- (bsc#1214691, CVE-2022-48566) Add

CVE-2022-48566-compare_digest-more-constant.patch to make
  compare_digest more constant-time.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=385

CVE-2022-48566-compare_digest-more-constant.patch

@@ -0,0 +1,35 @@
+From 8bef9ebb1b88cfa4b2a38b93fe4ea22015d8254a Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 14 Dec 2020 09:04:57 -0800
+Subject: [PATCH] bpo-40791: Make compare_digest more constant-time. (GH-23438)
+ (GH-23767)
+
+The existing volatile `left`/`right` pointers guarantee that the reads will all occur, but does not guarantee that they will be _used_. So a compiler can still short-circuit the loop, saving e.g. the overhead of doing the xors and especially the overhead of the data dependency between `result` and the reads. That would change performance depending on where the first unequal byte occurs. This change removes that optimization.
+
+(This is change GH-1 from https://bugs.python.org/issue40791 .)
+(cherry picked from commit 31729366e2bc09632e78f3896dbce0ae64914f28)
+
+Co-authored-by: Devin Jeanpierre <jeanpierreda@google.com>
+---
+ Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst |    1 +
+ Modules/_operator.c                                                |    2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst
+
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst
+@@ -0,0 +1 @@
++Add ``volatile`` to the accumulator variable in ``hmac.compare_digest``, making constant-time-defeating optimizations less likely.
+\ No newline at end of file
+--- a/Modules/_operator.c
++++ b/Modules/_operator.c
+@@ -182,7 +182,7 @@ _tscmp(const unsigned char *a, const uns
+     volatile const unsigned char *left;
+     volatile const unsigned char *right;
+     Py_ssize_t i;
+-    unsigned char result;
++    volatile unsigned char result;
+ 
+     /* loop count depends on length of b */
+     length = len_b;

python-base.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sat Sep 16 12:40:52 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- (bsc#1214691, CVE-2022-48566) Add
+  CVE-2022-48566-compare_digest-more-constant.patch to make
+  compare_digest more constant-time.
+
 -------------------------------------------------------------------
 Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl <mcepl@suse.com>
 

python-base.spec

@@ -158,6 +158,9 @@ Patch76:        PygmentsBridge-trime_doctest_flags.patch
 Patch78:        CVE-2022-48565-plistlib-XML-vulns.patch
 # PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch gh#python/cpython#108315
 Patch79:        CVE-2023-40217-avoid-ssl-pre-close.patch
+# PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com
+# Make compare_digest more constant-time
+Patch80:        CVE-2022-48566-compare_digest-more-constant.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@@ -313,6 +316,7 @@ other applications.
 # %%patch77 -p1
 %patch78 -p1
 %patch79 -p1
+%patch80 -p1
 
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar

python-doc.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sat Sep 16 12:40:52 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- (bsc#1214691, CVE-2022-48566) Add
+  CVE-2022-48566-compare_digest-more-constant.patch to make
+  compare_digest more constant-time.
+
 -------------------------------------------------------------------
 Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl <mcepl@suse.com>
 

python-doc.spec

@@ -157,6 +157,9 @@ Patch76:        PygmentsBridge-trime_doctest_flags.patch
 Patch78:        CVE-2022-48565-plistlib-XML-vulns.patch
 # PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch gh#python/cpython#108315
 Patch79:        CVE-2023-40217-avoid-ssl-pre-close.patch
+# PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com
+# Make compare_digest more constant-time
+Patch80:        CVE-2022-48566-compare_digest-more-constant.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc = %{version}
 Provides:       pyth_ps = %{version}
@@ -247,6 +250,7 @@ Python, and Macintosh Module Reference in PDF format.
 # %%patch77 -p1
 %patch78 -p1
 %patch79 -p1
+%patch80 -p1
 
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar

python.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sat Sep 16 12:40:52 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- (bsc#1214691, CVE-2022-48566) Add
+  CVE-2022-48566-compare_digest-more-constant.patch to make
+  compare_digest more constant-time.
+
 -------------------------------------------------------------------
 Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl <mcepl@suse.com>
 

python.spec

@@ -157,6 +157,9 @@ Patch76:        PygmentsBridge-trime_doctest_flags.patch
 Patch78:        CVE-2022-48565-plistlib-XML-vulns.patch
 # PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch gh#python/cpython#108315
 Patch79:        CVE-2023-40217-avoid-ssl-pre-close.patch
+# PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com
+# Make compare_digest more constant-time
+Patch80:        CVE-2022-48566-compare_digest-more-constant.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@@ -367,6 +370,7 @@ that rely on earlier non-verification behavior.
 # %%patch77 -p1
 %patch78 -p1
 %patch79 -p1
+%patch80 -p1
 
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar