From c21db0430f0644097c92d190bc1918e1baa15b99605c096356bcb9fddadc5979 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Wed, 1 Mar 2023 22:00:56 +0000 Subject: [PATCH 1/3] - Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329, bsc#1208471) blocklists bypass via the urllib.parse component when supplying a URL that starts with blank characters OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=343 --- CVE-2023-24329-blank-URL-bypass.patch | 51 +++++++++++++++++++++++++++ python-base.changes | 7 ++++ python-base.spec | 5 +++ 3 files changed, 63 insertions(+) create mode 100644 CVE-2023-24329-blank-URL-bypass.patch diff --git a/CVE-2023-24329-blank-URL-bypass.patch b/CVE-2023-24329-blank-URL-bypass.patch new file mode 100644 index 0000000..dad85a7 --- /dev/null +++ b/CVE-2023-24329-blank-URL-bypass.patch @@ -0,0 +1,51 @@ +--- + Lib/test/test_urlparse.py | 20 ++++++++++ + Lib/urlparse.py | 2 - + Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs | 2 + + 3 files changed, 23 insertions(+), 1 deletion(-) + +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -592,6 +592,26 @@ class UrlParseTestCase(unittest.TestCase + self.assertEqual(p.netloc, "www.example.net:foo") + self.assertRaises(ValueError, lambda: p.port) + ++ def do_attributes_bad_scheme(self, bytes, parse, scheme): ++ url = scheme + "://www.example.net" ++ if bytes: ++ if url.isascii(): ++ url = url.encode("ascii") ++ else: ++ continue ++ p = parse(url) ++ if bytes: ++ self.assertEqual(p.scheme, b"") ++ else: ++ self.assertEqual(p.scheme, "") ++ ++ def test_attributes_bad_scheme(self): ++ """Check handling of invalid schemes.""" ++ for bytes in (False, True): ++ for parse in (urlparse.urlsplit, urlparse.urlparse): ++ for scheme in (".", "+", "-", "0", "http&", "६http"): ++ self.do_attributes_bad_scheme(bytes, parse, scheme) ++ + def test_attributes_without_netloc(self): + # This example is straight from RFC 3261. It looks like it + # should allow the username, hostname, and port to be filled +--- a/Lib/urlparse.py ++++ b/Lib/urlparse.py +@@ -211,7 +211,7 @@ def urlsplit(url, scheme='', allow_fragm + clear_cache() + netloc = query = fragment = '' + i = url.find(':') +- if i > 0: ++ if i > 0 and url[0].isascii() and url[0].isalpha(): + if url[:i] == 'http': # optimize the common case + scheme = url[:i].lower() + url = url[i+1:] +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs +@@ -0,0 +1,2 @@ ++Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin ++with a digit, a plus sign, or a minus sign to be parsed incorrectly. diff --git a/python-base.changes b/python-base.changes index f5173f6..8c408a2 100644 --- a/python-base.changes +++ b/python-base.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Mar 1 14:43:31 UTC 2023 - Matej Cepl + +- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329, + bsc#1208471) blocklists bypass via the urllib.parse component + when supplying a URL that starts with blank characters + ------------------------------------------------------------------- Fri Jan 27 15:00:21 UTC 2023 - Thorsten Kukuk diff --git a/python-base.spec b/python-base.spec index 6a2c985..1d6c63a 100644 --- a/python-base.spec +++ b/python-base.spec @@ -142,6 +142,10 @@ Patch73: CVE-2022-45061-DoS-by-IDNA-decode.patch # PATCH-FIX-UPSTREAM skip_unverified_test.patch mcepl@suse.com # switching verification off on the old SLE doesn't work Patch74: skip_unverified_test.patch +# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com +# blocklist bypass via the urllib.parse component when supplying +# a URL that starts with blank characters +Patch75: CVE-2023-24329-blank-URL-bypass.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -287,6 +291,7 @@ other applications. %if 0%{?sle_version} && 0%{?sle_version} < 150000 %patch74 -p1 %endif +%patch75 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar From 9f86e564dadb556c59bdc3794760d162ddf6f91894d353037efb5b50b2e53ec8 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Wed, 1 Mar 2023 22:01:21 +0000 Subject: [PATCH 2/3] - Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329, bsc#1208471) blocklists bypass via the urllib.parse component when supplying a URL that starts with blank characters OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=344 --- python-doc.changes | 12 ++++++++++++ python-doc.spec | 5 +++++ python.changes | 7 +++++++ python.spec | 5 +++++ 4 files changed, 29 insertions(+) diff --git a/python-doc.changes b/python-doc.changes index 6bba928..8c408a2 100644 --- a/python-doc.changes +++ b/python-doc.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Wed Mar 1 14:43:31 UTC 2023 - Matej Cepl + +- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329, + bsc#1208471) blocklists bypass via the urllib.parse component + when supplying a URL that starts with blank characters + +------------------------------------------------------------------- +Fri Jan 27 15:00:21 UTC 2023 - Thorsten Kukuk + +- Disable NIS for new products, it's deprecated and gets removed + ------------------------------------------------------------------- Thu Jan 19 07:14:09 UTC 2023 - Matej Cepl diff --git a/python-doc.spec b/python-doc.spec index 99b593a..190eee9 100644 --- a/python-doc.spec +++ b/python-doc.spec @@ -141,6 +141,10 @@ Patch73: CVE-2022-45061-DoS-by-IDNA-decode.patch # PATCH-FIX-UPSTREAM skip_unverified_test.patch mcepl@suse.com # switching verification off on the old SLE doesn't work Patch74: skip_unverified_test.patch +# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com +# blocklist bypass via the urllib.parse component when supplying +# a URL that starts with blank characters +Patch75: CVE-2023-24329-blank-URL-bypass.patch # COMMON-PATCH-END Provides: pyth_doc = %{version} Provides: pyth_ps = %{version} @@ -224,6 +228,7 @@ Python, and Macintosh Module Reference in PDF format. %if 0%{?sle_version} && 0%{?sle_version} < 150000 %patch74 -p1 %endif +%patch75 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar diff --git a/python.changes b/python.changes index f5173f6..8c408a2 100644 --- a/python.changes +++ b/python.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Mar 1 14:43:31 UTC 2023 - Matej Cepl + +- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329, + bsc#1208471) blocklists bypass via the urllib.parse component + when supplying a URL that starts with blank characters + ------------------------------------------------------------------- Fri Jan 27 15:00:21 UTC 2023 - Thorsten Kukuk diff --git a/python.spec b/python.spec index f5621a0..f2202ba 100644 --- a/python.spec +++ b/python.spec @@ -141,6 +141,10 @@ Patch73: CVE-2022-45061-DoS-by-IDNA-decode.patch # PATCH-FIX-UPSTREAM skip_unverified_test.patch mcepl@suse.com # switching verification off on the old SLE doesn't work Patch74: skip_unverified_test.patch +# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mcepl@suse.com +# blocklist bypass via the urllib.parse component when supplying +# a URL that starts with blank characters +Patch75: CVE-2023-24329-blank-URL-bypass.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -342,6 +346,7 @@ that rely on earlier non-verification behavior. %if 0%{?sle_version} && 0%{?sle_version} < 150000 %patch74 -p1 %endif +%patch75 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar From b60b8e8937e13ff1666e0f2c0547c0f8cb19634acc906af9b6ad2fc8ccbf661c Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Thu, 2 Mar 2023 15:36:10 +0000 Subject: [PATCH 3/3] Create isascii() shim for missing str.isascii(). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=345 --- CVE-2023-24329-blank-URL-bypass.patch | 63 ++++++++++++++++++++------- 1 file changed, 48 insertions(+), 15 deletions(-) diff --git a/CVE-2023-24329-blank-URL-bypass.patch b/CVE-2023-24329-blank-URL-bypass.patch index dad85a7..aadfe6a 100644 --- a/CVE-2023-24329-blank-URL-bypass.patch +++ b/CVE-2023-24329-blank-URL-bypass.patch @@ -1,22 +1,30 @@ --- - Lib/test/test_urlparse.py | 20 ++++++++++ - Lib/urlparse.py | 2 - - Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs | 2 + - 3 files changed, 23 insertions(+), 1 deletion(-) + Lib/test/test_urlparse.py | 21 ++++++++++ + Lib/urlparse.py | 9 +++- + Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs | 2 + 3 files changed, 30 insertions(+), 2 deletions(-) ---- a/Lib/test/test_urlparse.py -+++ b/Lib/test/test_urlparse.py -@@ -592,6 +592,26 @@ class UrlParseTestCase(unittest.TestCase +Index: Python-2.7.18/Lib/test/test_urlparse.py +=================================================================== +--- Python-2.7.18.orig/Lib/test/test_urlparse.py ++++ Python-2.7.18/Lib/test/test_urlparse.py +@@ -1,4 +1,5 @@ + from test import test_support ++from urlparse import isascii + import sys + import unicodedata + import unittest +@@ -592,6 +593,26 @@ class UrlParseTestCase(unittest.TestCase self.assertEqual(p.netloc, "www.example.net:foo") self.assertRaises(ValueError, lambda: p.port) + def do_attributes_bad_scheme(self, bytes, parse, scheme): + url = scheme + "://www.example.net" + if bytes: -+ if url.isascii(): ++ if isascii(url): + url = url.encode("ascii") + else: -+ continue ++ return + p = parse(url) + if bytes: + self.assertEqual(p.scheme, b"") @@ -27,25 +35,50 @@ + """Check handling of invalid schemes.""" + for bytes in (False, True): + for parse in (urlparse.urlsplit, urlparse.urlparse): -+ for scheme in (".", "+", "-", "0", "http&", "६http"): ++ for scheme in (".", "+", "-", "0", "http&"): + self.do_attributes_bad_scheme(bytes, parse, scheme) + def test_attributes_without_netloc(self): # This example is straight from RFC 3261. It looks like it # should allow the username, hostname, and port to be filled ---- a/Lib/urlparse.py -+++ b/Lib/urlparse.py -@@ -211,7 +211,7 @@ def urlsplit(url, scheme='', allow_fragm +Index: Python-2.7.18/Lib/urlparse.py +=================================================================== +--- Python-2.7.18.orig/Lib/urlparse.py ++++ Python-2.7.18/Lib/urlparse.py +@@ -31,7 +31,8 @@ test_urlparse.py provides a good indicat + import re + + __all__ = ["urlparse", "urlunparse", "urljoin", "urldefrag", +- "urlsplit", "urlunsplit", "parse_qs", "parse_qsl"] ++ "urlsplit", "urlunsplit", "parse_qs", "parse_qsl", ++ "isascii"] + + # A classification of schemes ('' means apply by default) + uses_relative = ['ftp', 'http', 'gopher', 'nntp', 'imap', +@@ -68,6 +69,10 @@ _UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r + MAX_CACHE_SIZE = 20 + _parse_cache = {} + ++# Py3k shim ++def isascii(word): ++ return all([ord(c) < 128 for c in word]) ++ + def clear_cache(): + """Clear the parse cache.""" + _parse_cache.clear() +@@ -211,7 +216,7 @@ def urlsplit(url, scheme='', allow_fragm clear_cache() netloc = query = fragment = '' i = url.find(':') - if i > 0: -+ if i > 0 and url[0].isascii() and url[0].isalpha(): ++ if i > 0 and isascii(url[0]) and url[0].isalpha(): if url[:i] == 'http': # optimize the common case scheme = url[:i].lower() url = url[i+1:] +Index: Python-2.7.18/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs +=================================================================== --- /dev/null -+++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs ++++ Python-2.7.18/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs @@ -0,0 +1,2 @@ +Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin +with a digit, a plus sign, or a minus sign to be parsed incorrectly.