Accepting request 1041645 from devel:languages:python:Factory

- Update to 3.8.16:
  - python -m http.server no longer allows terminal
    control characters sent within a garbage request to be
    printed to the stderr server log.
    This is done by changing the http.server
    BaseHTTPRequestHandler .log_message method to replace control
    characters with a \xHH hex escape before printing.
  - Avoid publishing list of active per-interpreter
    audit hooks via the gc module
  - The IDNA codec decoder used on DNS hostnames by
    socket or asyncio related name resolution functions no
    longer involves a quadratic algorithm. This prevents a
    potential CPU denial of service if an out-of-spec excessive
    length hostname involving bidirectional characters were
    decoded. Some protocols such as urllib http 3xx redirects
    potentially allow for an attacker to supply such a
    name (CVE-2022-45061).
  - Update bundled libexpat to 2.5.0
  - Port XKCP’s fix for the buffer overflows in SHA-3
    (CVE-2022-37454).
  - The deprecated mailcap module now refuses to inject
    unsafe text (filenames, MIME types, parameters) into shell
    commands. Instead of using such text, it will warn and act
    as if a match was not found (or for test commands, as if the
    test failed).
- Removed upstream patches:
  - CVE-2022-37454-sha3-buffer-overflow.patch
  - CVE-2022-45061-DoS-by-IDNA-decode.patch

OBS-URL: https://build.opensuse.org/request/show/1041645
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=31
This commit is contained in:
Dominique Leuenberger 2022-12-09 12:16:47 +00:00 committed by Git OBS Bridge
commit a9fe505070
9 changed files with 97 additions and 257 deletions

View File

@ -1,93 +0,0 @@
From 64ab634658a31de4e349c0ba8bc27a81c0c2a1f8 Mon Sep 17 00:00:00 2001
From: Theo Buehler <botovq@users.noreply.github.com>
Date: Fri, 21 Oct 2022 21:26:01 +0200
Subject: [PATCH] [3.10] gh-98517: Fix buffer overflows in _sha3 module
(GH-98519)
This is a port of the applicable part of XKCP's fix [1] for
CVE-2022-37454 and avoids the segmentation fault and the infinite
loop in the test cases published in [2].
[1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
[2]: https://mouha.be/sha-3-buffer-overflow/
Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
(cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3)
Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
---
Lib/test/test_hashlib.py | 9 ++++++
Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst | 1
Modules/_sha3/kcp/KeccakSponge.inc | 15 +++++-----
3 files changed, 18 insertions(+), 7 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
--- a/Lib/test/test_hashlib.py
+++ b/Lib/test/test_hashlib.py
@@ -434,6 +434,15 @@ class HashLibTestCase(unittest.TestCase)
def test_case_md5_uintmax(self, size):
self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3')
+ @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems')
+ @bigmemtest(size=_4G - 1, memuse=1, dry_run=False)
+ def test_sha3_update_overflow(self, size):
+ """Regression test for gh-98517 CVE-2022-37454."""
+ h = hashlib.sha3_224()
+ h.update(b'\x01')
+ h.update(b'\x01'*0xffff_ffff)
+ self.assertEqual(h.hexdigest(), '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed')
+
# use the three examples from Federal Information Processing Standards
# Publication 180-1, Secure Hash Standard, 1995 April 17
# http://www.itl.nist.gov/div897/pubs/fip180-1.htm
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
@@ -0,0 +1 @@
+Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454).
--- a/Modules/_sha3/kcp/KeccakSponge.inc
+++ b/Modules/_sha3/kcp/KeccakSponge.inc
@@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance *instanc
i = 0;
curData = data;
while(i < dataByteLen) {
- if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) {
+ if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) {
#ifdef SnP_FastLoop_Absorb
/* processing full blocks first */
@@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance *instanc
}
else {
/* normal lane: using the message queue */
-
- partialBlock = (unsigned int)(dataByteLen - i);
- if (partialBlock+instance->byteIOIndex > rateInBytes)
+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
partialBlock = rateInBytes-instance->byteIOIndex;
+ else
+ partialBlock = (unsigned int)(dataByteLen - i);
#ifdef KeccakReference
displayBytes(1, "Block to be absorbed (part)", curData, partialBlock);
#endif
@@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance *instan
i = 0;
curData = data;
while(i < dataByteLen) {
- if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) {
+ if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) {
for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
SnP_Permute(instance->state);
SnP_ExtractBytes(instance->state, curData, 0, rateInBytes);
@@ -299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance *instan
SnP_Permute(instance->state);
instance->byteIOIndex = 0;
}
- partialBlock = (unsigned int)(dataByteLen - i);
- if (partialBlock+instance->byteIOIndex > rateInBytes)
+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
partialBlock = rateInBytes-instance->byteIOIndex;
+ else
+ partialBlock = (unsigned int)(dataByteLen - i);
i += partialBlock;
SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);

View File

@ -1,88 +0,0 @@
From 064ec20bf7a181ba5fa961aaa12973812aa6ca5d Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-islington@users.noreply.github.com>
Date: Mon, 7 Nov 2022 18:57:10 -0800
Subject: [PATCH] [3.11] gh-98433: Fix quadratic time idna decoding. (GH-99092)
(GH-99222)
There was an unnecessary quadratic loop in idna decoding. This restores
the behavior to linear.
(cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d)
(cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15)
Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
---
Lib/encodings/idna.py | 32 ++++------
Lib/test/test_codecs.py | 6 +
Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst | 6 +
3 files changed, 27 insertions(+), 17 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
--- a/Lib/encodings/idna.py
+++ b/Lib/encodings/idna.py
@@ -39,23 +39,21 @@ def nameprep(label):
# Check bidi
RandAL = [stringprep.in_table_d1(x) for x in label]
- for c in RandAL:
- if c:
- # There is a RandAL char in the string. Must perform further
- # tests:
- # 1) The characters in section 5.8 MUST be prohibited.
- # This is table C.8, which was already checked
- # 2) If a string contains any RandALCat character, the string
- # MUST NOT contain any LCat character.
- if any(stringprep.in_table_d2(x) for x in label):
- raise UnicodeError("Violation of BIDI requirement 2")
-
- # 3) If a string contains any RandALCat character, a
- # RandALCat character MUST be the first character of the
- # string, and a RandALCat character MUST be the last
- # character of the string.
- if not RandAL[0] or not RandAL[-1]:
- raise UnicodeError("Violation of BIDI requirement 3")
+ if any(RandAL):
+ # There is a RandAL char in the string. Must perform further
+ # tests:
+ # 1) The characters in section 5.8 MUST be prohibited.
+ # This is table C.8, which was already checked
+ # 2) If a string contains any RandALCat character, the string
+ # MUST NOT contain any LCat character.
+ if any(stringprep.in_table_d2(x) for x in label):
+ raise UnicodeError("Violation of BIDI requirement 2")
+ # 3) If a string contains any RandALCat character, a
+ # RandALCat character MUST be the first character of the
+ # string, and a RandALCat character MUST be the last
+ # character of the string.
+ if not RandAL[0] or not RandAL[-1]:
+ raise UnicodeError("Violation of BIDI requirement 3")
return label
--- a/Lib/test/test_codecs.py
+++ b/Lib/test/test_codecs.py
@@ -1532,6 +1532,12 @@ class IDNACodecTest(unittest.TestCase):
self.assertEqual("pyth\xf6n.org".encode("idna"), b"xn--pythn-mua.org")
self.assertEqual("pyth\xf6n.org.".encode("idna"), b"xn--pythn-mua.org.")
+ def test_builtin_decode_length_limit(self):
+ with self.assertRaisesRegex(UnicodeError, "too long"):
+ (b"xn--016c"+b"a"*1100).decode("idna")
+ with self.assertRaisesRegex(UnicodeError, "too long"):
+ (b"xn--016c"+b"a"*70).decode("idna")
+
def test_stream(self):
r = codecs.getreader("idna")(io.BytesIO(b"abc"))
r.read(3)
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
@@ -0,0 +1,6 @@
+The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio`
+related name resolution functions no longer involves a quadratic algorithm.
+This prevents a potential CPU denial of service if an out-of-spec excessive
+length hostname involving bidirectional characters were decoded. Some protocols
+such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker
+to supply such a name.

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5114fc7918a2a5e20eb5aac696b30c36f412c6ef24b13f5c9eb9e056982d9550
size 19038408

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmNFk9MACgkQsmmV4xAl
BWjPyA//dMfeT6hw09rFQtv1w7LrAuLFrQ/03uqYz/MZPZZgMyGvN+bGbR9U9EPA
DSntLM75GjzaXiZ8dMyvi+A/HJCX7CWeJATxVRBo+3GoFTZfmsex7B78oTakHGnZ
3pHRDiXJovD8DPQo3/eNpbQsEri74MOqIIbBZfdrRc4Gqqv/rVRI1qxqYzt3hmHc
NcsZudbvBlUe+5HWaYgXbgnuzixSK4iSftlfwx289bsx12b8jzY5OEP9z5NKGqLu
Sfb0sUWaJptSn1iEKSfLj4AamN0PeeQObOXHz+N1hdqWmWjEBKX37CEnOyHjJyVc
Xb1PH6vJPJbPBXBR3H8YP+jwG8jDIFItJph+NduQnfZ3yLPpjEiCHs/FyUzzIKWB
iptNyVMBvgPiMDgge+kLICywbujtI2UB7tS3YO5rb09LtQiXxkGyDbE6R6Yu7ZMb
qJJMAJUY9zHAN1rTLL7GJHHypwd3UHoXImMvrm15+vy3ctNTA6VDxn7Zw/uym7F/
gZJY6JaUxsnPiOhtvPYHs6EOGwLFszWvgh7AhXjZ2uncPuZ/qzgWpWsRYsKIWSRz
yVplWRGfXaZ96pWVKmHACZY6BdgZS18Y9FdRLiqYrNG85dfqd3XFrVJqQIFHjaUX
bImNJRcwMpuU9p23CaSeUDRFdELVQ9dXfBq//x0JL2F6/vG1ADw=
=jc+c
-----END PGP SIGNATURE-----

3
Python-3.8.16.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d85dbb3774132473d8081dcb158f34a10ccad7a90b96c7e50ea4bb61f5ce4562
size 19046724

16
Python-3.8.16.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmOPlyYACgkQsmmV4xAl
BWhZ3RAAhtzObFVyAJIjaNHSnYClAq39NFOvAA2oFmTbNorF/sHAbV///9Zmm2we
prT8gWUJJtPeX1+J3lj0GokthB/YggLIF6MjTL9klamXUWZrdsv8jM00T+nXMHU3
Y4pgi0zXX4fhb5iOWeLli99T40+a/8AgbqVC0cv5d6Yk+CncYY2XsNoBuNC4dOoL
FaSQMZUsTYf4CoZyHbAN3hs5kshaZRufAJ/LGDlZU3+luuy1PU4uNzqSSY6XMw4L
Ar+tukCXwqIOu4baq2BYUF5VjfZrgviC7NxHZBeKuGQ3v7X0HmOWOxG59s1cmJkA
CbyK3z/LRVmA33YyhU60QaqfUYHXhNZaMgEku2m3XTRaRkjF+Wg/LAtu01usOrYG
BYivpD7yhVqXXvwWV3Y+lpcu8DhZTtXM3hTrN6XErLiYnN1G7sduSNabnOke6Td/
p0Ki1UE4Ts+P8yN85/uHiGbjDejU2SRlAuWeSmeIKIyTUNPJoM5OSK9K6FgqxZef
OYFDWVZg0Dll5bLU+f/Lw8mXVwF7dX2OUPeXauPm3LhKRHIYpfeuQ+PkP9KeIJn5
DwfdvcKw3jVttopWgTS/pT6vu8zgOAZ6kuzhf/s+q8mB3cQRjfn7BMq/PFcNNZJG
iLzJ2C5Q7tNn/5elUaV8TOPa2JwmiPViitE4OHqB+sH591JIh+g=
=DwHA
-----END PGP SIGNATURE-----

View File

@ -1,19 +1,13 @@
Index: Python-3.8.15/Python/sysmodule.c
===================================================================
--- Python-3.8.15.orig/Python/sysmodule.c
+++ Python-3.8.15/Python/sysmodule.c
@@ -2979,6 +2979,7 @@ _PySys_InitMain(_PyRuntimeState *runtime
SET_SYS_FROM_WSTR("base_prefix", config->base_prefix);
SET_SYS_FROM_WSTR("exec_prefix", config->exec_prefix);
SET_SYS_FROM_WSTR("base_exec_prefix", config->base_exec_prefix);
+ SET_SYS_FROM_WSTR("platlibdir", config->platlibdir);
---
Include/cpython/initconfig.h | 1 +
Lib/test/test_embed.py | 1 +
Makefile.pre.in | 5 +++++
Python/initconfig.c | 21 +++++++++++++++++++++
Python/sysmodule.c | 1 +
5 files changed, 29 insertions(+)
if (config->pycache_prefix != NULL) {
SET_SYS_FROM_WSTR("pycache_prefix", config->pycache_prefix);
Index: Python-3.8.15/Include/cpython/initconfig.h
===================================================================
--- Python-3.8.15.orig/Include/cpython/initconfig.h
+++ Python-3.8.15/Include/cpython/initconfig.h
--- a/Include/cpython/initconfig.h
+++ b/Include/cpython/initconfig.h
@@ -381,6 +381,7 @@ typedef struct {
wchar_t *base_prefix; /* sys.base_prefix */
wchar_t *exec_prefix; /* sys.exec_prefix */
@ -22,10 +16,32 @@ Index: Python-3.8.15/Include/cpython/initconfig.h
/* --- Parameter only used by Py_Main() ---------- */
Index: Python-3.8.15/Python/initconfig.c
===================================================================
--- Python-3.8.15.orig/Python/initconfig.c
+++ Python-3.8.15/Python/initconfig.c
--- a/Lib/test/test_embed.py
+++ b/Lib/test/test_embed.py
@@ -382,6 +382,7 @@ class InitConfigTests(EmbeddingTestsMixi
'exec_prefix': GET_DEFAULT_CONFIG,
'base_exec_prefix': GET_DEFAULT_CONFIG,
'module_search_paths': GET_DEFAULT_CONFIG,
+ 'platlibdir': sys.platlibdir,
'site_import': 1,
'bytes_warning': 0,
--- a/Makefile.pre.in
+++ b/Makefile.pre.in
@@ -811,6 +811,11 @@ Python/sysmodule.o: $(srcdir)/Python/sys
$(MULTIARCH_CPPFLAGS) \
-o $@ $(srcdir)/Python/sysmodule.c
+Python/initconfig.o: $(srcdir)/Python/initconfig.c
+ $(CC) -c $(PY_CORE_CFLAGS) \
+ -DPLATLIBDIR='"$(platsubdir)"' \
+ -o $@ $(srcdir)/Python/initconfig.c
+
$(IO_OBJS): $(IO_H)
.PHONY: regen-grammar
--- a/Python/initconfig.c
+++ b/Python/initconfig.c
@@ -596,6 +596,7 @@ PyConfig_Clear(PyConfig *config)
CLEAR(config->base_prefix);
CLEAR(config->exec_prefix);
@ -96,31 +112,13 @@ Index: Python-3.8.15/Python/initconfig.c
DUMP_SYS(executable);
DUMP_SYS(prefix);
DUMP_SYS(exec_prefix);
Index: Python-3.8.15/Makefile.pre.in
===================================================================
--- Python-3.8.15.orig/Makefile.pre.in
+++ Python-3.8.15/Makefile.pre.in
@@ -811,6 +811,11 @@ Python/sysmodule.o: $(srcdir)/Python/sys
$(MULTIARCH_CPPFLAGS) \
-o $@ $(srcdir)/Python/sysmodule.c
--- a/Python/sysmodule.c
+++ b/Python/sysmodule.c
@@ -2981,6 +2981,7 @@ _PySys_InitMain(_PyRuntimeState *runtime
SET_SYS_FROM_WSTR("base_prefix", config->base_prefix);
SET_SYS_FROM_WSTR("exec_prefix", config->exec_prefix);
SET_SYS_FROM_WSTR("base_exec_prefix", config->base_exec_prefix);
+ SET_SYS_FROM_WSTR("platlibdir", config->platlibdir);
+Python/initconfig.o: $(srcdir)/Python/initconfig.c
+ $(CC) -c $(PY_CORE_CFLAGS) \
+ -DPLATLIBDIR='"$(platsubdir)"' \
+ -o $@ $(srcdir)/Python/initconfig.c
+
$(IO_OBJS): $(IO_H)
.PHONY: regen-grammar
Index: Python-3.8.15/Lib/test/test_embed.py
===================================================================
--- Python-3.8.15.orig/Lib/test/test_embed.py
+++ Python-3.8.15/Lib/test/test_embed.py
@@ -382,6 +382,7 @@ class InitConfigTests(EmbeddingTestsMixi
'exec_prefix': GET_DEFAULT_CONFIG,
'base_exec_prefix': GET_DEFAULT_CONFIG,
'module_search_paths': GET_DEFAULT_CONFIG,
+ 'platlibdir': sys.platlibdir,
'site_import': 1,
'bytes_warning': 0,
if (config->pycache_prefix != NULL) {
SET_SYS_FROM_WSTR("pycache_prefix", config->pycache_prefix);

