG9uLm9yZzCCASIwDQYJKoZIhvcNAQEB
-+BQADggEPADCCAQoCggEBALXq7cn7Rn1vO3aA3TrzA5QLp6bb7B3f/yN0CJ2XFj+j
-+pHs+Gw6WWSUDpybiiKnPec33BFawq3kyblnBMjBU61ioy5HwQqVkJ8vUVjGIUq3P
-+vX/wBmQfzCe4o4uM89gpHyUL9UYGG8oCRa17dgqcv7u5rg0Wq2B1rgY+nHwx3JIv
-+KRrgSwyRkGzpN8WQ1yrXlxWjgI9de0mPVDDUlywcWze1q2kwaEPTM3hLAmD1PESA
-+oY/n8A/RXoeeRs9i/Pm/DGUS8ZPINXk/yOzsR/XvvkTVroIeLZqfmFpnZeF0cHzL
-+08LODkVJJ9zjLdT7SA4vnne4FEbAxDbKAq5qkYzaL4UCAwEAAaOB0DCBzTAMBgNV
-+HRMBAf8EAjAAMB0GA1UdDgQWBBSIWlXAUv9hzVKjNQ/qWpwkOCL3XDALBgNVHQ8E
-+BAMCBeAwgZAGA1UdEQSBiDCBhYIeYWx0bnVsbC5weXRob24ub3JnAGV4YW1wbGUu
-+Y29tgSBudWxsQHB5dGhvbi5vcmcAdXNlckBleGFtcGxlLm9yZ4YpaHR0cDovL251
-+bGwucHl0aG9uLm9yZwBodHRwOi8vZXhhbXBsZS5vcmeHBMAAAgGHECABDbgAAAAA
-+AAAAAAAAAAEwDQYJKoZIhvcNAQEFBQADggEBAKxPRe99SaghcI6IWT7UNkJw9aO9
-+i9eo0Fj2MUqxpKbdb9noRDy2CnHWf7EIYZ1gznXPdwzSN4YCjV5d+Q9xtBaowT0j
-+HPERs1ZuytCNNJTmhyqZ8q6uzMLoht4IqH/FBfpvgaeC5tBTnTT0rD5A/olXeimk
-+kX4LxlEx5RAvpGB2zZVRGr6LobD9rVK91xuHYNIxxxfEGE8tCCWjp0+3ksri9SXx
-+VHWBnbM9YaL32u3hxm8sYB/Yb8WSBavJCWJJqRStVRHM1koZlJmXNx2BX4vPo6iW
-+RFEIPQsFZRLrtnCAiEhyT8bC2s/Njlu6ly9gtJZWSV46Q3ZjBL4q9sHKqZQ=
-+-----END CERTIFICATE-----""")
-+
-
- class X509ExtTests(TestCase):
- """
-@@ -856,6 +887,19 @@
- [(b("CN"), b("foo")), (b("OU"), b("bar"))])
-
-
-+ def test_load_nul_byte_attribute(self):
-+ """
-+ An :py:class:`OpenSSL.crypto.X509Name` from an
-+ :py:class:`OpenSSL.crypto.X509` instance loaded from a file can have a
-+ NUL byte in the value of one of its attributes.
-+ """
-+ cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM)
-+ subject = cert.get_subject()
-+ self.assertEqual(
-+ "null.python.org\x00example.org", subject.commonName)
-+
-+
-+
- class _PKeyInteractionTestsMixin:
- """
- Tests which involve another thing and a PKey.
-@@ -1382,6 +1426,24 @@
- self.assertRaises(TypeError, cert.get_extension, "hello")
-
-
-+ def test_nullbyte_subjectAltName(self):
-+ """
-+ The fields of a `subjectAltName` extension on an X509 may contain NUL
-+ bytes and this value is reflected in the string representation of the
-+ extension object.
-+ """
-+ cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM)
-+
-+ ext = cert.get_extension(3)
-+ self.assertEqual(ext.get_short_name(), b('subjectAltName'))
-+ self.assertEqual(
-+ b("DNS:altnull.python.org\x00example.com, "
-+ "email:null at python.org\x00user at example.org, "
-+ "URI:http://null.python.org\x00http://example.org, "
-+ "IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1\n"),
-+ b(str(ext)))
-+
-+
- def test_invalid_digest_algorithm(self):
- """
- L{X509.digest} raises L{ValueError} if called with an unrecognized hash
Modified: packages/pyopenssl/trunk/debian/patches/series
===================================================================
--- packages/pyopenssl/trunk/debian/patches/series 2014-01-12 17:46:26 UTC (rev 27187)
+++ packages/pyopenssl/trunk/debian/patches/series 2014-01-12 17:50:46 UTC (rev 27188)
@@ -1,3 +1,2 @@
10_fix_doc_buildsystem.patch
disable_test_set_default_verify_paths.patch
-CVE-2013-4314.patch