Accepting request 911127 from home:fusionfuture:branches:devel:languages:python:Factory

- Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch which fixes http client infinite line reading (DoS) after a http 100 (bpo#44022, boo#1189241). OBS-URL: https://build.opensuse.org/request/show/911127 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=296
2021-08-10 04:45:07 +00:00
parent 767f0ce31a
commit 3cfc9f2646
7 changed files with 51 additions and 0 deletions
--- a/bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
+++ b/bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
@@ -0,0 +1,21 @@
 --- a/Lib/httplib.py
 +++ b/Lib/httplib.py
@@ -449,6 +449,7 @@ class HTTPResponse:
             if status != CONTINUE:
                 break
             # skip the header from the 100 response
 +            header_count = 0
             while True:
                 skip = self.fp.readline(_MAXLINE + 1)
                 if len(skip) > _MAXLINE:
@@ -458,6 +459,10 @@ class HTTPResponse:
                     break
                 if self.debuglevel > 0:
                     print "header:", skip
 +                # bpo-44022: Fix http client infinite line reading (DoS) after a http 100
 +                header_count += 1
 +                if header_count > _MAXHEADERS:
 +                    raise HTTPException("got more than %d headers" % _MAXHEADERS)
         self.status = status
         self.reason = reason.strip()
--- a/python-base.changes
+++ b/python-base.changes
@@ -1,3 +1,10 @@
 -------------------------------------------------------------------
 Mon Aug  9 15:16:15 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
 - Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
  which fixes http client infinite line reading (DoS) after a http 
  100 (bpo#44022, boo#1189241).
 -------------------------------------------------------------------
 Fri Feb 26 18:21:55 UTC 2021 - Matej Cepl <mcepl@suse.com>
--- a/python-base.spec
+++ b/python-base.spec
@@ -103,6 +103,8 @@ Patch61:        CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch
 # PATCH-FIX-UPSTREAM CVE-2021-23336-only-amp-as-query-sep.patch bsc#[0-9]+ mcepl@suse.com
 # this patch makes things totally awesome
 Patch62:        CVE-2021-23336-only-amp-as-query-sep.patch
 # PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
 Patch63:        bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@@ -230,6 +232,7 @@ other applications.
 %patch60 -p1
 %patch61 -p1
 %patch62 -p1
 %patch63 -p1
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
--- a/python-doc.changes
+++ b/python-doc.changes
@@ -1,3 +1,10 @@
 -------------------------------------------------------------------
 Mon Aug  9 15:16:15 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
 - Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
  which fixes http client infinite line reading (DoS) after a http 
  100 (bpo#44022, boo#1189241).
 -------------------------------------------------------------------
 Fri Feb 26 18:21:55 UTC 2021 - Matej Cepl <mcepl@suse.com>
--- a/python-doc.spec
+++ b/python-doc.spec
@@ -105,6 +105,8 @@ Patch61:        CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch
 # PATCH-FIX-UPSTREAM CVE-2021-23336-only-amp-as-query-sep.patch bsc#[0-9]+ mcepl@suse.com
 # this patch makes things totally awesome
 Patch62:        CVE-2021-23336-only-amp-as-query-sep.patch
 # PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
 Patch63:        bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc
 Provides:       pyth_ps
@@ -174,6 +176,7 @@ Python, and Macintosh Module Reference in PDF format.
 %patch60 -p1
 %patch61 -p1
 %patch62 -p1
 %patch63 -p1
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
--- a/python.changes
+++ b/python.changes
@@ -1,3 +1,10 @@
 -------------------------------------------------------------------
 Mon Aug  9 15:16:15 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
 - Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
  which fixes http client infinite line reading (DoS) after a http 
  100 (bpo#44022, boo#1189241).
 -------------------------------------------------------------------
 Fri Feb 26 18:21:55 UTC 2021 - Matej Cepl <mcepl@suse.com>
--- a/python.spec
+++ b/python.spec
@@ -105,6 +105,8 @@ Patch61:        CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch
 # PATCH-FIX-UPSTREAM CVE-2021-23336-only-amp-as-query-sep.patch bsc#[0-9]+ mcepl@suse.com
 # this patch makes things totally awesome
 Patch62:        CVE-2021-23336-only-amp-as-query-sep.patch
 # PATCH-FIX-UPSTREAM bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch boo#1189241 gh#python/cpython#25916
 Patch63:        bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@@ -288,6 +290,7 @@ that rely on earlier non-verification behavior.
 %patch60 -p1
 %patch61 -p1
 %patch62 -p1
 %patch63 -p1
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac