gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw #108315

Merged Aug 22, 2023 (1 commit)

@ambv ambv commented Aug 22, 2023

Instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data.

The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred.

…ose flaw

Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake
and included protections (like certificate verification) and treating sent
unencrypted data as if it were post-handshake TLS encrypted data.

The vulnerability is caused when a socket is connected, data is sent by the
malicious peer and stored in a buffer, and then the malicious peer closes the
socket within a small timing window before the other peers’ TLS handshake can
begin. After this sequence of events the closed socket will not immediately
attempt a TLS handshake due to not being connected but will also allow the
buffered data to be read as if a successful TLS handshake had occurred.

Co-Authored-By: Gregory P. Smith [Google LLC] <greg@krypto.org>
@ambv ambv merged commit 0cb0c23 into python:main Aug 22, 2023
18 checks passed
@ambv ambv deleted the cve-2023-40217 branch August 22, 2023 18:00
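
An application-level guard for the failure mode described in the PR text above, as an added example that is not code from this pull request or from CPython: it refuses to read from an `ssl.SSLSocket` unless a TLS session is actually established, relying on the documented behaviour that `SSLSocket.version()` returns `None` when no secure connection exists. The names `HandshakeNotCompleted`, `handshake_completed`, `recv_after_handshake` and `demo` are hypothetical, and the hostname and sample bytes are constructed.

```python
import socket
import ssl


class HandshakeNotCompleted(ConnectionError):
    """The wrapped socket has no established TLS session."""


def handshake_completed(tls_sock: ssl.SSLSocket) -> bool:
    # SSLSocket.version() is documented to return None when no secure
    # connection is established. That covers a socket that was wrapped while
    # not connected, which is the state the PR text describes.
    return tls_sock.version() is not None


def recv_after_handshake(tls_sock: ssl.SSLSocket, bufsize: int) -> bytes:
    """Read application data only from a socket with a finished handshake."""
    if not handshake_completed(tls_sock):
        tls_sock.close()
        raise HandshakeNotCompleted("no TLS session; refusing to read buffered bytes")
    return tls_sock.recv(bufsize)


def _outcome(tls_sock: ssl.SSLSocket) -> str:
    try:
        recv_after_handshake(tls_sock, 4096)
    except HandshakeNotCompleted:
        return "refused"
    return "read"


def demo() -> dict:
    ctx = ssl.create_default_context()
    results = {}

    # Case 1: wrapped while not connected, so no handshake was attempted.
    unconnected = ctx.wrap_socket(socket.socket(),
                                  server_hostname="example.invalid")
    results["unconnected"] = _outcome(unconnected)

    # Case 2: connected, constructed plaintext already queued by the peer,
    # handshake deliberately not run yet.
    ours, peer = socket.socketpair()
    peer.sendall(b"constructed plaintext, not TLS")
    pending = ctx.wrap_socket(ours, server_hostname="example.invalid",
                              do_handshake_on_connect=False)
    results["no_handshake"] = _outcome(pending)
    peer.close()
    return results


if __name__ == "__main__":
    print(demo())
```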
@bedevere-bot

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot AMD64 Windows10 3.x has failed when building commit 0cb0c23.

What do you need to do:

  1. Don't panic.
  2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
  3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/146/builds/6080) and take a look at the build logs.
  4. Check if the failure is related to this commit (0cb0c23) or if it is a false positive.
  5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/146/builds/6080

Failed tests:

  • test_sqlite3

Failed subtests:

  • test_interact_quit - test.test_sqlite3.test_cli.InteractiveSession.test_interact_quit

Summary of the results of the build (if available):

== Tests result: FAILURE then ENV CHANGED ==

415 tests OK.

10 slowest tests:

  • test_math: 4 min 38 sec
  • test_multiprocessing_spawn: 4 min 32 sec
  • test_tokenize: 2 min 41 sec
  • test_peg_generator: 2 min 38 sec
  • test_wmi: 2 min 26 sec
  • test_unparse: 2 min 22 sec
  • test_concurrent_futures: 1 min 52 sec
  • test_capi: 1 min 40 sec
  • test_pickle: 1 min 34 sec
  • test_unicodedata: 1 min 32 sec

1 test altered the execution environment:
test_ssl

31 tests skipped:
test.test_asyncio.test_unix_events test_curses test_dbm_gnu
test_dbm_ndbm test_devpoll test_epoll test_fcntl test_fork1
test_gdb test_grp test_ioctl test_kqueue test_multiprocessing_fork
test_multiprocessing_forkserver test_openpty test_perf_profiler
test_perfmaps test_poll test_posix test_pty test_pwd test_readline
test_resource test_syslog test_threadsignals test_wait3 test_wait4
test_xxlimited test_xxtestfuzz test_zipfile64 test_zoneinfo

1 re-run test:
test_sqlite3

Total duration: 21 min 31 sec

Traceback logs:
Traceback (most recent call last):
  File "D:\buildarea\3.x.bolen-windows10\build\Lib\test\test_sqlite3\test_cli.py", line 103, in test_interact_quit
    out, err = proc.communicate(input=".quit", timeout=self.TIMEOUT)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\buildarea\3.x.bolen-windows10\build\Lib\subprocess.py", line 1209, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\buildarea\3.x.bolen-windows10\build\Lib\subprocess.py", line 1628, in _communicate
    raise TimeoutExpired(self.args, orig_timeout)
subprocess.TimeoutExpired: Command '['D:\\buildarea\\3.x.bolen-windows10\\build\\PCbuild\\amd64\\python_d.exe', '-Xutf8', '-m', 'sqlite3']' timed out after 3.0 seconds


Traceback (most recent call last):
  File "D:\buildarea\3.x.bolen-windows10\build\Lib\threading.py", line 1059, in _bootstrap_inner
    self.run()
  File "D:\buildarea\3.x.bolen-windows10\build\Lib\test\test_ssl.py", line 4708, in run
    conn, address = self.listener.accept()
                    ^^^^^^^^^^^^^^^^^^^^^^
  File "D:\buildarea\3.x.bolen-windows10\build\Lib\socket.py", line 295, in accept
    fd, addr = self._accept()
               ^^^^^^^^^^^^^^
TimeoutError: timed out

@bedevere-bot

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot ARM64 Windows 3.x has failed when building commit 0cb0c23.

What do you need to do:

  1. Don't panic.
  2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
  3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/729/builds/5277) and take a look at the build logs.
  4. Check if the failure is related to this commit (0cb0c23) or if it is a false positive.
  5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/729/builds/5277

Summary of the results of the build (if available):

== Tests result: ENV CHANGED ==

413 tests OK.

10 slowest tests:

  • test_math: 7 min 34 sec
  • test_peg_generator: 6 min 8 sec
  • test_multiprocessing_spawn: 4 min 39 sec
  • test_tokenize: 2 min 52 sec
  • test_unparse: 2 min 35 sec
  • test_tarfile: 2 min 17 sec
  • test_venv: 1 min 56 sec
  • test_compileall: 1 min 52 sec
  • test_concurrent_futures: 1 min 47 sec
  • test_unicodedata: 1 min 47 sec

1 test altered the execution environment:
test_ssl

33 tests skipped:
test.test_asyncio.test_unix_events test_curses test_dbm_gnu
test_dbm_ndbm test_devpoll test_epoll test_fcntl test_fork1
test_gdb test_grp test_ioctl test_kqueue test_multiprocessing_fork
test_multiprocessing_forkserver test_openpty test_perf_profiler
test_perfmaps test_poll test_posix test_pty test_pwd test_readline
test_resource test_syslog test_threadsignals test_tkinter test_ttk
test_wait3 test_wait4 test_xxlimited test_xxtestfuzz
test_zipfile64 test_zoneinfo

Total duration: 22 min

Traceback logs:
Traceback (most recent call last):
  File "C:\Workspace\buildarea\3.x.linaro-win-arm64\build\Lib\threading.py", line 1059, in _bootstrap_inner
    self.run()
  File "C:\Workspace\buildarea\3.x.linaro-win-arm64\build\Lib\test\test_ssl.py", line 4708, in run
    conn, address = self.listener.accept()
                    ^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Workspace\buildarea\3.x.linaro-win-arm64\build\Lib\socket.py", line 295, in accept
    fd, addr = self._accept()
               ^^^^^^^^^^^^^^
TimeoutError: timed out

@bedevere-bot

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot ARM64 Windows Non-Debug 3.x has failed when building commit 0cb0c23.

What do you need to do:

  1. Don't panic.
  2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
  3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/730/builds/8723) and take a look at the build logs.
  4. Check if the failure is related to this commit (0cb0c23) or if it is a false positive.
  5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/730/builds/8723

Summary of the results of the build (if available):

== Tests result: ENV CHANGED ==

414 tests OK.

10 slowest tests:

  • test_peg_generator: 4 min 2 sec
  • test_multiprocessing_spawn: 2 min 2 sec
  • test_concurrent_futures: 1 min 18 sec
  • test_socket: 1 min 6 sec
  • test_math: 59.9 sec
  • test_mmap: 57.8 sec
  • test_hashlib: 54.6 sec
  • test_largefile: 44.7 sec
  • test_io: 38.1 sec
  • test_ssl: 37.9 sec

1 test altered the execution environment:
test_ssl

32 tests skipped:
test.test_asyncio.test_unix_events test_curses test_dbm_gnu
test_dbm_ndbm test_devpoll test_epoll test_fcntl test_fork1
test_gdb test_grp test_ioctl test_kqueue test_multiprocessing_fork
test_multiprocessing_forkserver test_openpty test_perf_profiler
test_perfmaps test_poll test_posix test_pty test_pwd test_readline
test_resource test_syslog test_threadsignals test_tkinter test_ttk
test_wait3 test_wait4 test_xxtestfuzz test_zipfile64 test_zoneinfo

Total duration: 9 min 2 sec

Traceback logs:
Traceback (most recent call last):
  File "C:\Workspace\buildarea\3.x.linaro-win-arm64.nondebug\build\Lib\threading.py", line 1059, in _bootstrap_inner
    self.run()
  File "C:\Workspace\buildarea\3.x.linaro-win-arm64.nondebug\build\Lib\test\test_ssl.py", line 4708, in run
    conn, address = self.listener.accept()
                    ^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Workspace\buildarea\3.x.linaro-win-arm64.nondebug\build\Lib\socket.py", line 295, in accept
    fd, addr = self._accept()
               ^^^^^^^^^^^^^^
TimeoutError: timed out

@bedevere-bot

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot AMD64 Windows11 Bigmem 3.x has failed when building commit 0cb0c23.

What do you need to do:

  1. Don't panic.
  2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
  3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/1079/builds/2039) and take a look at the build logs.
  4. Check if the failure is related to this commit (0cb0c23) or if it is a false positive.
  5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/1079/builds/2039

Summary of the results of the build (if available):

== Tests result: ENV CHANGED ==

415 tests OK.

10 slowest tests:

  • test_bigmem: 42 min 31 sec
  • test_lzma: 33 min 22 sec
  • test_bz2: 20 min 47 sec
  • test_array: 7 min 24 sec
  • test_zlib: 4 min 53 sec
  • test_hashlib: 3 min 57 sec
  • test_multiprocessing_spawn: 1 min 54 sec
  • test_math: 1 min 40 sec
  • test_concurrent_futures: 1 min 15 sec
  • test_pickle: 1 min 15 sec

1 test altered the execution environment:
test_ssl

31 tests skipped:
test.test_asyncio.test_unix_events test_curses test_dbm_gnu
test_dbm_ndbm test_devpoll test_epoll test_fcntl test_fork1
test_gdb test_grp test_ioctl test_kqueue test_multiprocessing_fork
test_multiprocessing_forkserver test_openpty test_perf_profiler
test_perfmaps test_poll test_posix test_pty test_pwd test_readline
test_resource test_syslog test_threadsignals test_wait3 test_wait4
test_xxlimited test_xxtestfuzz test_zipfile64 test_zoneinfo

Total duration: 1 hour 1 min

Traceback logs:
Traceback (most recent call last):
  File "R:\buildarea\3.x.ambv-bb-win11.bigmem\build\Lib\threading.py", line 1059, in _bootstrap_inner
    self.run()
  File "R:\buildarea\3.x.ambv-bb-win11.bigmem\build\Lib\test\test_ssl.py", line 4708, in run
    conn, address = self.listener.accept()
                    ^^^^^^^^^^^^^^^^^^^^^^
  File "R:\buildarea\3.x.ambv-bb-win11.bigmem\build\Lib\socket.py", line 295, in accept
    fd, addr = self._accept()
               ^^^^^^^^^^^^^^
TimeoutError: timed out

@gpshead gpshead self-assigned this Aug 22, 2023
bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this pull request Sep 14, 2023
https://build.opensuse.org/request/show/1110909
by user mcepl + anag+factory
Forwarded request #1110536 from dgarcia

- Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing
    gh#python/cpython#108310, backport from upstream patch
    gh#python/cpython#108315
    (bsc#1214692, CVE-2023-40217)
mcepl added a commit to openSUSE-Python/cpython that referenced this pull request Apr 3, 2024
Instances of `ssl.SSLSocket` were vulnerable to a bypass of
the TLS handshake and included protections (like certificate
verification) and treating sent unencrypted data as if it were
post-handshake TLS encrypted data.

The vulnerability is caused when a socket is connected, data is
sent by the malicious peer and stored in a buffer, and then the
malicious peer closes the socket within a small timing window
before the other peers’ TLS handshake can begin. After this
sequence of events the closed socket will not immediately attempt
a TLS handshake due to not being connected but will also allow
the buffered data to be read as if a successful TLS handshake had
occurred.

Code is from gh#python/cpython@b4bcc06, it was released
upstream in 3.8.18.

Fixes: bsc#1214692
Fixes: gh#python#108315
mcepl added a commit to openSUSE-Python/cpython that referenced this pull request Apr 4, 2024
Instances of `ssl.SSLSocket` were vulnerable to a bypass of
the TLS handshake and included protections (like certificate
verification) and treating sent unencrypted data as if it were
post-handshake TLS encrypted data.

The vulnerability is caused when a socket is connected, data is
sent by the malicious peer and stored in a buffer, and then the
malicious peer closes the socket within a small timing window
before the other peers’ TLS handshake can begin. After this
sequence of events the closed socket will not immediately attempt
a TLS handshake due to not being connected but will also allow
the buffered data to be read as if a successful TLS handshake had
occurred.

Code is from gh#python/cpython@b4bcc06, it was released
upstream in 3.8.18.

Fixes: bsc#1214692
Fixes: gh#python#108315
Patch: CVE-2023-40217-avoid-ssl-pre-close.patch
mcepl pushed a commit to openSUSE-Python/cpython that referenced this pull request Apr 4, 2024
Instances of `ssl.SSLSocket` were vulnerable to a bypass of
the TLS handshake and included protections (like certificate
verification) and treating sent unencrypted data as if it were
post-handshake TLS encrypted data.

The vulnerability is caused when a socket is connected, data is
sent by the malicious peer and stored in a buffer, and then the
malicious peer closes the socket within a small timing window
before the other peers’ TLS handshake can begin. After this
sequence of events the closed socket will not immediately attempt
a TLS handshake due to not being connected but will also allow
the buffered data to be read as if a successful TLS handshake had
occurred.

Code is from gh#python/cpython@b4bcc06, it was released
upstream in 3.8.18.

Co-Authored-By: Gregory P. Smith [Google LLC] <greg@krypto.org>
Fixes: bsc#1214692
Fixes: gh#python#108315
Fixes: gh#python#108310
Patch: CVE-2023-40217-avoid-ssl-pre-close.patch