Ryan Sleevi of the Google Chrome Security Team has informed us that Python's SSL module doesn't handle NULL bytes inside subjectAltNames general names. It's related to Ruby's CVE-2013-4073 http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/

Although Python uses a slightly different OpenSSL API to parse a X.509 certificate and turn its fields into a dictionary, our implementation eventually uses an OpenSSL function that fails to handle NULL bytes. This could lead to a breach when an application uses ssl.match_hostname() to match the hostname againt the certificate's subjectAltName's dNSName general names.

When the Ruby issues was announced publicly I already suspected that our code may suffer from the same issue. But I was unable to generate a X.509 certificate with a NULL byte in its X509v3 subjectAltName extension, only in subject and issuer. OpenSSL's config file format just didn't support NULL bytes. But Our code handled the NULL byte in subject in issuer just fine so I gave up. In the light of the bug report I went a different path and eventually I came up with a malicious certificate that showed the reported bug.

Demo certificate:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Oregon, L=Beaverton, O=Python Software Foundation, OU=Python Core Development, CN=null.python.org\x00example.org/emailAddress=python-dev@python.org
Validity
Not Before: Aug 7 13:11:52 2013 GMT
Not After : Aug 7 13:12:52 2013 GMT
Subject: C=US, ST=Oregon, L=Beaverton, O=Python Software Foundation, OU=Python Core Development, CN=null.python.org\x00example.org/emailAddress=python-dev@python.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b5:ea:ed:c9:fb:46:7d:6f:3b:76:80:dd:3a:f3:
03:94:0b:a7:a6:db:ec:1d:df:ff:23:74:08:9d:97:
16:3f:a3:a4:7b:3e:1b:0e:96:59:25:03:a7:26:e2:
88:a9:cf:79:cd:f7:04:56:b0:ab:79:32:6e:59:c1:
32:30:54:eb:58:a8:cb:91:f0:42:a5:64:27:cb:d4:
56:31:88:52:ad:cf:bd:7f:f0:06:64:1f:cc:27:b8:
a3:8b:8c:f3:d8:29:1f:25:0b:f5:46:06:1b:ca:02:
45:ad:7b:76:0a:9c:bf:bb:b9:ae:0d:16:ab:60:75:
ae:06:3e:9c:7c:31:dc:92:2f:29:1a:e0:4b:0c:91:
90:6c:e9:37:c5:90:d7:2a:d7:97:15:a3:80:8f:5d:
7b:49:8f:54:30:d4:97:2c:1c:5b:37:b5:ab:69:30:
68:43:d3:33:78:4b:02:60:f5:3c:44:80:a1:8f:e7:
f0:0f:d1:5e:87:9e:46:cf:62:fc:f9:bf:0c:65:12:
f1:93:c8:35:79:3f:c8:ec:ec:47:f5:ef:be:44:d5:
ae:82:1e:2d:9a:9f:98:5a:67:65:e1:74:70:7c:cb:
d3:c2:ce:0e:45:49:27:dc:e3:2d:d4:fb:48:0e:2f:
9e:77:b8:14:46:c0:c4:36:ca:02:ae:6a:91:8c:da:
2f:85
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
88:5A:55:C0:52:FF:61:CD:52:A3:35:0F:EA:5A:9C:24:38:22:F7:5C
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
*************************************************************
WARNING: The values for DNS, email and URI are WRONG. OpenSSL
doesn't print the text after a NULL byte.
*************************************************************
DNS:altnull.python.org, email:null@python.org, URI:http://null.python.org, IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1
Signature Algorithm: sha1WithRSAEncryption
ac:4f:45:ef:7d:49:a8:21:70:8e:88:59:3e:d4:36:42:70:f5:
a3:bd:8b:d7:a8:d0:58:f6:31:4a:b1:a4:a6:dd:6f:d9:e8:44:
3c:b6:0a:71:d6:7f:b1:08:61:9d:60:ce:75:cf:77:0c:d2:37:
86:02:8d:5e:5d:f9:0f:71:b4:16:a8:c1:3d:23:1c:f1:11:b3:
56:6e:ca:d0:8d:34:94:e6:87:2a:99:f2:ae:ae:cc:c2:e8:86:
de:08:a8:7f:c5:05:fa:6f:81:a7:82:e6:d0:53:9d:34:f4:ac:
3e:40:fe:89:57:7a:29:a4:91:7e:0b:c6:51:31:e5:10:2f:a4:
60:76:cd:95:51:1a:be:8b:a1:b0:fd:ad:52:bd:d7:1b:87:60:
d2:31:c7:17:c4:18:4f:2d:08:25:a3:a7:4f:b7:92:ca:e2:f5:
25:f1:54:75:81:9d:b3:3d:61:a2:f7:da:ed:e1:c6:6f:2c:60:
1f:d8:6f:c5:92:05:ab:c9:09:62:49:a9:14:ad:55:11:cc:d6:
4a:19:94:99:97:37:1d:81:5f:8b:cf:a3:a8:96:44:51:08:3d:
0b:05:65:12:eb:b6:70:80:88:48:72:4f:c6:c2:da:cf:cd:8e:
5b:ba:97:2f:60:b4:96:56:49:5e:3a:43:76:63:04:be:2a:f6:
c1:ca:a9:94

