gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw #108315

ambv · 2023-08-22T16:58:42Z

Instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data.

The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred.

Issue: CVE-2023-40217: Bypass TLS handshake on closed sockets #108310

…ose flaw Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred. Co-Authored-By: Gregory P. Smith [Google LLC] <[email protected]>

bedevere-bot · 2023-08-22T18:19:10Z

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot AMD64 Windows10 3.x has failed when building commit 0cb0c23.

What do you need to do:

Don't panic.
Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/146/builds/6080) and take a look at the build logs.
Check if the failure is related to this commit (0cb0c23) or if it is a false positive.
If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/146/builds/6080

Failed tests:

test_sqlite3

Failed subtests:

test_interact_quit - test.test_sqlite3.test_cli.InteractiveSession.test_interact_quit

Summary of the results of the build (if available):

== Tests result: FAILURE then ENV CHANGED ==

415 tests OK.

10 slowest tests:

test_math: 4 min 38 sec
test_multiprocessing_spawn: 4 min 32 sec
test_tokenize: 2 min 41 sec
test_peg_generator: 2 min 38 sec
test_wmi: 2 min 26 sec
test_unparse: 2 min 22 sec
test_concurrent_futures: 1 min 52 sec
test_capi: 1 min 40 sec
test_pickle: 1 min 34 sec
test_unicodedata: 1 min 32 sec

1 test altered the execution environment:
test_ssl

31 tests skipped:
test.test_asyncio.test_unix_events test_curses test_dbm_gnu
test_dbm_ndbm test_devpoll test_epoll test_fcntl test_fork1
test_gdb test_grp test_ioctl test_kqueue test_multiprocessing_fork
test_multiprocessing_forkserver test_openpty test_perf_profiler
test_perfmaps test_poll test_posix test_pty test_pwd test_readline
test_resource test_syslog test_threadsignals test_wait3 test_wait4
test_xxlimited test_xxtestfuzz test_zipfile64 test_zoneinfo

1 re-run test:
test_sqlite3

Total duration: 21 min 31 sec

Click to see traceback logs

Traceback (most recent call last):
  File "D:\buildarea\3.x.bolen-windows10\build\Lib\test\test_sqlite3\test_cli.py", line 103, in test_interact_quit
    out, err = proc.communicate(input=".quit", timeout=self.TIMEOUT)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\buildarea\3.x.bolen-windows10\build\Lib\subprocess.py", line 1209, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\buildarea\3.x.bolen-windows10\build\Lib\subprocess.py", line 1628, in _communicate
    raise TimeoutExpired(self.args, orig_timeout)
subprocess.TimeoutExpired: Command '['D:\\buildarea\\3.x.bolen-windows10\\build\\PCbuild\\amd64\\python_d.exe', '-Xutf8', '-m', 'sqlite3']' timed out after 3.0 seconds


Traceback (most recent call last):
  File "D:\buildarea\3.x.bolen-windows10\build\Lib\threading.py", line 1059, in _bootstrap_inner
    self.run()
  File "D:\buildarea\3.x.bolen-windows10\build\Lib\test\test_ssl.py", line 4708, in run
    conn, address = self.listener.accept()
                    ^^^^^^^^^^^^^^^^^^^^^^
  File "D:\buildarea\3.x.bolen-windows10\build\Lib\socket.py", line 295, in accept
    fd, addr = self._accept()
               ^^^^^^^^^^^^^^
TimeoutError: timed out
k

bedevere-bot · 2023-08-22T18:23:35Z

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot ARM64 Windows 3.x has failed when building commit 0cb0c23.

What do you need to do:

Don't panic.
Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/729/builds/5277) and take a look at the build logs.
Check if the failure is related to this commit (0cb0c23) or if it is a false positive.
If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/729/builds/5277

Summary of the results of the build (if available):

== Tests result: ENV CHANGED ==

413 tests OK.

10 slowest tests:

test_math: 7 min 34 sec
test_peg_generator: 6 min 8 sec
test_multiprocessing_spawn: 4 min 39 sec
test_tokenize: 2 min 52 sec
test_unparse: 2 min 35 sec
test_tarfile: 2 min 17 sec
test_venv: 1 min 56 sec
test_compileall: 1 min 52 sec
test_concurrent_futures: 1 min 47 sec
test_unicodedata: 1 min 47 sec

1 test altered the execution environment:
test_ssl

33 tests skipped:
test.test_asyncio.test_unix_events test_curses test_dbm_gnu
test_dbm_ndbm test_devpoll test_epoll test_fcntl test_fork1
test_gdb test_grp test_ioctl test_kqueue test_multiprocessing_fork
test_multiprocessing_forkserver test_openpty test_perf_profiler
test_perfmaps test_poll test_posix test_pty test_pwd test_readline
test_resource test_syslog test_threadsignals test_tkinter test_ttk
test_wait3 test_wait4 test_xxlimited test_xxtestfuzz
test_zipfile64 test_zoneinfo

Total duration: 22 min

Click to see traceback logs

Traceback (most recent call last):
  File "C:\Workspace\buildarea\3.x.linaro-win-arm64\build\Lib\threading.py", line 1059, in _bootstrap_inner
    self.run()
  File "C:\Workspace\buildarea\3.x.linaro-win-arm64\build\Lib\test\test_ssl.py", line 4708, in run
    conn, address = self.listener.accept()
                    ^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Workspace\buildarea\3.x.linaro-win-arm64\build\Lib\socket.py", line 295, in accept
    fd, addr = self._accept()
               ^^^^^^^^^^^^^^
TimeoutError: timed out
k

bedevere-bot · 2023-08-22T18:38:46Z

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot ARM64 Windows Non-Debug 3.x has failed when building commit 0cb0c23.

What do you need to do:

Don't panic.
Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/730/builds/8723) and take a look at the build logs.
Check if the failure is related to this commit (0cb0c23) or if it is a false positive.
If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/730/builds/8723

Summary of the results of the build (if available):

== Tests result: ENV CHANGED ==

414 tests OK.

10 slowest tests:

test_peg_generator: 4 min 2 sec
test_multiprocessing_spawn: 2 min 2 sec
test_concurrent_futures: 1 min 18 sec
test_socket: 1 min 6 sec
test_math: 59.9 sec
test_mmap: 57.8 sec
test_hashlib: 54.6 sec
test_largefile: 44.7 sec
test_io: 38.1 sec
test_ssl: 37.9 sec

1 test altered the execution environment:
test_ssl

32 tests skipped:
test.test_asyncio.test_unix_events test_curses test_dbm_gnu
test_dbm_ndbm test_devpoll test_epoll test_fcntl test_fork1
test_gdb test_grp test_ioctl test_kqueue test_multiprocessing_fork
test_multiprocessing_forkserver test_openpty test_perf_profiler
test_perfmaps test_poll test_posix test_pty test_pwd test_readline
test_resource test_syslog test_threadsignals test_tkinter test_ttk
test_wait3 test_wait4 test_xxtestfuzz test_zipfile64 test_zoneinfo

Total duration: 9 min 2 sec

Click to see traceback logs

Traceback (most recent call last):
  File "C:\Workspace\buildarea\3.x.linaro-win-arm64.nondebug\build\Lib\threading.py", line 1059, in _bootstrap_inner
    self.run()
  File "C:\Workspace\buildarea\3.x.linaro-win-arm64.nondebug\build\Lib\test\test_ssl.py", line 4708, in run
    conn, address = self.listener.accept()
                    ^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Workspace\buildarea\3.x.linaro-win-arm64.nondebug\build\Lib\socket.py", line 295, in accept
    fd, addr = self._accept()
               ^^^^^^^^^^^^^^
TimeoutError: timed out
k

bedevere-bot · 2023-08-22T19:07:58Z

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot AMD64 Windows11 Bigmem 3.x has failed when building commit 0cb0c23.

What do you need to do:

Don't panic.
Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/1079/builds/2039) and take a look at the build logs.
Check if the failure is related to this commit (0cb0c23) or if it is a false positive.
If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/1079/builds/2039

Summary of the results of the build (if available):

== Tests result: ENV CHANGED ==

415 tests OK.

