From 3b6fb6241d9a2efe81bdb60aeabcbf8a422a4aa7a8961beee27b1c1c9766f41b Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Sat, 18 May 2024 16:51:08 +0000 Subject: [PATCH 1/3] - bsc#1221854 (CVE-2024-0450) Add CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=416 --- ...zipfile-avoid-quoted-overlap-zipbomb.patch | 144 ++++++++++++++++++ python-base.changes | 8 + python-base.spec | 4 + python-doc.changes | 8 + python-doc.spec | 4 + python.changes | 8 + python.spec | 4 + 7 files changed, 180 insertions(+) create mode 100644 CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch diff --git a/CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch b/CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch new file mode 100644 index 0000000..5eb04c7 --- /dev/null +++ b/CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch 
@@ -0,0 +1,144 @@ +From d8877aaabe9aa5d9b9904c222c552f3c6a85017c Mon Sep 17 00:00:00 2001 +From: Serhiy Storchaka +Date: Wed, 17 Jan 2024 15:41:50 +0200 +Subject: [PATCH] [CVE-2024-0450] Protect zipfile from "quoted-overlap" zipbomb + +Raise BadZipFile when try to read an entry that overlaps with +other entry or central directory. +(cherry picked from commit 66363b9a7b9fe7c99eba3a185b74c5fdbf842eba) + +From-PR: gh#python/cpython!110016 +Fixes: gh#python/cpython#109858 +Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch +--- + Lib/test/test_zipfile.py | 61 ++++++++++ + Lib/zipfile.py | 12 + + Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst | 3 + 3 files changed, 76 insertions(+) + create mode 100644 Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst + +--- a/Lib/test/test_zipfile.py ++++ b/Lib/test/test_zipfile.py +@@ -11,6 +11,7 @@ import unittest + + from tempfile import TemporaryFile + from random import randint, random, getrandbits ++from unittest import mock + + from test.support import (TESTFN, findfile, unlink, rmtree, + requires_zlib, requires_bz2, requires_lzma, +@@ -1556,6 +1557,66 @@ class AbstractTestsWithRandomBinaryFiles + with open(TESTFN, "wb") as fp: + fp.write(self.data) + ++ @requires_zlib ++ def test_full_overlap(self): ++ data = ( ++ b'PK\x03\x04\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2\x1e' ++ b'8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00\x00\x00a\xed' ++ b'\xc0\x81\x08\x00\x00\x00\xc00\xd6\xfbK\\d\x0b`P' ++ b'K\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2' ++ b'\x1e8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00\x00\x00\x00' ++ b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00aPK' ++ b'\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2\x1e' ++ b'8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00\x00\x00\x00\x00' ++ b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00bPK\x05' ++ b'\x06\x00\x00\x00\x00\x02\x00\x02\x00^\x00\x00\x00/\x00\x00' ++ b'\x00\x00\x00' ++ ) ++ with 
zipfile.ZipFile(io.BytesIO(data), 'r') as zipf: ++ self.assertEqual(zipf.namelist(), ['a', 'b']) ++ zi = zipf.getinfo('a') ++ self.assertEqual(zi.header_offset, 0) ++ self.assertEqual(zi.compress_size, 16) ++ self.assertEqual(zi.file_size, 1033) ++ zi = zipf.getinfo('b') ++ self.assertEqual(zi.header_offset, 0) ++ self.assertEqual(zi.compress_size, 16) ++ self.assertEqual(zi.file_size, 1033) ++ self.assertEqual(len(zipf.read('a')), 1033) ++ with self.assertRaisesRegex(zipfile.BadZipFile, 'File name.*differ'): ++ zipf.read('b') ++ ++ @requires_zlib ++ def test_quoted_overlap(self): ++ data = ( ++ b'PK\x03\x04\x14\x00\x00\x00\x08\x00\xa0lH\x05Y\xfc' ++ b'8\x044\x00\x00\x00(\x04\x00\x00\x01\x00\x00\x00a\x00' ++ b'\x1f\x00\xe0\xffPK\x03\x04\x14\x00\x00\x00\x08\x00\xa0l' ++ b'H\x05\xe2\x1e8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00' ++ b'\x00\x00b\xed\xc0\x81\x08\x00\x00\x00\xc00\xd6\xfbK\\' ++ b'd\x0b`PK\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0' ++ b'lH\x05Y\xfc8\x044\x00\x00\x00(\x04\x00\x00\x01' ++ b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' ++ b'\x00aPK\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\xa0l' ++ b'H\x05\xe2\x1e8\xbb\x10\x00\x00\x00\t\x04\x00\x00\x01\x00' ++ b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x00\x00' ++ b'bPK\x05\x06\x00\x00\x00\x00\x02\x00\x02\x00^\x00\x00' ++ b'\x00S\x00\x00\x00\x00\x00' ++ ) ++ with zipfile.ZipFile(io.BytesIO(data), 'r') as zipf: ++ self.assertEqual(zipf.namelist(), ['a', 'b']) ++ zi = zipf.getinfo('a') ++ self.assertEqual(zi.header_offset, 0) ++ self.assertEqual(zi.compress_size, 52) ++ self.assertEqual(zi.file_size, 1064) ++ zi = zipf.getinfo('b') ++ self.assertEqual(zi.header_offset, 36) ++ self.assertEqual(zi.compress_size, 16) ++ self.assertEqual(zi.file_size, 1033) ++ with self.assertRaisesRegex(zipfile.BadZipFile, 'Overlapped entries'): ++ zipf.read('a') ++ self.assertEqual(len(zipf.read('b')), 1033) ++ + def tearDown(self): + unlink(TESTFN) + unlink(TESTFN2) +--- a/Lib/zipfile.py ++++ 
b/Lib/zipfile.py +@@ -311,6 +311,7 @@ class ZipInfo (object): + 'compress_size', + 'file_size', + '_raw_time', ++ '_end_offset', + ) + + def __init__(self, filename="NoName", date_time=(1980,1,1,0,0,0)): +@@ -349,6 +350,7 @@ class ZipInfo (object): + self.volume = 0 # Volume number of file header + self.internal_attr = 0 # Internal attributes + self.external_attr = 0 # External file attributes ++ self._end_offset = None # Start of the next local header or central directory + # Other attributes are set by class ZipFile: + # header_offset Byte offset to the file header + # CRC CRC-32 of the uncompressed file +@@ -1044,6 +1046,12 @@ class ZipFile: + if self.debug > 2: + print("total", total) + ++ end_offset = self.start_dir ++ for zinfo in sorted(self.filelist, ++ key=lambda zinfo: zinfo.header_offset, ++ reverse=True): ++ zinfo._end_offset = end_offset ++ end_offset = zinfo.header_offset + + def namelist(self): + """Return a list of file names in the archive.""" +@@ -1179,6 +1187,10 @@ class ZipFile: + 'File name in directory %r and header %r differ.' + % (zinfo.orig_filename, fname)) + ++ if (zinfo._end_offset is not None and ++ zef_file.tell() + zinfo.compress_size > zinfo._end_offset): ++ raise BadZipFile("Overlapped entries: {!r} (possible zip bomb)".format(zinfo.orig_filename)) ++ + # check for encrypted flag & handle password + is_encrypted = zinfo.flag_bits & 0x1 + zd = None +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst +@@ -0,0 +1,3 @@ ++Protect :mod:`zipfile` from "quoted-overlap" zipbomb. It now raises ++BadZipFile when try to read an entry that overlaps with other entry or ++central directory. diff --git a/python-base.changes b/python-base.changes index d465808..fc49fab 100644 --- a/python-base.changes +++ b/python-base.changes 
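Review bot: The guard inserted just before the `# check for encrypted flag & handle password` context (in what appears to be `ZipFile.open()`) only rejects an entry whose `compress_size` bytes run past the next local header or the central directory; it says nothing about how far those bytes inflate, so a non-overlapping archive with a very high deflate ratio still passes and a caller reading it still receives `file_size` bytes. A one-line comment above the `raise` would stop the next maintainer from treating this as a general zip-bomb defence, e.g. `# Byte-range overlap only; callers extracting untrusted data must still cap file_size / total output.` The `_end_offset is not None` test also means any `ZipInfo` not assigned by the new loop in `_RealGetContents` (the `__init__` default stays `None`) skips the check silently, which is presumably intended for entries the archive writes itself but deserves `# None => not set by _RealGetContents; overlap check is skipped` beside the default. Both `_RealGetContents` and the function holding the new `raise` start and end outside the hunk.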
@@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Sat May 18 15:49:07 UTC 2024 - Matej Cepl + +- bsc#1221854 (CVE-2024-0450) Add + CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch + detecting the vulnerability of the "quoted-overlap" zipbomb + (from gh#python/cpython!110016). + ------------------------------------------------------------------- Sat May 11 05:46:55 UTC 2024 - Matej Cepl diff --git a/python-base.spec b/python-base.spec index e5affbe..450e77d 100644 --- a/python-base.spec +++ b/python-base.spec @@ -165,6 +165,9 @@ Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch # PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com # Make compare_digest more constant-time Patch80: CVE-2022-48566-compare_digest-more-constant.patch +# PATCH-FIX-UPSTREAM CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch bsc#1221854 mcepl@suse.com +# detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). +Patch81: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -322,6 +325,7 @@ other applications. %patch -P 78 -p1 %patch -P 79 -p1 %patch -P 80 -p1 +%patch -P 81 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar diff --git a/python-doc.changes b/python-doc.changes index d465808..fc49fab 100644 --- a/python-doc.changes +++ b/python-doc.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Sat May 18 15:49:07 UTC 2024 - Matej Cepl + +- bsc#1221854 (CVE-2024-0450) Add + CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch + detecting the vulnerability of the "quoted-overlap" zipbomb + (from gh#python/cpython!110016). + ------------------------------------------------------------------- Sat May 11 05:46:55 UTC 2024 - Matej Cepl 
diff --git a/python-doc.spec b/python-doc.spec index cce64ff..d6e9011 100644 --- a/python-doc.spec +++ b/python-doc.spec @@ -161,6 +161,9 @@ Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch # PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com # Make compare_digest more constant-time Patch80: CVE-2022-48566-compare_digest-more-constant.patch +# PATCH-FIX-UPSTREAM CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch bsc#1221854 mcepl@suse.com +# detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). +Patch81: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch # COMMON-PATCH-END Provides: pyth_doc = %{version} Provides: pyth_ps = %{version} @@ -252,6 +255,7 @@ Python, and Macintosh Module Reference in PDF format. %patch -P 78 -p1 %patch -P 79 -p1 %patch -P 80 -p1 +%patch -P 81 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar diff --git a/python.changes b/python.changes index d465808..fc49fab 100644 --- a/python.changes +++ b/python.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Sat May 18 15:49:07 UTC 2024 - Matej Cepl + +- bsc#1221854 (CVE-2024-0450) Add + CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch + detecting the vulnerability of the "quoted-overlap" zipbomb + (from gh#python/cpython!110016). + ------------------------------------------------------------------- Sat May 11 05:46:55 UTC 2024 - Matej Cepl diff --git a/python.spec b/python.spec index bd33603..1f681f9 100644 --- a/python.spec +++ b/python.spec 
@@ -161,6 +161,9 @@ Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch # PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com # Make compare_digest more constant-time Patch80: CVE-2022-48566-compare_digest-more-constant.patch +# PATCH-FIX-UPSTREAM CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch bsc#1221854 mcepl@suse.com +# detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). +Patch81: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -372,6 +375,7 @@ that rely on earlier non-verification behavior. %patch -P 78 -p1 %patch -P 79 -p1 %patch -P 80 -p1 +%patch -P 81 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar From 8c35dee7e089b6c8f4f0c27297769901c1837976338e94664de330d6b26780aa Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Sat, 18 May 2024 17:48:46 +0000 Subject: [PATCH 2/3] fix patch OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=417 --- ...zipfile-avoid-quoted-overlap-zipbomb.patch | 40 ++++++++----------- 1 file changed, 16 insertions(+), 24 deletions(-) diff --git a/CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch b/CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch index 5eb04c7..01fffcb 100644 --- a/CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch +++ b/CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch 
@@ -11,23 +11,15 @@ From-PR: gh#python/cpython!110016 Fixes: gh#python/cpython#109858 Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch --- - Lib/test/test_zipfile.py | 61 ++++++++++ - Lib/zipfile.py | 12 + + Lib/test/test_zipfile.py | 60 ++++++++++ + Lib/zipfile.py | 12 ++ Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst | 3 - 3 files changed, 76 insertions(+) + 3 files changed, 75 insertions(+) create mode 100644 Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst --- a/Lib/test/test_zipfile.py +++ b/Lib/test/test_zipfile.py -@@ -11,6 +11,7 @@ import unittest - - from tempfile import TemporaryFile - from random import randint, random, getrandbits -+from unittest import mock - - from test.support import (TESTFN, findfile, unlink, rmtree, - requires_zlib, requires_bz2, requires_lzma, -@@ -1556,6 +1557,66 @@ class AbstractTestsWithRandomBinaryFiles +@@ -1377,6 +1377,66 @@ class TestsWithRandomBinaryFiles(unittes with open(TESTFN, "wb") as fp: fp.write(self.data) @@ -96,15 +88,15 @@ Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch unlink(TESTFN2) --- a/Lib/zipfile.py +++ b/Lib/zipfile.py -@@ -311,6 +311,7 @@ class ZipInfo (object): - 'compress_size', - 'file_size', - '_raw_time', -+ '_end_offset', - ) +@@ -305,6 +305,7 @@ class ZipInfo (object): + 'compress_size', + 'file_size', + '_raw_time', ++ '_end_offset', + ) def __init__(self, filename="NoName", date_time=(1980,1,1,0,0,0)): -@@ -349,6 +350,7 @@ class ZipInfo (object): +@@ -343,6 +344,7 @@ class ZipInfo (object): self.volume = 0 # Volume number of file header self.internal_attr = 0 # Internal attributes self.external_attr = 0 # External file attributes 
@@ -112,9 +104,9 @@ Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch # Other attributes are set by class ZipFile: # header_offset Byte offset to the file header # CRC CRC-32 of the uncompressed file -@@ -1044,6 +1046,12 @@ class ZipFile: +@@ -891,6 +893,12 @@ class ZipFile(object): if self.debug > 2: - print("total", total) + print "total", total + end_offset = self.start_dir + for zinfo in sorted(self.filelist, @@ -125,9 +117,9 @@ Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch def namelist(self): """Return a list of file names in the archive.""" -@@ -1179,6 +1187,10 @@ class ZipFile: - 'File name in directory %r and header %r differ.' - % (zinfo.orig_filename, fname)) +@@ -1002,6 +1010,10 @@ class ZipFile(object): + 'File name in directory "%s" and header "%s" differ.' % ( + zinfo.orig_filename, fname) + if (zinfo._end_offset is not None and + zef_file.tell() + zinfo.compress_size > zinfo._end_offset): From 01ce66c584405cee5c43ec65921d9361e37e5513470d2b74b4c3b7f3007d855a Mon Sep 17 00:00:00 2001 
From: Matej Cepl Date: Sun, 19 May 2024 06:56:12 +0000 Subject: [PATCH 3/3] - Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch removing failing test fixing bpo#3151, which we just not support. - Remove patches over those embedded packages (cffi): - python-2.7-libffi-aarch64.patch - sparc_longdouble.patch OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=418 --- ...-libexpat-2.6.0-remove-failing-tests.patch | 32 +++++++++++++ ...zipfile-avoid-quoted-overlap-zipbomb.patch | 45 +++++++++++++++---- _multibuild | 5 --- python-2.7-libffi-aarch64.patch | 13 ------ python-base.changes | 6 +++ python-base.spec | 11 +++-- python-doc.changes | 6 +++ python-doc.spec | 11 +++-- python.changes | 6 +++ python.spec | 11 +++-- sparc_longdouble.patch | 21 --------- 11 files changed, 101 insertions(+), 66 deletions(-) create mode 100644 CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch delete mode 100644 _multibuild delete mode 100644 python-2.7-libffi-aarch64.patch delete mode 100644 sparc_longdouble.patch diff --git a/CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch b/CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch new file mode 100644 index 0000000..d10ffde --- /dev/null +++ b/CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch 
@@ -0,0 +1,32 @@ +--- + Lib/test/test_minidom.py | 3 ++- + Lib/test/test_xml_etree.py | 6 ------ + 2 files changed, 2 insertions(+), 7 deletions(-) + +--- a/Lib/test/test_minidom.py ++++ b/Lib/test/test_minidom.py +@@ -1051,7 +1051,8 @@ class MinidomTest(unittest.TestCase): + + # Verify that character decoding errors raise exceptions instead + # of crashing +- self.assertRaises(UnicodeDecodeError, parseString, ++ self.assertRaises((UnicodeDecodeError, xml.parsers.expat.ExpatError), ++ parseString, + 'Comment \xe7a va ? Tr\xe8s bien ?') + + doc.unlink() +--- a/Lib/test/test_xml_etree.py ++++ b/Lib/test/test_xml_etree.py +@@ -1482,12 +1482,6 @@ class BugsTest(unittest.TestCase): + b"\n" + b'tãg') + +- def test_issue3151(self): +- e = ET.XML('') +- self.assertEqual(e.tag, '{${stuff}}localname') +- t = ET.ElementTree(e) +- self.assertEqual(ET.tostring(e), b'') +- + def test_issue6565(self): + elem = ET.XML("") + self.assertEqual(summarize_list(elem), ['tag']) diff --git a/CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch b/CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch index 01fffcb..5abc285 100644 --- a/CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch +++ b/CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch @@ -11,19 +11,46 @@ From-PR: gh#python/cpython!110016 Fixes: gh#python/cpython#109858 Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch --- - Lib/test/test_zipfile.py | 60 ++++++++++ - Lib/zipfile.py | 12 ++ + Lib/test/test_zipfile.py | 66 +++++++++- + Lib/zipfile.py | 12 + Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst | 3 - 3 files changed, 75 insertions(+) + 3 files changed, 78 insertions(+), 3 deletions(-) create mode 100644 Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst --- a/Lib/test/test_zipfile.py 
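Review bot: The new patch only relaxes and removes tests — it widens the `assertRaises` in `test_minidom` to also accept `xml.parsers.expat.ExpatError` and deletes `test_issue3151` from `test_xml_etree` — yet its file name starts with `CVE-2023-52425`, so an audit grepping for that CVE will count this as the fix when the actual mitigation is presumably the unbundled system libexpat that the changelog refers to. Either rename it (e.g. `libexpat-2.6.0-remove-failing-tests.patch`) or add a header line to the patch stating that it adapts the test-suite to libexpat >= 2.6.0 and contains no fix. Rather than deleting `test_issue3151`, keep the record visible in test output with `@unittest.skip("bpo#3151: not supported with libexpat >= 2.6.0")` above the method. The test body shown here is garbled by extraction (empty `ET.XML('')` literals), so I cannot judge what it originally asserted; also confirm that `xml.parsers.expat` is imported in `test_minidom`, which lies outside the hunk.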
+++ b/Lib/test/test_zipfile.py +@@ -1004,7 +1004,7 @@ class OtherTests(unittest.TestCase): + self.assertTrue(not chk) + + def test_damaged_zipfile(self): +- """Check that zipfiles with missing bytes at the end raise BadZipFile.""" ++ """Check that zipfiles with missing bytes at the end raise BadZipfile.""" + # - Create a valid zip file + fp = io.BytesIO() + with zipfile.ZipFile(fp, mode="w") as zipf: +@@ -1012,7 +1012,7 @@ class OtherTests(unittest.TestCase): + zipfiledata = fp.getvalue() + + # - Now create copies of it missing the last N bytes and make sure +- # a BadZipFile exception is raised when we try to open it ++ # a BadZipfile exception is raised when we try to open it + for N in range(len(zipfiledata)): + fp = io.BytesIO(zipfiledata[:N]) + self.assertRaises(zipfile.BadZipfile, zipfile.ZipFile, fp) +@@ -1053,7 +1053,7 @@ class OtherTests(unittest.TestCase): + # quickly. + self.assertRaises(IOError, zipfile.ZipFile, TESTFN) + +- def test_empty_file_raises_BadZipFile(self): ++ def test_empty_file_raises_BadZipfile(self): + with open(TESTFN, 'w') as f: + pass + self.assertRaises(zipfile.BadZipfile, zipfile.ZipFile, TESTFN) @@ -1377,6 +1377,66 @@ class TestsWithRandomBinaryFiles(unittes with open(TESTFN, "wb") as fp: fp.write(self.data) -+ @requires_zlib ++ @skipUnless(zlib, "requires zlib") + def test_full_overlap(self): + data = ( + b'PK\x03\x04\x14\x00\x00\x00\x08\x00\xa0lH\x05\xe2\x1e' @@ -49,10 +76,10 @@ Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch + self.assertEqual(zi.compress_size, 16) + self.assertEqual(zi.file_size, 1033) + self.assertEqual(len(zipf.read('a')), 1033) -+ with self.assertRaisesRegex(zipfile.BadZipFile, 'File name.*differ'): ++ with self.assertRaisesRegexp(zipfile.BadZipfile, 'File name.*differ'): + zipf.read('b') + -+ @requires_zlib ++ @skipUnless(zlib, "requires zlib") + def test_quoted_overlap(self): + data = ( + b'PK\x03\x04\x14\x00\x00\x00\x08\x00\xa0lH\x05Y\xfc' 
@@ -79,7 +106,7 @@ Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch + self.assertEqual(zi.header_offset, 36) + self.assertEqual(zi.compress_size, 16) + self.assertEqual(zi.file_size, 1033) -+ with self.assertRaisesRegex(zipfile.BadZipFile, 'Overlapped entries'): ++ with self.assertRaisesRegexp(zipfile.BadZipfile, 'Overlapped entries'): + zipf.read('a') + self.assertEqual(len(zipf.read('b')), 1033) + @@ -123,7 +150,7 @@ Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch + if (zinfo._end_offset is not None and + zef_file.tell() + zinfo.compress_size > zinfo._end_offset): -+ raise BadZipFile("Overlapped entries: {!r} (possible zip bomb)".format(zinfo.orig_filename)) ++ raise BadZipfile("Overlapped entries: {!r} (possible zip bomb)".format(zinfo.orig_filename)) + # check for encrypted flag & handle password is_encrypted = zinfo.flag_bits & 0x1 @@ -132,5 +159,5 @@ Patch: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch +++ b/Misc/NEWS.d/next/Library/2023-09-28-13-15-51.gh-issue-109858.43e2dg.rst @@ -0,0 +1,3 @@ +Protect :mod:`zipfile` from "quoted-overlap" zipbomb. It now raises -+BadZipFile when try to read an entry that overlaps with other entry or ++BadZipfile when try to read an entry that overlaps with other entry or +central directory. diff --git a/_multibuild b/_multibuild deleted file mode 100644 index e34acc7..0000000 --- a/_multibuild +++ /dev/null @@ -1,5 +0,0 @@ - - python-base - python-doc - - diff --git a/python-2.7-libffi-aarch64.patch b/python-2.7-libffi-aarch64.patch deleted file mode 100644 index 77a398d..0000000 --- a/python-2.7-libffi-aarch64.patch +++ /dev/null 
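Review bot: The three new hunks at `@@ -1004,7 +1004,7 @@`, `@@ -1012,7 +1012,7 @@` and `@@ -1053,7 +1053,7 @@` in `OtherTests` only rename `test_empty_file_raises_BadZipFile` to `test_empty_file_raises_BadZipfile` and reword a docstring and a comment; they are unrelated to CVE-2024-0450 and look like collateral from a blanket `BadZipFile` -> `BadZipfile` substitution over the tree. A security backport should carry only the fix, so drop those hunks (the `3 deletions(-)` in the diffstat come entirely from them) and keep the substitution limited to the two new tests and the `raise BadZipfile(...)` line. `assertRaisesRegexp` and `zipfile.BadZipfile` match the 2.7 names used in the surrounding context, but `skipUnless` and `zlib` must already be in scope in the test module, which these hunks do not show. The enclosing test class and the patched functions in `zipfile.py` start and end outside the hunks.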
@@ -1,13 +0,0 @@ -Index: Python-2.7.9/Modules/_ctypes/libffi/src/aarch64/ffi.c -=================================================================== ---- Python-2.7.9.orig/Modules/_ctypes/libffi/src/aarch64/ffi.c -+++ Python-2.7.9/Modules/_ctypes/libffi/src/aarch64/ffi.c -@@ -728,7 +728,7 @@ aarch64_prep_args (struct call_context * - state.ngrn = N_X_ARG_REG; - - memcpy (allocate_to_stack (&state, stack, ty->alignment, -- ty->size), ecif->avalue + i, ty->size); -+ ty->size), ecif->avalue[i], ty->size); - } - break; - diff --git a/python-base.changes b/python-base.changes index fc49fab..518b787 100644 --- a/python-base.changes +++ b/python-base.changes @@ -13,6 +13,12 @@ Sat May 11 05:46:55 UTC 2024 - Matej Cepl CVE-2023-52425) - Make sure to remove all embedded versions of other packages (including expat). +- Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch + removing failing test fixing bpo#3151, which we just not + support. +- Remove patches over those embedded packages (cffi): + - python-2.7-libffi-aarch64.patch + - sparc_longdouble.patch ------------------------------------------------------------------- Tue Apr 16 15:39:24 UTC 2024 - Matej Cepl diff --git a/python-base.spec b/python-base.spec index 450e77d..6bc35d3 100644 --- a/python-base.spec +++ b/python-base.spec 
@@ -51,13 +51,10 @@ Patch4: python-2.5.1-sqlite.patch Patch5: python-2.7.4-canonicalize2.patch Patch7: python-2.6-gettext-plurals.patch Patch8: python-2.6b3-curses-panel.patch -Patch10: sparc_longdouble.patch Patch13: python-2.7.2-fix_date_time_compiler.patch Patch17: remove-static-libpython.patch # PATCH-FEATURE-OPENSUSE python-bundle-lang.patch bnc#617751 dimstar@opensuse.org -- gettext: when looking in default_localedir also check in locale-bundle. Patch20: python-bundle-lang.patch -# PATCH-FIX-UPSTREAM Fix argument passing in libffi for aarch64 -Patch22: python-2.7-libffi-aarch64.patch Patch24: python-bsddb6.patch # PATCH-FIX-UPSTREAM accept directory-based CA paths as well Patch33: python-2.7.9-ssl_ca_path.patch @@ -165,9 +162,12 @@ Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch # PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com # Make compare_digest more constant-time Patch80: CVE-2022-48566-compare_digest-more-constant.patch +# PATCH-FIX-OPENSUSE CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch bpo#3151 mcepl@suse.com +# We don't have fix for bpo#3151 and it is just not supported +Patch81: CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch # PATCH-FIX-UPSTREAM CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch bsc#1221854 mcepl@suse.com # detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). -Patch81: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch +Patch82: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -271,11 +271,9 @@ other applications. %patch -P 5 -p1 %patch -P 7 -p1 %patch -P 8 -p1 -%patch -P 10 -p1 %patch -P 13 -p1 %patch -P 17 -p1 %patch -P 20 -p1 -%patch -P 22 -p1 %patch -P 24 -p1 %patch -P 33 -p1 %if %{suse_version} < 1500 && !0%{?is_opensuse} 
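Review bot: Dropping `Patch22` (`python-2.7-libffi-aarch64.patch`) and `Patch10` (`sparc_longdouble.patch`) is only safe if the bundled `Modules/_ctypes/libffi` is no longer compiled, which this hunk does not show; the aarch64 patch changed `ecif->avalue + i` to `ecif->avalue[i]` in `aarch64_prep_args`, i.e. without it the argument bytes are copied from the pointer-array slot rather than from the argument itself, so building the bundled copy again would reintroduce wrong data in ctypes calls. Please confirm the build uses the system libffi (e.g. a `--with-system-ffi` configure flag or a `BuildRequires: libffi-devel`) and state that in the changelog, which currently attributes these patches to `cffi` rather than libffi. The rest of the patch list lies outside the hunk, so I cannot see whether other bundled-libffi patches remain.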
@@ -326,6 +324,7 @@ other applications. %patch -P 79 -p1 %patch -P 80 -p1 %patch -P 81 -p1 +%patch -P 82 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar diff --git a/python-doc.changes b/python-doc.changes index fc49fab..518b787 100644 --- a/python-doc.changes +++ b/python-doc.changes @@ -13,6 +13,12 @@ Sat May 11 05:46:55 UTC 2024 - Matej Cepl CVE-2023-52425) - Make sure to remove all embedded versions of other packages (including expat). +- Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch + removing failing test fixing bpo#3151, which we just not + support. +- Remove patches over those embedded packages (cffi): + - python-2.7-libffi-aarch64.patch + - sparc_longdouble.patch ------------------------------------------------------------------- Tue Apr 16 15:39:24 UTC 2024 - Matej Cepl diff --git a/python-doc.spec b/python-doc.spec index d6e9011..b84523d 100644 --- a/python-doc.spec +++ b/python-doc.spec @@ -47,13 +47,10 @@ Patch4: python-2.5.1-sqlite.patch Patch5: python-2.7.4-canonicalize2.patch Patch7: python-2.6-gettext-plurals.patch Patch8: python-2.6b3-curses-panel.patch -Patch10: sparc_longdouble.patch Patch13: python-2.7.2-fix_date_time_compiler.patch Patch17: remove-static-libpython.patch # PATCH-FEATURE-OPENSUSE python-bundle-lang.patch bnc#617751 dimstar@opensuse.org -- gettext: when looking in default_localedir also check in locale-bundle. Patch20: python-bundle-lang.patch -# PATCH-FIX-UPSTREAM Fix argument passing in libffi for aarch64 -Patch22: python-2.7-libffi-aarch64.patch Patch24: python-bsddb6.patch # PATCH-FIX-UPSTREAM accept directory-based CA paths as well Patch33: python-2.7.9-ssl_ca_path.patch 
@@ -161,9 +158,12 @@ Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch # PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com # Make compare_digest more constant-time Patch80: CVE-2022-48566-compare_digest-more-constant.patch +# PATCH-FIX-OPENSUSE CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch bpo#3151 mcepl@suse.com +# We don't have fix for bpo#3151 and it is just not supported +Patch81: CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch # PATCH-FIX-UPSTREAM CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch bsc#1221854 mcepl@suse.com # detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). -Patch81: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch +Patch82: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch # COMMON-PATCH-END Provides: pyth_doc = %{version} Provides: pyth_ps = %{version} @@ -201,11 +201,9 @@ Python, and Macintosh Module Reference in PDF format. %patch -P 5 -p1 %patch -P 7 -p1 %patch -P 8 -p1 -%patch -P 10 -p1 %patch -P 13 -p1 %patch -P 17 -p1 %patch -P 20 -p1 -%patch -P 22 -p1 %patch -P 24 -p1 %patch -P 33 -p1 %if %{suse_version} < 1500 && !0%{?is_opensuse} @@ -256,6 +254,7 @@ Python, and Macintosh Module Reference in PDF format. %patch -P 79 -p1 %patch -P 80 -p1 %patch -P 81 -p1 +%patch -P 82 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar diff --git a/python.changes b/python.changes index fc49fab..518b787 100644 --- a/python.changes +++ b/python.changes 
@@ -13,6 +13,12 @@ Sat May 11 05:46:55 UTC 2024 - Matej Cepl CVE-2023-52425) - Make sure to remove all embedded versions of other packages (including expat). +- Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch + removing failing test fixing bpo#3151, which we just not + support. +- Remove patches over those embedded packages (cffi): + - python-2.7-libffi-aarch64.patch + - sparc_longdouble.patch ------------------------------------------------------------------- Tue Apr 16 15:39:24 UTC 2024 - Matej Cepl diff --git a/python.spec b/python.spec index 1f681f9..7741839 100644 --- a/python.spec +++ b/python.spec @@ -47,13 +47,10 @@ Patch4: python-2.5.1-sqlite.patch Patch5: python-2.7.4-canonicalize2.patch Patch7: python-2.6-gettext-plurals.patch Patch8: python-2.6b3-curses-panel.patch -Patch10: sparc_longdouble.patch Patch13: python-2.7.2-fix_date_time_compiler.patch Patch17: remove-static-libpython.patch # PATCH-FEATURE-OPENSUSE python-bundle-lang.patch bnc#617751 dimstar@opensuse.org -- gettext: when looking in default_localedir also check in locale-bundle. Patch20: python-bundle-lang.patch -# PATCH-FIX-UPSTREAM Fix argument passing in libffi for aarch64 -Patch22: python-2.7-libffi-aarch64.patch Patch24: python-bsddb6.patch # PATCH-FIX-UPSTREAM accept directory-based CA paths as well Patch33: python-2.7.9-ssl_ca_path.patch 
@@ -161,9 +158,12 @@ Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch # PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com # Make compare_digest more constant-time Patch80: CVE-2022-48566-compare_digest-more-constant.patch +# PATCH-FIX-OPENSUSE CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch bpo#3151 mcepl@suse.com +# We don't have fix for bpo#3151 and it is just not supported +Patch81: CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch # PATCH-FIX-UPSTREAM CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch bsc#1221854 mcepl@suse.com # detecting the vulnerability of the "quoted-overlap" zipbomb (from gh#python/cpython!110016). -Patch81: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch +Patch82: CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -321,11 +321,9 @@ that rely on earlier non-verification behavior. %patch -P 5 -p1 %patch -P 7 -p1 %patch -P 8 -p1 -%patch -P 10 -p1 %patch -P 13 -p1 %patch -P 17 -p1 %patch -P 20 -p1 -%patch -P 22 -p1 %patch -P 24 -p1 %patch -P 33 -p1 %if %{suse_version} < 1500 && !0%{?is_opensuse} @@ -376,6 +374,7 @@ that rely on earlier non-verification behavior. %patch -P 79 -p1 %patch -P 80 -p1 %patch -P 81 -p1 +%patch -P 82 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar diff --git a/sparc_longdouble.patch b/sparc_longdouble.patch deleted file mode 100644 index 7004f8d..0000000 --- a/sparc_longdouble.patch +++ /dev/null 
@@ -1,21 +0,0 @@ -Python ticket 6029 - -==== //tools/python/2.6.2/src/base/Modules/_ctypes/libffi/src/sparc/ffi.c#1 - /home/build/clifford/gpdb/tools/python/2.6.2/src/base/Modules/_ctypes/libffi/src/sparc/ffi.c ==== ---- - Modules/_ctypes/libffi/src/sparc/ffi.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/Modules/_ctypes/libffi/src/sparc/ffi.c -+++ b/Modules/_ctypes/libffi/src/sparc/ffi.c -@@ -652,6 +652,11 @@ - } - else - { -+#if FFI_TYPE_LONGDOUBLE != FFI_TYPE_DOUBLE -+ /* SparcV9 long double is 16-byte aligned; skip arg if necessary */ -+ if (arg_types[i]->type == FFI_TYPE_LONGDOUBLE && (argn & 1)) -+ argn++; -+#endif - /* Right-justify. */ - argn += ALIGN(arg_types[i]->size, FFI_SIZEOF_ARG) / FFI_SIZEOF_ARG; -