- (bsc#1214685, CVE-2022-48565) Add

CVE-2022-48565-plistlib-XML-vulns.patch (from
  gh#python/cpython#86217) reject XML entity declarations in
  plist files.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=384

CVE-2022-48565-plistlib-XML-vulns.patch

@@ -0,0 +1,80 @@
+From 4d8f9e2e4461de92bd1e0c92ed433480d761670f Mon Sep 17 00:00:00 2001
+From: Ned Deily <nad@python.org>
+Date: Mon, 19 Oct 2020 22:36:27 -0400
+Subject: [PATCH] bpo-42051: Reject XML entity declarations in plist files
+ (GH-22760) (GH-22801)
+
+Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
+(cherry picked from commit e512bc799e3864fe3b1351757261762d63471efc)
+
+Co-authored-by: Ned Deily <nad@python.org>
+---
+ Lib/plistlib.py                                                    |   10 +++++
+ Lib/test/test_plistlib.py                                          |   19 ++++++++++
+ Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst |    3 +
+ 3 files changed, 32 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst
+
+--- a/Lib/plistlib.py
++++ b/Lib/plistlib.py
+@@ -403,9 +403,19 @@ class PlistParser:
+         parser.StartElementHandler = self.handleBeginElement
+         parser.EndElementHandler = self.handleEndElement
+         parser.CharacterDataHandler = self.handleData
++        parser.EntityDeclHandler = self.handle_entity_decl
+         parser.ParseFile(fileobj)
+         return self.root
+ 
++    def handle_entity_decl(self, entity_name, is_parameter_entity, value,
++                           base, system_id, public_id, notation_name):
++        # Reject plist files with entity declarations to avoid XML
++        # vulnerabilies in expat. Regular plist files don't contain
++        # those declerations, and Apple's plutil tool does not accept
++        # them either.
++        raise InvalidFileException(
++            "XML entity declarations are not supported in plist files")
++
+     def handleBeginElement(self, element, attrs):
+         self.data = []
+         handler = getattr(self, "begin_" + element, None)
+--- a/Lib/test/test_plistlib.py
++++ b/Lib/test/test_plistlib.py
+@@ -86,6 +86,19 @@ TESTDATA = """<?xml version="1.0" encodi
+ </plist>
+ """.replace(" " * 8, "\t")  # Apple as well as plistlib.py output hard tabs
+ 
++XML_PLIST_WITH_ENTITY=b'''\
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" [
++   <!ENTITY entity "replacement text">
++  ]>
++<plist version="1.0">
++  <dict>
++    <key>A</key>
++    <string>&entity;</string>
++  </dict>
++</plist>
++'''
++
+ 
+ class TestPlistlib(unittest.TestCase):
+ 
+@@ -195,6 +208,12 @@ class TestPlistlib(unittest.TestCase):
+         self.assertEqual(test1, result1)
+         self.assertEqual(test2, result2)
+ 
++    def test_xml_plist_with_entity_decl(self):
++        with self.assertRaisesRegexp(plistlib.InvalidFileException,
++                                     "XML entity declarations are not supported"):
++            plistlib.readPlistFromString(XML_PLIST_WITH_ENTITY)
++
++
+ 
+ def test_main():
+     test_support.run_unittest(TestPlistlib)
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst
+@@ -0,0 +1,3 @@
++The :mod:`plistlib` module no longer accepts entity declarations in XML
++plist files to avoid XML vulnerabilities. This should not affect users as
++entity declarations are not used in regular plist files.

python-base.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- (bsc#1214685, CVE-2022-48565) Add
+  CVE-2022-48565-plistlib-XML-vulns.patch (from
+  gh#python/cpython#86217) reject XML entity declarations in
+  plist files.
+- Remove BOTH CVE-2023-27043-email-parsing-errors.patch and
+  Revert-gh105127-left-tests.patch (as per discussion on
+  bsc#1210638).
+
 -------------------------------------------------------------------
 Tue Sep 12 07:55:52 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
 

python-base.spec

@@ -149,13 +149,13 @@ Patch75:        CVE-2023-24329-blank-URL-bypass.patch
 # PATCH-FIX-OPENSUSE PygmentsBridge-trime_doctest_flags.patch mcepl@suse.com
 # Build documentation even without PygmentsBridge.trim_doctest_flags
 Patch76:        PygmentsBridge-trime_doctest_flags.patch
-# PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com
+# # PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com
-# Detect email address parsing errors and return empty tuple to
+# # Detect email address parsing errors and return empty tuple to
-# indicate the parsing error (old API)
+# # indicate the parsing error (old API)
-Patch77:        CVE-2023-27043-email-parsing-errors.patch
+# Patch77:        CVE-2023-27043-email-parsing-errors.patch
-# PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638 mcepl@suse.com
+# PATCH-FIX-UPSTREAM CVE-2022-48565-plistlib-XML-vulns.patch bsc#1214685 mcepl@suse.com
-# Partially revert previous patch
+# Reject entity declarations in plists
-Patch78:        Revert-gh105127-left-tests.patch
+Patch78:        CVE-2022-48565-plistlib-XML-vulns.patch
 # PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch gh#python/cpython#108315
 Patch79:        CVE-2023-40217-avoid-ssl-pre-close.patch
 # COMMON-PATCH-END
@@ -310,7 +310,7 @@ other applications.
 %endif
 %patch75 -p1
 %patch76 -p1
-%patch77 -p1
+# %%patch77 -p1
 %patch78 -p1
 %patch79 -p1
 

python-doc.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- (bsc#1214685, CVE-2022-48565) Add
+  CVE-2022-48565-plistlib-XML-vulns.patch (from
+  gh#python/cpython#86217) reject XML entity declarations in
+  plist files.
+- Remove BOTH CVE-2023-27043-email-parsing-errors.patch and
+  Revert-gh105127-left-tests.patch (as per discussion on
+  bsc#1210638).
+
 -------------------------------------------------------------------
 Tue Sep 12 07:55:52 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
 

python-doc.spec

@@ -148,13 +148,13 @@ Patch75:        CVE-2023-24329-blank-URL-bypass.patch
 # PATCH-FIX-OPENSUSE PygmentsBridge-trime_doctest_flags.patch mcepl@suse.com
 # Build documentation even without PygmentsBridge.trim_doctest_flags
 Patch76:        PygmentsBridge-trime_doctest_flags.patch
-# PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com
+# # PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com
-# Detect email address parsing errors and return empty tuple to
+# # Detect email address parsing errors and return empty tuple to
-# indicate the parsing error (old API)
+# # indicate the parsing error (old API)
-Patch77:        CVE-2023-27043-email-parsing-errors.patch
+# Patch77:        CVE-2023-27043-email-parsing-errors.patch
-# PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638 mcepl@suse.com
+# PATCH-FIX-UPSTREAM CVE-2022-48565-plistlib-XML-vulns.patch bsc#1214685 mcepl@suse.com
-# Partially revert previous patch
+# Reject entity declarations in plists
-Patch78:        Revert-gh105127-left-tests.patch
+Patch78:        CVE-2022-48565-plistlib-XML-vulns.patch
 # PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch gh#python/cpython#108315
 Patch79:        CVE-2023-40217-avoid-ssl-pre-close.patch
 # COMMON-PATCH-END
@@ -244,7 +244,7 @@ Python, and Macintosh Module Reference in PDF format.
 %endif
 %patch75 -p1
 %patch76 -p1
-%patch77 -p1
+# %%patch77 -p1
 %patch78 -p1
 %patch79 -p1
 

python.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- (bsc#1214685, CVE-2022-48565) Add
+  CVE-2022-48565-plistlib-XML-vulns.patch (from
+  gh#python/cpython#86217) reject XML entity declarations in
+  plist files.
+- Remove BOTH CVE-2023-27043-email-parsing-errors.patch and
+  Revert-gh105127-left-tests.patch (as per discussion on
+  bsc#1210638).
+
 -------------------------------------------------------------------
 Tue Sep 12 07:55:52 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
 

python.spec

@@ -148,13 +148,13 @@ Patch75:        CVE-2023-24329-blank-URL-bypass.patch
 # PATCH-FIX-OPENSUSE PygmentsBridge-trime_doctest_flags.patch mcepl@suse.com
 # Build documentation even without PygmentsBridge.trim_doctest_flags
 Patch76:        PygmentsBridge-trime_doctest_flags.patch
-# PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com
+# # PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com
-# Detect email address parsing errors and return empty tuple to
+# # Detect email address parsing errors and return empty tuple to
-# indicate the parsing error (old API)
+# # indicate the parsing error (old API)
-Patch77:        CVE-2023-27043-email-parsing-errors.patch
+# Patch77:        CVE-2023-27043-email-parsing-errors.patch
-# PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638 mcepl@suse.com
+# PATCH-FIX-UPSTREAM CVE-2022-48565-plistlib-XML-vulns.patch bsc#1214685 mcepl@suse.com
-# Partially revert previous patch
+# Reject entity declarations in plists
-Patch78:        Revert-gh105127-left-tests.patch
+Patch78:        CVE-2022-48565-plistlib-XML-vulns.patch
 # PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch gh#python/cpython#108315
 Patch79:        CVE-2023-40217-avoid-ssl-pre-close.patch
 # COMMON-PATCH-END
@@ -364,7 +364,7 @@ that rely on earlier non-verification behavior.
 %endif
 %patch75 -p1
 %patch76 -p1
-%patch77 -p1
+# %%patch77 -p1
 %patch78 -p1
 %patch79 -p1