- Change to Requires: libpython%{so_version} == %{version}-%{release}

to python-base to keep both packages always synchronized (add %{so_version}) (bsc#1162224). - Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug "Python urrlib allowed an HTTP server to conduct Regular Expression Denial of Service (ReDoS)" (bsc#1162367) OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=278
2020-02-08 22:22:43 +00:00 · 2020-02-08 22:22:43 +00:00 · 4617f57e14
commit 4617f57e14
parent 57a2c463f0
6 changed files with 119 additions and 0 deletions
--- a/CVE-2019-9674-zip-bomb.patch
+++ b/CVE-2019-9674-zip-bomb.patch
@ -0,0 +1,69 @@
+From b73fe12d4d85fc92e4b9658e417046b68fb68ecc Mon Sep 17 00:00:00 2001
+From: nick sung <sungboss2004@gmail.com>
+Date: Fri, 17 May 2019 15:45:31 +0800
+Subject: [PATCH 1/4] bpo-36260: Add pitfalls to zipfile module documentation
+
+We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file.
+This gave us the idea of documentation improvement.
+
+So, we moved a little bit forward :P
+And the doc patch can be found (pr).
+---
+ Doc/library/zipfile.rst | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+--- a/Doc/library/zipfile.rst
+++ b/Doc/library/zipfile.rst
+@@ -553,5 +553,47 @@ Command-line options
+ 
+    Test whether the zipfile is valid or not.
+ 
+Decompression pitfalls
+----------------------
+ 
+The extraction in zipfile module might fail due to some pitfalls
+listed below.
+
+From file itself
+~~~~~~~~~~~~~~~~
+
+Decompression may fail due to incorrect password / CRC checksum
+/ ZIP format or unsupported compression method / decryption.
+
+File System limitations
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Exceeding limitations on different file systems can cause
+decompression failed. Such as allowable characters in the
+directory entries, length of the file name, length of the
+pathname, size of a single file, and number of files, etc.
+
+Resources limitations
+~~~~~~~~~~~~~~~~~~~~~
+
+The lack of memory or disk volume would lead to decompression
+failed. For example, decompression bombs (aka `ZIP bomb`_) apply
+to zipfile library that can cause disk volume exhaustion.
+
+Interruption
+~~~~~~~~~~~~
+
+Interruption during the decompression, such as pressing control-C
+or killing the decompression process may result in incomplete
+decompression of the archive.
+
+Default behaviors of extraction
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Not knowing the default extraction behaviors can cause unexpected
+decompression results. For example, when extracting the same
+archive twice, it overwrites files without asking.
+
+
+.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
+ .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
+--- /dev/null
+++ b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
+@@ -0,0 +1 @@
+Add decompression pitfalls to zipfile module documentation.
+\ No newline at end of file
--- a/python-base.spec
+++ b/python-base.spec
@ -91,6 +91,9 @@ Patch57:        python-2.7.17-switch-off-failing-SSL-tests.patch
 # Fixes Python urrlib allowed an HTTP server to conduct Regular
 # Expression Denial of Service (ReDoS)
 Patch58:        CVE-2020-8492-urllib-ReDoS.patch
+# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mcepl@suse.com
+# Improve documentation warning against the possible zip bombs
+Patch59:        CVE-2019-9674-zip-bomb.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@ -215,6 +218,7 @@ other applications.
 %patch55 -p1
 %patch56 -p1
 %patch58 -p1
+%patch59 -p1

 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
--- a/python-doc.changes
+++ b/python-doc.changes
@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Sat Feb  8 22:30:51 CET 2020 - Matej Cepl <mcepl@suse.com>
+
+- Change to Requires: libpython%{so_version} == %{version}-%{release}
+  to python-base to keep both packages always synchronized (add
+  %{so_version}) (bsc#1162224).
+
+-------------------------------------------------------------------
+Thu Feb  6 23:14:47 CET 2020 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
+  "Python urrlib allowed an HTTP server to conduct Regular
+  Expression Denial of Service (ReDoS)" (bsc#1162367)
+
 -------------------------------------------------------------------
 Mon Feb  3 19:30:31 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

--- a/python-doc.spec
+++ b/python-doc.spec
@ -85,6 +85,13 @@ Patch55:        bpo36302-sort-module-sources.patch
 Patch56:        adapted-from-F00251-change-user-install-location.patch
 # Switch couple of tests failing on acient SLE-12
 Patch57:        python-2.7.17-switch-off-failing-SSL-tests.patch
+# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 mcepl@suse.com
+# Fixes Python urrlib allowed an HTTP server to conduct Regular
+# Expression Denial of Service (ReDoS)
+Patch58:        CVE-2020-8492-urllib-ReDoS.patch
+# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mcepl@suse.com
+# Improve documentation warning against the possible zip bombs
+Patch59:        CVE-2019-9674-zip-bomb.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc
 Provides:       pyth_ps
@ -149,6 +156,8 @@ Python, and Macintosh Module Reference in PDF format.
 %patch51 -p1
 %patch55 -p1
 %patch56 -p1
+%patch58 -p1
+%patch59 -p1

 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
--- a/python.changes
+++ b/python.changes
@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Sat Feb  8 22:30:51 CET 2020 - Matej Cepl <mcepl@suse.com>
+
+- Change to Requires: libpython%{so_version} == %{version}-%{release}
+  to python-base to keep both packages always synchronized (add
+  %{so_version}) (bsc#1162224).
+
+-------------------------------------------------------------------
+Thu Feb  6 23:14:47 CET 2020 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
+  "Python urrlib allowed an HTTP server to conduct Regular
+  Expression Denial of Service (ReDoS)" (bsc#1162367)
+
 -------------------------------------------------------------------
 Mon Feb  3 19:30:31 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

--- a/python.spec
+++ b/python.spec
@ -89,6 +89,13 @@ Patch55:        bpo36302-sort-module-sources.patch
 Patch56:        adapted-from-F00251-change-user-install-location.patch
 # Switch couple of tests failing on acient SLE-12
 Patch57:        python-2.7.17-switch-off-failing-SSL-tests.patch
+# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 mcepl@suse.com
+# Fixes Python urrlib allowed an HTTP server to conduct Regular
+# Expression Denial of Service (ReDoS)
+Patch58:        CVE-2020-8492-urllib-ReDoS.patch
+# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mcepl@suse.com
+# Improve documentation warning against the possible zip bombs
+Patch59:        CVE-2019-9674-zip-bomb.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@ -267,6 +274,8 @@ that rely on earlier non-verification behavior.
 %patch51 -p1
 %patch55 -p1
 %patch56 -p1
+%patch58 -p1
+%patch59 -p1

 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac