CVE-2024-0397: A defect was discovered in the Python “ssl” module where there is a memory race condition with...
CVSS score: 7.4
Miggo AI
Root Cause Analysis
The vulnerability description explicitly identifies a memory race condition in the Python ssl module's ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() methods. The provided commit patches (e.g., bce693111bff906ccf9281c22371331aaff766ab and its cherry-picks) modify the C implementation functions for these methods, namely _ssl__SSLContext_cert_store_stats_impl and _ssl__SSLContext_get_ca_certs_impl, located in Modules/_ssl.c.
The core of the vulnerability was the use of X509_STORE_get0_objects(store) to access certificate objects. This function returns pointers into the store's internal object stack and does nothing to ensure thread safety, so a concurrent modification of the store (for example, another thread loading further certificates into the same context) can invalidate what the reader is iterating over. The patches replace this call with X509_STORE_get1_objects(store). This newer OpenSSL function (or, for older OpenSSL versions, a polyfill provided in the patch) ensures thread-safe access by returning a deep copy of the objects rather than internal pointers; the polyfill holds the store lock (X509_STORE_lock and X509_STORE_unlock) while it performs the copy (sk_X509_OBJECT_deep_copy).
Thus, the Python methods ssl.SSLContext.cert_store_stats and ssl.SSLContext.get_ca_certs are identified as vulnerable because their C implementations contained the race condition. These are the functions that would appear in a Python runtime profile when the vulnerability is triggered. The patch evidence directly shows the code change that mitigates this race condition within the C functions corresponding to these Python methods.