diff --git a/CVE-2019-9674-zip-bomb.patch b/CVE-2019-9674-zip-bomb.patch new file mode 100644 index 0000000..1ea9d99 --- /dev/null +++ b/CVE-2019-9674-zip-bomb.patch @@ -0,0 +1,69 @@ +From b73fe12d4d85fc92e4b9658e417046b68fb68ecc Mon Sep 17 00:00:00 2001 +From: nick sung +Date: Fri, 17 May 2019 15:45:31 +0800 +Subject: [PATCH 1/4] bpo-36260: Add pitfalls to zipfile module documentation + +We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file. +This gave us the idea of documentation improvement. + +So, we moved a little bit forward :P +And the doc patch can be found (pr). +--- + Doc/library/zipfile.rst | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +--- a/Doc/library/zipfile.rst ++++ b/Doc/library/zipfile.rst +@@ -553,5 +553,47 @@ Command-line options + + Test whether the zipfile is valid or not. + ++Decompression pitfalls ++---------------------- + ++The extraction in zipfile module might fail due to some pitfalls ++listed below. ++ ++From file itself ++~~~~~~~~~~~~~~~~ ++ ++Decompression may fail due to incorrect password / CRC checksum ++/ ZIP format or unsupported compression method / decryption. ++ ++File System limitations ++~~~~~~~~~~~~~~~~~~~~~~~ ++ ++Exceeding limitations on different file systems can cause ++decompression failed. Such as allowable characters in the ++directory entries, length of the file name, length of the ++pathname, size of a single file, and number of files, etc. ++ ++Resources limitations ++~~~~~~~~~~~~~~~~~~~~~ ++ ++The lack of memory or disk volume would lead to decompression ++failed. For example, decompression bombs (aka `ZIP bomb`_) apply ++to zipfile library that can cause disk volume exhaustion. ++ ++Interruption ++~~~~~~~~~~~~ ++ ++Interruption during the decompression, such as pressing control-C ++or killing the decompression process may result in incomplete ++decompression of the archive. ++ ++Default behaviors of extraction ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++ ++Not knowing the default extraction behaviors can cause unexpected ++decompression results. For example, when extracting the same ++archive twice, it overwrites files without asking. ++ ++ ++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb + .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT +--- /dev/null ++++ b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst +@@ -0,0 +1 @@ ++Add decompression pitfalls to zipfile module documentation. +\ No newline at end of file diff --git a/CVE-2020-8492-urllib-ReDoS.patch b/CVE-2020-8492-urllib-ReDoS.patch new file mode 100644 index 0000000..927cba3 --- /dev/null +++ b/CVE-2020-8492-urllib-ReDoS.patch @@ -0,0 +1,35 @@ +From 34e25a97709a05f7c804036dd1e16afda6bdfa33 Mon Sep 17 00:00:00 2001 +From: Victor Stinner +Date: Thu, 30 Jan 2020 16:13:03 +0100 +Subject: [PATCH 1/2] bpo-39503: Fix urllib basic auth regex + +The AbstractBasicAuthHandler class of the urllib.request module uses +an inefficient regular expression which can be exploited by an +attacker to cause a denial of service. Fix the regex to prevent the +catastrophic backtracking. + +Vulnerability reported by Matt Schwager. +--- + Lib/urllib2.py | 2 +- + Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst + +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst +@@ -0,0 +1,4 @@ ++CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the ++:mod:`urllib.request` module uses an inefficient regular expression which can ++be exploited by an attacker to cause a denial of service. Fix the regex to ++prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager. +--- a/Lib/urllib2.py ++++ b/Lib/urllib2.py +@@ -856,7 +856,7 @@ class AbstractBasicAuthHandler: + + # allow for double- and single-quoted realm values + # (single quotes are a violation of the RFC, but appear in the wild) +- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+' ++ rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+' + 'realm=(["\']?)([^"\']*)\\2', re.I) + + # XXX could pre-emptively send auth info already accepted (RFC 2617, diff --git a/python-base.changes b/python-base.changes index 48fd0c3..272fae2 100644 --- a/python-base.changes +++ b/python-base.changes @@ -1,3 +1,24 @@ +------------------------------------------------------------------- +Sat Feb 8 23:29:28 CET 2020 - Matej Cepl + +- Add CVE-2019-9674-zip-bomb.patch to improve documentation + warning about dangers of zip-bombs and other security problems + with zipfile library. (bsc#1162825 CVE-2019-9674) + +------------------------------------------------------------------- +Sat Feb 8 22:30:51 CET 2020 - Matej Cepl + +- Change to Requires: libpython%{so_version} == %{version}-%{release} + to python-base to keep both packages always synchronized (add + %{so_version}) (bsc#1162224). + +------------------------------------------------------------------- +Thu Feb 6 23:14:47 CET 2020 - Matej Cepl + +- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug + "Python urrlib allowed an HTTP server to conduct Regular + Expression Denial of Service (ReDoS)" (bsc#1162367) + ------------------------------------------------------------------- Mon Feb 3 19:30:31 UTC 2020 - Tomáš Chvátal diff --git a/python-base.spec b/python-base.spec index 1a6689b..39396d2 100644 --- a/python-base.spec +++ b/python-base.spec @@ -16,6 +16,8 @@ # +%define so_version 2_7-1_0 + Name: python-base Version: 2.7.17 Release: 0 @@ -85,6 +87,13 @@ Patch55: bpo36302-sort-module-sources.patch Patch56: adapted-from-F00251-change-user-install-location.patch # Switch couple of tests failing on acient SLE-12 Patch57: python-2.7.17-switch-off-failing-SSL-tests.patch +# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 mcepl@suse.com +# Fixes Python urrlib allowed an HTTP server to conduct Regular +# Expression Denial of Service (ReDoS) +Patch58: CVE-2020-8492-urllib-ReDoS.patch +# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mcepl@suse.com +# Improve documentation warning against the possible zip bombs +Patch59: CVE-2019-9674-zip-bomb.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -101,7 +110,7 @@ BuildRequires: zlib-devel BuildRequires: netcfg Requires: python-rpm-macros # explicitly, see bnc#697251: -Requires: libpython2_7-1_0 = %{version} +Requires: libpython%{so_version} = %{version}-%{release} Provides: %{name} = %{python_version} # bug437293 %ifarch ppc64 @@ -157,7 +166,7 @@ Provides: python2-xml = %{version} The expat module is a Python interface to the expat XML parser. Since Python2.x, it is part of the core Python distribution. -%package -n libpython2_7-1_0 +%package -n libpython%{so_version} Summary: Python Interpreter shared library Group: Development/Languages/Python @@ -208,6 +217,8 @@ other applications. %patch51 -p1 %patch55 -p1 %patch56 -p1 +%patch58 -p1 +%patch59 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac diff --git a/python-doc.changes b/python-doc.changes index 48fd0c3..b935f47 100644 --- a/python-doc.changes +++ b/python-doc.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Sat Feb 8 22:30:51 CET 2020 - Matej Cepl + +- Change to Requires: libpython%{so_version} == %{version}-%{release} + to python-base to keep both packages always synchronized (add + %{so_version}) (bsc#1162224). + +------------------------------------------------------------------- +Thu Feb 6 23:14:47 CET 2020 - Matej Cepl + +- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug + "Python urrlib allowed an HTTP server to conduct Regular + Expression Denial of Service (ReDoS)" (bsc#1162367) + ------------------------------------------------------------------- Mon Feb 3 19:30:31 UTC 2020 - Tomáš Chvátal diff --git a/python-doc.spec b/python-doc.spec index 2a9d992..12bd25a 100644 --- a/python-doc.spec +++ b/python-doc.spec @@ -85,6 +85,13 @@ Patch55: bpo36302-sort-module-sources.patch Patch56: adapted-from-F00251-change-user-install-location.patch # Switch couple of tests failing on acient SLE-12 Patch57: python-2.7.17-switch-off-failing-SSL-tests.patch +# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 mcepl@suse.com +# Fixes Python urrlib allowed an HTTP server to conduct Regular +# Expression Denial of Service (ReDoS) +Patch58: CVE-2020-8492-urllib-ReDoS.patch +# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mcepl@suse.com +# Improve documentation warning against the possible zip bombs +Patch59: CVE-2019-9674-zip-bomb.patch # COMMON-PATCH-END Provides: pyth_doc Provides: pyth_ps @@ -149,6 +156,8 @@ Python, and Macintosh Module Reference in PDF format. %patch51 -p1 %patch55 -p1 %patch56 -p1 +%patch58 -p1 +%patch59 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac diff --git a/python.changes b/python.changes index 48fd0c3..b935f47 100644 --- a/python.changes +++ b/python.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Sat Feb 8 22:30:51 CET 2020 - Matej Cepl + +- Change to Requires: libpython%{so_version} == %{version}-%{release} + to python-base to keep both packages always synchronized (add + %{so_version}) (bsc#1162224). + +------------------------------------------------------------------- +Thu Feb 6 23:14:47 CET 2020 - Matej Cepl + +- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug + "Python urrlib allowed an HTTP server to conduct Regular + Expression Denial of Service (ReDoS)" (bsc#1162367) + ------------------------------------------------------------------- Mon Feb 3 19:30:31 UTC 2020 - Tomáš Chvátal diff --git a/python.spec b/python.spec index 9ab49f0..1fb2188 100644 --- a/python.spec +++ b/python.spec @@ -89,6 +89,13 @@ Patch55: bpo36302-sort-module-sources.patch Patch56: adapted-from-F00251-change-user-install-location.patch # Switch couple of tests failing on acient SLE-12 Patch57: python-2.7.17-switch-off-failing-SSL-tests.patch +# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 mcepl@suse.com +# Fixes Python urrlib allowed an HTTP server to conduct Regular +# Expression Denial of Service (ReDoS) +Patch58: CVE-2020-8492-urllib-ReDoS.patch +# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 mcepl@suse.com +# Improve documentation warning against the possible zip bombs +Patch59: CVE-2019-9674-zip-bomb.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -267,6 +274,8 @@ that rely on earlier non-verification behavior. %patch51 -p1 %patch55 -p1 %patch56 -p1 +%patch58 -p1 +%patch59 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac