pool/python
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid

Browse Source 
CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
  command injection in the mailcap module.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=326
This commit is contained in:
Matej Cepl 2022-06-09 16:47:44 +00:00 committed by Git OBS Bridge
parent cadbcd01cd
commit da24c1af97
7 changed files with 140 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
CVE-2015-20107-mailcap-unsafe-filenames.patch Normal file
View File

@ -0,0 +1,98 @@
---
Doc/library/mailcap.rst | 13 +++++++++++++
Lib/mailcap.py | 28 ++++++++++++++++++++++++++--
2 files changed, 39 insertions(+), 2 deletions(-)
--- a/Doc/library/mailcap.rst
+++ b/Doc/library/mailcap.rst
@@ -55,6 +55,19 @@ standard. However, mailcap files are su
will automatically check such conditions and skip the entry if the check fails.
+.. versionchanged:: 3.11
+
+ To prevent security issues with shell metacharacters (symbols that have
+ special effects in a shell command line), ``findmatch`` will refuse
+ to inject ASCII characters other than alphanumerics and ``@+=:,./-_``
+ into the returned command line.
+
+ If a disallowed character appears in *filename*, ``findmatch`` will always
+ return ``(None, None)`` as if no entry was found.
+ If such a character appears elsewhere (a value in *plist* or in *MIMEtype*),
+ ``findmatch`` will ignore all mailcap entries which use that value.
+ A :mod:`warning <warnings>` will be raised in either case.
+
.. function:: getcaps()
Returns a dictionary mapping MIME types to a list of mailcap file entries. This
--- a/Lib/mailcap.py
+++ b/Lib/mailcap.py
@@ -1,9 +1,17 @@
"""Mailcap file handling. See RFC 1524."""
import os
+import warnings
+import re
__all__ = ["getcaps","findmatch"]
+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
+
+class UnsafeMailcapInput(Warning):
+ """Warning raised when refusing unsafe input"""
+
+
# Part 1: top-level interface.
def getcaps():
@@ -16,6 +24,10 @@ def getcaps():
where the viewing command is stored with the key "view".
"""
+ if _find_unsafe(filename):
+ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None, None
caps = {}
for mailcap in listmailcapfiles():
try:
@@ -149,10 +161,13 @@ def findmatch(caps, MIMEtype, key='view'
for e in entries:
if 'test' in e:
test = subst(e['test'], filename, plist)
+ if test is None:
+ continue
if test and os.system(test) != 0:
continue
command = subst(e[key], MIMEtype, filename, plist)
- return command, e
+ if command is not None:
+ return command, e
return None, None
def lookup(caps, MIMEtype, key=None):
@@ -184,6 +199,10 @@ def subst(field, MIMEtype, filename, pli
elif c == 's':
res = res + filename
elif c == 't':
+ if _find_unsafe(MIMEtype):
+ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None
res = res + MIMEtype
elif c == '{':
start = i
@@ -191,7 +210,12 @@ def subst(field, MIMEtype, filename, pli
i = i+1
name = field[start:i]
i = i+1
- res = res + findparam(name, plist)
+ param = findparam(name, plist)
+ if _find_unsafe(param):
+ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None
+ res = res + param
# XXX To do:
# %n == number of parts if type is multipart/*
# %F == list of alternating type and filename for parts

7
python-base.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Thu Jun 9 16:43:30 UTC 2022 - Matej Cepl <mcepl@suse.com>
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
command injection in the mailcap module.
-------------------------------------------------------------------
Tue May 24 07:05:36 UTC 2022 - Martin Liška <mliska@suse.cz>

4
python-base.spec
View File

@ -127,6 +127,9 @@ Patch68: CVE-2021-4189-ftplib-trust-PASV-resp.patch
# whole long discussion is on bpo#43882
# fix for santization URLs containing ASCII newline and tabs in urllib.parse
Patch69: CVE-2022-0391-urllib_parse-newline-parsing.patch
# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com
# avoid the command injection in the mailcap module.
Patch70: CVE-2015-20107-mailcap-unsafe-filenames.patch
# COMMON-PATCH-END
%define python_version %(echo %{tarversion} | head -c 3)
BuildRequires: automake
@ -262,6 +265,7 @@ other applications.
%patch67 -p1
%patch68 -p1
%patch69 -p1
%patch70 -p1
# For patch 66
cp -v %{SOURCE66} Lib/test/recursion.tar

13
python-doc.changes
View File

@ -1,3 +1,16 @@
-------------------------------------------------------------------
Thu Jun 9 16:43:30 UTC 2022 - Matej Cepl <mcepl@suse.com>
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
command injection in the mailcap module.
-------------------------------------------------------------------
Tue May 24 07:05:36 UTC 2022 - Martin Liška <mliska@suse.cz>
- Filter out executable-stack error that is triggered for i586
target.
-------------------------------------------------------------------
Sat Feb 26 12:41:42 UTC 2022 - Matej Cepl <mcepl@suse.com>

4
python-doc.spec
View File

@ -126,6 +126,9 @@ Patch68: CVE-2021-4189-ftplib-trust-PASV-resp.patch
# whole long discussion is on bpo#43882
# fix for santization URLs containing ASCII newline and tabs in urllib.parse
Patch69: CVE-2022-0391-urllib_parse-newline-parsing.patch
# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com
# avoid the command injection in the mailcap module.
Patch70: CVE-2015-20107-mailcap-unsafe-filenames.patch
# COMMON-PATCH-END
Provides: pyth_doc = %{version}
Provides: pyth_ps = %{version}
@ -199,6 +202,7 @@ Python, and Macintosh Module Reference in PDF format.
%patch67 -p1
%patch68 -p1
%patch69 -p1
%patch70 -p1
# For patch 66
cp -v %{SOURCE66} Lib/test/recursion.tar

14
python.changes
View File

@ -1,9 +1,15 @@
-------------------------------------------------------------------
Fri Mar 18 14:13:25 UTC 2022 - Marcus Meissner <meissner@suse.com>
Thu Jun 9 16:43:30 UTC 2022 - Matej Cepl <mcepl@suse.com>
- python-2.7.9-sles-disable-verification-by-default.patch: remove
as it by default now always does strict enforcement anyway and it
is 2022.
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
command injection in the mailcap module.
-------------------------------------------------------------------
Tue May 24 07:05:36 UTC 2022 - Martin Liška <mliska@suse.cz>
- Filter out executable-stack error that is triggered for i586
target.
-------------------------------------------------------------------
Sat Feb 26 12:41:42 UTC 2022 - Matej Cepl <mcepl@suse.com>

4
python.spec
View File

@ -126,6 +126,9 @@ Patch68: CVE-2021-4189-ftplib-trust-PASV-resp.patch
# whole long discussion is on bpo#43882
# fix for santization URLs containing ASCII newline and tabs in urllib.parse
Patch69: CVE-2022-0391-urllib_parse-newline-parsing.patch
# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com
# avoid the command injection in the mailcap module.
Patch70: CVE-2015-20107-mailcap-unsafe-filenames.patch
# COMMON-PATCH-END
BuildRequires: automake
BuildRequires: db-devel
@ -315,6 +318,7 @@ that rely on earlier non-verification behavior.
%patch67 -p1
%patch68 -p1
%patch69 -p1
%patch70 -p1
# For patch 66
cp -v %{SOURCE66} Lib/test/recursion.tar