pool/python39
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1003029 from devel:languages:python:Factory

Browse Source 
- Update to 3.9.14:
  - (CVE-2020-10735, bsc#1203125). Converting between int
    and str in bases other than 2 (binary), 4, 8 (octal), 16
    (hexadecimal), or 32 such as base 10 (decimal) now raises a
    ValueError if the number of digits in string form is above a
    limit to avoid potential denial of service attacks due to the
    algorithmic complexity.
    This new limit can be configured or disabled by environment
    variable, command line flag, or sys APIs. See the integer
    string conversion length limitation documentation. The
    default limit is 4300 digits in string form.
  - Also other bug fixes:
    - http.server: Fix an open redirection vulnerability in the
      HTTP server when an URI path starts with //. Vulnerability
      discovered, and initial fix proposed, by Hamza Avvan.
    - Fix contextvars HAMT implementation to handle iteration
      over deep trees. The bug was discovered and fixed by Eli
      Libman. See MagicStack/immutables#84 for more details.
    - Fix binding of unix socket to empty address on Linux to use
      an available address from the abstract namespace, instead
      of “0”.
    - Suppress writing an XML declaration in open files
      in ElementTree.write() with encoding='unicode' and
      xml_declaration=None.
    - Fix the formatting for await x and not x in the operator
      precedence table when using the help() system.
    - Fix ensurepip environment isolation for subprocess running
      pip.
    - Fix problem with test_ssl test_get_ciphers on systems that
      require perfect forward secrecy (PFS) ciphers.

OBS-URL: https://build.opensuse.org/request/show/1003029
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=34
This commit is contained in:
Dominique Leuenberger 2022-09-17 18:08:13 +00:00 committed by Git OBS Bridge
commit a25e716d37
9 changed files with 69 additions and 159 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

