- Change to Requires: libpython%{so_version} == %{version}-%{release}
to python-base to keep both packages always synchronized (add
%{so_version}) (bsc#1162224).
- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
"Python urrlib allowed an HTTP server to conduct Regular
Expression Denial of Service (ReDoS)" (bsc#1162367)
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=278
This commit is contained in:
Git OBS Bridge
parent
57a2c463f0
commit
4617f57e14
69
CVE-2019-9674-zip-bomb.patch
Normal file
69
CVE-2019-9674-zip-bomb.patch
Normal file
@ -0,0 +1,69 @@
|
|||||||
|
From b73fe12d4d85fc92e4b9658e417046b68fb68ecc Mon Sep 17 00:00:00 2001
|
||||||
|
From: nick sung <sungboss2004@gmail.com>
|
||||||
|
Date: Fri, 17 May 2019 15:45:31 +0800
|
||||||
|
Subject: [PATCH 1/4] bpo-36260: Add pitfalls to zipfile module documentation
|
||||||
|
|
||||||
|
We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file.
|
||||||
|
This gave us the idea of documentation improvement.
|
||||||
|
|
||||||
|
So, we moved a little bit forward :P
|
||||||
|
And the doc patch can be found (pr).
|
||||||
|
---
|
||||||
|
Doc/library/zipfile.rst | 29 +++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 29 insertions(+)
|
||||||
|
|
||||||
|
--- a/Doc/library/zipfile.rst
|
||||||
|
+++ b/Doc/library/zipfile.rst
|
||||||
|
@@ -553,5 +553,47 @@ Command-line options
|
||||||
|
|
||||||
|
Test whether the zipfile is valid or not.
|
||||||
|
|
||||||
|
+Decompression pitfalls
|
||||||
|
+----------------------
|
||||||
|
|
||||||
|
+The extraction in zipfile module might fail due to some pitfalls
|
||||||
|
+listed below.
|
||||||
|
+
|
||||||
|
+From file itself
|
||||||
|
+~~~~~~~~~~~~~~~~
|
||||||
|
+
|
||||||
|
+Decompression may fail due to incorrect password / CRC checksum
|
||||||
|
+/ ZIP format or unsupported compression method / decryption.
|
||||||
|
+
|
||||||
|
+File System limitations
|
||||||
|
+~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
+
|
||||||
|
+Exceeding limitations on different file systems can cause
|
||||||
|
+decompression failed. Such as allowable characters in the
|
||||||
|
+directory entries, length of the file name, length of the
|
||||||
|
+pathname, size of a single file, and number of files, etc.
|
||||||
|
+
|
||||||
|
+Resources limitations
|
||||||
|
+~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
+
|
||||||
|
+The lack of memory or disk volume would lead to decompression
|
||||||
|
+failed. For example, decompression bombs (aka `ZIP bomb`_) apply
|
||||||
|
+to zipfile library that can cause disk volume exhaustion.
|
||||||
|
+
|
||||||
|
+Interruption
|
||||||
|
+~~~~~~~~~~~~
|
||||||
|
+
|
||||||
|
+Interruption during the decompression, such as pressing control-C
|
||||||
|
+or killing the decompression process may result in incomplete
|
||||||
|
+decompression of the archive.
|
||||||
|
+
|
||||||
|
+Default behaviors of extraction
|
||||||
|
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
+
|
||||||
|
+Not knowing the default extraction behaviors can cause unexpected
|
||||||
|
+decompression results. For example, when extracting the same
|
||||||
|
+archive twice, it overwrites files without asking.
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
|
||||||
|
.. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
|
||||||
|
@@ -0,0 +1 @@
|
||||||
|
+Add decompression pitfalls to zipfile module documentation.
|
||||||
|
\ No newline at end of file
|
||||||
@ -91,6 +91,9 @@ Patch57: python-2.7.17-switch-off-failing-SSL-tests.patch
|
|||||||
# Fixes Python urrlib allowed an HTTP server to conduct Regular
|
# Fixes Python urrlib allowed an HTTP server to conduct Regular
|
||||||
# Expression Denial of Service (ReDoS)
|
# Expression Denial of Service (ReDoS)
|
||||||
Patch58: CVE-2020-8492-urllib-ReDoS.patch
|
Patch58: CVE-2020-8492-urllib-ReDoS.patch
|
||||||
|
# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mcepl@suse.com
|
||||||
|
# Improve documentation warning against the possible zip bombs
|
||||||
|
Patch59: CVE-2019-9674-zip-bomb.patch
|
||||||
# COMMON-PATCH-END
|
# COMMON-PATCH-END
|
||||||
%define python_version %(echo %{tarversion} | head -c 3)
|
%define python_version %(echo %{tarversion} | head -c 3)
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
@ -215,6 +218,7 @@ other applications.
|
|||||||
%patch55 -p1
|
%patch55 -p1
|
||||||
%patch56 -p1
|
%patch56 -p1
|
||||||
%patch58 -p1
|
%patch58 -p1
|
||||||
|
%patch59 -p1
|
||||||
|
|
||||||
# drop Autoconf version requirement
|
# drop Autoconf version requirement
|
||||||
sed -i 's/^version_required/dnl version_required/' configure.ac
|
sed -i 's/^version_required/dnl version_required/' configure.ac
|
||||||
|
|||||||
@ -1,3 +1,17 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Sat Feb 8 22:30:51 CET 2020 - Matej Cepl <mcepl@suse.com>
|
||||||
|
|
||||||
|
- Change to Requires: libpython%{so_version} == %{version}-%{release}
|
||||||
|
to python-base to keep both packages always synchronized (add
|
||||||
|
%{so_version}) (bsc#1162224).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Feb 6 23:14:47 CET 2020 - Matej Cepl <mcepl@suse.com>
|
||||||
|
|
||||||
|
- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
|
||||||
|
"Python urrlib allowed an HTTP server to conduct Regular
|
||||||
|
Expression Denial of Service (ReDoS)" (bsc#1162367)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Feb 3 19:30:31 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>
|
Mon Feb 3 19:30:31 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>
|
||||||
|
|
||||||
|
|||||||
@ -85,6 +85,13 @@ Patch55: bpo36302-sort-module-sources.patch
|
|||||||
Patch56: adapted-from-F00251-change-user-install-location.patch
|
Patch56: adapted-from-F00251-change-user-install-location.patch
|
||||||
# Switch couple of tests failing on acient SLE-12
|
# Switch couple of tests failing on acient SLE-12
|
||||||
Patch57: python-2.7.17-switch-off-failing-SSL-tests.patch
|
Patch57: python-2.7.17-switch-off-failing-SSL-tests.patch
|
||||||
|
# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 mcepl@suse.com
|
||||||
|
# Fixes Python urrlib allowed an HTTP server to conduct Regular
|
||||||
|
# Expression Denial of Service (ReDoS)
|
||||||
|
Patch58: CVE-2020-8492-urllib-ReDoS.patch
|
||||||
|
# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mcepl@suse.com
|
||||||
|
# Improve documentation warning against the possible zip bombs
|
||||||
|
Patch59: CVE-2019-9674-zip-bomb.patch
|
||||||
# COMMON-PATCH-END
|
# COMMON-PATCH-END
|
||||||
Provides: pyth_doc
|
Provides: pyth_doc
|
||||||
Provides: pyth_ps
|
Provides: pyth_ps
|
||||||
@ -149,6 +156,8 @@ Python, and Macintosh Module Reference in PDF format.
|
|||||||
%patch51 -p1
|
%patch51 -p1
|
||||||
%patch55 -p1
|
%patch55 -p1
|
||||||
%patch56 -p1
|
%patch56 -p1
|
||||||
|
%patch58 -p1
|
||||||
|
%patch59 -p1
|
||||||
|
|
||||||
# drop Autoconf version requirement
|
# drop Autoconf version requirement
|
||||||
sed -i 's/^version_required/dnl version_required/' configure.ac
|
sed -i 's/^version_required/dnl version_required/' configure.ac
|
||||||
|
|||||||
@ -1,3 +1,17 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Sat Feb 8 22:30:51 CET 2020 - Matej Cepl <mcepl@suse.com>
|
||||||
|
|
||||||
|
- Change to Requires: libpython%{so_version} == %{version}-%{release}
|
||||||
|
to python-base to keep both packages always synchronized (add
|
||||||
|
%{so_version}) (bsc#1162224).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Feb 6 23:14:47 CET 2020 - Matej Cepl <mcepl@suse.com>
|
||||||
|
|
||||||
|
- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
|
||||||
|
"Python urrlib allowed an HTTP server to conduct Regular
|
||||||
|
Expression Denial of Service (ReDoS)" (bsc#1162367)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Feb 3 19:30:31 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>
|
Mon Feb 3 19:30:31 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>
|
||||||
|
|
||||||
|
|||||||
@ -89,6 +89,13 @@ Patch55: bpo36302-sort-module-sources.patch
|
|||||||
Patch56: adapted-from-F00251-change-user-install-location.patch
|
Patch56: adapted-from-F00251-change-user-install-location.patch
|
||||||
# Switch couple of tests failing on acient SLE-12
|
# Switch couple of tests failing on acient SLE-12
|
||||||
Patch57: python-2.7.17-switch-off-failing-SSL-tests.patch
|
Patch57: python-2.7.17-switch-off-failing-SSL-tests.patch
|
||||||
|
# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 mcepl@suse.com
|
||||||
|
# Fixes Python urrlib allowed an HTTP server to conduct Regular
|
||||||
|
# Expression Denial of Service (ReDoS)
|
||||||
|
Patch58: CVE-2020-8492-urllib-ReDoS.patch
|
||||||
|
# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mcepl@suse.com
|
||||||
|
# Improve documentation warning against the possible zip bombs
|
||||||
|
Patch59: CVE-2019-9674-zip-bomb.patch
|
||||||
# COMMON-PATCH-END
|
# COMMON-PATCH-END
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: db-devel
|
BuildRequires: db-devel
|
||||||
@ -267,6 +274,8 @@ that rely on earlier non-verification behavior.
|
|||||||
%patch51 -p1
|
%patch51 -p1
|
||||||
%patch55 -p1
|
%patch55 -p1
|
||||||
%patch56 -p1
|
%patch56 -p1
|
||||||
|
%patch58 -p1
|
||||||
|
%patch59 -p1
|
||||||
|
|
||||||
# drop Autoconf version requirement
|
# drop Autoconf version requirement
|
||||||
sed -i 's/^version_required/dnl version_required/' configure.ac
|
sed -i 's/^version_required/dnl version_required/' configure.ac
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user