Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python39 for openSUSE:Factory checked in at 2024-06-22 13:23:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python39 (Old) and /work/SRC/openSUSE:Factory/.python39.new.18349 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "python39" Sat Jun 22 13:23:24 2024 rev:57 rq:1182485 version:3.9.19 Changes: -------- --- /work/SRC/openSUSE:Factory/python39/python39.changes 2024-03-26 19:25:31.485102438 +0100 +++ /work/SRC/openSUSE:Factory/.python39.new.18349/python39.changes 2024-06-22 13:23:58.427874412 +0200 @@ -1,0 +2,7 @@ +Fri Jun 21 09:44:24 UTC 2024 - Matej Cepl <mcepl@cepl.eu> + +- Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch + fixing bsc#1226447 (CVE-2024-0397) by removing memory race + condition in ssl.SSLContext certificate store methods. + +------------------------------------------------------------------- New: ---- CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch BETA DEBUG BEGIN: New: - Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch fixing bsc#1226447 (CVE-2024-0397) by removing memory race BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python39.spec ++++++ --- /var/tmp/diff_new_pack.h03rCQ/_old 2024-06-22 13:23:59.559915807 +0200 +++ /var/tmp/diff_new_pack.h03rCQ/_new 2024-06-22 13:23:59.559915807 +0200 @@ -181,6 +181,9 @@ # PATCH-FIX-UPSTREAM old-libexpat.patch gh#python/cpython#117187 mcepl@suse.com # Make the test suite work with libexpat < 2.6.0 Patch43: old-libexpat.patch +# PATCH-FIX-UPSTREAM CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch bsc#1226447 mcepl@suse.com +# removes memory race condition in ssl.SSLContext certificate store methods +Patch44: CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -446,6 +449,7 @@ %endif %patch -P 42 -p1 %patch -P 43 -p1 +%patch -P 44 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac ++++++ CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch ++++++ From 732c7d512e7cdf656a3f02a38c329b14a14a8573 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson <seth@python.org> Date: Fri, 19 Apr 2024 11:21:40 -0700 Subject: [PATCH] [3.9] gh-114572: Fix locking in cert_store_stats and get_ca_certs --- Misc/NEWS.d/next/Security/2024-04-19-11-21-13.gh-issue-114572.t1QMQD.rst | 4 Modules/_ssl.c | 91 +++++++++- 2 files changed, 92 insertions(+), 3 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2024-04-19-11-21-13.gh-issue-114572.t1QMQD.rst Index: Python-3.9.19/Misc/NEWS.d/next/Security/2024-04-19-11-21-13.gh-issue-114572.t1QMQD.rst =================================================================== --- /dev/null +++ Python-3.9.19/Misc/NEWS.d/next/Security/2024-04-19-11-21-13.gh-issue-114572.t1QMQD.rst @@ -0,0 +1,4 @@ +:meth:`ssl.SSLContext.cert_store_stats` and +:meth:`ssl.SSLContext.get_ca_certs` now correctly lock access to the +certificate store, when the :class:`ssl.SSLContext` is shared across +multiple threads. Index: Python-3.9.19/Modules/_ssl.c =================================================================== --- Python-3.9.19.orig/Modules/_ssl.c +++ Python-3.9.19/Modules/_ssl.c @@ -166,6 +166,10 @@ extern const SSL_METHOD *TLSv1_2_method( # define PY_OPENSSL_1_1_API 1 #endif +#if (OPENSSL_VERSION_NUMBER >= 0x30300000L) && !defined(LIBRESSL_VERSION_NUMBER) +# define OPENSSL_VERSION_3_3 1 +#endif + /* SNI support (client- and server-side) appeared in OpenSSL 1.0.0 and 0.9.8f * This includes the SSL_set_SSL_CTX() function. */ @@ -210,6 +214,16 @@ extern const SSL_METHOD *TLSv1_2_method( #define HAVE_OPENSSL_CRYPTO_LOCK #endif +/* OpenSSL 1.1+ allows locking X509_STORE, 1.0.2 doesn't. */ +#ifdef OPENSSL_VERSION_1_1 +#define HAVE_OPENSSL_X509_STORE_LOCK +#endif + +/* OpenSSL 3.3 added the X509_STORE_get1_objects API */ +#ifdef OPENSSL_VERSION_3_3 +#define HAVE_OPENSSL_X509_STORE_GET1_OBJECTS 1 +#endif + #if defined(OPENSSL_VERSION_1_1) && !defined(OPENSSL_NO_SSL2) #define OPENSSL_NO_SSL2 #endif @@ -4675,6 +4689,54 @@ set_sni_callback(PySSLContext *self, PyO #endif } +/* Shim of X509_STORE_get1_objects API from OpenSSL 3.3 + * Only available with the X509_STORE_lock() API */ +#if defined(HAVE_OPENSSL_X509_STORE_LOCK) && !defined(OPENSSL_VERSION_3_3) +#define HAVE_OPENSSL_X509_STORE_GET1_OBJECTS 1 + +static X509_OBJECT *x509_object_dup(const X509_OBJECT *obj) +{ + int ok; + X509_OBJECT *ret = X509_OBJECT_new(); + if (ret == NULL) { + return NULL; + } + switch (X509_OBJECT_get_type(obj)) { + case X509_LU_X509: + ok = X509_OBJECT_set1_X509(ret, X509_OBJECT_get0_X509(obj)); + break; + case X509_LU_CRL: + /* X509_OBJECT_get0_X509_CRL was not const-correct prior to 3.0.*/ + ok = X509_OBJECT_set1_X509_CRL( + ret, X509_OBJECT_get0_X509_CRL((X509_OBJECT *)obj)); + break; + default: + /* We cannot duplicate unrecognized types in a polyfill, but it is + * safe to leave an empty object. The caller will ignore it. */ + ok = 1; + break; + } + if (!ok) { + X509_OBJECT_free(ret); + return NULL; + } + return ret; +} + +static STACK_OF(X509_OBJECT) * +X509_STORE_get1_objects(X509_STORE *store) +{ + STACK_OF(X509_OBJECT) *ret; + if (!X509_STORE_lock(store)) { + return NULL; + } + ret = sk_X509_OBJECT_deep_copy(X509_STORE_get0_objects(store), + x509_object_dup, X509_OBJECT_free); + X509_STORE_unlock(store); + return ret; +} +#endif + PyDoc_STRVAR(PySSLContext_sni_callback_doc, "Set a callback that will be called when a server name is provided by the SSL/TLS client in the SNI extension.\n\ \n\ @@ -4704,7 +4766,15 @@ _ssl__SSLContext_cert_store_stats_impl(P int x509 = 0, crl = 0, ca = 0, i; store = SSL_CTX_get_cert_store(self->ctx); +#if HAVE_OPENSSL_X509_STORE_GET1_OBJECTS + objs = X509_STORE_get1_objects(store); + if (objs == NULL) { + PyErr_SetString(PyExc_MemoryError, "failed to query cert store"); + return NULL; + } +#else objs = X509_STORE_get0_objects(store); +#endif for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { obj = sk_X509_OBJECT_value(objs, i); switch (X509_OBJECT_get_type(obj)) { @@ -4718,12 +4788,13 @@ _ssl__SSLContext_cert_store_stats_impl(P crl++; break; default: - /* Ignore X509_LU_FAIL, X509_LU_RETRY, X509_LU_PKEY. - * As far as I can tell they are internal states and never - * stored in a cert store */ + /* Ignore unrecognized types. */ break; } } +#if HAVE_OPENSSL_X509_STORE_GET1_OBJECTS + sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free); +#endif return Py_BuildValue("{sisisi}", "x509", x509, "crl", crl, "x509_ca", ca); } @@ -4755,7 +4826,15 @@ _ssl__SSLContext_get_ca_certs_impl(PySSL } store = SSL_CTX_get_cert_store(self->ctx); +#if HAVE_OPENSSL_X509_STORE_GET1_OBJECTS + objs = X509_STORE_get1_objects(store); + if (objs == NULL) { + PyErr_SetString(PyExc_MemoryError, "failed to query cert store"); + return NULL; + } +#else objs = X509_STORE_get0_objects(store); +#endif for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { X509_OBJECT *obj; X509 *cert; @@ -4783,9 +4862,15 @@ _ssl__SSLContext_get_ca_certs_impl(PySSL } Py_CLEAR(ci); } +#if HAVE_OPENSSL_X509_STORE_GET1_OBJECTS + sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free); +#endif return rlist; error: +#if HAVE_OPENSSL_X509_STORE_GET1_OBJECTS + sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free); +#endif Py_XDECREF(ci); Py_XDECREF(rlist); return NULL;