Accepting request 921455 from devel:languages:python:Factory

Synchronization of the package with SLE version.

OBS-URL: https://build.opensuse.org/request/show/921455
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=158

CVE-2019-20907_tarfile-inf-loop.patch

@@ -0,0 +1,42 @@
+From 1fa6ef2bc7cee1c8e088dd8b397d9b2d54036dbc Mon Sep 17 00:00:00 2001
+From: Rajarishi Devarajan <rishi93dev@gmail.com>
+Date: Sun, 12 Jul 2020 23:47:42 +0200
+Subject: [PATCH 1/4] bpo-39017 Fix infinite loop in the tarfile module
+
+Add a check for length = 0 in the _proc_pax function to avoid running into an infinite loop
+---
+ Lib/tarfile.py                                                    |    2 ++
+ Lib/test/test_tarfile.py                                          |    5 +++++
+ Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst |    1 +
+ 3 files changed, 8 insertions(+)
+ create mode 100644 Lib/test/recursion.tar
+
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -1400,6 +1400,8 @@ class TarInfo(object):
+ 
+             length, keyword = match.groups()
+             length = int(length)
++            if length == 0:
++                raise InvalidHeaderError("invalid header")
+             value = buf[match.end(2) + 1:match.start(1) + length - 1]
+ 
+             keyword = keyword.decode("utf8")
+--- a/Lib/test/test_tarfile.py
++++ b/Lib/test/test_tarfile.py
+@@ -321,6 +321,11 @@ class CommonReadTest(ReadTest):
+                 with self.assertRaisesRegexp(tarfile.ReadError, "unexpected end of data"):
+                     tar.extractfile(t).read()
+ 
++    def test_length_zero_header(self):
++        # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail
++        # with an exception
++        self.assertRaises(tarfile.ReadError, tarfile.open, test_support.findfile('recursion.tar'))
++
+ 
+ class MiscReadTest(CommonReadTest):
+     taropen = tarfile.TarFile.taropen
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
+@@ -0,0 +1 @@
++Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).

CVE-2020-26116-httplib-header-injection.patch

@@ -0,0 +1,77 @@
+---
+ Lib/httplib.py           |   15 +++++++++++++++
+ Lib/test/test_httplib.py |   22 +++++++++++++++++++++-
+ 2 files changed, 36 insertions(+), 1 deletion(-)
+
+--- a/Lib/httplib.py
++++ b/Lib/httplib.py
+@@ -262,6 +262,10 @@ _contains_disallowed_url_pchar_re = re.c
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+ 
+ 
++# These characters are not allowed within HTTP method names
++# to prevent http header injection.
++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
++
+ class HTTPMessage(mimetools.Message):
+ 
+     def addheader(self, key, value):
+@@ -940,6 +944,8 @@ class HTTPConnection:
+         else:
+             raise CannotSendRequest()
+ 
++        self._validate_method(method)
++
+         # Save the method for use later in the response phase
+         self._method = method
+ 
+@@ -1179,6 +1185,15 @@ class HTTPConnection:
+             response.close()
+             raise
+ 
++    def _validate_method(self, method):
++        """Validate a method name for putrequest."""
++        # prevent http header injection
++        match = _contains_disallowed_method_pchar_re.search(method)
++        if match:
++            raise ValueError(
++                "method can't contain control characters. %r (found at "
++                "least %r)" % (method, match.group()))
++
+ 
+ class HTTP:
+     "Compatibility class with httplib.py from 1.5."
+--- a/Lib/test/test_httplib.py
++++ b/Lib/test/test_httplib.py
+@@ -1007,10 +1007,30 @@ class TunnelTests(TestCase):
+         self.assertTrue('Host: destination.com' in conn.sock.data)
+ 
+ 
++class HttpMethodTests(TestCase):
++    def test_invalid_method_names(self):
++        methods = (
++            'GET\r',
++            'POST\n',
++            'PUT\n\r',
++            'POST\nValue',
++            'POST\nHOST:abc',
++            'GET\nrHost:abc\n',
++            'POST\rRemainder:\r',
++            'GET\rHOST:\n',
++            '\nPUT'
++        )
++
++        for method in methods:
++            conn = httplib.HTTPConnection('example.com')
++            conn.sock = FakeSocket(None)
++            self.assertRaises(ValueError, conn.request, method=method, url="/")
++
++
+ @test_support.reap_threads
+ def test_main(verbose=None):
+     test_support.run_unittest(HeaderTests, OfflineTest, BasicTest, TimeoutTest,
+-                              HTTPTest, HTTPSTest, SourceAddressTest,
++                              HTTPTest, HttpMethodTests, HTTPSTest, SourceAddressTest,
+                               TunnelTests)
+ 
+ if __name__ == '__main__':

pip-20.2.3-py2.py3-none-any.whl

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3dd51a8752bc3a34c0290e4e6c16be943256c8c693cb75736b95f56128decbac
+size 1350933

python-base.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Tue Sep 21 14:54:40 UTC 2021 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091
+  (CVE-2019-20907, bpo#39017) avoiding possible infinite loop
+  in specifically crafted tarball.
+  Add recursion.tar as a testing tarball for the patch.
+- Provide the newest setuptools wheel (bsc#1176262,
+  CVE-2019-20916) in their correct form (bsc#1180686).
+- Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211
+  (CVE-2020-26116, bpo#39603) no longer allowing special characters in
+  the method parameter of HTTPConnection.putrequest in httplib, stopping
+  injection of headers. Such characters now raise ValueError. 
+
+
 -------------------------------------------------------------------
 Thu Aug 26 15:35:10 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
 
@@ -75,10 +90,9 @@ Thu Apr 23 09:17:24 UTC 2020 - Matej Cepl <mcepl@suse.com>
     by Ben Caller.
   - Fixed line numbers and column offsets for AST nodes for calls
     without arguments in decorators.
-  - Disallow control characters in hostnames in http.client,
-    addressing CVE-2019-18348 (bpo#38576, bsc#1155094). Such
-    potentially malicious header injection URLs now cause
-    InvalidURL to be raised.
+  - bsc#1155094 (CVE-2019-18348) Disallow control characters in
+    hostnames in http.client. Such potentially malicious header
+    injection URLs now cause a InvalidURL to be raised.
   - Fix urllib.urlretrieve failing on subsequent ftp transfers
     from the same host.
   - Fix problems identified by GCC's -Wstringop-truncation
@@ -302,8 +316,9 @@ Thu Apr  4 22:28:24 CEST 2019 - Matej Cepl <mcepl@suse.com>
 -------------------------------------------------------------------
 Fri Jan 25 16:53:50 CET 2019 - mcepl@suse.com
 
-- bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
-  fixing bpo-34623.
+- bsc#1109847 (CVE-2018-14647): add
+  CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing
+  bpo-34623.
 
 -------------------------------------------------------------------
 Fri Jan 25 16:02:21 CET 2019 - mcepl@suse.com
@@ -322,7 +337,7 @@ Fri Jan 25 16:02:21 CET 2019 - mcepl@suse.com
 Sat Jan 19 16:19:38 CET 2019 - mcepl@suse.com
 
 - bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch
-  fixing bpo-35746.
+  fixing bpo-35746 (CVE-2019-5010).
   An exploitable denial-of-service vulnerability exists in the
   X509 certificate parser of Python.org Python 2.7.11 / 3.7.2.
   A specially crafted X509 certificate can cause a NULL pointer

python-base.spec

@@ -34,6 +34,11 @@ Source1:        macros.python2
 Source2:        baselibs.conf
 Source3:        README.SUSE
 Source5:        local.pth
+# Fixed bundled wheels
+Source10:       setuptools-44.1.1-py2.py3-none-any.whl
+Source11:       pip-20.2.3-py2.py3-none-any.whl
+# For Patch 66
+Source66:       recursion.tar
 Source99:       python-base-rpmlintrc
 # COMMON-PATCH-BEGIN
 Patch1:         python-2.7-dirs.patch
@@ -109,6 +114,14 @@ Patch63:        CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP
 Patch64:        CVE-2021-3733-fix-ReDoS-in-request.patch
 # PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bpo#35293 gh#python/cpython#22198 -- fix doc build
 Patch65:        sphinx-update-removed-function.patch
+# PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com
+# avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907)
+# REQUIRES SOURCE 66
+Patch66:        CVE-2019-20907_tarfile-inf-loop.patch
+# PATCH-FIX-UPSTREAM CVE-2020-26116-httplib-header-injection.patch bsc#1177211
+# Fixes httplib to disallow control characters in method to avoid header
+# injection
+Patch67:        CVE-2020-26116-httplib-header-injection.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@@ -239,11 +252,25 @@ other applications.
 %patch63 -p1
 %patch64 -p1
 %patch65 -p1
+%patch66 -p1
+%patch67 -p1
+
+# For patch 66
+cp -v %{SOURCE66} Lib/test/recursion.tar
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
 # COMMON-PREP-END
 
+# Replace bundled wheels with the updates ones
+rm -v Lib/ensurepip/_bundled/*.whl
+cp -v %{SOURCE10} %{SOURCE11} Lib/ensurepip/_bundled/
+STVER=$(basename %{SOURCE10}|cut -d- -f2)
+PIPVER=$(basename %{SOURCE11}|cut -d- -f2)
+sed -i -e "s/^\(\s*_SETUPTOOLS_VERSION\s\+=\s\+\)\"[0-9.]\+\"/\1\"${STVER}\"/" \
+       -e "s/^\(\s*_PIP_VERSION\s\+=\s\+\)\"[0-9.]\+\"/\1\"${PIPVER}\"/" \
+    Lib/ensurepip/__init__.py
+
 %build
 %define _lto_cflags %{nil}
 export OPT="%{optflags} -DOPENSSL_LOAD_CONF -fwrapv"
@@ -320,7 +347,7 @@ EXCLUDE="$EXCLUDE test_asynchat test_asyncore test_dircache test_multiprocessing
 if test $(ulimit -v) = unlimited || test $(ulimit -v) -gt 10000000; then
   ulimit -v 10000000 || :
 fi
-make test TESTOPTS="-l -x $EXCLUDE" TESTPYTHONOPTS="-R"
+make test TESTOPTS="-l -w -x $EXCLUDE" TESTPYTHONOPTS="-R"
 # use network, be verbose:
 #make test TESTOPTS="-l -u network -v"
 %endif

python-doc.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Tue Sep 21 14:54:40 UTC 2021 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091
+  (CVE-2019-20907, bpo#39017) avoiding possible infinite loop
+  in specifically crafted tarball.
+  Add recursion.tar as a testing tarball for the patch.
+- Provide the newest setuptools wheel (bsc#1176262,
+  CVE-2019-20916) in their correct form (bsc#1180686).
+- Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211
+  (CVE-2020-26116, bpo#39603) no longer allowing special characters in
+  the method parameter of HTTPConnection.putrequest in httplib, stopping
+  injection of headers. Such characters now raise ValueError. 
+
+
 -------------------------------------------------------------------
 Thu Aug 26 15:35:10 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
 
@@ -75,10 +90,9 @@ Thu Apr 23 09:17:24 UTC 2020 - Matej Cepl <mcepl@suse.com>
     by Ben Caller.
   - Fixed line numbers and column offsets for AST nodes for calls
     without arguments in decorators.
-  - Disallow control characters in hostnames in http.client,
-    addressing CVE-2019-18348 (bpo#38576, bsc#1155094). Such
-    potentially malicious header injection URLs now cause
-    InvalidURL to be raised.
+  - bsc#1155094 (CVE-2019-18348) Disallow control characters in
+    hostnames in http.client. Such potentially malicious header
+    injection URLs now cause a InvalidURL to be raised.
   - Fix urllib.urlretrieve failing on subsequent ftp transfers
     from the same host.
   - Fix problems identified by GCC's -Wstringop-truncation
@@ -302,8 +316,9 @@ Thu Apr  4 22:28:24 CEST 2019 - Matej Cepl <mcepl@suse.com>
 -------------------------------------------------------------------
 Fri Jan 25 16:53:50 CET 2019 - mcepl@suse.com
 
-- bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
-  fixing bpo-34623.
+- bsc#1109847 (CVE-2018-14647): add
+  CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing
+  bpo-34623.
 
 -------------------------------------------------------------------
 Fri Jan 25 16:02:21 CET 2019 - mcepl@suse.com
@@ -322,7 +337,7 @@ Fri Jan 25 16:02:21 CET 2019 - mcepl@suse.com
 Sat Jan 19 16:19:38 CET 2019 - mcepl@suse.com
 
 - bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch
-  fixing bpo-35746.
+  fixing bpo-35746 (CVE-2019-5010).
   An exploitable denial-of-service vulnerability exists in the
   X509 certificate parser of Python.org Python 2.7.11 / 3.7.2.
   A specially crafted X509 certificate can cause a NULL pointer

python-doc.spec

@@ -31,6 +31,8 @@ Source0:        %{tarname}.tar.xz
 #Source3:        http://docs.python.org/%{version}/archives/python-%{pyver}-docs-pdf-letter.tar.bz2
 Source2:        python-%{version}-docs-pdf-a4.tar.bz2
 Source3:        python-%{version}-docs-pdf-letter.tar.bz2
+# For Patch 66
+Source66:       recursion.tar
 %if 0%{?suse_version} >= 1500
 BuildRequires:  python3-Sphinx
 %else
@@ -111,6 +113,14 @@ Patch63:        CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP
 Patch64:        CVE-2021-3733-fix-ReDoS-in-request.patch
 # PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bpo#35293 gh#python/cpython#22198 -- fix doc build
 Patch65:        sphinx-update-removed-function.patch
+# PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com
+# avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907)
+# REQUIRES SOURCE 66
+Patch66:        CVE-2019-20907_tarfile-inf-loop.patch
+# PATCH-FIX-UPSTREAM CVE-2020-26116-httplib-header-injection.patch bsc#1177211
+# Fixes httplib to disallow control characters in method to avoid header
+# injection
+Patch67:        CVE-2020-26116-httplib-header-injection.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc = %{version}
 Provides:       pyth_ps = %{version}
@@ -183,17 +193,16 @@ Python, and Macintosh Module Reference in PDF format.
 %patch63 -p1
 %patch64 -p1
 %patch65 -p1
+%patch66 -p1
+%patch67 -p1
+
+# For patch 66
+cp -v %{SOURCE66} Lib/test/recursion.tar
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
 # COMMON-PREP-END
 
-# Update documentation formatting for Sphinx 3.0 (bpo#40204)
-for i in `find Doc/ -type f -name "*.rst"`
-do
-  sed -i 's/:c:type:/:c:expr:/g' $i
-done
-
 %build
 TODAY_DATE=`date -r %{S:0} "+%B %d, %Y"`
 # TODO use not date of tarball but date of latest patch

python.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Tue Sep 21 14:54:40 UTC 2021 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091
+  (CVE-2019-20907, bpo#39017) avoiding possible infinite loop
+  in specifically crafted tarball.
+  Add recursion.tar as a testing tarball for the patch.
+- Provide the newest setuptools wheel (bsc#1176262,
+  CVE-2019-20916) in their correct form (bsc#1180686).
+- Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211
+  (CVE-2020-26116, bpo#39603) no longer allowing special characters in
+  the method parameter of HTTPConnection.putrequest in httplib, stopping
+  injection of headers. Such characters now raise ValueError. 
+
+
 -------------------------------------------------------------------
 Thu Aug 26 15:35:10 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
 
@@ -75,10 +90,9 @@ Thu Apr 23 09:17:24 UTC 2020 - Matej Cepl <mcepl@suse.com>
     by Ben Caller.
   - Fixed line numbers and column offsets for AST nodes for calls
     without arguments in decorators.
-  - Disallow control characters in hostnames in http.client,
-    addressing CVE-2019-18348 (bpo#38576, bsc#1155094). Such
-    potentially malicious header injection URLs now cause
-    InvalidURL to be raised.
+  - bsc#1155094 (CVE-2019-18348) Disallow control characters in
+    hostnames in http.client. Such potentially malicious header
+    injection URLs now cause a InvalidURL to be raised.
   - Fix urllib.urlretrieve failing on subsequent ftp transfers
     from the same host.
   - Fix problems identified by GCC's -Wstringop-truncation
@@ -302,8 +316,9 @@ Thu Apr  4 22:28:24 CEST 2019 - Matej Cepl <mcepl@suse.com>
 -------------------------------------------------------------------
 Fri Jan 25 16:53:50 CET 2019 - mcepl@suse.com
 
-- bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
-  fixing bpo-34623.
+- bsc#1109847 (CVE-2018-14647): add
+  CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing
+  bpo-34623.
 
 -------------------------------------------------------------------
 Fri Jan 25 16:02:21 CET 2019 - mcepl@suse.com
@@ -322,7 +337,7 @@ Fri Jan 25 16:02:21 CET 2019 - mcepl@suse.com
 Sat Jan 19 16:19:38 CET 2019 - mcepl@suse.com
 
 - bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch
-  fixing bpo-35746.
+  fixing bpo-35746 (CVE-2019-5010).
   An exploitable denial-of-service vulnerability exists in the
   X509 certificate parser of Python.org Python 2.7.11 / 3.7.2.
   A specially crafted X509 certificate can cause a NULL pointer

python.spec

@@ -32,6 +32,8 @@ Source8:        sle_tls_checks_policy.py
 Source50:       idle.appdata.xml
 Source51:       idle.desktop
 # issues with copyrighted Unicode testing files
+# For Patch 66
+Source66:       recursion.tar
 
 # !!!!!!!!!!!!!!
 # do not add or edit patches here. please edit python-base.spec
@@ -111,6 +113,14 @@ Patch63:        CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP
 Patch64:        CVE-2021-3733-fix-ReDoS-in-request.patch
 # PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bpo#35293 gh#python/cpython#22198 -- fix doc build
 Patch65:        sphinx-update-removed-function.patch
+# PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com
+# avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907)
+# REQUIRES SOURCE 66
+Patch66:        CVE-2019-20907_tarfile-inf-loop.patch
+# PATCH-FIX-UPSTREAM CVE-2020-26116-httplib-header-injection.patch bsc#1177211
+# Fixes httplib to disallow control characters in method to avoid header
+# injection
+Patch67:        CVE-2020-26116-httplib-header-injection.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@@ -297,6 +307,11 @@ that rely on earlier non-verification behavior.
 %patch63 -p1
 %patch64 -p1
 %patch65 -p1
+%patch66 -p1
+%patch67 -p1
+
+# For patch 66
+cp -v %{SOURCE66} Lib/test/recursion.tar
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac

setuptools-44.1.1-py2.py3-none-any.whl

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2e98dac61759aa12d18e6e6f4c6c582095882f08431259ee92845b47a8378ff0
+size 583522