Disallow setting an empty list for NPN in CPython 3.9 and earlier #121227

Open
sethmlarson opened this issue Jul 1, 2024 · 1 comment
Labels: 3.8 only security fixes, 3.9 only security fixes, type-security (A security issue)

Comments

sethmlarson commented Jul 1, 2024

Bug report

Bug description:

OpenSSL prior to 3.3.2 had a defect in SSL_select_next_proto where invalid values (such as an empty list) would cause a buffer overread (see CVE-2024-5535). The issue can be fixed in CPython by not calling SSL_select_next_proto with an invalid value.

This is a low severity vulnerability in CPython and is tracked separately in CVE-2024-5642. CPython 3.10 and beyond removed support for NPN and thus aren't affected by this issue.

CPython versions tested on: 3.8, 3.9

Operating systems tested on: No response
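The mitigation the report describes is to validate the protocol list before it ever reaches SSL_select_next_proto. The following is an added example, not CPython's own code: it encodes NPN/ALPN protocol names in the length-prefixed wire format, refuses the inputs that must never be handed to OpenSSL (an empty list, an empty or over-long name), and parses such a list with explicit bounds checks so a truncated record is reported instead of read past the end. The selection logic is a simplified sketch of server-preferred matching, not OpenSSL's exact behaviour.

```python
from typing import Iterable, List


def encode_protocol_list(protocols: Iterable[str]) -> bytes:
    """Encode names as <1-byte length><name> records; reject invalid input."""
    protos = bytearray()
    count = 0
    for proto in protocols:
        name = proto.encode("ascii")
        # Each record carries a single length byte, so names are 1..255 bytes.
        if not 1 <= len(name) <= 255:
            raise ValueError("NPN protocol names must be 1 to 255 bytes long")
        protos.append(len(name))
        protos += name
        count += 1
    if count == 0:
        # An empty list encodes to zero bytes: the input this issue says
        # CPython must refuse rather than pass on to SSL_select_next_proto.
        raise ValueError("NPN protocol list must not be empty")
    return bytes(protos)


def is_valid_protocol_list(protocols: Iterable[str]) -> bool:
    """True if the list would be accepted by encode_protocol_list()."""
    try:
        encode_protocol_list(protocols)
        return True
    except ValueError:
        return False


def decode_protocol_list(wire: bytes) -> List[bytes]:
    """Parse length-prefixed records, checking every length against the buffer."""
    names: List[bytes] = []
    pos = 0
    while pos < len(wire):
        length = wire[pos]
        pos += 1
        # A zero length or a record that runs past the buffer is malformed;
        # reading it anyway is exactly the overread class of bug.
        if length == 0 or pos + length > len(wire):
            raise ValueError("malformed protocol list at offset %d" % (pos - 1))
        names.append(wire[pos:pos + length])
        pos += length
    return names


def select_protocol(server: bytes, client: bytes) -> bytes:
    """Return the first server-preferred name the client also offers, else b''."""
    offered = set(decode_protocol_list(client))
    for name in decode_protocol_list(server):
        if name in offered:
            return name
    return b""
```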

@sethmlarson sethmlarson added type-bug An unexpected behavior, bug, or error type-security A security issue and removed type-bug An unexpected behavior, bug, or error labels Jul 1, 2024
@Eclips4 Eclips4 added 3.9 only security fixes 3.8 only security fixes labels Jul 1, 2024
AdrianBunk commented:

CPython 3.7 to 3.9 are only affected when using OpenSSL < 1.1.1, since CPython >= 3.7 already dropped NPN support with OpenSSL >= 1.1.1 (by accident? see 29eab55 and 9617741).

CPython 3.8 was released a year after OpenSSL 1.1.1, which makes it unlikely that the vulnerable combination of CPython >= 3.8 and OpenSSL < 1.1.1 would be common.

For Python3 < 3.7 in Debian ELTS I did the big hammer

-# define HAVE_NPN 1
+# define HAVE_NPN 0
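Review bot: forcing HAVE_NPN to 0 removes NPN support entirely on the affected builds rather than rejecting only the invalid (empty) list the report describes, so this should be documented as a deliberate trade-off against the narrower fix of not calling SSL_select_next_proto with bad input. The hunk also shows no file name or surrounding context, so it is not clear from the lines alone whether this define is set unconditionally or only in the OpenSSL < 1.1.1 branch the comment says is the affected one; including the enclosing preprocessor condition would make the scope of the change reviewable.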

which might also be a reasonable approach for you for the rare affected setups with 3.8 or 3.9?
