Bug#719922: pu: package python-httplib2/0.7.4-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi!

python-httplib2 currently in stable has a small security issue where a
certificate hostname mismatch is caught the first time but not the
second time. This issue has been fixed in unstable and the security
team does not think this bug is important enough to get a DSA and
proposes that it be fixed in the next point release:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706602

Attached is the proposed debdiff. Tested with:

>>> import httplib2
>>> h=httplib2.Http("")
>>> h.request("https://api.stage-01.dailymotion.com/")
-> CertificateHostnameMismatch exception
>>> h.request("https://api.stage-01.dailymotion.com/")
-> CertificateHostnameMismatch exception

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.10-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru python-httplib2-0.7.4/debian/changelog python-httplib2-0.7.4/debian/changelog
--- python-httplib2-0.7.4/debian/changelog	2012-05-27 12:07:32.000000000 +0200
+++ python-httplib2-0.7.4/debian/changelog	2013-08-16 22:31:06.000000000 +0200
@@ -1,3 +1,13 @@
+python-httplib2 (0.7.4-2+deb7u1) stable; urgency=low
+
+  * Team upload.
+  
+  [Vincent Bernat]
+  * Stable update to fix CVE-2013-2037, #706602 by applying the same patch
+    as in unstable.
+
+ -- Vincent Bernat <bernat@debian.org>  Fri, 16 Aug 2013 22:31:05 +0200
+
 python-httplib2 (0.7.4-2) unstable; urgency=low
 
   * debian/patches/egg-info.patch:
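Review bot: the blank line after "* Team upload." carries trailing whitespace (the hunk shows it as `+  `), which lintian reports for debian/changelog; strip it. The entry mentions #706602 only in prose; writing it as `(Closes: #706602)` lets the BTS record the stable fix when the upload is accepted. The version string already targets wheezy (+deb7u1), so the distribution field could name that suite explicitly rather than the generic "stable".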
diff -Nru python-httplib2-0.7.4/debian/patches/series python-httplib2-0.7.4/debian/patches/series
--- python-httplib2-0.7.4/debian/patches/series	2012-05-27 12:06:12.000000000 +0200
+++ python-httplib2-0.7.4/debian/patches/series	2013-08-16 22:31:32.000000000 +0200
@@ -1,2 +1,3 @@
 use_system_cacerts.patch
 egg-info.patch
+ssl-mismatch-check.patch
diff -Nru python-httplib2-0.7.4/debian/patches/ssl-mismatch-check.patch python-httplib2-0.7.4/debian/patches/ssl-mismatch-check.patch
--- python-httplib2-0.7.4/debian/patches/ssl-mismatch-check.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-httplib2-0.7.4/debian/patches/ssl-mismatch-check.patch	2013-08-16 22:31:27.000000000 +0200
@@ -0,0 +1,25 @@
+Description: Close connection on certificate mismatch to avoid reuse
+Author: Roman Podolyaka <rpodolyaka...mirantis.com>
+Forwarded: https://code.google.com/p/httplib2/issues/detail?id=282
+
+diff -r 93291649202b python2/httplib2/__init__.py
+--- a/python2/httplib2/__init__.py	Tue Mar 26 14:17:48 2013 -0400
++++ b/python2/httplib2/__init__.py	Tue Apr 23 10:32:15 2013 +0300
+@@ -1030,7 +1030,7 @@
+                         raise CertificateHostnameMismatch(
+                             'Server presented certificate that does not match '
+                             'host %s: %s' % (hostname, cert), hostname, cert)
+-            except ssl_SSLError, e:
++            except (ssl_SSLError, CertificateHostnameMismatch), e:
+                 if sock:
+                     sock.close()
+                 if self.sock:
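Review bot: the reset that makes the next request reconnect lies outside this hunk (the context stops at `if self.sock:`), so confirm that the unchanged lines that follow still close `self.sock` and set it to None on the newly caught `CertificateHostnameMismatch`; httplib's send() only calls connect() again when sock is None, and a socket left assigned is exactly what let the second request in #706602 go through unchecked. On the DEP-3 header above: it names the upstream issue under Forwarded: but has no `Bug-Debian: http://bugs.debian.org/706602` line, and since the hunks are upstream's own change (changeset 93291649202b is visible in the inner diff header) an `Origin: upstream, <changeset URL>` line would document where the fix came from.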
+@@ -1040,7 +1040,7 @@
+                 # to get at more detailed error information, in particular
+                 # whether the error is due to certificate validation or
+                 # something else (such as SSL protocol mismatch).
+-                if e.errno == ssl.SSL_ERROR_SSL:
++                if hasattr(e, 'errno') and e.errno == ssl.SSL_ERROR_SSL:
+                     raise SSLHandshakeError(e)
+                 else:
+                     raise
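Review bot: `hasattr(e, 'errno')` is a duck-typed guard for the one extra exception type the widened except clause admits; `isinstance(e, ssl_SSLError)` states the intent directly and guarantees a `CertificateHostnameMismatch` is never wrapped in SSLHandshakeError even if it later gains an errno attribute. With either form the else branch now re-raises the mismatch only after the socket has been torn down, which is the observable behaviour the test transcript depends on: a second CertificateHostnameMismatch instead of a silent reuse of the unvalidated connection.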

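The reuse-after-mismatch behaviour described in the report above, modelled as an added example (my own Python 3 code, not httplib2's and not part of the Debian package): a stand-in for httplib2's HTTPSConnectionWithTimeout that stores the TLS socket in `self.sock` before the hostname check, the way 0.7.4 does, so a failed check leaves a live connection that the next request reuses. The certificate dict, the host names and the `FakeTLSSocket` class are constructed for the example; the matcher keeps httplib2's SAN-then-commonName precedence but is a simplified reimplementation, not the library's `_ValidateCertificateHostname`.

```python
import re

# Constructed sample certificate in the dict shape ssl.SSLSocket.getpeercert()
# returns; the names are made up for this example.
STAGE_CERT = {
    'subject': ((('commonName', 'www.example.com'),),),
    'subjectAltName': (('DNS', 'www.example.com'), ('DNS', '*.example.com')),
}


class CertificateHostnameMismatch(Exception):
    """Same role as httplib2's exception of the same name."""
    def __init__(self, desc, host, cert):
        Exception.__init__(self, desc)
        self.host = host
        self.cert = cert


def valid_hosts_for_cert(cert):
    """DNS SANs if any are present, otherwise the subject commonName."""
    sans = [v for (k, v) in cert.get('subjectAltName', ()) if k.lower() == 'dns']
    if sans:
        return sans
    return [v for rdn in cert.get('subject', ())
            for (k, v) in rdn if k.lower() == 'commonname']


def hostname_matches(cert, hostname):
    """Case-insensitive match; a wildcard may only replace the leftmost label."""
    for pattern in valid_hosts_for_cert(cert):
        labels = pattern.split('.')
        if '*' in pattern and (labels[0] != '*' or len(labels) < 3):
            continue  # reject "*.com" and "foo*.example.com" style patterns
        regex = '^' + re.escape(pattern).replace(r'\*', '[^.]+') + '$'
        if re.match(regex, hostname, re.IGNORECASE):
            return True
    return False


class FakeTLSSocket:
    """Stands in for the socket ssl.wrap_socket() returns; no network I/O."""
    def __init__(self, peer_cert):
        self.peer_cert = peer_cert
        self.closed = False

    def getpeercert(self):
        return self.peer_cert

    def close(self):
        self.closed = True


class HTTPSConnection:
    """Models the connect()/request() flow of httplib2's HTTPS connection.

    close_on_mismatch=False reproduces 0.7.4 (CVE-2013-2037): the socket is
    stored in self.sock before the hostname check, so a failed check leaves a
    live connection that later requests reuse without re-checking.
    close_on_mismatch=True reproduces the behaviour after ssl-mismatch-check.patch.
    """
    def __init__(self, host, server_cert, close_on_mismatch):
        self.host = host
        self.server_cert = server_cert      # what the fake server will present
        self.close_on_mismatch = close_on_mismatch
        self.sock = None
        self.handshakes = 0                 # how many TLS connections were made

    def connect(self):
        self.handshakes += 1
        sock = FakeTLSSocket(self.server_cert)  # socket.connect() + wrap_socket()
        try:
            self.sock = sock  # assigned before validation, as in 0.7.4
            if not hostname_matches(sock.getpeercert(), self.host):
                raise CertificateHostnameMismatch(
                    'Server presented certificate that does not match host %s'
                    % self.host, self.host, sock.getpeercert())
        except CertificateHostnameMismatch:
            if self.close_on_mismatch:
                sock.close()
                self.sock = None    # forces a fresh connect() next time
            raise

    def request(self):
        # httplib's send() only calls connect() when no socket is stored.
        if self.sock is None:
            self.connect()
        return 'response from %s' % self.host


def run_requests(conn, count):
    """Issue `count` requests, recording 'ok' or 'mismatch' for each."""
    outcomes = []
    for _ in range(count):
        try:
            conn.request()
            outcomes.append('ok')
        except CertificateHostnameMismatch:
            outcomes.append('mismatch')
    return outcomes


if __name__ == '__main__':
    vuln = HTTPSConnection('api.stage-01.example.net', STAGE_CERT, close_on_mismatch=False)
    print('0.7.4:  ', run_requests(vuln, 2), 'handshakes:', vuln.handshakes)
    fixed = HTTPSConnection('api.stage-01.example.net', STAGE_CERT, close_on_mismatch=True)
    print('patched:', run_requests(fixed, 2), 'handshakes:', fixed.handshakes)
```

With `close_on_mismatch=False` the second request succeeds over the connection whose certificate was already rejected, and only one handshake ever happens; with `close_on_mismatch=True` every request reconnects and fails again, which is the outcome the test transcript in the report shows.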