Ubuntu
bzr package

[CVE-2013-2099] ssl.match_hostname() trips over crafted wildcard names

Bug #1182124 reported by Andrew Starr-Bochicchio
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Bazaar
Fix Released
Medium
Andrew Starr-Bochicchio
Bazaar 2.6.0
Python
Fix Released
Unknown
bzr (Debian)
Fix Released
Unknown
bzr (Ubuntu)
Fix Released
Medium
Andrew Starr-Bochicchio

Bug Description

/bzrlib/transport/http/_urllib2_wrappers.py contains code from Python 3.2's ssl module for which there has been a security issue found.

Python Bug: http://bugs.python.org/issue17980
CVE request: http://www.openwall.com/lists/oss-security/2013/05/15/6
Probable fix: http://hg.python.org/cpython/rev/fafd33db6ff6/

ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: bzr 2.6.0~bzr6571-4ubuntu2
ProcVersionSignature: Ubuntu 3.8.0-21.32-generic 3.8.8
Uname: Linux 3.8.0-21-generic x86_64
ApportVersion: 2.9.2-0ubuntu8
Architecture: amd64
Date: Mon May 20 11:36:23 2013
InstallationDate: Installed on 2013-03-16 (64 days ago)
InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Alpha amd64 (20130316)
MarkForUpload: True
PackageArchitecture: all
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: bzr
UpgradeStatus: No upgrade log present (probably fresh install)

Related branches

lp:~andrewsomething/bzr/CVE-2013-2099
bzr-core: Pending requested
Diff: 48 lines (+24/-1)
2 files modified
bzrlib/tests/test_https_urllib.py (+16/-0)
bzrlib/transport/http/_urllib2_wrappers.py (+8/-1)
lp:~debian-bazaar/bzr/2.6

CVE References

Revision history for this message
Andrew Starr-Bochicchio (andrewsomething) wrote :
Changed in bzr (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in bzr:
status: New → Triaged
importance: Undecided → Medium
Andrew Starr-Bochicchio (andrewsomething)
Changed in bzr:
status: Triaged → In Progress
assignee: nobody → Andrew Starr-Bochicchio (andrewsomething)
Bug Watch Updater (bug-watch-updater)
Changed in bzr (Debian):
status: Unknown → Confirmed
Bug Watch Updater (bug-watch-updater)
Changed in python:
status: Unknown → Fix Released
Andrew Starr-Bochicchio (andrewsomething)
Changed in bzr (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Andrew Starr-Bochicchio (andrewsomething)
Changed in bzr:
status: In Progress → Fix Committed
milestone: none → 2.6b3
Revision history for this message
Andrew Starr-Bochicchio (andrewsomething) wrote :

Fixed both upstream and Debian. Attached debdiff merges the fix from Debian.

(I've dropped the Ubuntu change to Vcs fields as the UDD bzr imports for both Debian and Ubuntu are out of date. So that branch isn't very helpful. Yes, I realize that is a bit ironic...)

Changes since last Ubuntu version:

 bzr (2.6.0~bzr6574-1ubuntu1) saucy; urgency=low
 .
   * Merge from Debian unstable. Remaining Ubuntu changes:
    - Drop build dependencies on python-{meliae,lzma,medusa},
      which are not in main.
   * Drop changes to Vcs fields. The UDD imports are out of date.
 .
 bzr (2.6.0~bzr6574-1) unstable; urgency=low
 .
   * New upstream snapshot.
    - Fix CVE 2013-2009. Avoid allowing multiple wildcards in a single
      SSL cert hostname segment (Closes: #709068, LP: #1182124).
 .
 bzr (2.6.0~bzr6573-1) unstable; urgency=low
 .
   * Upload to unstable.
   * New upstream snapshot.
   * Remove the test_tuned_gzip.TestToGzip.test_enormous_chunks test
     (LP: #1116079, #1160572).
   * Drop debian/patches/04_revert_ui_changes, fixed upstream.
   * Drop deprecated Dm-Upload-Allowed field.
   * Bump Standards-Version to 3.9.4, no changes needed.
   * Drop un-needed Build-Conflicts on python-gpgme.

Revision history for this message
Andrew Starr-Bochicchio (andrewsomething) wrote :
Changed in bzr (Ubuntu):
status: In Progress → Triaged
Bug Watch Updater (bug-watch-updater)
Changed in bzr (Debian):
status: Confirmed → Fix Released
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Merge in comment #2 looks good. Thanks!
Uploaded to saucy.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bzr - 2.6.0~bzr6574-1ubuntu1

---------------
bzr (2.6.0~bzr6574-1ubuntu1) saucy; urgency=low

  * Merge from Debian unstable. Remaining Ubuntu changes:
   - Drop build dependencies on python-{meliae,lzma,medusa},
     which are not in main.
  * Drop changes to Vcs fields. The UDD imports are out of date.

bzr (2.6.0~bzr6574-1) unstable; urgency=low

  * New upstream snapshot.
   - Fix CVE 2013-2009. Avoid allowing multiple wildcards in a single
     SSL cert hostname segment (Closes: #709068, LP: #1182124).

bzr (2.6.0~bzr6573-1) unstable; urgency=low

  * Upload to unstable.
  * New upstream snapshot.
  * Remove the test_tuned_gzip.TestToGzip.test_enormous_chunks test
    (LP: #1116079, #1160572).
  * Drop debian/patches/04_revert_ui_changes, fixed upstream.
  * Drop deprecated Dm-Upload-Allowed field.
  * Bump Standards-Version to 3.9.4, no changes needed.
  * Drop un-needed Build-Conflicts on python-gpgme.
 -- Andrew Starr-Bochicchio <email address hidden> Mon, 20 May 2013 20:55:13 -0400

Changed in bzr (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Toshio Kuratomi (toshio) wrote :

Note: there's now a backports module on pypi for this function: https://pypi.python.org/pypi/backports.ssl_match_hostname/

However, it hasn't fixed this CVE upstream as fast as you have :-)

Vincent Ladeuil (vila)
Changed in bzr:
status: Fix Committed → Fix Released
Vincent Ladeuil (vila)
Changed in bzr:
milestone: 2.6b3 → 2.6.0
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.