diff --git a/CVE-2023-24329-blank-URL-bypass.patch b/CVE-2023-24329-blank-URL-bypass.patch new file mode 100644 index 0000000..d88dcfe --- /dev/null +++ b/CVE-2023-24329-blank-URL-bypass.patch @@ -0,0 +1,55 @@ +From a284d69de1d1a42714576d4a9562145a94e62127 Mon Sep 17 00:00:00 2001 +From: Ben Kallus +Date: Sat, 12 Nov 2022 15:43:33 -0500 +Subject: [PATCH 1/2] gh-99418: Prevent urllib.parse.urlparse from accepting + schemes that don't begin with an alphabetical ASCII character. + +--- + Lib/test/test_urlparse.py | 18 ++++++++++ + Lib/urllib/parse.py | 2 - + Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst | 2 + + 3 files changed, 21 insertions(+), 1 deletion(-) + +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -668,6 +668,24 @@ class UrlParseTestCase(unittest.TestCase + with self.assertRaises(ValueError): + p.port + ++ def test_attributes_bad_scheme(self): ++ """Check handling of invalid schemes.""" ++ for bytes in (False, True): ++ for parse in (urllib.parse.urlsplit, urllib.parse.urlparse): ++ for scheme in (".", "+", "-", "0", "http&", "६http"): ++ with self.subTest(bytes=bytes, parse=parse, scheme=scheme): ++ url = scheme + "://www.example.net" ++ if bytes: ++ if url.isascii(): ++ url = url.encode("ascii") ++ else: ++ continue ++ p = parse(url) ++ if bytes: ++ self.assertEqual(p.scheme, b"") ++ else: ++ self.assertEqual(p.scheme, "") ++ + def test_attributes_without_netloc(self): + # This example is straight from RFC 3261. It looks like it + # should allow the username, hostname, and port to be filled +--- a/Lib/urllib/parse.py ++++ b/Lib/urllib/parse.py +@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragm + clear_cache() + netloc = query = fragment = '' + i = url.find(':') +- if i > 0: ++ if i > 0 and url[0].isascii() and url[0].isalpha(): + for c in url[:i]: + if c not in scheme_chars: + break +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst +@@ -0,0 +1,2 @@ ++Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin ++with a digit, a plus sign, or a minus sign to be parsed incorrectly. diff --git a/Python-3.10.10.tar.xz b/Python-3.10.10.tar.xz new file mode 100644 index 0000000..bb9a380 --- /dev/null +++ b/Python-3.10.10.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0419e9085bf51b7a672009b3f50dbf1859acdf18ba725d0ec19aa5c8503f0ea3 +size 19627028 diff --git a/Python-3.10.10.tar.xz.asc b/Python-3.10.10.tar.xz.asc new file mode 100644 index 0000000..0bd900c --- /dev/null +++ b/Python-3.10.10.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmPiQfoACgkQ/+h0BBaL +2EcB8hAAmFEIHZopWn+A4tDxd001eViLrOmjygqPn1doAQ3dAgyESt4Z/HDtN6rB ++6z5rsx+qdcP9kfb/+3V0gKBh/3V4bEpnD+EQtpONWhKbCcqOfq1ok1V+uNH8uOF +ixxWkY+MWJzPPhlQiW/sm9FP6CdnaeriKf1JMCUt9aiganpo2CQv5gPE/0PlSGO5 +BEKjCcyHHPIEAxC6jLm/+33PSzbhGq+YstK/1tcqUrJfkifipovmSZeFyzULPonK +MATPyliOupo3ixPs3LoJUjNpGD4fH+p2Lg1ZOgYv7vGmeLcadNVanRlqRg76m+ke +zvp/MAqQg4Fr75m2+mfDG/Md+PrSMvz71i55a1Q1NcYdW6QR62m08FCZg7/+t5pD +H91ywhMqTv1nySsEZGfuETPTs7gMCtyBeDjIhXBMcfbhGivd7r5zZJ8MUD/FSASC +fQ/vEVeHWQeWpfFgxLfLmRnkjIS7JCGlM9z6zsZqbppWqeA94sBIf4ka2JG2DnGP +1Pvn+ragiHt1++i2yVhmoAB0t44/SgXacCce5AT3yB71brT21cOXQs0Gq80MwVPI +nVbzdOtuGNGcvEi2fbO2IEcgegSHaOHo9PvYTRropSz3V7A95x8mA1xjZf2y77H5 +/mfJ4687YIItCIcNE5Zzj6GspWlWP31OvRFIIefnKYf2JuU+qt8= +=B3xo +-----END PGP SIGNATURE----- diff --git a/Python-3.10.9.tar.xz b/Python-3.10.9.tar.xz deleted file mode 100644 index d340fc2..0000000 --- a/Python-3.10.9.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5ae03e308260164baba39921fdb4dbf8e6d03d8235a939d4582b33f0b5e46a83 -size 19612112 diff --git a/Python-3.10.9.tar.xz.asc b/Python-3.10.9.tar.xz.asc deleted file mode 100644 index ab8f048..0000000 --- a/Python-3.10.9.