Accepting request 1197475 from devel:languages:python:Factory
- Add CVE-2024-8088-inf-loop-zipfile_Path.patch to prevent malformed payload to cause infinite loops in zipfile.Path (bsc#1229704, CVE-2024-8088). OBS-URL: https://build.opensuse.org/request/show/1197475 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python311?expand=0&rev=39
This commit is contained in:
Dominique Leuenberger
Git OBS Bridge
commit
b98a243190
136
CVE-2024-8088-inf-loop-zipfile_Path.patch
Normal file
136
CVE-2024-8088-inf-loop-zipfile_Path.patch
Normal file
@ -0,0 +1,136 @@
|
|||||||
|
---
|
||||||
|
Lib/test/test_zipfile.py | 75 ++++++++++
|
||||||
|
Lib/zipfile.py | 10 +
|
||||||
|
Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst | 1
|
||||||
|
Misc/NEWS.d/next/Library/2024-08-26-13-45-20.gh-issue-123270.gXHvNJ.rst | 3
|
||||||
|
4 files changed, 87 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
--- a/Lib/test/test_zipfile.py
|
||||||
|
+++ b/Lib/test/test_zipfile.py
|
||||||
|
@@ -3651,6 +3651,81 @@ with zipfile.ZipFile(io.BytesIO(), "w")
|
||||||
|
zipfile.Path(zf)
|
||||||
|
zf.extractall(source_path.parent)
|
||||||
|
|
||||||
|
+ def test_malformed_paths(self):
|
||||||
|
+ """
|
||||||
|
+ Path should handle malformed paths gracefully.
|
||||||
|
+
|
||||||
|
+ Paths with leading slashes are not visible.
|
||||||
|
+
|
||||||
|
+ Paths with dots are treated like regular files.
|
||||||
|
+ """
|
||||||
|
+ data = io.BytesIO()
|
||||||
|
+ zf = zipfile.ZipFile(data, "w")
|
||||||
|
+ zf.writestr("../parent.txt", b"content")
|
||||||
|
+ zf.filename = ''
|
||||||
|
+ root = zipfile.Path(zf)
|
||||||
|
+ assert list(map(str, root.iterdir())) == ['../']
|
||||||
|
+ assert root.joinpath('..').joinpath('parent.txt').read_bytes() == b'content'
|
||||||
|
+
|
||||||
|
+ def test_unsupported_names(self):
|
||||||
|
+ """
|
||||||
|
+ Path segments with special characters are readable.
|
||||||
|
+
|
||||||
|
+ On some platforms or file systems, characters like
|
||||||
|
+ ``:`` and ``?`` are not allowed, but they are valid
|
||||||
|
+ in the zip file.
|
||||||
|
+ """
|
||||||
|
+ data = io.BytesIO()
|
||||||
|
+ zf = zipfile.ZipFile(data, "w")
|
||||||
|
+ zf.writestr("path?", b"content")
|
||||||
|
+ zf.writestr("V: NMS.flac", b"fLaC...")
|
||||||
|
+ zf.filename = ''
|
||||||
|
+ root = zipfile.Path(zf)
|
||||||
|
+ contents = root.iterdir()
|
||||||
|
+ assert next(contents).name == 'path?'
|
||||||
|
+ assert next(contents).name == 'V: NMS.flac'
|
||||||
|
+ assert root.joinpath('V: NMS.flac').read_bytes() == b"fLaC..."
|
||||||
|
+
|
||||||
|
+ def test_backslash_not_separator(self):
|
||||||
|
+ """
|
||||||
|
+ In a zip file, backslashes are not separators.
|
||||||
|
+ """
|
||||||
|
+ data = io.BytesIO()
|
||||||
|
+ zf = zipfile.ZipFile(data, "w")
|
||||||
|
+ zf.writestr(DirtyZipInfo.for_name("foo\\bar", zf), b"content")
|
||||||
|
+ zf.filename = ''
|
||||||
|
+ root = zipfile.Path(zf)
|
||||||
|
+ (first,) = root.iterdir()
|
||||||
|
+ assert not first.is_dir()
|
||||||
|
+ assert first.name == 'foo\\bar'
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+class DirtyZipInfo(zipfile.ZipInfo):
|
||||||
|
+ """
|
||||||
|
+ Bypass name sanitization.
|
||||||
|
+ """
|
||||||
|
+
|
||||||
|
+ def __init__(self, filename, *args, **kwargs):
|
||||||
|
+ super().__init__(filename, *args, **kwargs)
|
||||||
|
+ self.filename = filename
|
||||||
|
+
|
||||||
|
+ @classmethod
|
||||||
|
+ def for_name(cls, name, archive):
|
||||||
|
+ """
|
||||||
|
+ Construct the same way that ZipFile.writestr does.
