Accepting request 1041645 from devel:languages:python:Factory
- Update to 3.8.16: - python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log. This is done by changing the http.server BaseHTTPRequestHandler .log_message method to replace control characters with a \xHH hex escape before printing. - Avoid publishing list of active per-interpreter audit hooks via the gc module - The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name (CVE-2022-45061). - Update bundled libexpat to 2.5.0 - Port XKCP’s fix for the buffer overflows in SHA-3 (CVE-2022-37454). - The deprecated mailcap module now refuses to inject unsafe text (filenames, MIME types, parameters) into shell commands. Instead of using such text, it will warn and act as if a match was not found (or for test commands, as if the test failed). - Removed upstream patches: - CVE-2022-37454-sha3-buffer-overflow.patch - CVE-2022-45061-DoS-by-IDNA-decode.patch OBS-URL: https://build.opensuse.org/request/show/1041645 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python38?expand=0&rev=31
This commit is contained in:
commit
a9fe505070
@ -1,93 +0,0 @@
|
||||
From 64ab634658a31de4e349c0ba8bc27a81c0c2a1f8 Mon Sep 17 00:00:00 2001
|
||||
From: Theo Buehler <botovq@users.noreply.github.com>
|
||||
Date: Fri, 21 Oct 2022 21:26:01 +0200
|
||||
Subject: [PATCH] [3.10] gh-98517: Fix buffer overflows in _sha3 module
|
||||
(GH-98519)
|
||||
|
||||
This is a port of the applicable part of XKCP's fix [1] for
|
||||
CVE-2022-37454 and avoids the segmentation fault and the infinite
|
||||
loop in the test cases published in [2].
|
||||
|
||||
[1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
|
||||
[2]: https://mouha.be/sha-3-buffer-overflow/
|
||||
|
||||
Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
|
||||
(cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3)
|
||||
|
||||
Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
|
||||
---
|
||||
Lib/test/test_hashlib.py | 9 ++++++
|
||||
Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst | 1
|
||||
Modules/_sha3/kcp/KeccakSponge.inc | 15 +++++-----
|
||||
3 files changed, 18 insertions(+), 7 deletions(-)
|
||||
create mode 100644 Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
|
||||
|
||||
--- a/Lib/test/test_hashlib.py
|
||||
+++ b/Lib/test/test_hashlib.py
|
||||
@@ -434,6 +434,15 @@ class HashLibTestCase(unittest.TestCase)
|
||||
def test_case_md5_uintmax(self, size):
|
||||
self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3')
|
||||
|
||||
+ @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems')
|
||||
+ @bigmemtest(size=_4G - 1, memuse=1, dry_run=False)
|
||||
+ def test_sha3_update_overflow(self, size):
|
||||
+ """Regression test for gh-98517 CVE-2022-37454."""
|
||||
+ h = hashlib.sha3_224()
|
||||
+ h.update(b'\x01')
|
||||
+ h.update(b'\x01'*0xffff_ffff)
|
||||
+ self.assertEqual(h.hexdigest(), '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed')
|
||||
+
|
||||
# use the three examples from Federal Information Processing Standards
|
||||
# Publication 180-1, Secure Hash Standard, 1995 April 17
|
||||
# http://www.itl.nist.gov/div897/pubs/fip180-1.htm
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
|
||||
@@ -0,0 +1 @@
|
||||
+Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454).
|
||||
--- a/Modules/_sha3/kcp/KeccakSponge.inc
|
||||
+++ b/Modules/_sha3/kcp/KeccakSponge.inc
|
||||
@@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance *instanc
|
||||
i = 0;
|
||||
curData = data;
|
||||
while(i < dataByteLen) {
|
||||
- if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) {
|
||||
+ if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) {
|
||||
#ifdef SnP_FastLoop_Absorb
|
||||
/* processing full blocks first */
|
||||
|
||||
@@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance *instanc
|
||||
}
|
||||
else {
|
||||
/* normal lane: using the message queue */
|
||||
-
|
||||
- partialBlock = (unsigned int)(dataByteLen - i);
|
||||
- if (partialBlock+instance->byteIOIndex > rateInBytes)
|
||||
+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
|
||||
partialBlock = rateInBytes-instance->byteIOIndex;
|
||||
+ else
|
||||
+ partialBlock = (unsigned int)(dataByteLen - i);
|
||||
#ifdef KeccakReference
|
||||
displayBytes(1, "Block to be absorbed (part)", curData, partialBlock);
|
||||
#endif
|
||||
@@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance *instan
|
||||
i = 0;
|
||||
curData = data;
|
||||
while(i < dataByteLen) {
|
||||
- if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) {
|
||||
+ if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) {
|
||||
for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
|
||||
SnP_Permute(instance->state);
|
||||
SnP_ExtractBytes(instance->state, curData, 0, rateInBytes);
|
||||
@@ -299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance *instan
|
||||
SnP_Permute(instance->state);
|
||||
instance->byteIOIndex = 0;
|
||||
}
|
||||
- partialBlock = (unsigned int)(dataByteLen - i);
|
||||
- if (partialBlock+instance->byteIOIndex > rateInBytes)
|
||||
+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
|
||||
partialBlock = rateInBytes-instance->byteIOIndex;
|
||||
+ else
|
||||
+ partialBlock = (unsigned int)(dataByteLen - i);
|
||||
i += partialBlock;
|
||||
|
||||
SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);
|
@ -1,88 +0,0 @@
|
||||
From 064ec20bf7a181ba5fa961aaa12973812aa6ca5d Mon Sep 17 00:00:00 2001
|
||||
From: "Miss Islington (bot)"
|
||||
<31488909+miss-islington@users.noreply.github.com>
|
||||
Date: Mon, 7 Nov 2022 18:57:10 -0800
|
||||
Subject: [PATCH] [3.11] gh-98433: Fix quadratic time idna decoding. (GH-99092)
|
||||
(GH-99222)
|
||||
|
||||
There was an unnecessary quadratic loop in idna decoding. This restores
|
||||
the behavior to linear.
|
||||
|
||||
(cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d)
|
||||
|
||||
(cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15)
|
||||
|
||||
Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
|
||||
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
||||
---
|
||||
Lib/encodings/idna.py | 32 ++++------
|
||||
Lib/test/test_codecs.py | 6 +
|
||||
Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst | 6 +
|
||||
3 files changed, 27 insertions(+), 17 deletions(-)
|
||||
create mode 100644 Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
|
||||
|
||||
--- a/Lib/encodings/idna.py
|
||||
+++ b/Lib/encodings/idna.py
|
||||
@@ -39,23 +39,21 @@ def nameprep(label):
|
||||
|
||||
# Check bidi
|
||||
RandAL = [stringprep.in_table_d1(x) for x in label]
|
||||
- for c in RandAL:
|
||||
- if c:
|
||||
- # There is a RandAL char in the string. Must perform further
|
||||
- # tests:
|
||||
- # 1) The characters in section 5.8 MUST be prohibited.
|
||||
- # This is table C.8, which was already checked
|
||||
- # 2) If a string contains any RandALCat character, the string
|
||||
- # MUST NOT contain any LCat character.
|
||||
- if any(stringprep.in_table_d2(x) for x in label):
|
||||
- raise UnicodeError("Violation of BIDI requirement 2")
|
||||
-
|
||||
- # 3) If a string contains any RandALCat character, a
|
||||
- # RandALCat character MUST be the first character of the
|
||||
- # string, and a RandALCat character MUST be the last
|
||||
- # character of the string.
|
||||
- if not RandAL[0] or not RandAL[-1]:
|
||||
- raise UnicodeError("Violation of BIDI requirement 3")
|
||||
+ if any(RandAL):
|
||||
+ # There is a RandAL char in the string. Must perform further
|
||||
+ # tests:
|
||||
+ # 1) The characters in section 5.8 MUST be prohibited.
|
||||
+ # This is table C.8, which was already checked
|
||||
+ # 2) If a string contains any RandALCat character, the string
|
||||
+ # MUST NOT contain any LCat character.
|
||||
+ if any(stringprep.in_table_d2(x) for x in label):
|
||||
+ raise UnicodeError("Violation of BIDI requirement 2")
|
||||
+ # 3) If a string contains any RandALCat character, a
|
||||
+ # RandALCat character MUST be the first character of the
|
||||
+ # string, and a RandALCat character MUST be the last
|
||||
+ # character of the string.
|
||||
+ if not RandAL[0] or not RandAL[-1]:
|
||||
+ raise UnicodeError("Violation of BIDI requirement 3")
|
||||
|
||||
return label
|
||||
|
||||
--- a/Lib/test/test_codecs.py
|
||||
+++ b/Lib/test/test_codecs.py
|
||||
@@ -1532,6 +1532,12 @@ class IDNACodecTest(unittest.TestCase):
|
||||
self.assertEqual("pyth\xf6n.org".encode("idna"), b"xn--pythn-mua.org")
|
||||
self.assertEqual("pyth\xf6n.org.".encode("idna"), b"xn--pythn-mua.org.")
|
||||
|
||||
+ def test_builtin_decode_length_limit(self):
|
||||
+ with self.assertRaisesRegex(UnicodeError, "too long"):
|
||||
+ (b"xn--016c"+b"a"*1100).decode("idna")
|
||||
+ with self.assertRaisesRegex(UnicodeError, "too long"):
|
||||
+ (b"xn--016c"+b"a"*70).decode("idna")
|
||||
+
|
||||
def test_stream(self):
|
||||
r = codecs.getreader("idna")(io.BytesIO(b"abc"))
|
||||
r.read(3)
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
|
||||
@@ -0,0 +1,6 @@
|
||||
+The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio`
|
||||
+related name resolution functions no longer involves a quadratic algorithm.
|
||||
+This prevents a potential CPU denial of service if an out-of-spec excessive
|
||||
+length hostname involving bidirectional characters were decoded. Some protocols
|
||||
+such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker
|
||||
+to supply such a name.
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:5114fc7918a2a5e20eb5aac696b30c36f412c6ef24b13f5c9eb9e056982d9550
|
||||
size 19038408
|
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmNFk9MACgkQsmmV4xAl
|
||||
BWjPyA//dMfeT6hw09rFQtv1w7LrAuLFrQ/03uqYz/MZPZZgMyGvN+bGbR9U9EPA
|
||||
DSntLM75GjzaXiZ8dMyvi+A/HJCX7CWeJATxVRBo+3GoFTZfmsex7B78oTakHGnZ
|
||||
3pHRDiXJovD8DPQo3/eNpbQsEri74MOqIIbBZfdrRc4Gqqv/rVRI1qxqYzt3hmHc
|
||||
NcsZudbvBlUe+5HWaYgXbgnuzixSK4iSftlfwx289bsx12b8jzY5OEP9z5NKGqLu
|
||||
Sfb0sUWaJptSn1iEKSfLj4AamN0PeeQObOXHz+N1hdqWmWjEBKX37CEnOyHjJyVc
|
||||
Xb1PH6vJPJbPBXBR3H8YP+jwG8jDIFItJph+NduQnfZ3yLPpjEiCHs/FyUzzIKWB
|
||||
iptNyVMBvgPiMDgge+kLICywbujtI2UB7tS3YO5rb09LtQiXxkGyDbE6R6Yu7ZMb
|
||||
qJJMAJUY9zHAN1rTLL7GJHHypwd3UHoXImMvrm15+vy3ctNTA6VDxn7Zw/uym7F/
|
||||
gZJY6JaUxsnPiOhtvPYHs6EOGwLFszWvgh7AhXjZ2uncPuZ/qzgWpWsRYsKIWSRz
|
||||
yVplWRGfXaZ96pWVKmHACZY6BdgZS18Y9FdRLiqYrNG85dfqd3XFrVJqQIFHjaUX
|
||||
bImNJRcwMpuU9p23CaSeUDRFdELVQ9dXfBq//x0JL2F6/vG1ADw=
|
||||
=jc+c
|
||||
-----END PGP SIGNATURE-----
|
3
Python-3.8.16.tar.xz
Normal file
3
Python-3.8.16.tar.xz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:d85dbb3774132473d8081dcb158f34a10ccad7a90b96c7e50ea4bb61f5ce4562
|
||||
size 19046724
|
16
Python-3.8.16.tar.xz.asc
Normal file
16
Python-3.8.16.tar.xz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmOPlyYACgkQsmmV4xAl
|
||||
BWhZ3RAAhtzObFVyAJIjaNHSnYClAq39NFOvAA2oFmTbNorF/sHAbV///9Zmm2we
|
||||
prT8gWUJJtPeX1+J3lj0GokthB/YggLIF6MjTL9klamXUWZrdsv8jM00T+nXMHU3
|
||||
Y4pgi0zXX4fhb5iOWeLli99T40+a/8AgbqVC0cv5d6Yk+CncYY2XsNoBuNC4dOoL
|
||||
FaSQMZUsTYf4CoZyHbAN3hs5kshaZRufAJ/LGDlZU3+luuy1PU4uNzqSSY6XMw4L
|
||||
Ar+tukCXwqIOu4baq2BYUF5VjfZrgviC7NxHZBeKuGQ3v7X0HmOWOxG59s1cmJkA
|
||||
CbyK3z/LRVmA33YyhU60QaqfUYHXhNZaMgEku2m3XTRaRkjF+Wg/LAtu01usOrYG
|
||||
BYivpD7yhVqXXvwWV3Y+lpcu8DhZTtXM3hTrN6XErLiYnN1G7sduSNabnOke6Td/
|
||||
p0Ki1UE4Ts+P8yN85/uHiGbjDejU2SRlAuWeSmeIKIyTUNPJoM5OSK9K6FgqxZef
|
||||
OYFDWVZg0Dll5bLU+f/Lw8mXVwF7dX2OUPeXauPm3LhKRHIYpfeuQ+PkP9KeIJn5
|
||||
DwfdvcKw3jVttopWgTS/pT6vu8zgOAZ6kuzhf/s+q8mB3cQRjfn7BMq/PFcNNZJG
|
||||
iLzJ2C5Q7tNn/5elUaV8TOPa2JwmiPViitE4OHqB+sH591JIh+g=
|
||||
=DwHA
|
||||
-----END PGP SIGNATURE-----
|
@ -1,19 +1,13 @@
|
||||
Index: Python-3.8.15/Python/sysmodule.c
|
||||
===================================================================
|
||||
--- Python-3.8.15.orig/Python/sysmodule.c
|
||||
+++ Python-3.8.15/Python/sysmodule.c
|
||||
@@ -2979,6 +2979,7 @@ _PySys_InitMain(_PyRuntimeState *runtime
|
||||
SET_SYS_FROM_WSTR("base_prefix", config->base_prefix);
|
||||
SET_SYS_FROM_WSTR("exec_prefix", config->exec_prefix);
|
||||
SET_SYS_FROM_WSTR("base_exec_prefix", config->base_exec_prefix);
|
||||
+ SET_SYS_FROM_WSTR("platlibdir", config->platlibdir);
|
||||
---
|
||||
Include/cpython/initconfig.h | 1 +
|
||||
Lib/test/test_embed.py | 1 +
|
||||
Makefile.pre.in | 5 +++++
|
||||
Python/initconfig.c | 21 +++++++++++++++++++++
|
||||
Python/sysmodule.c | 1 +
|
||||
5 files changed, 29 insertions(+)
|
||||
|
||||
if (config->pycache_prefix != NULL) {
|
||||
SET_SYS_FROM_WSTR("pycache_prefix", config->pycache_prefix);
|
||||
Index: Python-3.8.15/Include/cpython/initconfig.h
|
||||
===================================================================
|
||||
--- Python-3.8.15.orig/Include/cpython/initconfig.h
|
||||
+++ Python-3.8.15/Include/cpython/initconfig.h
|
||||
--- a/Include/cpython/initconfig.h
|
||||
+++ b/Include/cpython/initconfig.h
|
||||
@@ -381,6 +381,7 @@ typedef struct {
|
||||
wchar_t *base_prefix; /* sys.base_prefix */
|
||||
wchar_t *exec_prefix; /* sys.exec_prefix */
|
||||
@ -22,10 +16,32 @@ Index: Python-3.8.15/Include/cpython/initconfig.h
|
||||
|
||||
/* --- Parameter only used by Py_Main() ---------- */
|
||||
|
||||
Index: Python-3.8.15/Python/initconfig.c
|
||||
===================================================================
|
||||
--- Python-3.8.15.orig/Python/initconfig.c
|
||||
+++ Python-3.8.15/Python/initconfig.c
|
||||
--- a/Lib/test/test_embed.py
|
||||
+++ b/Lib/test/test_embed.py
|
||||
@@ -382,6 +382,7 @@ class InitConfigTests(EmbeddingTestsMixi
|
||||
'exec_prefix': GET_DEFAULT_CONFIG,
|
||||
'base_exec_prefix': GET_DEFAULT_CONFIG,
|
||||
'module_search_paths': GET_DEFAULT_CONFIG,
|
||||
+ 'platlibdir': sys.platlibdir,
|
||||
|
||||
'site_import': 1,
|
||||
'bytes_warning': 0,
|
||||
--- a/Makefile.pre.in
|
||||
+++ b/Makefile.pre.in
|
||||
@@ -811,6 +811,11 @@ Python/sysmodule.o: $(srcdir)/Python/sys
|
||||
$(MULTIARCH_CPPFLAGS) \
|
||||
-o $@ $(srcdir)/Python/sysmodule.c
|
||||
|
||||
+Python/initconfig.o: $(srcdir)/Python/initconfig.c
|
||||
+ $(CC) -c $(PY_CORE_CFLAGS) \
|
||||
+ -DPLATLIBDIR='"$(platsubdir)"' \
|
||||
+ -o $@ $(srcdir)/Python/initconfig.c
|
||||
+
|
||||
$(IO_OBJS): $(IO_H)
|
||||
|
||||
.PHONY: regen-grammar
|
||||
--- a/Python/initconfig.c
|
||||
+++ b/Python/initconfig.c
|
||||
@@ -596,6 +596,7 @@ PyConfig_Clear(PyConfig *config)
|
||||
CLEAR(config->base_prefix);
|
||||
CLEAR(config->exec_prefix);
|
||||
@ -96,31 +112,13 @@ Index: Python-3.8.15/Python/initconfig.c
|
||||
DUMP_SYS(executable);
|
||||
DUMP_SYS(prefix);
|
||||
DUMP_SYS(exec_prefix);
|
||||
Index: Python-3.8.15/Makefile.pre.in
|
||||
===================================================================
|
||||
--- Python-3.8.15.orig/Makefile.pre.in
|
||||
+++ Python-3.8.15/Makefile.pre.in
|
||||
@@ -811,6 +811,11 @@ Python/sysmodule.o: $(srcdir)/Python/sys
|
||||
$(MULTIARCH_CPPFLAGS) \
|
||||
-o $@ $(srcdir)/Python/sysmodule.c
|
||||
--- a/Python/sysmodule.c
|
||||
+++ b/Python/sysmodule.c
|
||||
@@ -2981,6 +2981,7 @@ _PySys_InitMain(_PyRuntimeState *runtime
|
||||
SET_SYS_FROM_WSTR("base_prefix", config->base_prefix);
|
||||
SET_SYS_FROM_WSTR("exec_prefix", config->exec_prefix);
|
||||
SET_SYS_FROM_WSTR("base_exec_prefix", config->base_exec_prefix);
|
||||
+ SET_SYS_FROM_WSTR("platlibdir", config->platlibdir);
|
||||
|
||||
+Python/initconfig.o: $(srcdir)/Python/initconfig.c
|
||||
+ $(CC) -c $(PY_CORE_CFLAGS) \
|
||||
+ -DPLATLIBDIR='"$(platsubdir)"' \
|
||||
+ -o $@ $(srcdir)/Python/initconfig.c
|
||||
+
|
||||
$(IO_OBJS): $(IO_H)
|
||||
|
||||
.PHONY: regen-grammar
|
||||
Index: Python-3.8.15/Lib/test/test_embed.py
|
||||
===================================================================
|
||||
--- Python-3.8.15.orig/Lib/test/test_embed.py
|
||||
+++ Python-3.8.15/Lib/test/test_embed.py
|
||||
@@ -382,6 +382,7 @@ class InitConfigTests(EmbeddingTestsMixi
|
||||
'exec_prefix': GET_DEFAULT_CONFIG,
|
||||
'base_exec_prefix': GET_DEFAULT_CONFIG,
|
||||
'module_search_paths': GET_DEFAULT_CONFIG,
|
||||
+ 'platlibdir': sys.platlibdir,
|
||||
|
||||
'site_import': 1,
|
||||
'bytes_warning': 0,
|
||||
if (config->pycache_prefix != NULL) {
|
||||
SET_SYS_FROM_WSTR("pycache_prefix", config->pycache_prefix);
|
||||
|
@ -1,3 +1,35 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Dec 8 10:32:15 UTC 2022 - Matej Cepl <mcepl@suse.com>
|
||||
|
||||
- Update to 3.8.16:
|
||||
- python -m http.server no longer allows terminal
|
||||
control characters sent within a garbage request to be
|
||||
printed to the stderr server log.
|
||||
This is done by changing the http.server
|
||||
BaseHTTPRequestHandler .log_message method to replace control
|
||||
characters with a \xHH hex escape before printing.
|
||||
- Avoid publishing list of active per-interpreter
|
||||
audit hooks via the gc module
|
||||
- The IDNA codec decoder used on DNS hostnames by
|
||||
socket or asyncio related name resolution functions no
|
||||
longer involves a quadratic algorithm. This prevents a
|
||||
potential CPU denial of service if an out-of-spec excessive
|
||||
length hostname involving bidirectional characters were
|
||||
decoded. Some protocols such as urllib http 3xx redirects
|
||||
potentially allow for an attacker to supply such a
|
||||
name (CVE-2022-45061).
|
||||
- Update bundled libexpat to 2.5.0
|
||||
- Port XKCP’s fix for the buffer overflows in SHA-3
|
||||
(CVE-2022-37454).
|
||||
- The deprecated mailcap module now refuses to inject
|
||||
unsafe text (filenames, MIME types, parameters) into shell
|
||||
commands. Instead of using such text, it will warn and act
|
||||
as if a match was not found (or for test commands, as if the
|
||||
test failed).
|
||||
- Removed upstream patches:
|
||||
- CVE-2022-37454-sha3-buffer-overflow.patch
|
||||
- CVE-2022-45061-DoS-by-IDNA-decode.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 9 18:31:23 UTC 2022 - Matej Cepl <mcepl@suse.com>
|
||||
|
||||
|
@ -92,7 +92,7 @@
|
||||
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
|
||||
%bcond_without profileopt
|
||||
Name: %{python_pkg_name}%{psuffix}
|
||||
Version: 3.8.15
|
||||
Version: 3.8.16
|
||||
Release: 0
|
||||
Summary: Python 3 Interpreter
|
||||
License: Python-2.0
|
||||
@ -176,13 +176,6 @@ Patch37: platlibdir-in-sys.patch
|
||||
# PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mcepl@suse.com
|
||||
# this patch makes things totally awesome
|
||||
Patch38: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2022-37454-sha3-buffer-overflow.patch bsc#1204577 mcepl@suse.com
|
||||
# Fix original buffer overflow
|
||||
# Originally from gh#python/cpython#98528
|
||||
Patch39: CVE-2022-37454-sha3-buffer-overflow.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2022-45061-DoS-by-IDNA-decode.patch bsc#1205244 mcepl@suse.com
|
||||
# Avoid DoS by decoding IDNA for too long domain names
|
||||
Patch40: CVE-2022-45061-DoS-by-IDNA-decode.patch
|
||||
BuildRequires: autoconf-archive
|
||||
BuildRequires: automake
|
||||
BuildRequires: fdupes
|
||||
@ -451,8 +444,6 @@ other applications.
|
||||
%patch36 -p1
|
||||
%patch37 -p1
|
||||
%patch38 -p1
|
||||
%patch39 -p1
|
||||
%patch40 -p1
|
||||
|
||||
# drop Autoconf version requirement
|
||||
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
|
||||
|
Loading…
Reference in New Issue
Block a user