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEz9yiRbEEPPKl+Xhl/+h0BBaL2EcFAmOPjc0ACgkQ/+h0BBaL -2EeV0hAAqnRoPq/yKFBquimXkwLGWPOwmPC1W4ehfS8OzXtfqw53xyG8q5ggemyd -pc6k6lXlgFS1AzE3wGPfVNzr+iFf2xP+3c21e3nbKUISxFQ6xF+X2xY7sTLIZUuQ -h8ZEyq7W9a1ta/78ap03+C3i98EWK5WaO5PIt57yq4ZLWdNVaJpqXessFQiZ5+ys -pN0D0iC9TCUv3QTDhyB2xB7fThVXcIsvfgvAsSzLMC3t/POsp3Qiooa1Tc9lB4TK -GEgfGUrvd/YZaI9LKT309aXfBuorjX9oDN05+efg+8/2DsRCus7KX+buNRC5xRX6 -gIFp/Bjgc+eBDW/8f8zEl/aB8DWm/rkfX83Xc0m9W0iZYtSQT0AGoQE5fcJg1jnR -lV5RpD9uZa/RrHtc/Sl7e0PfOdfZsWUKsNiiJhDVdfRPJYanezAHZCZpc8q2JoOV -IoxKlWp5eBhk10hWwtAjLGPK2iGNfUksV72oqDGU8IyA4+wL/iC9quq5nWED0U0w -gjrmXYIspCT2oCF/U3kCjqf26vYp6hxFrvloseD65ExwNiqQCGQlsxZJelCJUDnO -lezBraV5QSElsRReO2t8+XQgxoCeBbsvRpCNPWnzGdvNHljTRWVQtdx8s3A+LYEX -dNnL5pI91C+5pn+vvKYO4x2S7hdgG4aRNSwH19D05VdThEsmt0U= -=L+IQ ------END PGP SIGNATURE----- diff --git a/fix_configure_rst.patch b/fix_configure_rst.patch index 51c85bb..7e81a09 100644 --- a/fix_configure_rst.patch +++ b/fix_configure_rst.patch @@ -29,7 +29,7 @@ Create a Python.framework rather than a traditional Unix install. Optional --- a/Misc/NEWS +++ b/Misc/NEWS -@@ -3254,7 +3254,7 @@ C API +@@ -3422,7 +3422,7 @@ C API ----- - bpo-43795: The list in :ref:`stable-abi-list` now shows the public name diff --git a/python310.changes b/python310.changes index d5b11ae..d1b3655 100644 --- a/python310.changes +++ b/python310.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Wed Mar 1 20:59:04 UTC 2023 - Matej Cepl + +- Update to 3.10.10: + Bug fixes and regressions handling, no change of behaviour and + no security bugs fixed. +- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329, + bsc#1208471) blocklists bypass via the urllib.parse component + when supplying a URL that starts with blank characters + ------------------------------------------------------------------- Tue Feb 21 11:34:49 UTC 2023 - Matej Cepl diff --git a/python310.spec b/python310.spec index b1ac96d..6cbd5be 100644 --- a/python310.spec +++ b/python310.spec @@ -103,7 +103,7 @@ Obsoletes: python39%{?1:-%{1}} %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so %bcond_without profileopt Name: %{python_pkg_name}%{psuffix} -Version: 3.10.9 +Version: 3.10.10 Release: 0 Summary: Python 3 Interpreter License: Python-2.0 @@ -166,6 +166,10 @@ Patch35: fix_configure_rst.patch # PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mcepl@suse.com # NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236 Patch36: support-expat-CVE-2022-25236-patched.patch +# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com +# blocklist bypass via the urllib.parse component when supplying +# a URL that starts with blank characters +Patch37: CVE-2023-24329-blank-URL-bypass.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -438,6 +442,7 @@ other applications. %endif %patch35 -p1 %patch36 -p1 +%patch37 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac @@ -633,7 +638,7 @@ for library in \ _posixsubprocess _queue _random resource select _ssl _socket spwd \ _statistics _struct syslog termios _testbuffer _testimportmultiple \ _testmultiphase unicodedata zlib _ctypes_test _testinternalcapi _testcapi \ - xxlimited xxlimited_35 \ + _testclinic xxlimited xxlimited_35 \ _xxtestfuzz _xxsubinterpreters _elementtree pyexpat _md5 _sha1 \ _sha256 _sha512 _blake2 _sha3 _uuid _zoneinfo do @@ -882,6 +887,7 @@ echo %{sitedir}/_import_failed > %{buildroot}/%{sitedir}/site-packages/zzzz-impo %{dynlib _ctypes_test} %{dynlib _testbuffer} %{dynlib _testcapi} +%{dynlib _testclinic} %{dynlib _testinternalcapi} %{dynlib _testimportmultiple} %{dynlib _testmultiphase}