← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib

 

This bug was fixed in the package python2.7 - 2.7.15-4ubuntu4~18.04.1

---------------
python2.7 (2.7.15-4ubuntu4~18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: incorrect cookie domain check
    - debian/patches/CVE-2018-20852.patch: prefix dot in domain for proper
      subdomain validation in Lib/cookielib.py, Lib/test/test_cookielib.py.
    - CVE-2018-20852
  * SECURITY UPDATE: NULL pointer dereference via X509 certificate
    - debian/patches/CVE-2019-5010.patch: fix segfault in ssl cert parser
      in Lib/test/talos-2019-0758.pem, Lib/test/test_ssl.py,
      Modules/_ssl.c.
    - CVE-2019-5010
  * SECURITY UPDATE: improper handling of unicode encoding
    - debian/patches/CVE-2019-9636-1.patch: add check for characters in
      netloc that normalize to separators in Doc/library/urlparse.rst,
      Lib/test/test_urlparse.py, Lib/urlparse.py.
    - debian/patches/CVE-2019-9636-2.patch: only print test messages when
      verbose in Lib/test/test_urlparse.py.
    - CVE-2019-9636
  * SECURITY UPDATE: HTTP header injection
    - debian/patches/CVE-2019-9740.patch: disallow control chars in http
      URLs in Lib/httplib.py, Lib/test/test_urllib.py,
      Lib/test/test_urllib2.py, Lib/test/test_xmlrpc.py.
    - CVE-2019-9740
    - CVE-2019-9947
  * SECURITY UPDATE: urllib support the local_file: scheme
    - debian/patches/CVE-2019-9948.patch: disallow file reading in
      Lib/urllib.py, Lib/test/test_urllib.py.
    - CVE-2019-9948
  * SECURITY UPDATE: incomplete fix for CVE-2019-9636
    - debian/patches/CVE-2019-10160-1.patch: fix handling of
      pre-normalization characters in urlsplit() in
      Lib/test/test_urlparse.py, Lib/urlparse.py.
    - debian/patches/CVE-2019-10160-2.patch: correct fix to handle
      decomposition in usernames in Lib/test/test_urlparse.py,
      Lib/urlparse.py.
    - debian/patches/CVE-2019-10160-3.patch: fix urlparse.urlsplit() error
      message for Unicode URL in Lib/test/test_urlparse.py,
      Lib/urlparse.py.
    - CVE-2019-10160
  * debian/patches/issue9146.diff: fix FIPS mode environments where MD5
    isn't available in Modules/_hashopenssl.c. (LP: #1835135)

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Tue, 09 Jul 2019
12:51:35 -0400

** Changed in: python2.7 (Ubuntu Bionic)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-20852

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10160

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-5010

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9636

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9740

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9947

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9948

** Changed in: python2.7 (Ubuntu Disco)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1835135

Title:
  FIPS OpenSSL crashes Python2 hashlib

Status in python2.7 package in Ubuntu:
  Triaged
Status in python3.5 package in Ubuntu:
  Invalid
Status in python2.7 source package in Xenial:
  In Progress
Status in python3.5 source package in Xenial:
  Fix Released
Status in python2.7 source package in Bionic:
  Fix Released
Status in python3.5 source package in Bionic:
  Invalid
Status in python2.7 source package in Cosmic:
  Won't Fix
Status in python3.5 source package in Cosmic:
  Invalid
Status in python2.7 source package in Disco:
  Fix Released
Status in python3.5 source package in Disco:
  Invalid
Status in python2.7 source package in Eoan:
  Triaged
Status in python3.5 source package in Eoan:
  Invalid

Bug description:
  If Ubuntu/Canonical's FIPS-compliant OpenSSL is initialized with
  SSL_library_init, then Python2's hashlib bindings for MD5 can trigger
  a SIGSEGV via a NULL pointer dereference (if calling the .update
  method) or a SIGABRT (if passing input to the constructor or passing
  no input and invoking the .final method). This happens if, for
  example, PyOpenSSL is imported before hashlib.

  Canonical's FIPS patches for OpenSSL introduce some odd behavior that
  arguably should be revisited, but the (TL;DR) core bug is that Python2
  hashlib doesn't properly check the return value of EVP_DigestInit,
  preventing hashlib from falling back to it's internal MD5
  implementation and instead setting things up for use of the MD5
  context to trigger SIGSEGV or SIGABRT.

  Python3 correctly checks the return value, so the fix is to backport
  the relevant code into Python2 (see
  python2.7-2.7.12/Modules/_hashopenssl.c).

  See attached good.py and bad.py files which exhibit the import order-
  dependent crashing issue. See attached fips-md5-python-init-bug.c
  which shows the FIPS OpenSSL behaviors that conditionally tickle the
  Python2 bug. The C file also contains a much more detailed description
  of the Python2 bug and other behavior which I'd rather not repeat
  here.

  I discovered this bug investigating an issue with the third-party apt-
  boto-s3 package. See https://github.com/boto/boto3/issues/2021

  Note that this bug effects Splunk, Inc, which has a corporate Ubuntu
  Advantage license. My login account is attached to a different,
  single-seat license.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1835135/+subscriptions