Skip to content

[3.9] gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw#108320

Merged
ambv merged 1 commit intopython:3.9from
ambv:cve-2023-40217-3.9
Aug 22, 2023
Merged

[3.9] gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw#108320
ambv merged 1 commit intopython:3.9from
ambv:cve-2023-40217-3.9

Conversation

@ambv
Copy link
Contributor

@ambv ambv commented Aug 22, 2023
edited by bedevere-bot
Loading

Instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data.

The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred.

@ambv @gpshead
pythongh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-cl…
fc26281 
…ose flaw

Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake
and included protections (like certificate verification) and treating sent
unencrypted data as if it were post-handshake TLS encrypted data.

The vulnerability is caused when a socket is connected, data is sent by the
malicious peer and stored in a buffer, and then the malicious peer closes the
socket within a small timing window before the other peers’ TLS handshake can
begin. After this sequence of events the closed socket will not immediately
attempt a TLS handshake due to not being connected but will also allow the
buffered data to be read as if a successful TLS handshake had occurred.

Co-Authored-By: Gregory P. Smith [Google LLC] <[email protected]>
@ambv ambv requested a review from tiran as a code owner August 22, 2023 17:01
@bedevere-bot bedevere-bot mentioned this pull request Aug 22, 2023
Closed
2 tasks
@ambv ambv merged commit 264b1da into python:3.9 Aug 22, 2023
@ambv ambv deleted the cve-2023-40217-3.9 branch August 22, 2023 18:00
@bedevere-bot
Copy link

bedevere-bot commented Aug 22, 2023

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot AMD64 RHEL7 LTO + PGO 3.9 has failed when building commit 264b1da.

What do you need to do:

  1. Don't panic.
  2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
  3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/240/builds/601) and take a look at the build logs.
  4. Check if the failure is related to this commit (264b1da) or if it is a false positive.
  5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/240/builds/601

Failed tests:

  • test_ssl

Failed subtests:

  • test_preauth_data_to_tls_client - test.test_ssl.TestPreHandshakeClose

Summary of the results of the build (if available):

== Tests result: FAILURE then FAILURE ==

411 tests OK.

10 slowest tests:

  • test_concurrent_futures: 2 min 20 sec
  • test_multiprocessing_spawn: 1 min 31 sec
  • test_multiprocessing_forkserver: 1 min 13 sec
  • test_multiprocessing_fork: 1 min 5 sec
  • test_signal: 46.6 sec
  • test_asyncio: 44.7 sec
  • test_io: 33.0 sec
  • test_pydoc: 31.4 sec
  • test_imaplib: 29.7 sec
  • test_tokenize: 27.7 sec

1 test failed:
test_ssl

13 tests skipped:
test_devpoll test_gdb test_ioctl test_kqueue test_msilib
test_startfile test_tix test_tk test_ttk_guionly test_winconsoleio
test_winreg test_winsound test_zipfile64

1 re-run test:
test_ssl

Total duration: 2 min 28 sec

Click to see traceback logs 
Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL7-x86_64.lto-pgo/build/Lib/multiprocessing/resource_tracker.py", line 201, in main
    cache[rtype].remove(name)
KeyError: '/psm_8cbe36b6'


Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL7-x86_64.lto-pgo/build/Lib/multiprocessing/resource_tracker.py", line 201, in main
    cache[rtype].remove(name)
KeyError: '/psm_973e3686'


Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL7-x86_64.lto-pgo/build/Lib/multiprocessing/resource_tracker.py", line 201, in main
    cache[rtype].remove(name)
KeyError: '/psm_377fe0cd'


Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL7-x86_64.lto-pgo/build/Lib/test/test_ssl.py", line 4988, in test_preauth_data_to_tls_client
    client.connect(server.listener.getsockname())
ConnectionResetError: [Errno 104] Connection reset by peer

@bedevere-bot
Copy link

bedevere-bot commented Aug 22, 2023

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot ARM64 macOS 3.9 has failed when building commit 264b1da.

What do you need to do:

  1. Don't panic.
  2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
  3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/726/builds/400) and take a look at the build logs.
  4. Check if the failure is related to this commit (264b1da) or if it is a false positive.
  5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/726/builds/400

Failed tests:

  • test_asyncio

Failed subtests:

  • test_create_ssl_connection - test.test_asyncio.test_events.KqueueEventLoopTests
  • test_create_ssl_unix_connection - test.test_asyncio.test_events.SelectEventLoopTests
  • test_create_ssl_unix_connection - test.test_asyncio.test_events.PollEventLoopTests
  • test_create_ssl_unix_connection - test.test_asyncio.test_events.KqueueEventLoopTests
  • test_create_ssl_connection - test.test_asyncio.test_events.SelectEventLoopTests
  • test_create_ssl_connection - test.test_asyncio.test_events.PollEventLoopTests

Summary of the results of the build (if available):

== Tests result: FAILURE then FAILURE ==

405 tests OK.

10 slowest tests:

  • test_concurrent_futures: 2 min 58 sec
  • test_multiprocessing_spawn: 2 min 34 sec
  • test_multiprocessing_forkserver: 1 min 51 sec
  • test_unparse: 1 min 33 sec
  • test_tokenize: 1 min 28 sec
  • test_capi: 1 min 7 sec
  • test_lib2to3: 58.7 sec
  • test_asyncio: 58.3 sec
  • test_unicodedata: 54.0 sec
  • test_logging: 49.1 sec

1 test failed:
test_asyncio

16 tests skipped:
test_devpoll test_epoll test_gdb test_ioctl test_msilib
test_multiprocessing_fork test_ossaudiodev test_spwd
test_startfile test_tix test_tk test_ttk_guionly test_winconsoleio
test_winreg test_winsound test_zipfile64

1 re-run test:
test_asyncio

Total duration: 8 min 53 sec

Click to see traceback logs 
Traceback (most recent call last):
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/multiprocessing/resource_tracker.py", line 201, in main
    cache[rtype].remove(name)
KeyError: '/psm_452cdc06'


Traceback (most recent call last):
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/test/test_asyncio/test_events.py", line 617, in test_create_ssl_connection
    self._test_create_ssl_connection(httpd, create_connection,
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/test/test_asyncio/test_events.py", line 605, in _test_create_ssl_connection
    self._basetest_create_ssl_connection(conn_fut, check_sockname,
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/test/test_asyncio/test_events.py", line 564, in _basetest_create_ssl_connection
    tr, pr = self.loop.run_until_complete(connection_fut)
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/asyncio/base_events.py", line 647, in run_until_complete
    return future.result()
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/asyncio/base_events.py", line 1090, in create_connection
    transport, protocol = await self._create_connection_transport(
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/asyncio/base_events.py", line 1120, in _create_connection_transport
    await waiter
ConnectionResetError


Traceback (most recent call last):
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/multiprocessing/resource_tracker.py", line 201, in main
    cache[rtype].remove(name)
KeyError: '/psm_ac85ba1a'


Traceback (most recent call last):
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/test/test_asyncio/test_events.py", line 633, in test_create_ssl_unix_connection
    self._test_create_ssl_connection(httpd, create_connection,
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/test/test_asyncio/test_events.py", line 605, in _test_create_ssl_connection
    self._basetest_create_ssl_connection(conn_fut, check_sockname,
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/test/test_asyncio/test_events.py", line 564, in _basetest_create_ssl_connection
    tr, pr = self.loop.run_until_complete(connection_fut)
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/asyncio/base_events.py", line 647, in run_until_complete
    return future.result()
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/asyncio/unix_events.py", line 258, in create_unix_connection
    transport, protocol = await self._create_connection_transport(
  File "/Users/buildbot/buildarea/3.9.pablogsal-macos-m1.macos-with-brew/build/Lib/asyncio/base_events.py", line 1120, in _create_connection_transport
    await waiter
ConnectionResetError

@bedevere-bot
Copy link

bedevere-bot commented Aug 22, 2023

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot AMD64 RHEL7 LTO 3.9 has failed when building commit 264b1da.

What do you need to do:

  1. Don't panic.
  2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
  3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/412/builds/601) and take a look at the build logs.
  4. Check if the failure is related to this commit (264b1da) or if it is a false positive.
  5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/412/builds/601

Failed tests:

  • test_ssl

Failed subtests:

  • test_preauth_data_to_tls_client - test.test_ssl.TestPreHandshakeClose

Summary of the results of the build (if available):

== Tests result: FAILURE then FAILURE ==

412 tests OK.

10 slowest tests:

  • test_concurrent_futures: 2 min 20 sec
  • test_multiprocessing_spawn: 1 min 33 sec
  • test_gdb: 1 min 31 sec
  • test_multiprocessing_forkserver: 1 min 15 sec
  • test_multiprocessing_fork: 1 min 4 sec
  • test_signal: 46.7 sec
  • test_asyncio: 44.9 sec
  • test_peg_generator: 40.9 sec
  • test_io: 34.0 sec
  • test_pydoc: 31.3 sec

1 test failed:
test_ssl

12 tests skipped:
test_devpoll test_ioctl test_kqueue test_msilib test_startfile
test_tix test_tk test_ttk_guionly test_winconsoleio test_winreg
test_winsound test_zipfile64

1 re-run test:
test_ssl

Total duration: 2 min 52 sec

Click to see traceback logs 
Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL7-x86_64.lto/build/Lib/test/test_ssl.py", line 4988, in test_preauth_data_to_tls_client
    client.connect(server.listener.getsockname())
ConnectionResetError: [Errno 104] Connection reset by peer


Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL7-x86_64.lto/build/Lib/multiprocessing/resource_tracker.py", line 201, in main
    cache[rtype].remove(name)
KeyError: '/psm_ed5fa457'


Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL7-x86_64.lto/build/Lib/multiprocessing/resource_tracker.py", line 201, in main
    cache[rtype].remove(name)
KeyError: '/psm_bb406249'


Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL7-x86_64.lto/build/Lib/multiprocessing/resource_tracker.py", line 201, in main
    cache[rtype].remove(name)
KeyError: '/psm_bff6d2ad'

@bedevere-bot
Copy link

bedevere-bot commented Aug 22, 2023

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot AMD64 RHEL8 FIPS Only Blake2 Builtin Hash 3.9 has failed when building commit 264b1da.

What do you need to do:

  1. Don't panic.
  2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
  3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/382/builds/638) and take a look at the build logs.
  4. Check if the failure is related to this commit (264b1da) or if it is a false positive.
  5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/382/builds/638

Failed tests:

  • test_socket

Failed subtests:

  • test_hmac_sha1 - test.test_socket.LinuxKernelCryptoAPI

Summary of the results of the build (if available):

== Tests result: FAILURE then FAILURE ==

412 tests OK.

10 slowest tests:

  • test_gdb: 6 min 53 sec
  • test_concurrent_futures: 2 min 56 sec
  • test_capi: 2 min 1 sec
  • test_multiprocessing_spawn: 1 min 48 sec
  • test_asyncio: 1 min 41 sec
  • test_unparse: 1 min 22 sec
  • test_multiprocessing_forkserver: 1 min 18 sec
  • test_tokenize: 1 min 15 sec
  • test_peg_generator: 1 min 2 sec
  • test_multiprocessing_fork: 1 min 1 sec

1 test failed:
test_socket

12 tests skipped:
test_devpoll test_ioctl test_kqueue test_msilib test_startfile
test_tix test_tk test_ttk_guionly test_winconsoleio test_winreg
test_winsound test_zipfile64

1 re-run test:
test_socket

Total duration: 12 min 27 sec

Click to see traceback logs 
Traceback (most recent call last):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-fips-x86_64.no-builtin-hashes-except-blake2/build/Lib/test/test_socket.py", line 6268, in test_hmac_sha1
    algo.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, b"Jefe")
OSError: [Errno 22] Invalid argument

@bedevere-bot
Copy link

bedevere-bot commented Aug 22, 2023

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot PPC64LE RHEL8 3.9 has failed when building commit 264b1da.

What do you need to do:

  1. Don't panic.
  2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
  3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/250/builds/537) and take a look at the build logs.
  4. Check if the failure is related to this commit (264b1da) or if it is a false positive.
  5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/250/builds/537

Failed tests:

  • test_gdb

Summary of the results of the build (if available):

==

Click to see traceback logs 
remote: Enumerating objects: 3481, done.        
remote: Counting objects:   0% (1/2076)        
remote: Counting objects:   1% (21/2076)        
remote: Counting objects:   2% (42/2076)        
remote: Counting objects:   3% (63/2076)        
remote: Counting objects:   4% (84/2076)        
remote: Counting objects:   5% (104/2076)        
remote: Counting objects:   6% (125/2076)        
remote: Counting objects:   7% (146/2076)        
remote: Counting objects:   8% (167/2076)        
remote: Counting objects:   9% (187/2076)        
remote: Counting objects:  10% (208/2076)        
remote: Counting objects:  11% (229/2076)        
remote: Counting objects:  12% (250/2076)        
remote: Counting objects:  13% (270/2076)        
remote: Counting objects:  14% (291/2076)        
remote: Counting objects:  15% (312/2076)        
remote: Counting objects:  16% (333/2076)        
remote: Counting objects:  17% (353/2076)        
remote: Counting objects:  18% (374/2076)        
remote: Counting objects:  19% (395/2076)        
remote: Counting objects:  20% (416/2076)        
remote: Counting objects:  21% (436/2076)        
remote: Counting objects:  22% (457/2076)        
remote: Counting objects:  23% (478/2076)        
remote: Counting objects:  24% (499/2076)        
remote: Counting objects:  25% (519/2076)        
remote: Counting objects:  26% (540/2076)        
remote: Counting objects:  27% (561/2076)        
remote: Counting objects:  28% (582/2076)        
remote: Counting objects:  29% (603/2076)        
remote: Counting objects:  30% (623/2076)        
remote: Counting objects:  31% (644/2076)        
remote: Counting objects:  32% (665/2076)        
remote: Counting objects:  33% (686/2076)        
remote: Counting objects:  34% (706/2076)        
remote: Counting objects:  35% (727/2076)        
remote: Counting objects:  36% (748/2076)        
remote: Counting objects:  37% (769/2076)        
remote: Counting objects:  38% (789/2076)        
remote: Counting objects:  39% (810/2076)        
remote: Counting objects:  40% (831/2076)        
remote: Counting objects:  41% (852/2076)        
remote: Counting objects:  42% (872/2076)        
remote: Counting objects:  43% (893/2076)        
remote: Counting objects:  44% (914/2076)        
remote: Counting objects:  45% (935/2076)        
remote: Counting objects:  46% (955/2076)        
remote: Counting objects:  47% (976/2076)        
remote: Counting objects:  48% (997/2076)        
remote: Counting objects:  49% (1018/2076)        
remote: Counting objects:  50% (1038/2076)        
remote: Counting objects:  51% (1059/2076)        
remote: Counting objects:  52% (1080/2076)        
remote: Counting objects:  53% (1101/2076)        
remote: Counting objects:  54% (1122/2076)        
remote: Counting objects:  55% (1142/2076)        
remote: Counting objects:  56% (1163/2076)        
remote: Counting objects:  57% (1184/2076)        
remote: Counting objects:  58% (1205/2076)        
remote: Counting objects:  59% (1225/2076)        
remote: Counting objects:  60% (1246/2076)        
remote: Counting objects:  61% (1267/2076)        
remote: Counting objects:  62% (1288/2076)        
remote: Counting objects:  63% (1308/2076)        
remote: Counting objects:  64% (1329/2076)        
remote: Counting objects:  65% (1350/2076)        
remote: Counting objects:  66% (1371/2076)        
remote: Counting objects:  67% (1391/2076)        
remote: Counting objects:  68% (1412/2076)        
remote: Counting objects:  69% (1433/2076)        
remote: Counting objects:  70% (1454/2076)        
remote: Counting objects:  71% (1474/2076)        
remote: Counting objects:  72% (1495/2076)        
remote: Counting objects:  73% (1516/2076)        
remote: Counting objects:  74% (1537/2076)        
remote: Counting objects:  75% (1557/2076)        
remote: Counting objects:  76% (1578/2076)        
remote: Counting objects:  77% (1599/2076)        
remote: Counting objects:  78% (1620/2076)        
remote: Counting objects:  79% (1641/2076)        
remote: Counting objects:  80% (1661/2076)        
remote: Counting objects:  81% (1682/2076)        
remote: Counting objects:  82% (1703/2076)        
remote: Counting objects:  83% (1724/2076)        
remote: Counting objects:  84% (1744/2076)        
remote: Counting objects:  85% (1765/2076)        
remote: Counting objects:  86% (1786/2076)        
remote: Counting objects:  87% (1807/2076)        
remote: Counting objects:  88% (1827/2076)        
remote: Counting objects:  89% (1848/2076)        
remote: Counting objects:  90% (1869/2076)        
remote: Counting objects:  91% (1890/2076)        
remote: Counting objects:  92% (1910/2076)        
remote: Counting objects:  93% (1931/2076)        
remote: Counting objects:  94% (1952/2076)        
remote: Counting objects:  95% (1973/2076)        
remote: Counting objects:  96% (1993/2076)        
remote: Counting objects:  97% (2014/2076)        
remote: Counting objects:  98% (2035/2076)        
remote: Counting objects:  99% (2056/2076)        
remote: Counting objects: 100% (2076/2076)        
remote: Counting objects: 100% (2076/2076), done.        
remote: Compressing objects:  33% (1/3)        
remote: Compressing objects:  66% (2/3)        
remote: Compressing objects: 100% (3/3)        
remote: Compressing objects: 100% (3/3), done.        
Receiving objects:   0% (1/3481)
Receiving objects:   1% (35/3481)
Receiving objects:   2% (70/3481)
Receiving objects:   3% (105/3481)
Receiving objects:   4% (140/3481)
Receiving objects:   5% (175/3481)
Receiving objects:   6% (209/3481)
Receiving objects:   7% (244/3481)
Receiving objects:   8% (279/3481)
Receiving objects:   9% (314/3481)
Receiving objects:  10% (349/3481)
Receiving objects:  11% (383/3481)
Receiving objects:  12% (418/3481)
Receiving objects:  13% (453/3481)
Receiving objects:  14% (488/3481)
Receiving objects:  15% (523/3481)
Receiving objects:  16% (557/3481)
Receiving objects:  17% (592/3481)
Receiving objects:  18% (627/3481)
Receiving objects:  19% (662/3481)
Receiving objects:  20% (697/3481)
Receiving objects:  21% (732/3481)
Receiving objects:  22% (766/3481)
Receiving objects:  23% (801/3481)
Receiving objects:  24% (836/3481)
Receiving objects:  25% (871/3481)
Receiving objects:  26% (906/3481)
Receiving objects:  27% (940/3481)
Receiving objects:  28% (975/3481)
Receiving objects:  29% (1010/3481)
Receiving objects:  30% (1045/3481)
Receiving objects:  31% (1080/3481)
Receiving objects:  32% (1114/3481)
Receiving objects:  33% (1149/3481)
Receiving objects:  34% (1184/3481)
Receiving objects:  35% (1219/3481)
Receiving objects:  36% (1254/3481)
Receiving objects:  37% (1288/3481)
Receiving objects:  38% (1323/3481)
Receiving objects:  39% (1358/3481)
Receiving objects:  40% (1393/3481)
Receiving objects:  41% (1428/3481)
Receiving objects:  42% (1463/3481)
Receiving objects:  43% (1497/3481)
Receiving objects:  44% (1532/3481)
Receiving objects:  45% (1567/3481)
Receiving objects:  46% (1602/3481)
Receiving objects:  47% (1637/3481)
Receiving objects:  48% (1671/3481)
Receiving objects:  49% (1706/3481)
Receiving objects:  50% (1741/3481)
Receiving objects:  51% (1776/3481)
Receiving objects:  52% (1811/3481)
Receiving objects:  53% (1845/3481)
Receiving objects:  54% (1880/3481)
Receiving objects:  55% (1915/3481)
Receiving objects:  56% (1950/3481)
Receiving objects:  57% (1985/3481)
Receiving objects:  58% (2019/3481)
Receiving objects:  59% (2054/3481)
Receiving objects:  60% (2089/3481)
Receiving objects:  61% (2124/3481)
Receiving objects:  62% (2159/3481)
Receiving objects:  63% (2194/3481)
Receiving objects:  64% (2228/3481)
Receiving objects:  65% (2263/3481)
Receiving objects:  66% (2298/3481)
Receiving objects:  67% (2333/3481)
Receiving objects:  68% (2368/3481)
Receiving objects:  69% (2402/3481)
Receiving objects:  70% (2437/3481)
Receiving objects:  71% (2472/3481)
Receiving objects:  72% (2507/3481)
Receiving objects:  73% (2542/3481)
Receiving objects:  74% (2576/3481)
Receiving objects:  75% (2611/3481)
Receiving objects:  76% (2646/3481)
Receiving objects:  77% (2681/3481)
Receiving objects:  78% (2716/3481)
Receiving objects:  79% (2750/3481)
Receiving objects:  80% (2785/3481)
Receiving objects:  81% (2820/3481)
Receiving objects:  82% (2855/3481)
Receiving objects:  83% (2890/3481)
Receiving objects:  84% (2925/3481)
Receiving objects:  85% (2959/3481)
Receiving objects:  86% (2994/3481)
Receiving objects:  87% (3029/3481)
Receiving objects:  88% (3064/3481)
Receiving objects:  89% (3099/3481)
Receiving objects:  90% (3133/3481)
Receiving objects:  91% (3168/3481)
Receiving objects:  92% (3203/3481)
Receiving objects:  93% (3238/3481)
Receiving objects:  94% (3273/3481)
remote: Total 3481 (delta 2073), reused 2073 (delta 2073), pack-reused 1405        
Receiving objects:  95% (3307/3481)
Receiving objects:  96% (3342/3481)
