Accepting request 772516 from devel:languages:python:Factory

- Add CVE-2019-9674-zip-bomb.patch to improve documentation warning about dangers of zip-bombs and other security problems with zipfile library. (bsc#1162825 CVE-2019-9674) - Change to Requires: libpython%{so_version} == %{version}-%{release} to python-base to keep both packages always synchronized (add %{so_version}) (bsc#1162224). OBS-URL: https://build.opensuse.org/request/show/772516 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=149
2020-02-15 21:23:53 +00:00 · 2020-02-15 21:23:53 +00:00 · 5e971de0be
commit 5e971de0be
parent 59fa2831c6 4269d11262
8 changed files with 184 additions and 2 deletions
--- a/CVE-2019-9674-zip-bomb.patch
+++ b/CVE-2019-9674-zip-bomb.patch
@ -0,0 +1,69 @@
+From b73fe12d4d85fc92e4b9658e417046b68fb68ecc Mon Sep 17 00:00:00 2001
+From: nick sung <sungboss2004@gmail.com>
+Date: Fri, 17 May 2019 15:45:31 +0800
+Subject: [PATCH 1/4] bpo-36260: Add pitfalls to zipfile module documentation
+
+We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file.
+This gave us the idea of documentation improvement.
+
+So, we moved a little bit forward :P
+And the doc patch can be found (pr).
+---
+ Doc/library/zipfile.rst | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+--- a/Doc/library/zipfile.rst
+++ b/Doc/library/zipfile.rst
+@@ -553,5 +553,47 @@ Command-line options
+ 
+    Test whether the zipfile is valid or not.
+ 
+Decompression pitfalls
+----------------------
+ 
+The extraction in zipfile module might fail due to some pitfalls
+listed below.
+
+From file itself
+~~~~~~~~~~~~~~~~
+
+Decompression may fail due to incorrect password / CRC checksum
+/ ZIP format or unsupported compression method / decryption.
+
+File System limitations
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Exceeding limitations on different file systems can cause
+decompression failed. Such as allowable characters in the
+directory entries, length of the file name, length of the
+pathname, size of a single file, and number of files, etc.
+
+Resources limitations
+~~~~~~~~~~~~~~~~~~~~~
+
+The lack of memory or disk volume would lead to decompression
+failed. For example, decompression bombs (aka `ZIP bomb`_) apply
+to zipfile library that can cause disk volume exhaustion.
+
+Interruption
+~~~~~~~~~~~~
+
+Interruption during the decompression, such as pressing control-C
+or killing the decompression process may result in incomplete
+decompression of the archive.
+
+Default behaviors of extraction
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Not knowing the default extraction behaviors can cause unexpected
+decompression results. For example, when extracting the same
+archive twice, it overwrites files without asking.
+
+
+.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
+ .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
+--- /dev/null
+++ b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
+@@ -0,0 +1 @@
+Add decompression pitfalls to zipfile module documentation.
+\ No newline at end of file
--- a/CVE-2020-8492-urllib-ReDoS.patch
+++ b/CVE-2020-8492-urllib-ReDoS.patch
@ -0,0 +1,35 @@
+From 34e25a97709a05f7c804036dd1e16afda6bdfa33 Mon Sep 17 00:00:00 2001
+From: Victor Stinner <vstinner@python.org>
+Date: Thu, 30 Jan 2020 16:13:03 +0100
+Subject: [PATCH 1/2] bpo-39503: Fix urllib basic auth regex
+
+The AbstractBasicAuthHandler class of the urllib.request module uses
+an inefficient regular expression which can be exploited by an
+attacker to cause a denial of service. Fix the regex to prevent the
+catastrophic backtracking.
+
+Vulnerability reported by Matt Schwager.
+---
+ Lib/urllib2.py                                                     |    2 +-
+ Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst |    4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+@@ -0,0 +1,4 @@
+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
+:mod:`urllib.request` module uses an inefficient regular expression which can
+be exploited by an attacker to cause a denial of service. Fix the regex to
+prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager.
+--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
+@@ -856,7 +856,7 @@ class AbstractBasicAuthHandler:
+ 
+     # allow for double- and single-quoted realm values
+     # (single quotes are a violation of the RFC, but appear in the wild)
+-    rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
+    rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+'
+                     'realm=(["\']?)([^"\']*)\\2', re.I)
+ 
+     # XXX could pre-emptively send auth info already accepted (RFC 2617,
--- a/python-base.changes
+++ b/python-base.changes
@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Sat Feb  8 23:29:28 CET 2020 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2019-9674-zip-bomb.patch to improve documentation
+  warning about dangers of zip-bombs and other security problems
+  with zipfile library. (bsc#1162825 CVE-2019-9674)
+
+-------------------------------------------------------------------
+Sat Feb  8 22:30:51 CET 2020 - Matej Cepl <mcepl@suse.com>
+
+- Change to Requires: libpython%{so_version} == %{version}-%{release}
+  to python-base to keep both packages always synchronized (add
+  %{so_version}) (bsc#1162224).
+
+-------------------------------------------------------------------
+Thu Feb  6 23:14:47 CET 2020 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
+  "Python urrlib allowed an HTTP server to conduct Regular
+  Expression Denial of Service (ReDoS)" (bsc#1162367)
+
 -------------------------------------------------------------------
 Mon Feb  3 19:30:31 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

--- a/python-base.spec
+++ b/python-base.spec
@ -16,6 +16,8 @@
 #


+%define so_version 2_7-1_0
+
 Name:           python-base
 Version:        2.7.17
 Release:        0
@ -85,6 +87,13 @@ Patch55:        bpo36302-sort-module-sources.patch
 Patch56:        adapted-from-F00251-change-user-install-location.patch
 # Switch couple of tests failing on acient SLE-12
 Patch57:        python-2.7.17-switch-off-failing-SSL-tests.patch
+# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 mcepl@suse.com
+# Fixes Python urrlib allowed an HTTP server to conduct Regular
+# Expression Denial of Service (ReDoS)
+Patch58:        CVE-2020-8492-urllib-ReDoS.patch
+# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mcepl@suse.com
+# Improve documentation warning against the possible zip bombs
+Patch59:        CVE-2019-9674-zip-bomb.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@ -101,7 +110,7 @@ BuildRequires:  zlib-devel
 BuildRequires:  netcfg
 Requires:       python-rpm-macros
 # explicitly, see bnc#697251:
-Requires:       libpython2_7-1_0 = %{version}
+Requires:       libpython%{so_version} = %{version}-%{release}
 Provides:       %{name} = %{python_version}
 # bug437293
 %ifarch ppc64
@ -157,7 +166,7 @@ Provides:       python2-xml = %{version}
 The expat module is a Python interface to the expat XML parser. Since
 Python2.x, it is part of the core Python distribution.

-%package -n libpython2_7-1_0
+%package -n libpython%{so_version}
 Summary:        Python Interpreter shared library
 Group:          Development/Languages/Python

@ -208,6 +217,8 @@ other applications.
 %patch51 -p1
 %patch55 -p1
 %patch56 -p1
+%patch58 -p1
+%patch59 -p1

 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
--- a/python-doc.changes
+++ b/python-doc.changes
@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Sat Feb  8 22:30:51 CET 2020 - Matej Cepl <mcepl@suse.com>
+
+- Change to Requires: libpython%{so_version} == %{version}-%{release}
+  to python-base to keep both packages always synchronized (add
+  %{so_version}) (bsc#1162224).
+
+-------------------------------------------------------------------
+Thu Feb  6 23:14:47 CET 2020 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
+  "Python urrlib allowed an HTTP server to conduct Regular
+  Expression Denial of Service (ReDoS)" (bsc#1162367)
+
 -------------------------------------------------------------------
 Mon Feb  3 19:30:31 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

--- a/python-doc.spec
+++ b/python-doc.spec
@ -85,6 +85,13 @@ Patch55:        bpo36302-sort-module-sources.patch
 Patch56:        adapted-from-F00251-change-user-install-location.patch
 # Switch couple of tests failing on acient SLE-12
 Patch57:        python-2.7.17-switch-off-failing-SSL-tests.patch
+# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 mcepl@suse.com
+# Fixes Python urrlib allowed an HTTP server to conduct Regular
+# Expression Denial of Service (ReDoS)
+Patch58:        CVE-2020-8492-urllib-ReDoS.patch
+# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mcepl@suse.com
+# Improve documentation warning against the possible zip bombs
+Patch59:        CVE-2019-9674-zip-bomb.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc
 Provides:       pyth_ps
@ -149,6 +156,8 @@ Python, and Macintosh Module Reference in PDF format.
 %patch51 -p1
 %patch55 -p1
 %patch56 -p1
+%patch58 -p1
+%patch59 -p1

 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
--- a/python.changes
+++ b/python.changes
@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Sat Feb  8 22:30:51 CET 2020 - Matej Cepl <mcepl@suse.com>
+
+- Change to Requires: libpython%{so_version} == %{version}-%{release}
+  to python-base to keep both packages always synchronized (add
+  %{so_version}) (bsc#1162224).
+
+-------------------------------------------------------------------
+Thu Feb  6 23:14:47 CET 2020 - Matej Cepl <mcepl@suse.com>
+
+- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug
+  "Python urrlib allowed an HTTP server to conduct Regular
+  Expression Denial of Service (ReDoS)" (bsc#1162367)
+
 -------------------------------------------------------------------
 Mon Feb  3 19:30:31 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

--- a/python.spec
+++ b/python.spec
@ -89,6 +89,13 @@ Patch55:        bpo36302-sort-module-sources.patch
 Patch56:        adapted-from-F00251-change-user-install-location.patch
 # Switch couple of tests failing on acient SLE-12
 Patch57:        python-2.7.17-switch-off-failing-SSL-tests.patch
+# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 mcepl@suse.com
+# Fixes Python urrlib allowed an HTTP server to conduct Regular
+# Expression Denial of Service (ReDoS)
+Patch58:        CVE-2020-8492-urllib-ReDoS.patch
+# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mcepl@suse.com
+# Improve documentation warning against the possible zip bombs
+Patch59:        CVE-2019-9674-zip-bomb.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@ -267,6 +274,8 @@ that rely on earlier non-verification behavior.
 %patch51 -p1
 %patch55 -p1
 %patch56 -p1
+%patch58 -p1
+%patch59 -p1

 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac