- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug

"Python urrlib allowed an HTTP server to conduct Regular Expression Denial of Service (ReDoS)" (bsc#1162367) OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=275
2020-02-06 22:15:44 +00:00 · 2020-02-06 22:15:44 +00:00 · c010d2e825
commit c010d2e825
parent 669bddb90e
3 changed files with 72 additions and 0 deletions
--- a/CVE-2020-8492-urllib-ReDoS.patch
+++ b/CVE-2020-8492-urllib-ReDoS.patch
@ -0,0 +1,60 @@
+From 34e25a97709a05f7c804036dd1e16afda6bdfa33 Mon Sep 17 00:00:00 2001
+From: Victor Stinner <vstinner@python.org>
+Date: Thu, 30 Jan 2020 16:13:03 +0100
+Subject: [PATCH 1/2] bpo-39503: Fix urllib basic auth regex
+
+The AbstractBasicAuthHandler class of the urllib.request module uses
+an inefficient regular expression which can be exploited by an
+attacker to cause a denial of service. Fix the regex to prevent the
+catastrophic backtracking.
+
+Vulnerability reported by Matt Schwager.
+---
+ Lib/urllib/request.py                                         | 2 +-
+ .../next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst    | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+
+diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
+index a6d350a97a452..72de8b2206885 100644
+--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
+@@ -937,7 +937,7 @@ class AbstractBasicAuthHandler:
+ 
+     # allow for double- and single-quoted realm values
+     # (single quotes are a violation of the RFC, but appear in the wild)
+-    rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
+    rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+'
+                     'realm=(["\']?)([^"\']*)\\2', re.I)
+ 
+     # XXX could pre-emptively send auth info already accepted (RFC 2617,
+diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+new file mode 100644
+index 0000000000000..2c2622f4e8d54
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+@@ -0,0 +1,4 @@
+The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
+:mod:`urllib.request` module uses an inefficient regular expression which can
+be exploited by an attacker to cause a denial of service. Fix the regex to
+prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager.
+
+From 7c4bae4e611cf8c03601ecca93cf6482226c52aa Mon Sep 17 00:00:00 2001
+From: Victor Stinner <vstinner@python.org>
+Date: Thu, 30 Jan 2020 23:12:18 +0100
+Subject: [PATCH 2/2] Add CVE-2020-8492 to the NEWS entry
+
+---
+ .../next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst      | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+index 2c2622f4e8d54..92f186dcb1e49 100644
+--- a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+@@ -1,4 +1,4 @@
+-The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
+ :mod:`urllib.request` module uses an inefficient regular expression which can
+ be exploited by an attacker to cause a denial of service. Fix the regex to
+ prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager.
--- a/python-base.changes
+++ b/python-base.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Feb  6 23:14:47 CET 2020 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
+  "Python urrlib allowed an HTTP server to conduct Regular
+  Expression Denial of Service (ReDoS)" (bsc#1162367)
+
 -------------------------------------------------------------------
 Mon Feb  3 19:30:31 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

--- a/python-base.spec
+++ b/python-base.spec
@ -85,6 +85,10 @@ Patch55:        bpo36302-sort-module-sources.patch
 Patch56:        adapted-from-F00251-change-user-install-location.patch
 # Switch couple of tests failing on acient SLE-12
 Patch57:        python-2.7.17-switch-off-failing-SSL-tests.patch
+# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 mcepl@suse.com
+# Fixes Python urrlib allowed an HTTP server to conduct Regular
+# Expression Denial of Service (ReDoS)
+Patch58:        CVE-2020-8492-urllib-ReDoS.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@ -208,6 +212,7 @@ other applications.
 %patch51 -p1
 %patch55 -p1
 %patch56 -p1
+%patch58 -p1

 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac