- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,

bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
  not trust the PASV response.

- build against openssl 1.1.x (incompatible with openssl 3.0x)
  for now.

- on sle12, python2 modules will still be called python-xxxx until EOL,
  for newer SLE versions they will be python2-xxxx

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=310

CVE-2021-4189-ftplib-trust-PASV-resp.patch

@@ -0,0 +1,115 @@
+commit 0ab152c6b5d95caa2dc1a30fa96e10258b5f188e
+Author: Gregory P. Smith <greg@krypto.org>
+Date:   Mon Mar 15 11:39:31 2021 -0700
+
+    bpo-43285 Make ftplib not trust the PASV response. (GH-24838)
+    
+    bpo-43285: Make ftplib not trust the PASV response.
+    
+    The IPv4 address value returned from the server in response to the PASV command
+    should not be trusted.  This prevents a malicious FTP server from using the
+    response to probe IPv4 address and port combinations on the client network.
+    
+    Instead of using the returned address, we use the IP address we're
+    already connected to.  This is the strategy other ftp clients adopted,
+    and matches the only strategy available for the modern IPv6 EPSV command
+    where the server response must return a port number and nothing else.
+    
+    For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address`
+    attribute on your `ftplib.FTP` instance to True.
+
+---
+ Lib/ftplib.py                                                      |   11 +++-
+ Lib/test/test_ftplib.py                                            |   27 +++++++++-
+ Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst |    8 ++
+ 3 files changed, 43 insertions(+), 3 deletions(-)
+
+--- a/Lib/ftplib.py
++++ b/Lib/ftplib.py
+@@ -107,7 +107,9 @@ class FTP:
+     sock = None
+     file = None
+     welcome = None
+-    passiveserver = 1
++    passiveserver = True
++    # Disables https://bugs.python.org/issue43285 security if set to True.
++    trust_server_pasv_ipv4_address = False
+ 
+     # Initialization method (called by class instantiation).
+     # Initialize host to localhost, port to standard ftp port
+@@ -310,8 +312,13 @@ class FTP:
+         return sock
+ 
+     def makepasv(self):
++        """Internal: Does the PASV or EPSV handshake -> (address, port)"""
+         if self.af == socket.AF_INET:
+-            host, port = parse227(self.sendcmd('PASV'))
++            untrusted_host, port = parse227(self.sendcmd('PASV'))
++            if self.trust_server_pasv_ipv4_address:
++                host = untrusted_host
++            else:
++                host = self.sock.getpeername()[0]
+         else:
+             host, port = parse229(self.sendcmd('EPSV'), self.sock.getpeername())
+         return host, port
+--- a/Lib/test/test_ftplib.py
++++ b/Lib/test/test_ftplib.py
+@@ -67,6 +67,10 @@ class DummyFTPHandler(asynchat.async_cha
+         self.rest = None
+         self.next_retr_data = RETR_DATA
+         self.push('220 welcome')
++        # We use this as the string IPv4 address to direct the client
++        # to in response to a PASV command.  To test security behavior.
++        # https://bugs.python.org/issue43285/.
++        self.fake_pasv_server_ip = '252.253.254.255'
+ 
+     def collect_incoming_data(self, data):
+         self.in_buffer.append(data)
+@@ -109,7 +113,8 @@ class DummyFTPHandler(asynchat.async_cha
+         sock.bind((self.socket.getsockname()[0], 0))
+         sock.listen(5)
+         sock.settimeout(10)
+-        ip, port = sock.getsockname()[:2]
++        port = sock.getsockname()[1]
++        ip = self.fake_pasv_server_ip
+         ip = ip.replace('.', ',')
+         p1, p2 = divmod(port, 256)
+         self.push('227 entering passive mode (%s,%d,%d)' %(ip, p1, p2))
+@@ -577,6 +582,26 @@ class TestFTPClass(TestCase):
+         # IPv4 is in use, just make sure send_epsv has not been used
+         self.assertEqual(self.server.handler_instance.last_received_cmd, 'pasv')
+ 
++    def test_makepasv_issue43285_security_disabled(self):
++        """Test the opt-in to the old vulnerable behavior."""
++        self.client.trust_server_pasv_ipv4_address = True
++        bad_host, port = self.client.makepasv()
++        self.assertEqual(
++                bad_host, self.server.handler_instance.fake_pasv_server_ip)
++        # Opening and closing a connection keeps the dummy server happy
++        # instead of timing out on accept.
++        socket.create_connection((self.client.sock.getpeername()[0], port),
++                                 timeout=TIMEOUT).close()
++
++    def test_makepasv_issue43285_security_enabled_default(self):
++        self.assertFalse(self.client.trust_server_pasv_ipv4_address)
++        trusted_host, port = self.client.makepasv()
++        self.assertNotEqual(
++                trusted_host, self.server.handler_instance.fake_pasv_server_ip)
++        # Opening and closing a connection keeps the dummy server happy
++        # instead of timing out on accept.
++        socket.create_connection((trusted_host, port), timeout=TIMEOUT).close()
++
+     def test_line_too_long(self):
+         self.assertRaises(ftplib.Error, self.client.sendcmd,
+                           'x' * self.client.maxline * 2)
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst
+@@ -0,0 +1,8 @@
++:mod:`ftplib` no longer trusts the IP address value returned from the server
++in response to the PASV command by default.  This prevents a malicious FTP
++server from using the response to probe IPv4 address and port combinations
++on the client network.
++
++Code that requires the former vulnerable behavior may set a
++``trust_server_pasv_ipv4_address`` attribute on their
++:class:`ftplib.FTP` instances to ``True`` to re-enable it.

python-base.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Sun Feb  6 07:43:11 UTC 2022 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
+  bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
+  not trust the PASV response.
+
+-------------------------------------------------------------------
+Mon Dec  6 13:48:27 UTC 2021 - Dirk Müller <dmueller@suse.com>
+
+- build against openssl 1.1.x (incompatible with openssl 3.0x)
+  for now.
+
 -------------------------------------------------------------------
 Tue Nov  2 08:09:03 UTC 2021 - Marcus Meissner <meissner@suse.com>
 

python-base.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-base
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -122,6 +122,9 @@ Patch66:        CVE-2019-20907_tarfile-inf-loop.patch
 # Fixes httplib to disallow control characters in method to avoid header
 # injection
 Patch67:        CVE-2020-26116-httplib-header-injection.patch
+# PATCH-FIX-UPSTREAM CVE-2021-4189-ftplib-trust-PASV-resp.patch bsc#1194146 mcepl@suse.com
+# Make ftplib not trust the PASV response. (gh#python/cpython#24838)
+Patch68:        CVE-2021-4189-ftplib-trust-PASV-resp.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@@ -256,6 +259,7 @@ other applications.
 %patch65 -p1
 %patch66 -p1
 %patch67 -p1
+%patch68 -p1
 
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar

python-doc.changes

@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Sun Feb  6 07:43:11 UTC 2022 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
+  bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
+  not trust the PASV response.
+
+-------------------------------------------------------------------
+Mon Dec  6 13:48:27 UTC 2021 - Dirk Müller <dmueller@suse.com>
+
+- build against openssl 1.1.x (incompatible with openssl 3.0x)
+  for now.
+
+-------------------------------------------------------------------
+Tue Nov  2 08:09:03 UTC 2021 - Marcus Meissner <meissner@suse.com>
+
+- on sle12, python2 modules will still be called python-xxxx until EOL,
+  for newer SLE versions they will be python2-xxxx
+
 -------------------------------------------------------------------
 Fri Oct 15 08:17:46 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>
 

python-doc.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-doc
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -121,6 +121,9 @@ Patch66:        CVE-2019-20907_tarfile-inf-loop.patch
 # Fixes httplib to disallow control characters in method to avoid header
 # injection
 Patch67:        CVE-2020-26116-httplib-header-injection.patch
+# PATCH-FIX-UPSTREAM CVE-2021-4189-ftplib-trust-PASV-resp.patch bsc#1194146 mcepl@suse.com
+# Make ftplib not trust the PASV response. (gh#python/cpython#24838)
+Patch68:        CVE-2021-4189-ftplib-trust-PASV-resp.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc = %{version}
 Provides:       pyth_ps = %{version}
@@ -195,6 +198,7 @@ Python, and Macintosh Module Reference in PDF format.
 %patch65 -p1
 %patch66 -p1
 %patch67 -p1
+%patch68 -p1
 
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar

python.changes

@@ -1,7 +1,21 @@
+-------------------------------------------------------------------
+Sun Feb  6 07:43:11 UTC 2022 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
+  bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
+  not trust the PASV response.
+
 -------------------------------------------------------------------
 Mon Dec  6 13:48:27 UTC 2021 - Dirk Müller <dmueller@suse.com>
 
-- build against openssl 1.1.x (incompatible with openssl 3.0x) for now 
+- build against openssl 1.1.x (incompatible with openssl 3.0x)
+  for now.
+
+-------------------------------------------------------------------
+Tue Nov  2 08:09:03 UTC 2021 - Marcus Meissner <meissner@suse.com>
+
+- on sle12, python2 modules will still be called python-xxxx until EOL,
+  for newer SLE versions they will be python2-xxxx
 
 -------------------------------------------------------------------
 Fri Oct 15 08:17:46 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>

python.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -121,6 +121,9 @@ Patch66:        CVE-2019-20907_tarfile-inf-loop.patch
 # Fixes httplib to disallow control characters in method to avoid header
 # injection
 Patch67:        CVE-2020-26116-httplib-header-injection.patch
+# PATCH-FIX-UPSTREAM CVE-2021-4189-ftplib-trust-PASV-resp.patch bsc#1194146 mcepl@suse.com
+# Make ftplib not trust the PASV response. (gh#python/cpython#24838)
+Patch68:        CVE-2021-4189-ftplib-trust-PASV-resp.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@@ -309,6 +312,7 @@ that rely on earlier non-verification behavior.
 %patch65 -p1
 %patch66 -p1
 %patch67 -p1
+%patch68 -p1
 
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar