Fwd: [Security-announce][CVE-2024-5642] Buffer over-read in SSLContext.set_npn_protocols() for Python 3.9 and earlier

[Alan Coopersmith <alan.coopersmith () oracle com>]

Note that in versions of Python that still had NPN support, whether NPN support
is built depends on which SSL library/version you build with:
https://github.com/python/cpython/blob/3.9/Modules/_ssl.c#L188-L202


-------- Forwarded Message --------
Subject: 	[Security-announce][CVE-2024-5642] Buffer over-read in 
SSLContext.set_npn_protocols() for Python 3.9 and earlier
Date:   Thu, 27 Jun 2024 16:09:13 -0500
From:   Seth Larson <seth () python org>
Reply-To:       security-sig () python org
To:     security-announce () python org



There is a buffer over-read defect in CPython 3.9 and earlier due to not 
excluding an invalid value for OpenSSL's NPN APIs.

This vulnerability is of severity *LOW*.

CPython doesn't disallow configuring an empty list ("[]") for 
SSLContext.set_npn_protocols() which is an invalid value for the underlying 
OpenSSL API. This results in a buffer over-read when NPN is used (see 
CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN 
being not widely used and specifying an empty list likely being uncommon 
in-practice (typically a protocol name would be configured).

Suggested mitigation is one of the following:

* Upgrade to Python 3.10 or later where NPN isn't supported
* Avoid using NPN via SSLContext.set_npn_protocols()
* Avoid providing an empty list as a parameter to SSLContext.set_npn_protocols()

Attachment: Attached Message Part
Description: