From bfca21eba637bd21b840eea94ad2dc03fca1232812a30d3e80f97d6868642c9b Mon Sep 17 00:00:00 2001
From: Matej Cepl
Date: Mon, 20 Jul 2020 15:54:49 +0000
Subject: [PATCH] Don't fool with base64

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=16
---
 CVE-2019-20907_tarfile-inf-loop.patch | 13 -------------
 python39.spec | 5 ++++-
 recursion.tar | Bin 0 -> 516 bytes
 3 files changed, 4 insertions(+), 14 deletions(-)
 create mode 100644 recursion.tar

diff --git a/CVE-2019-20907_tarfile-inf-loop.patch b/CVE-2019-20907_tarfile-inf-loop.patch
index 79e62a2..eb9790f 100644
--- a/CVE-2019-20907_tarfile-inf-loop.patch
+++ b/CVE-2019-20907_tarfile-inf-loop.patch
@@ -41,16 +41,3 @@ Add a check for length = 0 in the _proc_pax function to avoid running into an in
 +++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
 @@ -0,0 +1 @@
 +Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
---- /dev/null
-+++ b/Lib/test/recursion.tar.asc
-@@ -0,0 +1,10 @@
-+YmNhbGxlcgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAAAAAAAMAAAAAAA
-+AAAwAAAAAAAAADEAAAAAAAAAAAAAADAAAAAAAAAAAAAAADAwMjc1NQAgZwAAAAAAAAAAAAAAAAAA
-+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwMAAAAAAAAAAAAAAAAAAAAAAAAAAA
-+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAAAAAADAAAAAA
-+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAw
-+IFg9
diff --git a/python39.spec b/python39.spec
index 0589b07..a69c741 100644
--- a/python39.spec
+++ b/python39.spec
@@ -102,6 +102,8 @@ Source10: pre_checkin.sh
 Source11: skipped_tests.py
 Source19: idle3.desktop
 Source20: idle3.appdata.xml
+# For Patch 32
+Source32: recursion.tar
 Source99: python.keyring
 # The following files are not used in the build.
 # They are listed here to work around missing functionality in rpmbuild,
@@ -140,6 +142,7 @@ Patch29: bpo-31046_ensurepip_honours_prefix.patch
 Patch31: bsc1167501-invalid-alignment.patch
 # PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com
 # avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907)
+# REQUIRES SOURCE 32
 Patch32: CVE-2019-20907_tarfile-inf-loop.patch
 BuildRequires: automake
 BuildRequires: fdupes
@@ -397,7 +400,7 @@ other applications.
 %patch32 -p1
 # For patch 32
-python3 -mbase64 -d Lib/test/recursion.tar.asc > Lib/test/recursion.tar
+cp -v %{SOURCE32} Lib/test/recursion.tar
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
diff --git a/recursion.tar b/recursion.tar
new file mode 100644
index 0000000000000000000000000000000000000000000000000000000000000000..e1d2b905523c3ae157706f237042c8e26e90d41494b2b930a3afa5fb21f8aaaf
GIT binary patch
literal 516
zcmYdFPRz+kEn=W0Fn}74P8%Xw3X=l~85kIuo0>8xq$A1Gm}!7)KUsFc41m#O8A5+e
I1_}|j06>QaCIA2c

literal 0
HcmV?d00001
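Review bot: The new `Source32: recursion.tar` is a deliberately malformed archive — it exists only so the patched test suite can reproduce the CVE-2019-20907 pax-header loop — yet the spec records neither where the bytes come from nor that they are expected to match the `Lib/test/recursion.tar.asc` payload the patch previously decoded with `python3 -mbase64 -d`. Because the fixture is now opaque binary rather than reviewable base64 text, its provenance should be written next to the source line in the first hunk, e.g. `# Upstream test fixture for bpo-39017 (CVE-2019-20907); intentionally malformed tar, do not unpack`. In the third hunk, `cp -v %{SOURCE32} Lib/test/recursion.tar` presumably has to follow `%patch32 -p1` because the patched test expects the file at that path, but the comment `# For patch 32` does not say so; `# must run after %patch32, which adds the test that reads this file` would make the ordering explicit. The enclosing `%prep` section starts and ends outside the hunk.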