diff --git a/CVE-2015-20107-mailcap-unsafe-filenames.patch b/CVE-2015-20107-mailcap-unsafe-filenames.patch new file mode 100644 index 0000000..b4d4e9e --- /dev/null +++ b/CVE-2015-20107-mailcap-unsafe-filenames.patch 
@@ -0,0 +1,98 @@ +--- + Doc/library/mailcap.rst | 13 +++++++++++++ + Lib/mailcap.py | 28 ++++++++++++++++++++++++++-- + 2 files changed, 39 insertions(+), 2 deletions(-) + +--- a/Doc/library/mailcap.rst ++++ b/Doc/library/mailcap.rst +@@ -55,6 +55,19 @@ standard. However, mailcap files are su + will automatically check such conditions and skip the entry if the check fails. + + ++.. versionchanged:: 3.11 ++ ++ To prevent security issues with shell metacharacters (symbols that have ++ special effects in a shell command line), ``findmatch`` will refuse ++ to inject ASCII characters other than alphanumerics and ``@+=:,./-_`` ++ into the returned command line. ++ ++ If a disallowed character appears in *filename*, ``findmatch`` will always ++ return ``(None, None)`` as if no entry was found. ++ If such a character appears elsewhere (a value in *plist* or in *MIMEtype*), ++ ``findmatch`` will ignore all mailcap entries which use that value. ++ A :mod:`warning ` will be raised in either case. ++ + .. function:: getcaps() + + Returns a dictionary mapping MIME types to a list of mailcap file entries. This +--- a/Lib/mailcap.py ++++ b/Lib/mailcap.py +@@ -1,9 +1,17 @@ + """Mailcap file handling. See RFC 1524.""" + + import os ++import warnings ++import re + + __all__ = ["getcaps","findmatch"] + ++_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search ++ ++class UnsafeMailcapInput(Warning): ++ """Warning raised when refusing unsafe input""" ++ ++ + # Part 1: top-level interface. + + def getcaps(): +@@ -16,6 +24,10 @@ def getcaps(): + where the viewing command is stored with the key "view". + + """ ++ if _find_unsafe(filename): ++ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." 
% (filename,) ++ warnings.warn(msg, UnsafeMailcapInput) ++ return None, None + caps = {} + for mailcap in listmailcapfiles(): + try: +@@ -149,10 +161,13 @@ def findmatch(caps, MIMEtype, key='view' + for e in entries: + if 'test' in e: + test = subst(e['test'], filename, plist) ++ if test is None: ++ continue + if test and os.system(test) != 0: + continue + command = subst(e[key], MIMEtype, filename, plist) +- return command, e ++ if command is not None: ++ return command, e + return None, None + + def lookup(caps, MIMEtype, key=None): +@@ -184,6 +199,10 @@ def subst(field, MIMEtype, filename, pli + elif c == 's': + res = res + filename + elif c == 't': ++ if _find_unsafe(MIMEtype): ++ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,) ++ warnings.warn(msg, UnsafeMailcapInput) ++ return None + res = res + MIMEtype + elif c == '{': + start = i +@@ -191,7 +210,12 @@ def subst(field, MIMEtype, filename, pli + i = i+1 + name = field[start:i] + i = i+1 +- res = res + findparam(name, plist) ++ param = findparam(name, plist) ++ if _find_unsafe(param): ++ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name) ++ warnings.warn(msg, UnsafeMailcapInput) ++ return None ++ res = res + param + # XXX To do: + # %n == number of parts if type is multipart/* + # %F == list of alternating type and filename for parts diff --git a/python-base.changes b/python-base.changes index 309c980..1dde24e 100644 --- a/python-base.changes +++ b/python-base.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Jun 9 16:43:30 UTC 2022 - Matej Cepl + +- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid + CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the + command injection in the mailcap module. + ------------------------------------------------------------------- Tue May 24 07:05:36 UTC 2022 - Martin Liška 
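Review bot: The filename guard in the hunk `@@ -16,6 +24,10 @@ def getcaps():` lands inside `getcaps()` (its context lines are getcaps' docstring and `caps = {}`), not in `findmatch()`; the function is declared as `def getcaps():` with no `filename`, so the added `if _find_unsafe(filename):` raises NameError on every call unless a module-level `filename` exists that this page does not show, and meanwhile the `%s` branch of `subst` (`res = res + filename`) stays unguarded, which is exactly the filename injection this backport is meant to close. Move those four added lines to the first statement after `findmatch`'s docstring, where `filename` is a parameter (see the later hunk header `def findmatch(caps, MIMEtype, key='view'`). Separately, `_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]')` is lifted from 3.11; if this spec builds the 2.7 interpreter, as the `python-2.7.9-*` patch name in the changelog suggests, 2.7's `re` has no `\U` escape and reads `\xa1-\U` as a reversed character range, so `import mailcap` would fail at module load — worth confirming with `python -c 'import mailcap'` in `%check` before shipping. The context line `test = subst(e['test'], filename, plist)` passes three arguments to the four-parameter `subst`, so the new `if test is None: continue` can never be reached for entries with a `test` field; that defect predates this change, but the backport is the place to pass `MIMEtype` as well.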
diff --git a/python-base.spec b/python-base.spec index 4287594..5519b27 100644 --- a/python-base.spec +++ b/python-base.spec @@ -127,6 +127,9 @@ Patch68: CVE-2021-4189-ftplib-trust-PASV-resp.patch # whole long discussion is on bpo#43882 # fix for santization URLs containing ASCII newline and tabs in urllib.parse Patch69: CVE-2022-0391-urllib_parse-newline-parsing.patch +# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com +# avoid the command injection in the mailcap module. +Patch70: CVE-2015-20107-mailcap-unsafe-filenames.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -262,6 +265,7 @@ other applications. %patch67 -p1 %patch68 -p1 %patch69 -p1 +%patch70 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar diff --git a/python-doc.changes b/python-doc.changes index 7361bcc..1dde24e 100644 --- a/python-doc.changes +++ b/python-doc.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Thu Jun 9 16:43:30 UTC 2022 - Matej Cepl + +- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid + CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the + command injection in the mailcap module. + +------------------------------------------------------------------- +Tue May 24 07:05:36 UTC 2022 - Martin Liška + +- Filter out executable-stack error that is triggered for i586 + target. + ------------------------------------------------------------------- Sat Feb 26 12:41:42 UTC 2022 - Matej Cepl diff --git a/python-doc.spec b/python-doc.spec index 177b2ca..4c7c9cf 100644 --- a/python-doc.spec +++ b/python-doc.spec 
@@ -126,6 +126,9 @@ Patch68: CVE-2021-4189-ftplib-trust-PASV-resp.patch # whole long discussion is on bpo#43882 # fix for santization URLs containing ASCII newline and tabs in urllib.parse Patch69: CVE-2022-0391-urllib_parse-newline-parsing.patch +# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com +# avoid the command injection in the mailcap module. +Patch70: CVE-2015-20107-mailcap-unsafe-filenames.patch # COMMON-PATCH-END Provides: pyth_doc = %{version} Provides: pyth_ps = %{version} @@ -199,6 +202,7 @@ Python, and Macintosh Module Reference in PDF format. %patch67 -p1 %patch68 -p1 %patch69 -p1 +%patch70 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar diff --git a/python.changes b/python.changes index 59555ec..1dde24e 100644 --- a/python.changes +++ b/python.changes @@ -1,9 +1,15 @@ ------------------------------------------------------------------- -Fri Mar 18 14:13:25 UTC 2022 - Marcus Meissner +Thu Jun 9 16:43:30 UTC 2022 - Matej Cepl -- python-2.7.9-sles-disable-verification-by-default.patch: remove - as it by default now always does strict enforcement anyway and it - is 2022. +- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid + CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the + command injection in the mailcap module. + +------------------------------------------------------------------- +Tue May 24 07:05:36 UTC 2022 - Martin Liška + +- Filter out executable-stack error that is triggered for i586 + target. ------------------------------------------------------------------- Sat Feb 26 12:41:42 UTC 2022 - Matej Cepl diff --git a/python.spec b/python.spec index ce1454f..cef4aa7 100644 --- a/python.spec +++ b/python.spec 
@@ -126,6 +126,9 @@ Patch68: CVE-2021-4189-ftplib-trust-PASV-resp.patch
 # whole long discussion is on bpo#43882
 # fix for santization URLs containing ASCII newline and tabs in urllib.parse
 Patch69: CVE-2022-0391-urllib_parse-newline-parsing.patch
+# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com
+# avoid the command injection in the mailcap module.
+Patch70: CVE-2015-20107-mailcap-unsafe-filenames.patch
 # COMMON-PATCH-END
 BuildRequires: automake
 BuildRequires: db-devel
@@ -315,6 +318,7 @@ that rely on earlier non-verification behavior.
 %patch67 -p1
 %patch68 -p1
 %patch69 -p1
+%patch70 -p1
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar