diff --git a/CVE-2020-8492-urllib-ReDoS.patch b/CVE-2020-8492-urllib-ReDoS.patch new file mode 100644 index 0000000..7ffbb12 --- /dev/null +++ b/CVE-2020-8492-urllib-ReDoS.patch @@ -0,0 +1,60 @@ +From 34e25a97709a05f7c804036dd1e16afda6bdfa33 Mon Sep 17 00:00:00 2001 +From: Victor Stinner +Date: Thu, 30 Jan 2020 16:13:03 +0100 +Subject: [PATCH 1/2] bpo-39503: Fix urllib basic auth regex + +The AbstractBasicAuthHandler class of the urllib.request module uses +an inefficient regular expression which can be exploited by an +attacker to cause a denial of service. Fix the regex to prevent the +catastrophic backtracking. + +Vulnerability reported by Matt Schwager. +--- + Lib/urllib/request.py | 2 +- + .../next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst + +diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py +index a6d350a97a452..72de8b2206885 100644 +--- a/Lib/urllib/request.py ++++ b/Lib/urllib/request.py +@@ -937,7 +937,7 @@ class AbstractBasicAuthHandler: + + # allow for double- and single-quoted realm values + # (single quotes are a violation of the RFC, but appear in the wild) +- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+' ++ rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+' + 'realm=(["\']?)([^"\']*)\\2', re.I) + + # XXX could pre-emptively send auth info already accepted (RFC 2617, +diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst +new file mode 100644 +index 0000000000000..2c2622f4e8d54 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst +@@ -0,0 +1,4 @@ ++The :class:`~urllib.request.AbstractBasicAuthHandler` class of the ++:mod:`urllib.request` module uses an inefficient regular expression which can ++be exploited by an attacker to cause a denial of service. Fix the regex to ++prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager. + +From 7c4bae4e611cf8c03601ecca93cf6482226c52aa Mon Sep 17 00:00:00 2001 +From: Victor Stinner +Date: Thu, 30 Jan 2020 23:12:18 +0100 +Subject: [PATCH 2/2] Add CVE-2020-8492 to the NEWS entry + +--- + .../next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst +index 2c2622f4e8d54..92f186dcb1e49 100644 +--- a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst ++++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst +@@ -1,4 +1,4 @@ +-The :class:`~urllib.request.AbstractBasicAuthHandler` class of the ++CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the + :mod:`urllib.request` module uses an inefficient regular expression which can + be exploited by an attacker to cause a denial of service. Fix the regex to + prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager. diff --git a/python-base.changes b/python-base.changes index 48fd0c3..d11a603 100644 --- a/python-base.changes +++ b/python-base.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Feb 6 23:14:47 CET 2020 - Matej Cepl + +- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug + "Python urrlib allowed an HTTP server to conduct Regular + Expression Denial of Service (ReDoS)" (bsc#1162367) + ------------------------------------------------------------------- Mon Feb 3 19:30:31 UTC 2020 - Tomáš Chvátal diff --git a/python-base.spec b/python-base.spec index 1a6689b..cd72990 100644 --- a/python-base.spec +++ b/python-base.spec @@ -85,6 +85,10 @@ Patch55: bpo36302-sort-module-sources.patch Patch56: adapted-from-F00251-change-user-install-location.patch # Switch couple of tests failing on acient SLE-12 Patch57: python-2.7.17-switch-off-failing-SSL-tests.patch +# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 mcepl@suse.com +# Fixes Python urrlib allowed an HTTP server to conduct Regular +# Expression Denial of Service (ReDoS) +Patch58: CVE-2020-8492-urllib-ReDoS.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -208,6 +212,7 @@ other applications. %patch51 -p1 %patch55 -p1 %patch56 -p1 +%patch58 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac