pool/python39
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 983632 from devel:languages:python:Factory

Browse Source 
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
  CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
  command injection in the mailcap module.
- Fix building of documentation and the universal configuration of the
  %primary_interpreter.
- (bsc#1196784, CVE-2022-25236) Rename patch:
  support-expat-245.patch to support-expat-CVE-2022-25236-patched.patch
  and update the patch to detect expat >= 2.4.4 instead of >= 2.4.5
  as it was fully patched against CVE-2022-25236.

    22.0.4, bnc#1186819, CVE-2021-3572)

OBS-URL: https://build.opensuse.org/request/show/983632
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=30
This commit is contained in:
Dominique Leuenberger 2022-06-19 19:10:34 +00:00 committed by Git OBS Bridge
commit 35d1711e18
4 changed files with 196 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

136
CVE-2015-20107-mailcap-unsafe-filenames.patch Normal file
View File

@ -0,0 +1,136 @@
From c3e7f139b440d7424986204e9f3fc2275aea3377 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <encukou@gmail.com>
Date: Wed, 27 Apr 2022 18:17:33 +0200
Subject: [PATCH 1/4] gh-68966: Make mailcap refuse to match unsafe
filenames/types/params
---
Doc/library/mailcap.rst | 12 ++++
Lib/mailcap.py | 26 +++++++++-
Lib/test/test_mailcap.py | 8 ++-
Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 +
4 files changed, 46 insertions(+), 4 deletions(-)
--- a/Doc/library/mailcap.rst
+++ b/Doc/library/mailcap.rst
@@ -60,6 +60,18 @@ standard. However, mailcap files are su
use) to determine whether or not the mailcap line applies. :func:`findmatch`
will automatically check such conditions and skip the entry if the check fails.
+ .. versionchanged:: 3.11
+
+ To prevent security issues with shell metacharacters (symbols that have
+ special effects in a shell command line), ``findmatch`` will refuse
+ to inject ASCII characters other than alphanumerics and ``@+=:,./-_``
+ into the returned command line.
+
+ If a disallowed character appears in *filename*, ``findmatch`` will always
+ return ``(None, None)`` as if no entry was found.
+ If such a character appears elsewhere (a value in *plist* or in *MIMEtype*),
+ ``findmatch`` will ignore all mailcap entries which use that value.
+ A :mod:`warning <warnings>` will be raised in either case.
.. function:: getcaps()
--- a/Lib/mailcap.py
+++ b/Lib/mailcap.py
@@ -2,6 +2,7 @@
import os
import warnings
+import re
__all__ = ["getcaps","findmatch"]
@@ -13,6 +14,11 @@ def lineno_sort_key(entry):
else:
return 1, 0
+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
+
+class UnsafeMailcapInput(Warning):
+ """Warning raised when refusing unsafe input"""
+
# Part 1: top-level interface.
@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view'
entry to use.
"""
+ if _find_unsafe(filename):
+ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None, None
entries = lookup(caps, MIMEtype, key)
# XXX This code should somehow check for the needsterminal flag.
for e in entries:
if 'test' in e:
test = subst(e['test'], filename, plist)
+ if test is None:
+ continue
if test and os.system(test) != 0:
continue
command = subst(e[key], MIMEtype, filename, plist)
- return command, e
+ if command is not None:
+ return command, e
return None, None
def lookup(caps, MIMEtype, key=None):
@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, pli
elif c == 's':
res = res + filename
elif c == 't':
+ if _find_unsafe(MIMEtype):
+ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None
res = res + MIMEtype
elif c == '{':
start = i
@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, pli
i = i+1
name = field[start:i]
i = i+1
- res = res + findparam(name, plist)
+ param = findparam(name, plist)
+ if _find_unsafe(param):
+ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None
+ res = res + param
# XXX To do:
# %n == number of parts if type is multipart/*
# %F == list of alternating type and filename for parts
--- a/Lib/test/test_mailcap.py
+++ b/Lib/test/test_mailcap.py
@@ -121,7 +121,8 @@ class HelperFunctionTest(unittest.TestCa
(["", "audio/*", "foo.txt"], ""),
(["echo foo", "audio/*", "foo.txt"], "echo foo"),
(["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
+ (["echo %t", "audio/*", "foo.txt"], None),
+ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
(["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
(["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
(["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
@@ -205,7 +206,10 @@ class FindmatchTest(unittest.TestCase):
('"An audio fragment"', audio_basic_entry)),
([c, "audio/*"],
{"filename": fname},
- ("/usr/local/bin/showaudio audio/*", audio_entry)),
+ (None, None)),
+ ([c, "audio/wav"],
+ {"filename": fname},
+ ("/usr/local/bin/showaudio audio/wav", audio_entry)),
([c, "message/external-body"],
{"plist": plist},
("showexternal /dev/null default john python.org /tmp foo bar", message_entry))
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
@@ -0,0 +1,4 @@
+The deprecated mailcap module now refuses to inject unsafe text (filenames,
+MIME types, parameters) into shell commands. Instead of using such text, it
+will warn and act as if a match was not found (or for test commands, as if
+the test failed).

15
python39.changes
View File

@ -1,3 +1,16 @@
-------------------------------------------------------------------
Thu Jun 9 16:43:30 UTC 2022 - Matej Cepl <mcepl@suse.com>
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
command injection in the mailcap module.
- Fix building of documentation and the universal configuration of the
%primary_interpreter.
- (bsc#1196784, CVE-2022-25236) Rename patch:
support-expat-245.patch to support-expat-CVE-2022-25236-patched.patch
and update the patch to detect expat >= 2.4.4 instead of >= 2.4.5
as it was fully patched against CVE-2022-25236.
-------------------------------------------------------------------
Fri May 20 14:18:15 UTC 2022 - Matej Cepl <mcepl@suse.com>
@ -250,7 +263,7 @@ Sat Mar 26 22:22:24 UTC 2022 - Matej Cepl <mcepl@suse.com>
including bugfix for EntryPoint.extras, which was returning
match objects and not the extras strings.
- bpo-46985: Upgrade pip wheel bundled with ensurepip (pip
22.0.4)
22.0.4, bnc#1186819, CVE-2021-3572)
- bpo-46968: faulthandler: On Linux 5.14 and newer, dynamically
determine size of signal handler stack size CPython allocates
using getauxval(AT_MINSIGSTKSZ). This changes allows for

26
python39.spec
View File

@ -51,7 +51,11 @@
%define python_pkg_name python39
# Will provide the python3-* provides
# Will do the /usr/bin/python3 and all the core links
%define primary_interpreter 0
%if 0%{?sle_version} || 0%{?suse_version} >= 1550
%define primary_interpreter 0
%else
%define primary_interpreter 1
%endif
# We don't process beta signs well
%define folderversion 3.9.13
%define tarname Python-%{tarversion}
@ -151,9 +155,12 @@ Patch33: no-skipif-doctests.patch
# PATCH-FIX-SLE skip-test_pyobject_freed_is_freed.patch mcepl@suse.com
# skip a test failing on SLE-15
Patch34: skip-test_pyobject_freed_is_freed.patch
# PATCH-FIX-UPSTREAM support-expat-245.patch jsc#SLE-21253 mcepl@suse.com
# PATCH-FIX-UPSTREAM support-expat-CVE-2022-25236-patched.patch jsc#SLE-21253 mcepl@suse.com
# Makes Python resilient to changes of API of libexpat
Patch35: support-expat-245.patch
Patch35: support-expat-CVE-2022-25236-patched.patch
# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com
# avoid the command injection in the mailcap module.
Patch36: CVE-2015-20107-mailcap-unsafe-filenames.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: fdupes
@ -181,12 +188,12 @@ BuildRequires: pkgconfig(libtirpc)
BuildRequires: mpdecimal-devel
%endif
%if %{with doc}
%if 0%{?suse_version} >= 1550
BuildRequires: %{python_pkg_name}-Sphinx
BuildRequires: %{python_pkg_name}-python-docs-theme >= 2022.1
%else
%if 0%{?sle_version} && 0%{?sle_version} <= 150300
BuildRequires: python3-Sphinx
BuildRequires: python3-python-docs-theme >= 2022.1
%else
BuildRequires: %{python_pkg_name}-Sphinx
BuildRequires: %{python_pkg_name}-python-docs-theme >= 2022.1
%endif
%endif
%if %{with general}
@ -404,16 +411,15 @@ other applications.
%patch25 -p1
%patch29 -p1
%patch32 -p1
%if 0%{?suse_version} <= 1500
%patch33 -p1
%endif
%if 0%{?sle_version} && 0%{?sle_version} <= 150300
%patch33 -p1
%patch34 -p1
%endif
%if %{with mpdecimal}
%patch05 -p1
%endif
%patch35 -p1
%patch36 -p1
# drop Autoconf version requirement
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac

60
support-expat-245.patch → support-expat-CVE-2022-25236-patched.patch
View File

@ -1,9 +1,9 @@
From d4f5bb912e67299b59b814b89a5afd9a8821a14e Mon Sep 17 00:00:00 2001
From 7da97f61816f3cadaa6788804b22a2434b40e8c5 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-islington@users.noreply.github.com>
Date: Mon, 21 Feb 2022 11:03:08 -0800
Date: Mon, 21 Feb 2022 08:16:09 -0800
Subject: [PATCH] bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453)
(GH-31471)
(GH-31472)
Curly brackets were never allowed in namespace URIs
according to RFC 3986, and so-called namespace-validating
@ -23,53 +23,53 @@ Also, test_minidom.py: Support Expat >=2.4.5
Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
---
Lib/test/test_minidom.py | 13 ++++------
Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst | 1
2 files changed, 7 insertions(+), 7 deletions(-)
Lib/test/test_minidom.py | 23 +++++++++--------------
1 file changed, 9 insertions(+), 14 deletions(-)
create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
--- a/Lib/test/test_minidom.py
+++ b/Lib/test/test_minidom.py
@@ -6,12 +6,11 @@ import io
@@ -6,7 +6,6 @@ import io
from test import support
import unittest
-import pyexpat
+import xml.parsers.expat
import xml.dom.minidom
from xml.dom.minidom import parse, Node, Document, parseString
from xml.dom.minidom import getDOMImplementation
-from xml.parsers.expat import ExpatError
tstfile = support.findfile("test.xml", subdir="xmltestdata")
@@ -1149,10 +1148,10 @@ class MinidomTest(unittest.TestCase):
@@ -1149,13 +1148,11 @@ class MinidomTest(unittest.TestCase):
# Verify that character decoding errors raise exceptions instead
# of crashing
- if pyexpat.version_info >= (2, 4, 5):
- self.assertRaises(ExpatError, parseString,
+ if xml.parsers.expat.version_info >= (2, 4, 4):
+ self.assertRaises(xml.parsers.expat.ExpatError, parseString,
b'<fran\xe7ais></fran\xe7ais>')
- b'<fran\xe7ais></fran\xe7ais>')
- self.assertRaises(ExpatError, parseString,
+ self.assertRaises(xml.parsers.expat.ExpatError, parseString,
b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
else:
self.assertRaises(UnicodeDecodeError, parseString,
@@ -1617,8 +1616,8 @@ class MinidomTest(unittest.TestCase):
- b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
- else:
- self.assertRaises(UnicodeDecodeError, parseString,
+ # It doesnt make any sense to insist on the exact text of the
+ # error message, or even the exact Exception … it is enough that
+ # the error has been discovered.
+ with self.assertRaises((UnicodeDecodeError, ExpatError)):
+ parseString(
b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
doc.unlink()
@@ -1617,12 +1614,10 @@ class MinidomTest(unittest.TestCase):
self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
def testExceptionOnSpacesInXMLNSValue(self):
- if pyexpat.version_info >= (2, 4, 5):
- context = self.assertRaisesRegex(ExpatError, 'syntax error')
+ if xml.parsers.expat.version_info >= (2, 4, 4):
+ context = self.assertRaisesRegex(xml.parsers.expat.ExpatError, 'syntax error')
else:
context = self.assertRaisesRegex(ValueError, 'Unsupported syntax')
- else:
- context = self.assertRaisesRegex(ValueError, 'Unsupported syntax')
-
- with context:
+ # It doesnt make any sense to insist on the exact text of the
+ # error message, or even the exact Exception … it is enough that
+ # the error has been discovered.
+ with self.assertRaises((ExpatError, ValueError)):
parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
@@ -0,0 +1 @@
+Make test suite support Expat >=2.4.5
def testDocRemoveChild(self):