[New-bugs-announce] [issue37463] socket.inet_aton IP parsing issue in ssl.match_hostname

Christian Heimes report at bugs.python.org
Mon Jul 1 02:47:04 EDT 2019


New submission from Christian Heimes <lists at cheimes.de>:

inet_aton accepts trailing characters after a valid IP (https://bugzilla.redhat.com/show_bug.cgi?id=1347549). This, in combination with its use inside ssl.match_hostname, allows the following code to work when it should fail:

import ssl
# Minimal cert dict in the shape ssl.match_hostname() expects: one IP SAN.
cert = {'subjectAltName': (('IP Address', '1.1.1.1'),)}
# A valid IPv4 literal followed by trailing text. match_hostname() returns None
# on a match and raises ssl.CertificateError on a mismatch; on affected
# versions this call returns None instead of raising.
ssl.match_hostname(cert, '1.1.1.1 ; this should not work but does')


The bug was initially found by Dominik Czarnota and reported by Paul Kehrer.

The issue was introduced in commit aef1283ba428e33397d87cee3c54a5110861552d / bpo-32819. Only 3.7 and newer are affected. It's a potential security bug, although of low severity. For one, Python 3.7 and newer no longer use ssl.match_hostname() to verify hostnames and IP addresses of a certificate. Matching is performed by OpenSSL.

----------
assignee: christian.heimes
components: SSL
keywords: 3.7regression
messages: 346964
nosy: alex, christian.heimes, dstufft, janssen, lukasz.langa, ned.deily
priority: release blocker
severity: normal
stage: needs patch
status: open
title: socket.inet_aton IP parsing issue in ssl.match_hostname
type: security
versions: Python 3.7, Python 3.8, Python 3.9

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue37463>
_______________________________________
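The following is an added example, not code from the report above or from CPython's ssl module. It shows why socket.inet_aton() is unsafe as an address validator and contrasts it with a strict check built on ipaddress.ip_address(), which only succeeds when the entire string is an IP literal. The cert dict, the hostname strings and the function names (inet_aton_accepts, strict_ip, match_ip_san) are constructed for illustration; whether inet_aton() accepts the trailing text is libc-dependent (glibc does), so the block reports that rather than assuming it.

```python
import ipaddress
import socket

# Constructed certificate dict in the same shape ssl.match_hostname() takes;
# the 'IP Address' SAN entries are the ones the report is about.
CERT = {
    'subjectAltName': (
        ('IP Address', '1.1.1.1'),
        ('IP Address', '2001:db8::1'),
        ('DNS', 'example.invalid'),
    ),
}

# The string from the report: a valid IPv4 literal followed by trailing text.
BAD_HOST = '1.1.1.1 ; this should not work but does'


def inet_aton_accepts(text):
    """Report whether this platform's socket.inet_aton() accepts ``text``.

    inet_aton() is a thin libc wrapper, so what it tolerates after the
    address (glibc stops at the first whitespace and ignores the rest) is
    platform-dependent.  That alone makes it unsuitable as a validator.
    """
    try:
        socket.inet_aton(text)
        return True
    except OSError:
        return False


def strict_ip(text):
    """Parse ``text`` as exactly one IPv4 or IPv6 literal, or return None.

    ipaddress.ip_address() requires the whole string to be an address:
    trailing text, surrounding whitespace and host:port forms all raise
    ValueError instead of being silently truncated.
    """
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def match_ip_san(cert, hostname):
    """Strict IP-address branch of a hostname matcher (hypothetical helper).

    Returns True only if ``hostname`` is a complete IP literal equal to one
    of the cert's 'IP Address' SAN entries.  Comparison is done on parsed
    addresses, so '2001:DB8::1' and '2001:db8:0::1' compare equal, while
    '1.1.1.1 <anything>' is rejected before any comparison happens.
    """
    host_ip = strict_ip(hostname)
    if host_ip is None:
        return False
    for kind, value in cert.get('subjectAltName', ()):
        if kind != 'IP Address':
            continue
        san_ip = strict_ip(value)
        if san_ip is not None and san_ip == host_ip:
            return True
    return False


if __name__ == '__main__':
    for candidate in ('1.1.1.1', BAD_HOST, '2001:DB8::1', '1.1.1'):
        print(f'{candidate!r:45} inet_aton: {inet_aton_accepts(candidate)!s:5} '
              f'strict: {strict_ip(candidate)!s:12} '
              f'match: {match_ip_san(CERT, candidate)}')
```

Running the script on a glibc system shows inet_aton() accepting the string with trailing text while strict_ip() returns None for it; the match decision is therefore made only after the hostname has been proven to be nothing but an address.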