Receiving objects:  97% (3377/3481)
Receiving objects:  98% (3412/3481)
Receiving objects:  99% (3447/3481)
Receiving objects: 100% (3481/3481)
Receiving objects: 100% (3481/3481), 5.93 MiB | 13.97 MiB/s, done.
Resolving deltas:   0% (0/2709)
Resolving deltas:   1% (28/2709)
Resolving deltas:   2% (55/2709)
Resolving deltas:   3% (82/2709)
Resolving deltas:   4% (109/2709)
Resolving deltas:   5% (136/2709)
Resolving deltas:   6% (164/2709)
Resolving deltas:   7% (190/2709)
Resolving deltas:   8% (217/2709)
Resolving deltas:   9% (244/2709)
Resolving deltas:  10% (271/2709)
Resolving deltas:  11% (298/2709)
Resolving deltas:  12% (326/2709)
Resolving deltas:  13% (354/2709)
Resolving deltas:  14% (381/2709)
Resolving deltas:  15% (407/2709)
Resolving deltas:  16% (434/2709)
Resolving deltas:  17% (461/2709)
Resolving deltas:  18% (488/2709)
Resolving deltas:  19% (516/2709)
Resolving deltas:  20% (542/2709)
Resolving deltas:  21% (569/2709)
Resolving deltas:  22% (596/2709)
Resolving deltas:  23% (624/2709)
Resolving deltas:  24% (651/2709)
Resolving deltas:  25% (678/2709)
Resolving deltas:  26% (705/2709)
Resolving deltas:  27% (732/2709)
Resolving deltas:  28% (759/2709)
Resolving deltas:  29% (786/2709)
Resolving deltas:  30% (813/2709)
Resolving deltas:  31% (840/2709)
Resolving deltas:  32% (867/2709)
Resolving deltas:  33% (894/2709)
Resolving deltas:  34% (922/2709)
Resolving deltas:  35% (949/2709)
Resolving deltas:  36% (976/2709)
Resolving deltas:  37% (1003/2709)
Resolving deltas:  38% (1030/2709)
Resolving deltas:  39% (1057/2709)
Resolving deltas:  40% (1084/2709)
Resolving deltas:  41% (1111/2709)
Resolving deltas:  42% (1138/2709)
Resolving deltas:  43% (1165/2709)
Resolving deltas:  44% (1192/2709)
Resolving deltas:  45% (1220/2709)
Resolving deltas:  46% (1247/2709)
Resolving deltas:  47% (1274/2709)
Resolving deltas:  48% (1301/2709)
Resolving deltas:  49% (1328/2709)
Resolving deltas:  50% (1355/2709)
Resolving deltas:  51% (1382/2709)
Resolving deltas:  52% (1409/2709)
Resolving deltas:  53% (1436/2709)
Resolving deltas:  54% (1463/2709)
Resolving deltas:  55% (1490/2709)
Resolving deltas:  56% (1518/2709)
Resolving deltas:  57% (1545/2709)
Resolving deltas:  58% (1572/2709)
Resolving deltas:  59% (1599/2709)
Resolving deltas:  60% (1626/2709)
Resolving deltas:  61% (1653/2709)
Resolving deltas:  62% (1680/2709)
Resolving deltas:  63% (1707/2709)
Resolving deltas:  64% (1734/2709)
Resolving deltas:  65% (1761/2709)
Resolving deltas:  66% (1788/2709)
Resolving deltas:  67% (1816/2709)
Resolving deltas:  68% (1843/2709)
Resolving deltas:  69% (1870/2709)
Resolving deltas:  69% (1880/2709)
Resolving deltas:  70% (1897/2709)
Resolving deltas:  71% (1924/2709)
Resolving deltas:  72% (1951/2709)
Resolving deltas:  72% (1958/2709)
Resolving deltas:  73% (1978/2709)
Resolving deltas:  74% (2005/2709)
Resolving deltas:  75% (2032/2709)
Resolving deltas:  75% (2036/2709)
Resolving deltas:  76% (2059/2709)
Resolving deltas:  77% (2086/2709)
Resolving deltas:  78% (2114/2709)
Resolving deltas:  79% (2141/2709)
Resolving deltas:  80% (2168/2709)
Resolving deltas:  81% (2195/2709)
Resolving deltas:  82% (2222/2709)
Resolving deltas:  83% (2249/2709)
Resolving deltas:  84% (2276/2709)
Resolving deltas:  85% (2303/2709)
Resolving deltas:  85% (2325/2709)
Resolving deltas:  86% (2330/2709)
Resolving deltas:  87% (2357/2709)
Resolving deltas:  88% (2384/2709)
Resolving deltas:  89% (2412/2709)
Resolving deltas:  90% (2439/2709)
Resolving deltas:  91% (2466/2709)
Resolving deltas:  91% (2475/2709)
Resolving deltas:  92% (2493/2709)
Resolving deltas:  93% (2520/2709)
Resolving deltas:  94% (2547/2709)
Resolving deltas:  95% (2574/2709)
Resolving deltas:  96% (2601/2709)
Resolving deltas:  97% (2628/2709)
Resolving deltas:  98% (2655/2709)
Resolving deltas:  99% (2682/2709)
Resolving deltas: 100% (2709/2709)
Resolving deltas: 100% (2709/2709), completed with 712 local objects.
From https://github.com/python/cpython
 * branch                  3.9        -> FETCH_HEAD
 * [new tag]               3.7        -> 3.7
 * [new tag]               v3.12.0b3  -> v3.12.0b3
 * [new tag]               v3.12.0b4  -> v3.12.0b4
 * [new tag]               v3.12.0rc1 -> v3.12.0rc1
Note: switching to '264b1dacc67346efa0933d1e63f622676e0ed96b'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at 264b1dacc6 [3.9] gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw (#108320)
Switched to and reset branch '3.9'

configure: WARNING: unrecognized options: --without-static-libpython
configure: WARNING: unrecognized options: --without-static-libpython

../Modules/_threadmodule.c: In function ‘local_clear’:
../Modules/_threadmodule.c:812:20: warning: unused variable ‘tstate’ [-Wunused-variable]
     PyThreadState *tstate;
                    ^~~~~~

test_msilib skipped -- No module named '_msi'
test_startfile skipped -- object <module 'os' from '/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/build_oot/../Lib/os.py'> has no attribute 'startfile'
test_kqueue skipped -- test works only on BSD
test_ioctl skipped -- Unable to open /dev/tty
test_winsound skipped -- No module named 'winsound'
test_winreg skipped -- No module named 'winreg'
test_tk skipped -- Tk unavailable due to TclError: no display name and no $DISPLAY environment variab [...]
test_winconsoleio skipped -- test only relevant on win32
test_flock (__main__.FNTLEINTRTest) ... ok
test_lockf (__main__.FNTLEINTRTest) ... ok
test_read (__main__.OSEINTRTest) ... ok
test_wait (__main__.OSEINTRTest) ... ok
test_wait3 (__main__.OSEINTRTest) ... ok
test_wait4 (__main__.OSEINTRTest) ... ok
test_waitpid (__main__.OSEINTRTest) ... ok
test_write (__main__.OSEINTRTest) ... ok
test_devpoll (__main__.SelectEINTRTest) ... skipped 'need select.devpoll'
test_epoll (__main__.SelectEINTRTest) ... ok
test_kqueue (__main__.SelectEINTRTest) ... skipped 'need select.kqueue'
test_poll (__main__.SelectEINTRTest) ... ok
test_select (__main__.SelectEINTRTest) ... ok
test_sigtimedwait (__main__.SignalEINTRTest) ... ok
test_sigwaitinfo (__main__.SignalEINTRTest) ... ok
test_accept (__main__.SocketEINTRTest) ... ok
test_open (__main__.SocketEINTRTest) ... ok
test_os_open (__main__.SocketEINTRTest) ... ok
test_recv (__main__.SocketEINTRTest) ... ok
test_recvmsg (__main__.SocketEINTRTest) ... ok
test_send (__main__.SocketEINTRTest) ... ok
test_sendall (__main__.SocketEINTRTest) ... ok
test_sendmsg (__main__.SocketEINTRTest) ... ok
test_sleep (__main__.TimeEINTRTest) ... ok