View File

@ -1,3 +1,35 @@
-------------------------------------------------------------------
Thu Dec 8 10:32:15 UTC 2022 - Matej Cepl <mcepl@suse.com>
- Update to 3.8.16:
- python -m http.server no longer allows terminal
control characters sent within a garbage request to be
printed to the stderr server log.
This is done by changing the http.server
BaseHTTPRequestHandler .log_message method to replace control
characters with a \xHH hex escape before printing.
- Avoid publishing list of active per-interpreter
audit hooks via the gc module
- The IDNA codec decoder used on DNS hostnames by
socket or asyncio related name resolution functions no
longer involves a quadratic algorithm. This prevents a
potential CPU denial of service if an out-of-spec excessive
length hostname involving bidirectional characters were
decoded. Some protocols such as urllib http 3xx redirects
potentially allow for an attacker to supply such a
name (CVE-2022-45061).
- Update bundled libexpat to 2.5.0
- Port XKCPs fix for the buffer overflows in SHA-3
(CVE-2022-37454).
- The deprecated mailcap module now refuses to inject
unsafe text (filenames, MIME types, parameters) into shell
commands. Instead of using such text, it will warn and act
as if a match was not found (or for test commands, as if the
test failed).
- Removed upstream patches:
- CVE-2022-37454-sha3-buffer-overflow.patch
- CVE-2022-45061-DoS-by-IDNA-decode.patch
-------------------------------------------------------------------
Wed Nov 9 18:31:23 UTC 2022 - Matej Cepl <mcepl@suse.com>

View File

@ -92,7 +92,7 @@
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
%bcond_without profileopt
Name: %{python_pkg_name}%{psuffix}
Version: 3.8.15
Version: 3.8.16
Release: 0
Summary: Python 3 Interpreter
License: Python-2.0
@ -176,13 +176,6 @@ Patch37: platlibdir-in-sys.patch
# PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mcepl@suse.com
# this patch makes things totally awesome
Patch38: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
# PATCH-FIX-UPSTREAM CVE-2022-37454-sha3-buffer-overflow.patch bsc#1204577 mcepl@suse.com
# Fix original buffer overflow
# Originally from gh#python/cpython#98528
Patch39: CVE-2022-37454-sha3-buffer-overflow.patch
# PATCH-FIX-UPSTREAM CVE-2022-45061-DoS-by-IDNA-decode.patch bsc#1205244 mcepl@suse.com
# Avoid DoS by decoding IDNA for too long domain names
Patch40: CVE-2022-45061-DoS-by-IDNA-decode.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: fdupes
@ -451,8 +444,6 @@ other applications.
%patch36 -p1
%patch37 -p1
%patch38 -p1
%patch39 -p1
%patch40 -p1
# drop Autoconf version requirement
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac