python/CVE-2021-3733-fix-ReDoS-in-request.patch

--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
@@ -856,7 +856,7 @@ class AbstractBasicAuthHandler:
 
     # allow for double- and single-quoted realm values
     # (single quotes are a violation of the RFC, but appear in the wild)
-    rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+'
+    rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+'
                     'realm=(["\']?)([^"\']*)\\2', re.I)
 
     # XXX could pre-emptively send auth info already accepted (RFC 2617,
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
@@ -0,0 +1 @@
+Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`.  The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
Accepting request 911251 from home:fusionfuture:branches:devel:languages:python:Factory - Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in request (bpo#43075, boo#1189287). - Add missing security announcement to bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch. old: devel:languages:python:Factory/python new: home:fusionfuture:branches:devel:languages:python:Factory/python rev None Index: bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch =================================================================== --- bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch (revision 296) +++ bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch (revision 3) @@ -19,3 +19,8 @@ self.status = status self.reason = reason.strip() +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst +@@ -0,0 +1,2 @@ ++mod:`http.client` now avoids infinitely reading potential HTTP headers after a ++``100 Continue`` status response from the server. Index: python-base.changes =================================================================== --- python-base.changes (revision 296) +++ python-base.changes (revision 3) @@ -1,4 +1,12 @@ ------------------------------------------------------------------- +Tue Aug 10 12:39:28 UTC 2021 - Fusion Future <qydwhotmail@gmail.com> + +- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in + request (bpo#43075, boo#1189287). +- Add missing security announcement to + bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch. + +------------------------------------------------------------------- Mon Aug 9 15:16:15 UTC 2021 - Fusion Future <qydwhotmail@gmail.com> - Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch Index: python-base.spec =================================================================== --- python-base.spec (revision 296) +++ python-base.spec (revision 3) @@ -105,6 +105,8 @@ Patch62: CVE-2021-23336-only-amp-as-query-sep.patch # PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916 Patch63: bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch +# PATCH-FIX-UPSTREAM bpo43075-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391 +Patch64: bpo43075-fix-ReDoS-in-request.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} \| head -c 3) BuildRequires: automake @@ -233,6 +235,7 @@ %patch61 -p1 %patch62 -p1 %patch63 -p1 +%patch64 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac Index: python-doc.changes =================================================================== --- python-doc.changes (revision 296) +++ python-doc.changes (revision 3) @@ -1,4 +1,12 @@ ------------------------------------------------------------------- +Tue Aug 10 12:39:28 UTC 2021 - Fusion Future <qydwhotmail@gmail.com> + +- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in + request (bpo#43075, boo#1189287). +- Add missing security announcement to + bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch. + +------------------------------------------------------------------- Mon Aug 9 15:16:15 UTC 2021 - Fusion Future <qydwhotmail@gmail.com> - Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch Index: python-doc.spec =================================================================== --- python-doc.spec (revision 296) +++ python-doc.spec (revision 3) @@ -107,6 +107,8 @@ Patch62: CVE-2021-23336-only-amp-as-query-sep.patch # PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916 Patch63: bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch +# PATCH-FIX-UPSTREAM bpo43075-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391 +Patch64: bpo43075-fix-ReDoS-in-request.patch # COMMON-PATCH-END Provides: pyth_doc Provides: pyth_ps @@ -177,6 +179,7 @@ %patch61 -p1 %patch62 -p1 %patch63 -p1 +%patch64 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac Index: python.changes =================================================================== --- python.changes (revision 296) +++ python.changes (revision 3) @@ -1,4 +1,12 @@ ------------------------------------------------------------------- +Tue Aug 10 12:39:28 UTC 2021 - Fusion Future <qydwhotmail@gmail.com> + +- Add bpo43075-fix-ReDoS-in-request.patch which fixes ReDoS in + request (bpo#43075, boo#1189287). +- Add missing security announcement to + bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch. + +------------------------------------------------------------------- Mon Aug 9 15:16:15 UTC 2021 - Fusion Future <qydwhotmail@gmail.com> - Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch Index: python.spec =================================================================== --- python.spec (revision 296) +++ python.spec (revision 3) @@ -107,6 +107,8 @@ Patch62: CVE-2021-23336-only-amp-as-query-sep.patch # PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916 Patch63: bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch +# PATCH-FIX-UPSTREAM bpo43075-fix-ReDoS-in-request.patch boo#1189287 gh#python/cpython#24391 +Patch64: bpo43075-fix-ReDoS-in-request.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -291,6 +293,7 @@ %patch61 -p1 %patch62 -p1 %patch63 -p1 +%patch64 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac Index: bpo43075-fix-ReDoS-in-request.patch =================================================================== --- bpo43075-fix-ReDoS-in-request.patch (added) +++ bpo43075-fix-ReDoS-in-request.patch (revision 3) @@ -0,0 +1,15 @@ +--- a/Lib/urllib2.py ++++ b/Lib/urllib2.py +@@ -856,7 +856,7 @@ class AbstractBasicAuthHandler: + + # allow for double- and single-quoted realm values + # (single quotes are a violation of the RFC, but appear in the wild) +- rx = re.compile('(?:[^,],)[ \t]([^ \t]+)[ \t]+' ++ rx = re.compile('(?:[^,],)[ \t]([^ \t,]+)[ \t]+' + 'realm=(["\']?)([^"\']*)\\2', re.I) + + # XXX could pre-emptively send auth info already accepted (RFC 2617, +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst +@@ -0,0 +1 @@ ++Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server. OBS-URL: https://build.opensuse.org/request/show/911251 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=297 2021-08-10 14:55:29 +02:00			`--- a/Lib/urllib2.py`
			`+++ b/Lib/urllib2.py`
			`@@ -856,7 +856,7 @@ class AbstractBasicAuthHandler:`

			`# allow for double- and single-quoted realm values`
			`# (single quotes are a violation of the RFC, but appear in the wild)`
			`- rx = re.compile('(?:[^,],)[ \t]*([^ \t]+)[ \t]+'`
			`+ rx = re.compile('(?:[^,],)[ \t]*([^ \t,]+)[ \t]+'`
			`'realm=(["\']?)([^"\']*)\\2', re.I)`

			`# XXX could pre-emptively send auth info already accepted (RFC 2617,`
			`--- /dev/null`
			`+++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst`
			`@@ -0,0 +1 @@`
			+Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.