127
CVE-2021-28861-double-slash-path.patch
View File

@ -1,127 +0,0 @@
From 31dbe663f6c9ae68595dde9420381e065016ad6f Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith" <greg@krypto.org>
Date: Tue, 21 Jun 2022 13:16:57 -0700
Subject: [PATCH] gh-87389: Fix an open redirection vulnerability in
http.server. (GH-93879)
Fix an open redirection vulnerability in the `http.server` module when
an URI path starts with `//` that could produce a 301 Location header
with a misleading target. Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).
Test and comments authored by Gregory P. Smith [Google].
(cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
---
Lib/http/server.py | 7 +++
Lib/test/test_httpservers.py | 53 ++++++++++++++++++-
...2-06-15-20-09-23.gh-issue-87389.QVaC3f.rst | 3 ++
3 files changed, 61 insertions(+), 2 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst
diff --git a/Lib/http/server.py b/Lib/http/server.py
index 2d2300c2aeab..6bf9084341a6 100644
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -330,6 +330,13 @@ def parse_request(self):
return False
self.command, self.path = command, path
+ # gh-87389: The purpose of replacing '//' with '/' is to protect
+ # against open redirect attacks possibly triggered if the path starts
+ # with '//' because http clients treat //path as an absolute URI
+ # without scheme (similar to http://path) rather than a path.
+ if self.path.startswith('//'):
+ self.path = '/' + self.path.lstrip('/') # Reduce to a single /
+
# Examine the headers and look for a Connection directive.
try:
self.headers = http.client.parse_headers(self.rfile,
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
index c1494d29ca87..4acf7a6fea44 100644
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -331,7 +331,7 @@ class request_handler(NoLogRequestHandler, SimpleHTTPRequestHandler):
pass
def setUp(self):
- BaseTestCase.setUp(self)
+ super().setUp()
self.cwd = os.getcwd()
basetempdir = tempfile.gettempdir()
os.chdir(basetempdir)
@@ -359,7 +359,7 @@ def tearDown(self):
except:
pass
finally:
- BaseTestCase.tearDown(self)
+ super().tearDown()
def check_status_and_reason(self, response, status, data=None):
def close_conn():
@@ -415,6 +415,55 @@ def test_undecodable_filename(self):
self.check_status_and_reason(response, HTTPStatus.OK,
data=support.TESTFN_UNDECODABLE)
+ def test_get_dir_redirect_location_domain_injection_bug(self):
+ """Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.
+
+ //netloc/ in a Location header is a redirect to a new host.
+ https://github.com/python/cpython/issues/87389
+
+ This checks that a path resolving to a directory on our server cannot
+ resolve into a redirect to another server.
+ """
+ os.mkdir(os.path.join(self.tempdir, 'existing_directory'))
+ url = f'/python.org/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../{self.tempdir_name}/existing_directory'
+ expected_location = f'{url}/' # /python.org.../ single slash single prefix, trailing slash
+ # Canonicalizes to /tmp/tempdir_name/existing_directory which does
+ # exist and is a dir, triggering the 301 redirect logic.
+ response = self.request(url)
+ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
+ location = response.getheader('Location')
+ self.assertEqual(location, expected_location, msg='non-attack failed!')
+
+ # //python.org... multi-slash prefix, no trailing slash
+ attack_url = f'/{url}'
+ response = self.request(attack_url)
+ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
+ location = response.getheader('Location')
+ self.assertFalse(location.startswith('//'), msg=location)
+ self.assertEqual(location, expected_location,
+ msg='Expected Location header to start with a single / and '
+ 'end with a / as this is a directory redirect.')
+
+ # ///python.org... triple-slash prefix, no trailing slash
+ attack3_url = f'//{url}'
+ response = self.request(attack3_url)
+ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
+ self.assertEqual(response.getheader('Location'), expected_location)
+
+ # If the second word in the http request (Request-URI for the http
+ # method) is a full URI, we don't worry about it, as that'll be parsed
+ # and reassembled as a full URI within BaseHTTPRequestHandler.send_head
+ # so no errant scheme-less //netloc//evil.co/ domain mixup can happen.
+ attack_scheme_netloc_2slash_url = f'https://pypi.org/{url}'
+ expected_scheme_netloc_location = f'{attack_scheme_netloc_2slash_url}/'
+ response = self.request(attack_scheme_netloc_2slash_url)
+ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
+ location = response.getheader('Location')
+ # We're just ensuring that the scheme and domain make it through, if
+ # there are or aren't multiple slashes at the start of the path that
+ # follows that isn't important in this Location: header.
+ self.assertTrue(location.startswith('https://pypi.org/'), msg=location)
+
def test_get(self):
#constructs the path relative to the root directory of the HTTPServer
response = self.request(self.base_url + '/test')
diff --git a/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst b/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst
new file mode 100644
index 000000000000..029d437190de
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst
@@ -0,0 +1,3 @@
+:mod:`http.server`: Fix an open redirection vulnerability in the HTTP server
+when an URI path starts with ``//``. Vulnerability discovered, and initial
+fix proposed, by Hamza Avvan.

3
Python-3.9.13.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:125b0c598f1e15d2aa65406e83f792df7d171cdf38c16803b149994316a3080f
size 19754368

16
Python-3.9.13.tar.xz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmKDr+sACgkQsmmV4xAl
BWib8A/+I+Gm2Gjf1lTFasrDIQb68gus7q9MjgjWG7HRY64gGqDBq6VcNrhVg+3g
lGL0Xr6QHkFCIJVlobDAL4UgmNkO0+I2fNhUybKPGT6BOVa4IXHkuWlJX0OBRjY+
uOw7nCEyLzEA/FbwZXb+0PKJm74s3opjUbu9/9uY7QIqWIiD77UfQ61SDsnRLaQW
oEULPWFNLbdpMhTn7M/WVUwcxbyrCzjeFJ8rDiEbux3C1AhagTW49NTxOVW722yS
3mzjuYeyfXBIfaaU9ZHW6Z7B1hbuNVF0AvOcI3nKFUjHYs5hhchM7QnZhdFG6mMN
7REmBhssGkzWBtsWVbyChHhgVIqv81qUv6tywYMWaZtKfmrgzx2UNg9rx609c5gs
1dzXWBrh2PFWLUf8U1noSOEz/Q6/fbgdHFj4AUsr+c3zr74FNABbH5VOHS6QP79X
ic0a9+zBirrSVnLlsHkEO+aXju9ITcU/DUxPIUZxgmOImL4Vx1lsjYaw00csMzA3
YItkoMwp4Hi7+Tvr/jGaTpKpmW+r00LyQfTfQmst7STDVY9EjlC3Mk2hzqgtFx5Z
hzb4EtMQNSjwPCvSXVWFFZWsLRu70n81uWfnXRBX7tRAWZoxC44jiOGjEhTJwzs4
sZAhimk17t3agM0Jf0fTFMPly0mVLQMjbE7OK8GIgv/q4O5R5lc=
=RYbS
-----END PGP SIGNATURE-----

3
Python-3.9.14.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:651304d216c8203fe0adf1a80af472d8e92c3b0e0a7892222ae4d9f3ae4debcf
size 19750176

16
Python-3.9.14.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmMXib8ACgkQsmmV4xAl
BWiwtA/+LhNMVhCwNFNtDaxDLv2Pt43oX07ka9kuRau6WU0bicf4zBboQW2Ut9en
epdnw06klvOrb2wlxU4jeWdzuq5bNlhW3rVyT2npbRfYeXqsi/i+sY9eV5SFRPAM
eZrnCOkuWJxTy/XRQsPFbhE0bG+npoR80RpDtZ9EfjKyL2PSyOsvudKHjepcdHMi
tCzcmHwJbakD18g268RiDZsR8q7lSQW0c3OhOPwXfFV2Xh+jS8eEEcdp2QSBq/S9
+HIHEAYJWvAEtg9q3KMKDWOi5rd0Q6Cw4zcO8GI0HTCkNsnJmtLUJ4qTTZWOHC5t
M8Z0hzuXI9wK23GpxWuThuaMyQCW5HX8tBVuxaHNyWuJ4T6ID0eJJP4ijLNMXv4U
Q0MRbLYtIIagB8BsZtBnEIIsQ1k7THdJ5KAsWIjVaPe80yQWLOrmuXulJi+E4F/C
bBKcsFXC605xg5C3AQk58QXpyLDoPtLtRVVPtVi1aqpHCLRCikHA8kqwc7JQIf7v
p4VsfcNsYga/EF6FArdmVz8fOpQgItvhuHgMRWBZ35p/t9Ckbl7fJQB0PYfVKYWC
F+uNahFYvJ+gH96U6MddEzZlB0AHx3gfysBrgWXvgUAqvAZ/Vq6FiOf0jhFWUtb1
8b7sp8GSp7QzIP9U3J75sonXEAvNOA31vuKSJ2sKdxsIP9/KgZE=
=kQup
-----END PGP SIGNATURE-----

12
bpo-31046_ensurepip_honours_prefix.patch
View File

@ -55,7 +55,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
.. note::
--- a/Lib/ensurepip/__init__.py
+++ b/Lib/ensurepip/__init__.py
@@ -52,27 +52,27 @@ def _disable_pip_configuration_settings(
@@ -57,27 +57,27 @@ def _disable_pip_configuration_settings(
os.environ['PIP_CONFIG_FILE'] = os.devnull
@ -88,7 +88,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
Note that calling this function will alter both sys.path and os.environ.
"""
@@ -115,6 +115,8 @@ def _bootstrap(*, root=None, upgrade=Fal
@@ -120,6 +120,8 @@ def _bootstrap(*, root=None, upgrade=Fal
args = ["install", "--no-cache-dir", "--no-index", "--find-links", tmpdir]
if root:
args += ["--root", root]
@ -97,7 +97,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
if upgrade:
args += ["--upgrade"]
if user:
@@ -187,6 +189,11 @@ def _main(argv=None):
@@ -192,6 +194,11 @@ def _main(argv=None):
help="Install everything relative to this alternate root directory.",
)
parser.add_argument(
@ -109,7 +109,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
"--altinstall",
action="store_true",
default=False,
@@ -205,6 +212,7 @@ def _main(argv=None):
@@ -210,6 +217,7 @@ def _main(argv=None):
return _bootstrap(
root=args.root,
@ -139,7 +139,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
--- a/Makefile.pre.in
+++ b/Makefile.pre.in
@@ -1262,7 +1262,7 @@ install: @FRAMEWORKINSTALLFIRST@ commoni
@@ -1263,7 +1263,7 @@ install: @FRAMEWORKINSTALLFIRST@ commoni
install|*) ensurepip="" ;; \
esac; \
$(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \
@ -148,7 +148,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
fi
altinstall: commoninstall
@@ -1272,7 +1272,7 @@ altinstall: commoninstall
@@ -1273,7 +1273,7 @@ altinstall: commoninstall
install|*) ensurepip="--altinstall" ;; \
esac; \
$(RUNSHARED) $(PYTHON_FOR_BUILD) -m ensurepip \

41
python39.changes
View File

@ -1,3 +1,44 @@
-------------------------------------------------------------------
Sun Sep 11 08:49:43 UTC 2022 - Matej Cepl <mcepl@suse.com>
- Update to 3.9.14:
- (CVE-2020-10735, bsc#1203125). Converting between int
and str in bases other than 2 (binary), 4, 8 (octal), 16
(hexadecimal), or 32 such as base 10 (decimal) now raises a
ValueError if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the
algorithmic complexity.
This new limit can be configured or disabled by environment
variable, command line flag, or sys APIs. See the integer
string conversion length limitation documentation. The
default limit is 4300 digits in string form.
- Also other bug fixes:
- http.server: Fix an open redirection vulnerability in the
HTTP server when an URI path starts with //. Vulnerability
discovered, and initial fix proposed, by Hamza Avvan.
- Fix contextvars HAMT implementation to handle iteration
over deep trees. The bug was discovered and fixed by Eli
Libman. See MagicStack/immutables#84 for more details.
- Fix binding of unix socket to empty address on Linux to use
an available address from the abstract namespace, instead
of “0”.
- Suppress writing an XML declaration in open files
in ElementTree.write() with encoding='unicode' and
xml_declaration=None.
- Fix the formatting for await x and not x in the operator
precedence table when using the help() system.
- Fix ensurepip environment isolation for subprocess running
pip.
- Fix problem with test_ssl test_get_ciphers on systems that
require perfect forward secrecy (PFS) ciphers.
- test_ssl is now checking for supported TLS version and
protocols in more tests.
- Removed upstreamed patches:
- CVE-2021-28861-double-slash-path.patch
- Realign patches:
- bpo-31046_ensurepip_honours_prefix.patch
- sphinx-update-removed-function.patch
-------------------------------------------------------------------
Thu Sep 1 03:48:37 UTC 2022 - Steve Kowalik <steven.kowalik@suse.com>

8
python39.spec
View File

@ -57,7 +57,7 @@
%define tarversion %{version}
%endif
# We don't process beta signs well
%define folderversion 3.9.13
%define folderversion %{version}
%define tarname Python-%{tarversion}
%define sitedir %{_libdir}/python%{python_version}
# three possible ABI kinds: m - pymalloc, d - debug build; see PEP 3149
@ -93,7 +93,7 @@
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
%bcond_without profileopt
Name: %{python_pkg_name}%{psuffix}
Version: 3.9.13
Version: 3.9.14
Release: 0
Summary: Python 3 Interpreter
License: Python-2.0
@ -161,9 +161,6 @@ Patch35: support-expat-CVE-2022-25236-patched.patch
# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mcepl@suse.com
# avoid the command injection in the mailcap module.
Patch36: CVE-2015-20107-mailcap-unsafe-filenames.patch
# PATCH-FIX-UPSTREAM CVE-2021-28861 bsc#1202624 gh#python/cpython#94093
# Coerce // to / in Lib/http/server.py
Patch37: CVE-2021-28861-double-slash-path.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: fdupes
@ -423,7 +420,6 @@ other applications.
%endif
%patch35 -p1
%patch36 -p1
%patch37 -p1
# drop Autoconf version requirement
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac

2
sphinx-update-removed-function.patch
View File

@ -4,7 +4,7 @@
--- a/Doc/tools/extensions/pyspecific.py
+++ b/Doc/tools/extensions/pyspecific.py
@@ -362,7 +362,12 @@ class DeprecatedRemoved(Directive):
@@ -385,7 +385,12 @@ class DeprecatedRemoved(Directive):
translatable=False)
node.append(para)
env = self.state.document.settings.env