From 6fa3cda54411391ae7da9e95754c4248016c60e05a3977a0ead7eab960fd739a Mon Sep 17 00:00:00 2001 
From: Matej Cepl
Date: Sun, 11 Sep 2022 08:54:55 +0000
Subject: [PATCH] =?UTF-8?q?-=20Update=20to=203.9.14:=20=20=20-=20(CVE-2020?=
 =?UTF-8?q?-10735,=20bsc#1203125).=20Converting=20between=20int=20=20=20?=
 =?UTF-8?q?=20=20and=20str=20in=20bases=20other=20than=202=20(binary),=204?=
 =?UTF-8?q?,=208=20(octal),=2016=20=20=20=20=20(hexadecimal),=20or=2032=20?=
 =?UTF-8?q?such=20as=20base=2010=20(decimal)=20now=20raises=20a=20=20=20?=
 =?UTF-8?q?=20=20ValueError=20if=20the=20number=20of=20digits=20in=20strin?=
 =?UTF-8?q?g=20form=20is=20above=20a=20=20=20=20=20limit=20to=20avoid=20po?=
 =?UTF-8?q?tential=20denial=20of=20service=20attacks=20due=20to=20the=20?=
 =?UTF-8?q?=20=20=20=20algorithmic=20complexity.=20=20=20=20=20This=20new?=
 =?UTF-8?q?=20limit=20can=20be=20configured=20or=20disabled=20by=20environ?=
 =?UTF-8?q?ment=20=20=20=20=20variable,=20command=20line=20flag,=20or=20sy?=
 =?UTF-8?q?s=20APIs.=20See=20the=20integer=20=20=20=20=20string=20conversi?=
 =?UTF-8?q?on=20length=20limitation=20documentation.=20The=20=20=20=20=20d?=
 =?UTF-8?q?efault=20limit=20is=204300=20digits=20in=20string=20form.=20=20?=
 =?UTF-8?q?=20-=20Also=20other=20bug=20fixes:=20=20=20=20=20-=20http.serve?=
 =?UTF-8?q?r:=20Fix=20an=20open=20redirection=20vulnerability=20in=20the?=
 =?UTF-8?q?=20=20=20=20=20=20=20HTTP=20server=20when=20an=20URI=20path=20s?=
 =?UTF-8?q?tarts=20with=20//.=20Vulnerability=20=20=20=20=20=20=20discover?=
 =?UTF-8?q?ed,=20and=20initial=20fix=20proposed,=20by=20Hamza=20Avvan.=20?=
 =?UTF-8?q?=20=20=20=20-=20Fix=20contextvars=20HAMT=20implementation=20to?=
 =?UTF-8?q?=20handle=20iteration=20=20=20=20=20=20=20over=20deep=20trees.?=
 =?UTF-8?q?=20The=20bug=20was=20discovered=20and=20fixed=20by=20Eli=20=20?=
 =?UTF-8?q?=20=20=20=20=20Libman.=20See=20MagicStack/immutables#84=20for?=
 =?UTF-8?q?=20more=20details.=20=20=20=20=20-=20Fix=20binding=20of=20unix?=
 =?UTF-8?q?=20socket=20to=20empty=20address=20on=20Linux=20to=20use=20=20?=
 =?UTF-8?q?=20=20=20=20=20an=20available=20address=20from=20the=20abstract?=
 =?UTF-8?q?=20namespace,=20instead=20=20=20=20=20=20=20of=20=E2=80=9C0?=
 =?UTF-8?q?=E2=80=9D.=20=20=20=20=20-=20Suppress=20writing=20an=20XML=20de?=
 =?UTF-8?q?claration=20in=20open=20files=20=20=20=20=20=20=20in=20ElementT?=
 =?UTF-8?q?ree.write()=20with=20encoding=3D'unicode'=20and=20=20=20=20=20?=
 =?UTF-8?q?=20=20xml=5Fdeclaration=3DNone.=20=20=20=20=20-=20Fix=20the=20f?=
 =?UTF-8?q?ormatting=20for=20await=20x=20and=20not=20x=20in=20the=20operat?=
 =?UTF-8?q?or=20=20=20=20=20=20=20precedence=20table=20when=20using=20the?=
 =?UTF-8?q?=20help()=20system.=20=20=20=20=20-=20Fix=20ensurepip=20environ?=
 =?UTF-8?q?ment=20isolation=20for=20subprocess=20running=20=20=20=20=20=20?=
 =?UTF-8?q?=20pip.=20=20=20=20=20-=20Fix=20problem=20with=20test=5Fssl=20t?=
 =?UTF-8?q?est=5Fget=5Fciphers=20on=20systems=20that=20=20=20=20=20=20=20r?=
 =?UTF-8?q?equire=20perfect=20forward=20secrecy=20(PFS)=20ciphers.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=116
---
CVE-2021-28861-double-slash-path.patch | 127 -----------------------
Python-3.9.13.tar.xz | 3 -
Python-3.9.13.tar.xz.asc | 16 ---
Python-3.9.14.tar.xz | 3 +
Python-3.9.14.tar.xz.asc | 16 +++
bpo-31046_ensurepip_honours_prefix.patch | 12 +--
python39.changes | 41 ++++++++
python39.spec | 8 +-
sphinx-update-removed-function.patch | 2 +-
9 files changed, 69 insertions(+), 159 deletions(-)
delete mode 100644 CVE-2021-28861-double-slash-path.patch
delete mode 100644 Python-3.9.13.tar.xz
delete mode 100644 Python-3.9.13.tar.xz.asc
create mode 100644 Python-3.9.14.tar.xz
create mode 100644 Python-3.9.14.tar.xz.asc
diff --git a/CVE-2021-28861-double-slash-path.patch b/CVE-2021-28861-double-slash-path.patch
deleted file mode 100644
index 6cbd7d4..0000000
--- a/CVE-2021-28861-double-slash-path.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-From 31dbe663f6c9ae68595dde9420381e065016ad6f Mon Sep 17 00:00:00 2001
-From: "Gregory P. Smith"
-Date: Tue, 21 Jun 2022 13:16:57 -0700
-Subject: [PATCH] gh-87389: Fix an open redirection vulnerability in
- http.server. (GH-93879)
-
-Fix an open redirection vulnerability in the `http.server` module when
-an URI path starts with `//` that could produce a 301 Location header
-with a misleading target. Vulnerability discovered, and logic fix
-proposed, by Hamza Avvan (@hamzaavvan).
-
-Test and comments authored by Gregory P. Smith [Google].
-(cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e)
-
-Co-authored-by: Gregory P. Smith
---
- Lib/http/server.py | 7 +++
- Lib/test/test_httpservers.py | 53 ++++++++++++++++++-
- ...2-06-15-20-09-23.gh-issue-87389.QVaC3f.rst | 3 ++
- 3 files changed, 61 insertions(+), 2 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst
-
-diff --git a/Lib/http/server.py b/Lib/http/server.py
-index 2d2300c2aeab..6bf9084341a6 100644
---- a/Lib/http/server.py
-+++ b/Lib/http/server.py
-@@ -330,6 +330,13 @@ def parse_request(self):
- return False
- self.command, self.path = command, path
-
-+ # gh-87389: The purpose of replacing '//' with '/' is to protect
-+ # against open redirect attacks possibly triggered if the path starts
-+ # with '//' because http clients treat //path as an absolute URI
-+ # without scheme (similar to http://path) rather than a path.
-+ if self.path.startswith('//'):
-+ self.path = '/' + self.path.lstrip('/') # Reduce to a single /
-+
- # Examine the headers and look for a Connection directive.
- try:
- self.headers = http.client.parse_headers(self.rfile,
-diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
-index c1494d29ca87..4acf7a6fea44 100644
---- a/Lib/test/test_httpservers.py
-+++ b/Lib/test/test_httpservers.py
-@@ -331,7 +331,7 @@ class request_handler(NoLogRequestHandler, SimpleHTTPRequestHandler):
- pass
-
- def setUp(self):
-- BaseTestCase.setUp(self)
-+ super().setUp()
- self.cwd = os.getcwd()
- basetempdir = tempfile.gettempdir()
- os.chdir(basetempdir)
-@@ -359,7 +359,7 @@ def tearDown(self):
- except:
- pass
- finally:
-- BaseTestCase.tearDown(self)
-+ super().tearDown()
-
- def check_status_and_reason(self, response, status, data=None):
- def close_conn():
-@@ -415,6 +415,55 @@ def test_undecodable_filename(self):
- self.check_status_and_reason(response, HTTPStatus.OK,
- data=support.TESTFN_UNDECODABLE)
-
-+ def test_get_dir_redirect_location_domain_injection_bug(self):
-+ """Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.
-+
-+ //netloc/ in a Location header is a redirect to a new host.
-+ https://github.com/python/cpython/issues/87389
-+
-+ This checks that a path resolving to a directory on our server cannot
-+ resolve into a redirect to another server.
-+ """
-+ os.mkdir(os.path.join(self.tempdir, 'existing_directory'))
-+ url = f'/python.org/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../{self.tempdir_name}/existing_directory'
-+ expected_location = f'{url}/' # /python.org.../ single slash single prefix, trailing slash
-+ # Canonicalizes to /tmp/tempdir_name/existing_directory which does
-+ # exist and is a dir, triggering the 301 redirect logic.
-+ response = self.request(url)
-+ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
-+ location = response.getheader('Location')
-+ self.assertEqual(location, expected_location, msg='non-attack failed!')
-+
-+ # //python.org...
multi-slash prefix, no trailing slash
-+ attack_url = f'/{url}'
-+ response = self.request(attack_url)
-+ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
-+ location = response.getheader('Location')
-+ self.assertFalse(location.startswith('//'), msg=location)
-+ self.assertEqual(location, expected_location,
-+ msg='Expected Location header to start with a single / and '
-+ 'end with a / as this is a directory redirect.')
-+
-+ # ///python.org... triple-slash prefix, no trailing slash
-+ attack3_url = f'//{url}'
-+ response = self.request(attack3_url)
-+ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
-+ self.assertEqual(response.getheader('Location'), expected_location)
-+
-+ # If the second word in the http request (Request-URI for the http
-+ # method) is a full URI, we don't worry about it, as that'll be parsed
-+ # and reassembled as a full URI within BaseHTTPRequestHandler.send_head
-+ # so no errant scheme-less //netloc//evil.co/ domain mixup can happen.
-+ attack_scheme_netloc_2slash_url = f'https://pypi.org/{url}'
-+ expected_scheme_netloc_location = f'{attack_scheme_netloc_2slash_url}/'
-+ response = self.request(attack_scheme_netloc_2slash_url)
-+ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
-+ location = response.getheader('Location')
-+ # We're just ensuring that the scheme and domain make it through, if
-+ # there are or aren't multiple slashes at the start of the path that
-+ # follows that isn't important in this Location: header.
-+ self.assertTrue(location.startswith('https://pypi.org/'), msg=location)
-+
- def test_get(self):
- #constructs the path relative to the root directory of the HTTPServer
- response = self.request(self.base_url + '/test')
-diff --git a/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst b/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst
-new file mode 100644
-index 000000000000..029d437190de
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst
-@@ -0,0 +1,3 @@
-+:mod:`http.server`: Fix an open redirection vulnerability in the HTTP server
-+when an URI path starts with ``//``. Vulnerability discovered, and initial
-+fix proposed, by Hamza Avvan.
diff --git a/Python-3.9.13.tar.xz b/Python-3.9.13.tar.xz
deleted file mode 100644
index 8ea0920..0000000
--- a/Python-3.9.13.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:125b0c598f1e15d2aa65406e83f792df7d171cdf38c16803b149994316a3080f
-size 19754368
diff --git a/Python-3.9.13.tar.xz.asc b/Python-3.9.13.tar.xz.asc
deleted file mode 100644
index 1e85b64..0000000
--- a/Python-3.9.13.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmKDr+sACgkQsmmV4xAl
-BWib8A/+I+Gm2Gjf1lTFasrDIQb68gus7q9MjgjWG7HRY64gGqDBq6VcNrhVg+3g
-lGL0Xr6QHkFCIJVlobDAL4UgmNkO0+I2fNhUybKPGT6BOVa4IXHkuWlJX0OBRjY+
-uOw7nCEyLzEA/FbwZXb+0PKJm74s3opjUbu9/9uY7QIqWIiD77UfQ61SDsnRLaQW
-oEULPWFNLbdpMhTn7M/WVUwcxbyrCzjeFJ8rDiEbux3C1AhagTW49NTxOVW722yS
-3mzjuYeyfXBIfaaU9ZHW6Z7B1hbuNVF0AvOcI3nKFUjHYs5hhchM7QnZhdFG6mMN
-7REmBhssGkzWBtsWVbyChHhgVIqv81qUv6tywYMWaZtKfmrgzx2UNg9rx609c5gs
-1dzXWBrh2PFWLUf8U1noSOEz/Q6/fbgdHFj4AUsr+c3zr74FNABbH5VOHS6QP79X
-ic0a9+zBirrSVnLlsHkEO+aXju9ITcU/DUxPIUZxgmOImL4Vx1lsjYaw00csMzA3
-YItkoMwp4Hi7+Tvr/jGaTpKpmW+r00LyQfTfQmst7STDVY9EjlC3Mk2hzqgtFx5Z
-hzb4EtMQNSjwPCvSXVWFFZWsLRu70n81uWfnXRBX7tRAWZoxC44jiOGjEhTJwzs4
-sZAhimk17t3agM0Jf0fTFMPly0mVLQMjbE7OK8GIgv/q4O5R5lc=
-=RYbS
------END PGP SIGNATURE-----
diff --git a/Python-3.9.14.tar.xz b/Python-3.9.14.tar.xz
new file mode 100644
index 0000000..8f455d3
--- /dev/null
+++ b/Python-3.9.14.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:651304d216c8203fe0adf1a80af472d8e92c3b0e0a7892222ae4d9f3ae4debcf
+size 19750176
diff --git a/Python-3.9.14.tar.xz.asc b/Python-3.9.14.tar.xz.asc
new file mode 100644
index 0000000..3fe8cc8
--- /dev/null
+++ b/Python-3.9.14.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmMXib8ACgkQsmmV4xAl
+BWiwtA/+LhNMVhCwNFNtDaxDLv2Pt43oX07ka9kuRau6WU0bicf4zBboQW2Ut9en
+epdnw06klvOrb2wlxU4jeWdzuq5bNlhW3rVyT2npbRfYeXqsi/i+sY9eV5SFRPAM
+eZrnCOkuWJxTy/XRQsPFbhE0bG+npoR80RpDtZ9EfjKyL2PSyOsvudKHjepcdHMi
+tCzcmHwJbakD18g268RiDZsR8q7lSQW0c3OhOPwXfFV2Xh+jS8eEEcdp2QSBq/S9
++HIHEAYJWvAEtg9q3KMKDWOi5rd0Q6Cw4zcO8GI0HTCkNsnJmtLUJ4qTTZWOHC5t
+M8Z0hzuXI9wK23GpxWuThuaMyQCW5HX8tBVuxaHNyWuJ4T6ID0eJJP4ijLNMXv4U
+Q0MRbLYtIIagB8BsZtBnEIIsQ1k7THdJ5KAsWIjVaPe80yQWLOrmuXulJi+E4F/C
+bBKcsFXC605xg5C3AQk58QXpyLDoPtLtRVVPtVi1aqpHCLRCikHA8kqwc7JQIf7v
+p4VsfcNsYga/EF6FArdmVz8fOpQgItvhuHgMRWBZ35p/t9Ckbl7fJQB0PYfVKYWC
+F+uNahFYvJ+gH96U6MddEzZlB0AHx3gfysBrgWXvgUAqvAZ/Vq6FiOf0jhFWUtb1
+8b7sp8GSp7QzIP9U3J75sonXEAvNOA31vuKSJ2sKdxsIP9/KgZE=
+=kQup
+-----END PGP SIGNATURE-----
diff --git a/bpo-31046_ensurepip_honours_prefix.patch b/bpo-31046_ensurepip_honours_prefix.patch
index f270184..73effd3 100644
--- a/bpo-31046_ensurepip_honours_prefix.patch
+++ b/bpo-31046_ensurepip_honours_prefix.patch
@@ -55,7 +55,7 @@ Co-Authored-By: Xavier de Gaye
.. note::
--- a/Lib/ensurepip/__init__.py
+++ b/Lib/ensurepip/__init__.py
-@@ -52,27 +52,27 @@ def _disable_pip_configuration_settings(
+@@ -57,27 +57,27 @@ def _disable_pip_configuration_settings(
os.environ['PIP_CONFIG_FILE'] = os.devnull
@@ -88,7 +88,7 @@ Co-Authored-By: Xavier de Gaye
Note that calling this function will alter both sys.path and os.environ.
"""
-@@ -115,6 +115,8 @@ def _bootstrap(*, root=None, upgrade=Fal
+@@ -120,6 +120,8 @@ def _bootstrap(*, root=None, upgrade=Fal
args = ["install", "--no-cache-dir", "--no-index", "--find-links", tmpdir]
if root:
args += ["--root", root]
@@ -97,7 +97,7 @@ Co-Authored-By: Xavier de Gaye
if upgrade:
args += ["--upgrade"]
if user:
-@@ -187,6 +189,11 @@ def _main(argv=None):
+@@ -192,6 +194,11 @@ def _main(argv=None):
help="Install everything relative to this alternate root directory.",
)
parser.add_argument(
@@ -109,7 +109,7 @@ Co-Authored-By: Xavier de Gaye
"--altinstall",
action="store_true",
default=False,
-@@ -205,6 +212,7 @@ def _main(argv=None):
+@@ -210,6 +217,7 @@ def _main(argv=None):
return _bootstrap(
root=args.root,
@@ -139,7 +139,7 @@ Co-Authored-By: Xavier de Gaye
--- a/Makefile.pre.in
+++ b/Makefile.pre.in
-@@ -1262,7 +1262,7 @@ install: @FRAMEWORKINSTALLFIRST@ commoni
+@@ -1263,7 +1263,7 @@ install: @FRAMEWORKINSTALLFIRST@ commoni
install|*) ensurepip="" ;; \
esac; \
$(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \
@@ -148,7 +148,7 @@ Co-Authored-By: Xavier de Gaye
fi
altinstall: commoninstall
-@@ -1272,7 +1272,7 @@ altinstall: commoninstall
+@@ -1273,7 +1273,7 @@ altinstall: commoninstall
install|*) ensurepip="--altinstall" ;; \
esac; \
$(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \
diff --git a/python39.changes b/python39.changes
index 103cbd1..40febc2 100644
--- a/python39.changes
+++ b/python39.changes
@@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Sun Sep 11 08:49:43 UTC 2022 - Matej Cepl
+
+- Update to 3.9.14:
+ - (CVE-2020-10735, bsc#1203125). Converting between int
+ and str in bases other than 2 (binary), 4, 8 (octal), 16
+ (hexadecimal), or 32 such as base 10 (decimal) now raises a
+ ValueError if the number of digits in string form is above a
+ limit to avoid potential denial of service attacks due to the
+ algorithmic complexity.
+ This new limit can be configured or disabled by environment
+ variable, command line flag, or sys APIs. See the integer
+ string conversion length limitation documentation. The
+ default limit is 4300 digits in string form.
+ - Also other bug fixes:
+ - http.server: Fix an open redirection vulnerability in the
+ HTTP server when an URI path starts with //. Vulnerability
+ discovered, and initial fix proposed, by Hamza Avvan.
+ - Fix contextvars HAMT implementation to handle iteration
+ over deep trees. The bug was discovered and fixed by Eli
+ Libman. See MagicStack/immutables#84 for more details.
+ - Fix binding of unix socket to empty address on Linux to use
+ an available address from the abstract namespace, instead
+ of “0”.
+ - Suppress writing an XML declaration in open files
+ in ElementTree.write() with encoding='unicode' and
+ xml_declaration=None.
+ - Fix the formatting for await x and not x in the operator
+ precedence table when using the help() system.
+ - Fix ensurepip environment isolation for subprocess running
+ pip.
+ - Fix problem with test_ssl test_get_ciphers on systems that
+ require perfect forward secrecy (PFS) ciphers.
+ - test_ssl is now checking for supported TLS version and
+ protocols in more tests.
+- Removed upstreamed patches:
+ - CVE-2021-28861-double-slash-path.patch
+- Realign patches:
+ - bpo-31046_ensurepip_honours_prefix.patch
+ - sphinx-update-removed-function.patch
+
-------------------------------------------------------------------
Thu Sep 1 03:48:37 UTC 2022 - Steve Kowalik
diff --git a/python39.spec b/python39.spec
index 4bf421a..c4f156d 100644
--- a/python39.spec
+++ b/python39.spec
@@ -57,7 +57,7 @@
%define tarversion %{version}
%endif
# We don't process beta signs well
-%define folderversion 3.9.13
+%define folderversion %{version}
%define tarname Python-%{tarversion}
%define sitedir %{_libdir}/python%{python_version}
# three possible ABI kinds: m - pymalloc, d - debug build; see PEP 3149
@@ -93,7 +93,7 @@
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
%bcond_without profileopt
Name: %{python_pkg_name}%{psuffix}
-Version: 3.9.13
+Version: 3.9.14
Release: 0
Summary: Python 3 Interpreter
License: Python-2.0
@@ -161,9 +161,6 @@ Patch35: support-expat-CVE-2022-25236-patched.patch
# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com
# avoid the command injection in the mailcap module.
Patch36: CVE-2015-20107-mailcap-unsafe-filenames.patch
-# PATCH-FIX-UPSTREAM CVE-2021-28861 bsc#1202624 gh#python/cpython#94093
-# Coerce // to / in Lib/http/server.py
-Patch37: CVE-2021-28861-double-slash-path.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: fdupes
@@ -423,7 +420,6 @@ other applications.
%endif
%patch35 -p1
%patch36 -p1
-%patch37 -p1
# drop Autoconf version requirement
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
diff --git a/sphinx-update-removed-function.patch b/sphinx-update-removed-function.patch
index 9c607c8..84a7659 100644
--- a/sphinx-update-removed-function.patch
+++ b/sphinx-update-removed-function.patch
@@ -4,7 +4,7 @@
--- a/Doc/tools/extensions/pyspecific.py
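Review bot: In the first python39.spec hunk the context comment `# We don't process beta signs well` now sits directly above `%define folderversion %{version}`, which appears to be the very expansion that comment warns against, so the comment is stale and the next pre-release bump will have to rediscover why folderversion used to be hard-coded to 3.9.13. Either delete the comment or rewrite it to state the rule, e.g. `# folderversion must be hard-coded again when packaging an alpha/beta/rc tarball`. The removal of Patch37 and of `%patch37 -p1` in the later hunks is consistent with the changelog hunk's statement that the gh-87389 http.server fix is in 3.9.14. Whether the spec's source-signature check still refers to the new Python-3.9.14.tar.xz.asc is outside the shown hunks and worth confirming before accepting the tarball swap.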
+++ b/Doc/tools/extensions/pyspecific.py
-@@ -362,7 +362,12 @@ class DeprecatedRemoved(Directive):
+@@ -385,7 +385,12 @@ class DeprecatedRemoved(Directive):
translatable=False)
node.append(para)
env = self.state.document.settings.env