|
||||||
|
+
|
||||||
|
+ TODO: extract this functionality and re-use
|
||||||
|
+ """
|
||||||
|
+ self = cls(filename=name, date_time=time.localtime(time.time())[:6])
|
||||||
|
+ self.compress_type = archive.compression
|
||||||
|
+ self.compress_level = archive.compresslevel
|
||||||
|
+ if self.filename.endswith('/'): # pragma: no cover
|
||||||
|
+ self.external_attr = 0o40775 << 16 # drwxrwxr-x
|
||||||
|
+ self.external_attr |= 0x10 # MS-DOS directory flag
|
||||||
|
+ else:
|
||||||
|
+ self.external_attr = 0o600 << 16 # ?rw-------
|
||||||
|
+ return self
|
||||||
|
+
|
||||||
|
|
||||||
|
class EncodedMetadataTests(unittest.TestCase):
|
||||||
|
file_names = ['\u4e00', '\u4e8c', '\u4e09'] # Han 'one', 'two', 'three'
|
||||||
|
--- a/Lib/zipfile.py
|
||||||
|
+++ b/Lib/zipfile.py
|
||||||
|
@@ -9,6 +9,7 @@ import io
|
||||||
|
import itertools
|
||||||
|
import os
|
||||||
|
import posixpath
|
||||||
|
+import re
|
||||||
|
import shutil
|
||||||
|
import stat
|
||||||
|
import struct
|
||||||
|
@@ -2212,7 +2213,7 @@ def _parents(path):
|
||||||
|
def _ancestry(path):
|
||||||
|
"""
|
||||||
|
Given a path with elements separated by
|
||||||
|
- posixpath.sep, generate all elements of that path
|
||||||
|
+ posixpath.sep, generate all elements of that path.
|
||||||
|
|
||||||
|
>>> list(_ancestry('b/d'))
|
||||||
|
['b/d', 'b']
|
||||||
|
@@ -2224,9 +2225,14 @@ def _ancestry(path):
|
||||||
|
['b']
|
||||||
|
>>> list(_ancestry(''))
|
||||||
|
[]
|
||||||
|
+
|
||||||
|
+ Multiple separators are treated like a single.
|
||||||
|
+
|
||||||
|
+ >>> list(_ancestry('//b//d///f//'))
|
||||||
|
+ ['//b//d///f', '//b//d', '//b']
|
||||||
|
"""
|
||||||
|
path = path.rstrip(posixpath.sep)
|
||||||
|
- while path and path != posixpath.sep:
|
||||||
|
+ while path.rstrip(posixpath.sep):
|
||||||
|
yield path
|
||||||
|
path, tail = posixpath.split(path)
|
||||||
|
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
|
||||||
|
@@ -0,0 +1 @@
|
||||||
|
+:class:`zipfile.Path` objects now sanitize names from the zipfile.
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/Misc/NEWS.d/next/Library/2024-08-26-13-45-20.gh-issue-123270.gXHvNJ.rst
|
||||||
|
@@ -0,0 +1,3 @@
|
||||||
|
+Applied a more surgical fix for malformed payloads in :class:`zipfile.Path`
|
||||||
|
+causing infinite loops (gh-122905) without breaking contents using
|
||||||
|
+legitimate characters.
|
||||||
@ -1,3 +1,10 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Aug 28 16:54:34 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
|
||||||
|
|
||||||
|
- Add CVE-2024-8088-inf-loop-zipfile_Path.patch to prevent
|
||||||
|
malformed payload to cause infinite loops in zipfile.Path
|
||||||
|
(bsc#1229704, CVE-2024-8088).
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Aug 7 12:12:42 UTC 2024 - Matej Cepl <mcepl@suse.com>
|
Wed Aug 7 12:12:42 UTC 2024 - Matej Cepl <mcepl@suse.com>
|
||||||
|
|
||||||
|
|||||||
@ -186,6 +186,9 @@ Patch19: bso1227999-reproducible-builds.patch
|
|||||||
# PATCH-FIX-UPSTREAM CVE-2024-6923-email-hdr-inject.patch bsc#1228780 mcepl@suse.com
|
# PATCH-FIX-UPSTREAM CVE-2024-6923-email-hdr-inject.patch bsc#1228780 mcepl@suse.com
|
||||||
# prevent email header injection, patch from gh#python/cpython!122608
|
# prevent email header injection, patch from gh#python/cpython!122608
|
||||||
Patch20: CVE-2024-6923-email-hdr-inject.patch
|
Patch20: CVE-2024-6923-email-hdr-inject.patch
|
||||||
|
# PATCH-FIX-UPSTREAM CVE-2024-8088-inf-loop-zipfile_Path.patch bsc#1229704 mcepl@suse.com
|
||||||
|
# avoid denial of service in zipfile
|
||||||
|
Patch21: CVE-2024-8088-inf-loop-zipfile_Path.patch
|
||||||
BuildRequires: autoconf-archive
|
BuildRequires: autoconf-archive
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
@ -450,6 +453,7 @@ other applications.
|
|||||||
%patch -p1 -P 18
|
%patch -p1 -P 18
|
||||||
%patch -p1 -P 19
|
%patch -p1 -P 19
|
||||||
%patch -p1 -P 20
|
%patch -p1 -P 20
|
||||||
|
%patch -p1 -P 21
|
||||||
|
|
||||||
# drop Autoconf version requirement
|
# drop Autoconf version requirement
|
||||||
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
|
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user