The correct values are:

(('DNS', 'altnull.python.org\x00example.com'),
('email', 'null@python.org\x00user@example.org'),
('URI', 'http://null.python.org\\x00http://example.org'),
('IP Address', '192.0.2.1'),
('IP Address', '2001:DB8:0:0:0:0:0:1\n'))

Does it really make sense to allow to open a certificate containing a NUL byte in its name? How does OpenSSL and other projects handle this case?

OpenSSL's print() functions fail to handle the NULL byte in subjectAltName (SAN) general names as they use strlen() or printf() functions with "%s" format char. The subject and issuer elements with NULL bytes are handled correctly by OpenSSL.

wget and curl combine CN / SAN parsing and hostname matching in one function. Both report an error when they see a NULL byte in a dNSName (strlen(dNSName) != lengtt of ASN1_STRING).

Python has separate functions for retrieving the X.509 information and matching a hostname against CN / SAN. I like to keep it that way and just for our parsing code in this bug. Latter ssl.match_hostname() can check for NULL bytes and raise an exception, but that's a different issue.

This issue has been assigned CVE-2013-4238 [1].

Please use CVE-2013-4238 for this issue in Python for patches and references.

[1] http://www.openwall.com/lists/oss-security/2013/08/13/2

Thanks! The title now references the new CVE #.

Python 3.1 is affected, too. 3.1 will recieve security fixes until June 2014.

Brian Cameron from Oracle has requested a fix for Python 2.6. I have attached a patch for 2.6. In order to compile and test the patch I had to modify _ssl.c to handle OPENSSL_NO_SSL2. I also copied keycert.pem from 2.7 to fix two test failures. The former keycert.pem has expired.

It's a bit of a challenge to compile Python 2.6 on modern Linux OS. I had to set a couple of flags and overwrite MACHDEP:

export arch=$(dpkg-architecture -qDEB_HOST_MULTIARCH)
export LDFLAGS="-L/usr/lib/$arch -L/lib/$arch"
export CFLAGS="-I/usr/include/$arch"
export CPPFLAGS="-I/usr/include/$arch"
./configure --config-cache --with-pydebug
make -j4 MACHDEP=linux2

For the record PHP has assigned CVE-2013-4248 for the issue.

New changeset c9f073e593b0 by Christian Heimes in branch '3.3':
Issue bpo-18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
http://hg.python.org/cpython/rev/c9f073e593b0

New changeset 7a0f398d1a5c by Christian Heimes in branch 'default':
Issue bpo-18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
http://hg.python.org/cpython/rev/7a0f398d1a5c

New changeset bd2360476bdb by Christian Heimes in branch '2.7':
Issue bpo-18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
http://hg.python.org/cpython/rev/bd2360476bdb

I have applied the patch to 2.7, 3.3 and 3.4.

Barry, Benjamin, Georg:
Are you going to apply the patches yourselves?

New changeset 79007c4244d6 by Barry Warsaw in branch '2.6':

• Issue bpo-18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
  http://hg.python.org/cpython/rev/79007c4244d6

The test is failing on Tiger buildbots:

"""
======================================================================
FAIL: test_parse_cert_CVE_2013_4238 (test.test_ssl.BasicSocketTests)
----------------------------------------------------------------------

Traceback (most recent call last):
  File "/Users/db3l/buildarea/3.x.bolen-tiger/build/Lib/test/test_ssl.py", line 230, in test_parse_cert_CVE_2013_4238
    ('IP Address', '2001:DB8:0:0:0:0:0:1\n'))
AssertionError: Tuples differ: (('DNS', 'altnull.python.org\x... != (('DNS', 'altnull.python.org\x...

First differing element 4:
('IP Address', '<invalid>')
('IP Address', '2001:DB8:0:0:0:0:0:1\n')

  (('DNS', 'altnull.python.org\x00example.com'),
   ('email', 'null@python.org\x00user@example.org'),
   ('URI', 'http://null.python.org\x00http://example.org'),
   ('IP Address', '192.0.2.1'),
-  ('IP Address', '<invalid>'))
+  ('IP Address', '2001:DB8:0:0:0:0:0:1\n'))

"""

http://buildbot.python.org/all/builders/x86 Tiger 3.x/builds/6829/steps/test/logs/stdio

New changeset 004743d210e4 by Christian Heimes in branch '3.3':
Issue bpo-18709: Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger
http://hg.python.org/cpython/rev/004743d210e4

New changeset 577e9402cadd by Christian Heimes in branch 'default':
Issue bpo-18709: Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger
http://hg.python.org/cpython/rev/577e9402cadd

New changeset 1cd24ea5abeb by Christian Heimes in branch '2.7':
Issue bpo-18709: Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger
http://hg.python.org/cpython/rev/1cd24ea5abeb

New changeset 50803d881a92 by Christian Heimes in branch '2.6':
Issue bpo-18709: Fix issue with IPv6 address in subjectAltName on Mac OS X Tiger
http://hg.python.org/cpython/rev/50803d881a92

Tiger has OpenSSL 0.9.7 which doesn't support IPv6 addresses. I have added a workaround.

It's not fixed in 3.1 and 3.2 yet. Please re-open the issue. I can't do it because I'm not at home.

"Charles-François Natali" <report@bugs.python.org> schrieb:

Changes by Charles-François Natali <cf.natali@gmail.com>:

----------
resolution: -> fixed
stage: patch review -> committed/rejected
status: open -> closed

---

Python tracker <report@bugs.python.org>
<http://bugs.python.org/issue18709\>

---

Oops.

Doing 'valgrind --suppressions=valgrind-python.supp ./python Lib/tests/regrtest.py test_ssl.py' I'm getting

==11944== LEAK SUMMARY:
==11944== definitely lost: 32 bytes in 1 blocks
==11944== indirectly lost: 392 bytes in 16 blocks
==11944== possibly lost: 27,008 bytes in 58 blocks
==11944== still reachable: 4,267,092 bytes in 4,124 blocks
==11944== suppressed: 32 bytes in 1 blocks

and as far as I can tell the leak is introduced by this patch, I can't seem to figure out what could be causing it though.

I can't reproduce the memory leak. valgrind's output doesn't show suspicious memory leaks.

./configure --with-pydebug --config-cache
valgrind --suppressions=Misc/valgrind-python.supp ./python Lib/test/test_ssl.py

Python 3.4 tip
--------------

==26085== HEAP SUMMARY:
==26085== in use at exit: 1,286,703 bytes in 3,778 blocks
==26085== total heap usage: 210,241 allocs, 206,463 frees, 62,923,839 bytes allocated
==26085==
==26085== LEAK SUMMARY:
==26085== definitely lost: 0 bytes in 0 blocks
==26085== indirectly lost: 0 bytes in 0 blocks
==26085== possibly lost: 1,148,038 bytes in 555 blocks
==26085== still reachable: 138,665 bytes in 3,223 blocks
==26085== suppressed: 0 bytes in 0 blocks

Python 3.4.0a1 (without patch)
------------------------------
==32513== HEAP SUMMARY:
==32513== in use at exit: 1,708,298 bytes in 4,120 blocks
==32513== total heap usage: 237,965 allocs, 233,845 frees, 94,637,130 bytes allocated
==32513==
==32513== LEAK SUMMARY:
==32513== definitely lost: 0 bytes in 0 blocks
==32513== indirectly lost: 0 bytes in 0 blocks
==32513== possibly lost: 1,568,077 bytes in 893 blocks
==32513== still reachable: 140,221 bytes in 3,227 blocks
==32513== suppressed: 0 bytes in 0 blocks
==32513== Rerun with --leak-check=full to see details of leaked memory

Python 2.7 tip
--------------

==3184== HEAP SUMMARY:
==3184== in use at exit: 6,411,895 bytes in 4,757 blocks
==3184== total heap usage: 16,245 allocs, 11,488 frees, 32,948,412 bytes allocated
==3184==
==3184== LEAK SUMMARY:
==3184== definitely lost: 0 bytes in 0 blocks
==3184== indirectly lost: 0 bytes in 0 blocks
==3184== possibly lost: 1,823,596 bytes in 1,505 blocks
==3184== still reachable: 4,588,299 bytes in 3,252 blocks
==3184== suppressed: 0 bytes in 0 blocks

Oh, I only checked the particular commit that fixed this issue in 2.6 (50803d881a92). I am not getting any leaks in 2.6 tip either, so I guess it was fixed somewhere along the way.

Sorry for the confusion!

New changeset 90040e560527 by Christian Heimes in branch '3.3':
Issue bpo-18709: GCC 4.6 complains that 'v' may be used uninitialized in GEN_EMAIL/GEN_URI/GEN_DNS case
http://hg.python.org/cpython/rev/90040e560527

New changeset 4e93f32176fb by Christian Heimes in branch 'default':
Issue bpo-18709: GCC 4.6 complains that 'v' may be used uninitialized in GEN_EMAIL/GEN_URI/GEN_DNS case
http://hg.python.org/cpython/rev/4e93f32176fb

New changeset 07ee48ce4513 by Christian Heimes in branch '2.6':
Issue bpo-18709: GCC 4.6 complains that 'v' may be used uninitialized in GEN_EMAIL/GEN_URI/GEN_DNS case
http://hg.python.org/cpython/rev/07ee48ce4513

New changeset a7d5b86ffb95 by Christian Heimes in branch '2.7':
Issue bpo-18709: GCC 4.6 complains that 'v' may be used uninitialized in GEN_EMAIL/GEN_URI/GEN_DNS case
http://hg.python.org/cpython/rev/a7d5b86ffb95

Christian, is the -py32 patch still up to date?

I'm removing 2.6 from the Versions field since AFAIK we've resolved this issue for 2.6. This way it'll be easier to scan the blockers for 2.6.9.

If anyone things we still have things to address for this issue in 2.6.9, please reassign it or follow up.

So, this is fixed, but there's some suspicion of a memory leak?
If that's true, maybe we could mark this as closed then open a new
bug for the leak? This shows up as a big scary "release blocker"
against 3.4, and I'm like making releases and stuff.

There's no longer any suspicion, no, at least from my side.

I don't get it. Has somebody found a memory leak in my patch?

Larry, I have removed 2.7, 3.3 and 3.4 from the affected versions. They fix has already landed. 3.1 and 3.2 are still open, though.

Georg, the patch for 3.2 is still up to date. Are you going to commit it?

The patch hasn't been committed to 3.2 yet.

Not sure if 3.2 is still open to security fixes.

New changeset 386b0f478117 by Georg Brandl in branch '3.2':
Issue bpo-18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
https://hg.python.org/cpython/rev/386b0f478117

Do we have patch for 3.1 version, or 3.2 patch will be also OK?

These Python versions no longer receive security updates. Please update.