pool/python
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug

Browse Source 
"Python urrlib allowed an HTTP server to conduct Regular
  Expression Denial of Service (ReDoS)" (bsc#1162367)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=275
This commit is contained in:
Matej Cepl 2020-02-06 22:15:44 +00:00 committed by Git OBS Bridge
parent 669bddb90e
commit c010d2e825
3 changed files with 72 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
CVE-2020-8492-urllib-ReDoS.patch Normal file
View File

@ -0,0 +1,60 @@
From 34e25a97709a05f7c804036dd1e16afda6bdfa33 Mon Sep 17 00:00:00 2001
From: Victor Stinner <vstinner@python.org>
Date: Thu, 30 Jan 2020 16:13:03 +0100
Subject: [PATCH 1/2] bpo-39503: Fix urllib basic auth regex
The AbstractBasicAuthHandler class of the urllib.request module uses
an inefficient regular expression which can be exploited by an
attacker to cause a denial of service. Fix the regex to prevent the
catastrophic backtracking.
Vulnerability reported by Matt Schwager.
---
Lib/urllib/request.py | 2 +-
.../next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 4 ++++
2 files changed, 5 insertions(+), 1 deletion(-)
create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index a6d350a97a452..72de8b2206885 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -937,7 +937,7 @@ class AbstractBasicAuthHandler:
# allow for double- and single-quoted realm values
# (single quotes are a violation of the RFC, but appear in the wild)
- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
+ rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+'
'realm=(["\']?)([^"\']*)\\2', re.I)
# XXX could pre-emptively send auth info already accepted (RFC 2617,
diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
new file mode 100644
index 0000000000000..2c2622f4e8d54
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
@@ -0,0 +1,4 @@
+The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
+:mod:`urllib.request` module uses an inefficient regular expression which can
+be exploited by an attacker to cause a denial of service. Fix the regex to
+prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager.
From 7c4bae4e611cf8c03601ecca93cf6482226c52aa Mon Sep 17 00:00:00 2001
From: Victor Stinner <vstinner@python.org>
Date: Thu, 30 Jan 2020 23:12:18 +0100
Subject: [PATCH 2/2] Add CVE-2020-8492 to the NEWS entry
---
.../next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
index 2c2622f4e8d54..92f186dcb1e49 100644
--- a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
@@ -1,4 +1,4 @@
-The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
:mod:`urllib.request` module uses an inefficient regular expression which can
be exploited by an attacker to cause a denial of service. Fix the regex to
prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager.

7
python-base.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Thu Feb 6 23:14:47 CET 2020 - Matej Cepl <mcepl@suse.com>
- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
"Python urrlib allowed an HTTP server to conduct Regular
Expression Denial of Service (ReDoS)" (bsc#1162367)
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Feb 3 19:30:31 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> Mon Feb 3 19:30:31 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

5
python-base.spec
View File

@ -85,6 +85,10 @@ Patch55: bpo36302-sort-module-sources.patch
Patch56: adapted-from-F00251-change-user-install-location.patch Patch56: adapted-from-F00251-change-user-install-location.patch
# Switch couple of tests failing on acient SLE-12 # Switch couple of tests failing on acient SLE-12
Patch57: python-2.7.17-switch-off-failing-SSL-tests.patch Patch57: python-2.7.17-switch-off-failing-SSL-tests.patch
# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 mcepl@suse.com
# Fixes Python urrlib allowed an HTTP server to conduct Regular
# Expression Denial of Service (ReDoS)
Patch58: CVE-2020-8492-urllib-ReDoS.patch
# COMMON-PATCH-END # COMMON-PATCH-END
%define python_version %(echo %{tarversion} | head -c 3) %define python_version %(echo %{tarversion} | head -c 3)
BuildRequires: automake BuildRequires: automake
@ -208,6 +212,7 @@ other applications.
%patch51 -p1 %patch51 -p1
%patch55 -p1 %patch55 -p1
%patch56 -p1 %patch56 -p1
%patch58 -p1
# drop Autoconf version requirement # drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac sed -i 's/^version_required/dnl version_required/' configure.ac