10 slowest tests:

test_bigmem: 42 min 31 sec
test_lzma: 33 min 22 sec
test_bz2: 20 min 47 sec
test_array: 7 min 24 sec
test_zlib: 4 min 53 sec
test_hashlib: 3 min 57 sec
test_multiprocessing_spawn: 1 min 54 sec
test_math: 1 min 40 sec
test_concurrent_futures: 1 min 15 sec
test_pickle: 1 min 15 sec

1 test altered the execution environment:
test_ssl

31 tests skipped:
test.test_asyncio.test_unix_events test_curses test_dbm_gnu
test_dbm_ndbm test_devpoll test_epoll test_fcntl test_fork1
test_gdb test_grp test_ioctl test_kqueue test_multiprocessing_fork
test_multiprocessing_forkserver test_openpty test_perf_profiler
test_perfmaps test_poll test_posix test_pty test_pwd test_readline
test_resource test_syslog test_threadsignals test_wait3 test_wait4
test_xxlimited test_xxtestfuzz test_zipfile64 test_zoneinfo

Total duration: 1 hour 1 min

Click to see traceback logs

Traceback (most recent call last):
  File "R:\buildarea\3.x.ambv-bb-win11.bigmem\build\Lib\threading.py", line 1059, in _bootstrap_inner
    self.run()
  File "R:\buildarea\3.x.ambv-bb-win11.bigmem\build\Lib\test\test_ssl.py", line 4708, in run
    conn, address = self.listener.accept()
                    ^^^^^^^^^^^^^^^^^^^^^^
  File "R:\buildarea\3.x.ambv-bb-win11.bigmem\build\Lib\socket.py", line 295, in accept
    fd, addr = self._accept()
               ^^^^^^^^^^^^^^
TimeoutError: timed out
k

Lib/ssl.py

https://build.opensuse.org/request/show/1110909 by user mcepl + anag+factory Forwarded request #1110536 from dgarcia - Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing gh#python/cpython#108310, backport from upstream patch gh#python/cpython#108315 (bsc#1214692, CVE-2023-40217)

Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred. Code is from gh#python/cpython@b4bcc06, it was released upstream in 3.8.18. Fixes: bsc#1214692 Fixes: gh#python#108315

Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred. Code is from gh#python/cpython@b4bcc06, it was released upstream in 3.8.18. Fixes: bsc#1214692 Fixes: gh#python#108315 Patch: CVE-2023-40217-avoid-ssl-pre-close.patch

Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred. Code is from gh#python/cpython@b4bcc06, it was released upstream in 3.8.18. Co-Authored-By: Gregory P. Smith [Google LLC] <[email protected]> Fixes: bsc#1214692 Fixes: gh#python#108315 Fixes: gh#python#108310 Patch: CVE-2023-40217-avoid-ssl-pre-close.patch

bedevere-bot mentioned this pull request Aug 22, 2023

CVE-2023-40217: Bypass TLS handshake on closed sockets #108310

Closed

2 tasks

bedevere-bot added the awaiting core review label Aug 22, 2023

ambv merged commit 0cb0c23 into python:main Aug 22, 2023
18 checks passed

bedevere-bot removed the awaiting core review label Aug 22, 2023

ambv deleted the cve-2023-40217 branch August 22, 2023 18:00

gpshead self-assigned this Aug 22, 2023

obfusk reviewed Aug 24, 2023

View reviewed changes

Lib/ssl.py Show resolved Hide resolved

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw #108315

gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw #108315

ambv commented Aug 22, 2023 •

edited by bedevere-bot

Loading

bedevere-bot commented Aug 22, 2023

bedevere-bot commented Aug 22, 2023

bedevere-bot commented Aug 22, 2023

bedevere-bot commented Aug 22, 2023

gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw #108315

gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw #108315

Conversation

ambv commented Aug 22, 2023 • edited by bedevere-bot Loading

bedevere-bot commented Aug 22, 2023

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

bedevere-bot commented Aug 22, 2023

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

bedevere-bot commented Aug 22, 2023

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

bedevere-bot commented Aug 22, 2023

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

ambv commented Aug 22, 2023 •

edited by bedevere-bot

Loading