----------------------------------------------------------------------
Ran 24 tests in 10.625s

OK (skipped=2)
test_ttk_guionly skipped -- Tk unavailable due to TclError: no display name and no $DISPLAY environment variab [...]
test_zipfile64 skipped -- test requires loads of disk-space bytes and a long time to run
test_tix skipped -- Tk unavailable due to TclError: no display name and no $DISPLAY environment variab [...]
test_devpoll skipped -- test works only on Solaris OS family
<string>:2: PendingDeprecationWarning: lib2to3 package is deprecated and may not be able to parse Python 3.10+
Timeout (0:15:00)!
Thread 0x00007fffa3cf5320 (most recent call first):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/selectors.py", line 416 in select
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/subprocess.py", line 1995 in _communicate
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/subprocess.py", line 1134 in communicate
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/test_gdb.py", line 112 in run_gdb
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/test_gdb.py", line 226 in get_stack_trace
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/test_gdb.py", line 909 in test_pycfunction
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/case.py", line 550 in _callTestMethod
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/case.py", line 592 in run
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/case.py", line 651 in __call__
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 122 in run
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 84 in __call__
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 122 in run
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 84 in __call__
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 122 in run
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 84 in __call__
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/runner.py", line 184 in run
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/support/__init__.py", line 1850 in _run_suite
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/support/__init__.py", line 1974 in run_unittest
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest.py", line 263 in _test_module
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest.py", line 288 in _runtest_inner2
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest.py", line 326 in _runtest_inner
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest.py", line 204 in _runtest
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest.py", line 247 in runtest
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest_mp.py", line 83 in run_tests_worker
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/main.py", line 692 in _main
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/main.py", line 672 in main
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/main.py", line 733 in main
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/regrtest.py", line 43 in _main
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/regrtest.py", line 47 in <module>
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/runpy.py", line 87 in _run_code
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/runpy.py", line 197 in _run_module_as_main
Timeout (0:15:00)!
Thread 0x00007fff9e8e5320 (most recent call first):
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/selectors.py", line 416 in select
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/subprocess.py", line 1995 in _communicate
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/subprocess.py", line 1134 in communicate
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/test_gdb.py", line 112 in run_gdb
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/test_gdb.py", line 226 in get_stack_trace
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/test_gdb.py", line 909 in test_pycfunction
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/case.py", line 550 in _callTestMethod
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/case.py", line 592 in run
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/case.py", line 651 in __call__
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 122 in run
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 84 in __call__
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 122 in run
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 84 in __call__
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 122 in run
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/suite.py", line 84 in __call__
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/unittest/runner.py", line 184 in run
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/support/__init__.py", line 1850 in _run_suite
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/support/__init__.py", line 1974 in run_unittest
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest.py", line 263 in _test_module
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest.py", line 288 in _runtest_inner2
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest.py", line 326 in _runtest_inner
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest.py", line 217 in _runtest
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/runtest.py", line 247 in runtest
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/main.py", line 334 in rerun_failed_tests
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/main.py", line 716 in _main
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/main.py", line 672 in main
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/libregrtest/main.py", line 733 in main
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/test/__main__.py", line 2 in <module>
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/runpy.py", line 87 in _run_code
  File "/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/Lib/runpy.py", line 197 in _run_module_as_main
make: *** [Makefile:1240: buildbottest] Error 1

Cannot open file '/home/buildbot/buildarea/3.9.cstratak-RHEL8-ppc64le/build/build_oot/test-results.xml' for upload

carlosroman pushed a commit to DataDog/cpython that referenced this pull request Oct 11, 2023
@ambv @gpshead @carlosroman
[3.9] pythongh-108310: Fix CVE-2023-40217: Check for & avoid the ssl …
6368a8e 
…pre-close flaw (python#108320)

pythongh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw

Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake
and included protections (like certificate verification) and treating sent
unencrypted data as if it were post-handshake TLS encrypted data.

The vulnerability is caused when a socket is connected, data is sent by the
malicious peer and stored in a buffer, and then the malicious peer closes the
socket within a small timing window before the other peers’ TLS handshake can
begin. After this sequence of events the closed socket will not immediately
attempt a TLS handshake due to not being connected but will also allow the
buffered data to be read as if a successful TLS handshake had occurred.

Co-authored-by: Gregory P. Smith [Google LLC] <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tiran tiran Awaiting requested review from tiran tiran is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ambv @bedevere-bot