diff --git a/CVE-2019-20907_tarfile-inf-loop.patch b/CVE-2019-20907_tarfile-inf-loop.patch new file mode 100644 index 0000000..a843893 --- /dev/null +++ b/CVE-2019-20907_tarfile-inf-loop.patch @@ -0,0 +1,42 @@ +From 1fa6ef2bc7cee1c8e088dd8b397d9b2d54036dbc Mon Sep 17 00:00:00 2001 +From: Rajarishi Devarajan +Date: Sun, 12 Jul 2020 23:47:42 +0200 +Subject: [PATCH 1/4] bpo-39017 Fix infinite loop in the tarfile module + +Add a check for length = 0 in the _proc_pax function to avoid running into an infinite loop +--- + Lib/tarfile.py | 2 ++ + Lib/test/test_tarfile.py | 5 +++++ + Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | 1 + + 3 files changed, 8 insertions(+) + create mode 100644 Lib/test/recursion.tar + +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -1400,6 +1400,8 @@ class TarInfo(object): + + length, keyword = match.groups() + length = int(length) ++ if length == 0: ++ raise InvalidHeaderError("invalid header") + value = buf[match.end(2) + 1:match.start(1) + length - 1] + + keyword = keyword.decode("utf8") +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -321,6 +321,11 @@ class CommonReadTest(ReadTest): + with self.assertRaisesRegexp(tarfile.ReadError, "unexpected end of data"): + tar.extractfile(t).read() + ++ def test_length_zero_header(self): ++ # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail ++ # with an exception ++ self.assertRaises(tarfile.ReadError, tarfile.open, test_support.findfile('recursion.tar')) ++ + + class MiscReadTest(CommonReadTest): + taropen = tarfile.TarFile.taropen +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst +@@ -0,0 +1 @@ ++Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907). diff --git a/CVE-2020-26116-httplib-header-injection.patch b/CVE-2020-26116-httplib-header-injection.patch new file mode 100644 index 0000000..58cb66e --- /dev/null 
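Review bot: The added `if length == 0: raise InvalidHeaderError("invalid header")` in `_proc_pax` carries no comment saying why zero is the hazardous value, and `_proc_pax` both starts and ends outside the hunk. The regex that yields `length` is not shown, but the commit message ties the check to an infinite loop, presumably because the record scanner advances its offset by `length`; put that in place: `# bpo-39017 / CVE-2019-20907: a zero-length record never advances the scan offset, so the loop below would spin forever`. Note too that `test_length_zero_header` asserts `tarfile.ReadError` while the code raises `InvalidHeaderError`; that holds for `recursion.tar` only if `TarFile.next()` re-raises the header error as `ReadError` for the first member, so a zero-length record in a later member is not what this test exercises. A comment in the test recording that reliance, or a direct call on the parser asserting `InvalidHeaderError`, would make the coverage explicit.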
+++ b/CVE-2020-26116-httplib-header-injection.patch 
@@ -0,0 +1,77 @@ +--- + Lib/httplib.py | 15 +++++++++++++++ + Lib/test/test_httplib.py | 22 +++++++++++++++++++++- + 2 files changed, 36 insertions(+), 1 deletion(-) + +--- a/Lib/httplib.py ++++ b/Lib/httplib.py +@@ -262,6 +262,10 @@ _contains_disallowed_url_pchar_re = re.c + _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} + + ++# These characters are not allowed within HTTP method names ++# to prevent http header injection. ++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]') ++ + class HTTPMessage(mimetools.Message): + + def addheader(self, key, value): +@@ -940,6 +944,8 @@ class HTTPConnection: + else: + raise CannotSendRequest() + ++ self._validate_method(method) ++ + # Save the method for use later in the response phase + self._method = method + +@@ -1179,6 +1185,15 @@ class HTTPConnection: + response.close() + raise + ++ def _validate_method(self, method): ++ """Validate a method name for putrequest.""" ++ # prevent http header injection ++ match = _contains_disallowed_method_pchar_re.search(method) ++ if match: ++ raise ValueError( ++ "method can't contain control characters. %r (found at " ++ "least %r)" % (method, match.group())) ++ + + class HTTP: + "Compatibility class with httplib.py from 1.5." 
+--- a/Lib/test/test_httplib.py ++++ b/Lib/test/test_httplib.py +@@ -1007,10 +1007,30 @@ class TunnelTests(TestCase): + self.assertTrue('Host: destination.com' in conn.sock.data) + + ++class HttpMethodTests(TestCase): ++ def test_invalid_method_names(self): ++ methods = ( ++ 'GET\r', ++ 'POST\n', ++ 'PUT\n\r', ++ 'POST\nValue', ++ 'POST\nHOST:abc', ++ 'GET\nrHost:abc\n', ++ 'POST\rRemainder:\r', ++ 'GET\rHOST:\n', ++ '\nPUT' ++ ) ++ ++ for method in methods: ++ conn = httplib.HTTPConnection('example.com') ++ conn.sock = FakeSocket(None) ++ self.assertRaises(ValueError, conn.request, method=method, url="/") ++ ++ + @test_support.reap_threads + def test_main(verbose=None): + test_support.run_unittest(HeaderTests, OfflineTest, BasicTest, TimeoutTest, +- HTTPTest, HTTPSTest, SourceAddressTest, ++ HTTPTest, HttpMethodTests, HTTPSTest, SourceAddressTest, + TunnelTests) + + if __name__ == '__main__': diff --git a/pip-20.2.3-py2.py3-none-any.whl b/pip-20.2.3-py2.py3-none-any.whl new file mode 100644 index 0000000..1943e40 --- /dev/null +++ b/pip-20.2.3-py2.py3-none-any.whl @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3dd51a8752bc3a34c0290e4e6c16be943256c8c693cb75736b95f56128decbac +size 1350933 diff --git a/python-base.changes b/python-base.changes index ab27987..f4ed6be 100644 --- a/python-base.changes +++ b/python-base.changes 
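Review bot: `_contains_disallowed_method_pchar_re` only matches the C0 range `\x00`-`\x1f`, so `_validate_method` still lets DEL (`\x7f`), 8-bit bytes and spaces through, and a method like `'GET /x HTTP/1.1'` rewrites the request line even though it cannot smuggle a header; `putrequest`, whose body continues outside the hunk, emits it as-is. That scope matches CVE-2020-26116, so the module comment should state the limit rather than imply full validation: `# Rejects CR/LF and the other C0 controls (CVE-2020-26116); not an RFC 7230 token check, so DEL, 8-bit bytes and spaces still pass.` The tests in `HttpMethodTests` assert only rejections, so an over-broad regex that also refused legitimate methods would go unnoticed; add one positive case such as `conn.request('PROPFIND', '/')` on a fresh `FakeSocket(None)` connection followed by `self.assertTrue(conn.sock.data.startswith('PROPFIND / HTTP/1.1'))`, reading the same `conn.sock.data` that `TunnelTests` inspects above. Whether the legacy `HTTP` compatibility class shown at the end of the httplib hunk also routes through `_validate_method` is not visible here.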
@@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Tue Sep 21 14:54:40 UTC 2021 - Matej Cepl + +- Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091 + (CVE-2019-20907, bpo#39017) avoiding possible infinite loop + in specifically crafted tarball. + Add recursion.tar as a testing tarball for the patch. +- Provide the newest setuptools wheel (bsc#1176262, + CVE-2019-20916) in their correct form (bsc#1180686). +- Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211 + (CVE-2020-26116, bpo#39603) no longer allowing special characters in + the method parameter of HTTPConnection.putrequest in httplib, stopping + injection of headers. Such characters now raise ValueError. + + ------------------------------------------------------------------- Thu Aug 26 15:35:10 UTC 2021 - Fusion Future @@ -75,10 +90,9 @@ Thu Apr 23 09:17:24 UTC 2020 - Matej Cepl by Ben Caller. - Fixed line numbers and column offsets for AST nodes for calls without arguments in decorators. - - Disallow control characters in hostnames in http.client, - addressing CVE-2019-18348 (bpo#38576, bsc#1155094). Such - potentially malicious header injection URLs now cause - InvalidURL to be raised. + - bsc#1155094 (CVE-2019-18348) Disallow control characters in + hostnames in http.client. Such potentially malicious header + injection URLs now cause a InvalidURL to be raised. - Fix urllib.urlretrieve failing on subsequent ftp transfers from the same host. - Fix problems identified by GCC's -Wstringop-truncation 
@@ -302,8 +316,9 @@ Thu Apr 4 22:28:24 CEST 2019 - Matej Cepl ------------------------------------------------------------------- Fri Jan 25 16:53:50 CET 2019 - mcepl@suse.com -- bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch - fixing bpo-34623. +- bsc#1109847 (CVE-2018-14647): add + CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing + bpo-34623. ------------------------------------------------------------------- Fri Jan 25 16:02:21 CET 2019 - mcepl@suse.com @@ -322,7 +337,7 @@ Fri Jan 25 16:02:21 CET 2019 - mcepl@suse.com Sat Jan 19 16:19:38 CET 2019 - mcepl@suse.com - bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch - fixing bpo-35746. + fixing bpo-35746 (CVE-2019-5010). An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.7.2. A specially crafted X509 certificate can cause a NULL pointer diff --git a/python-base.spec b/python-base.spec index 9d9ffe0..f073ad4 100644 --- a/python-base.spec +++ b/python-base.spec @@ -34,6 +34,11 @@ Source1: macros.python2 Source2: baselibs.conf Source3: README.SUSE Source5: local.pth +# Fixed bundled wheels +Source10: setuptools-44.1.1-py2.py3-none-any.whl +Source11: pip-20.2.3-py2.py3-none-any.whl +# For Patch 66 +Source66: recursion.tar Source99: python-base-rpmlintrc # COMMON-PATCH-BEGIN Patch1: python-2.7-dirs.patch 
@@ -109,6 +114,14 @@ Patch63: CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP Patch64: CVE-2021-3733-fix-ReDoS-in-request.patch # PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bpo#35293 gh#python/cpython#22198 -- fix doc build Patch65: sphinx-update-removed-function.patch +# PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com +# avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907) +# REQUIRES SOURCE 66 +Patch66: CVE-2019-20907_tarfile-inf-loop.patch +# PATCH-FIX-UPSTREAM CVE-2020-26116-httplib-header-injection.patch bsc#1177211 +# Fixes httplib to disallow control characters in method to avoid header +# injection +Patch67: CVE-2020-26116-httplib-header-injection.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -239,11 +252,25 @@ other applications. %patch63 -p1 %patch64 -p1 %patch65 -p1 +%patch66 -p1 +%patch67 -p1 + +# For patch 66 +cp -v %{SOURCE66} Lib/test/recursion.tar # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac # COMMON-PREP-END +# Replace bundled wheels with the updates ones +rm -v Lib/ensurepip/_bundled/*.whl +cp -v %{SOURCE10} %{SOURCE11} Lib/ensurepip/_bundled/ +STVER=$(basename %{SOURCE10}|cut -d- -f2) +PIPVER=$(basename %{SOURCE11}|cut -d- -f2) +sed -i -e "s/^\(\s*_SETUPTOOLS_VERSION\s\+=\s\+\)\"[0-9.]\+\"/\1\"${STVER}\"/" \ + -e "s/^\(\s*_PIP_VERSION\s\+=\s\+\)\"[0-9.]\+\"/\1\"${PIPVER}\"/" \ + Lib/ensurepip/__init__.py + %build %define _lto_cflags %{nil} export OPT="%{optflags} -DOPENSSL_LOAD_CONF -fwrapv" 
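Review bot: The `sed -i` that rewrites `_SETUPTOOLS_VERSION` and `_PIP_VERSION` in `Lib/ensurepip/__init__.py` is silent when its pattern does not match, but the `rm -v Lib/ensurepip/_bundled/*.whl` two lines earlier has already deleted the wheels those constants name, so a no-op edit produces a package whose `ensurepip` refers to a wheel that does not exist and only fails on the user's machine. Fail the build instead by following the edit with `grep -Eq "_SETUPTOOLS_VERSION\s*=\s*\"${STVER}\"" Lib/ensurepip/__init__.py` and `grep -Eq "_PIP_VERSION\s*=\s*\"${PIPVER}\"" Lib/ensurepip/__init__.py`. The `cut -d- -f2` version extraction also assumes no dash inside the version component, which holds for the two wheel names declared as Source10/Source11 but should be kept in mind when they are bumped.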
@@ -320,7 +347,7 @@ EXCLUDE="$EXCLUDE test_asynchat test_asyncore test_dircache test_multiprocessing if test $(ulimit -v) = unlimited || test $(ulimit -v) -gt 10000000; then ulimit -v 10000000 || : fi -make test TESTOPTS="-l -x $EXCLUDE" TESTPYTHONOPTS="-R" +make test TESTOPTS="-l -w -x $EXCLUDE" TESTPYTHONOPTS="-R" # use network, be verbose: #make test TESTOPTS="-l -u network -v" %endif diff --git a/python-doc.changes b/python-doc.changes index ab27987..f4ed6be 100644 --- a/python-doc.changes +++ b/python-doc.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Tue Sep 21 14:54:40 UTC 2021 - Matej Cepl + +- Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091 + (CVE-2019-20907, bpo#39017) avoiding possible infinite loop + in specifically crafted tarball. + Add recursion.tar as a testing tarball for the patch. +- Provide the newest setuptools wheel (bsc#1176262, + CVE-2019-20916) in their correct form (bsc#1180686). +- Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211 + (CVE-2020-26116, bpo#39603) no longer allowing special characters in + the method parameter of HTTPConnection.putrequest in httplib, stopping + injection of headers. Such characters now raise ValueError. + + ------------------------------------------------------------------- Thu Aug 26 15:35:10 UTC 2021 - Fusion Future 
@@ -75,10 +90,9 @@ Thu Apr 23 09:17:24 UTC 2020 - Matej Cepl by Ben Caller. - Fixed line numbers and column offsets for AST nodes for calls without arguments in decorators. - - Disallow control characters in hostnames in http.client, - addressing CVE-2019-18348 (bpo#38576, bsc#1155094). Such - potentially malicious header injection URLs now cause - InvalidURL to be raised. + - bsc#1155094 (CVE-2019-18348) Disallow control characters in + hostnames in http.client. Such potentially malicious header + injection URLs now cause a InvalidURL to be raised. - Fix urllib.urlretrieve failing on subsequent ftp transfers from the same host. - Fix problems identified by GCC's -Wstringop-truncation @@ -302,8 +316,9 @@ Thu Apr 4 22:28:24 CEST 2019 - Matej Cepl ------------------------------------------------------------------- Fri Jan 25 16:53:50 CET 2019 - mcepl@suse.com -- bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch - fixing bpo-34623. +- bsc#1109847 (CVE-2018-14647): add + CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing + bpo-34623. ------------------------------------------------------------------- Fri Jan 25 16:02:21 CET 2019 - mcepl@suse.com @@ -322,7 +337,7 @@ Fri Jan 25 16:02:21 CET 2019 - mcepl@suse.com Sat Jan 19 16:19:38 CET 2019 - mcepl@suse.com - bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch - fixing bpo-35746. + fixing bpo-35746 (CVE-2019-5010). An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.7.2. A specially crafted X509 certificate can cause a NULL pointer diff --git a/python-doc.spec b/python-doc.spec index 67df0d8..fee42e7 100644 --- a/python-doc.spec +++ b/python-doc.spec 
@@ -31,6 +31,8 @@ Source0: %{tarname}.tar.xz #Source3: http://docs.python.org/%{version}/archives/python-%{pyver}-docs-pdf-letter.tar.bz2 Source2: python-%{version}-docs-pdf-a4.tar.bz2 Source3: python-%{version}-docs-pdf-letter.tar.bz2 +# For Patch 66 +Source66: recursion.tar %if 0%{?suse_version} >= 1500 BuildRequires: python3-Sphinx %else @@ -111,6 +113,14 @@ Patch63: CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP Patch64: CVE-2021-3733-fix-ReDoS-in-request.patch # PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bpo#35293 gh#python/cpython#22198 -- fix doc build Patch65: sphinx-update-removed-function.patch +# PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com +# avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907) +# REQUIRES SOURCE 66 +Patch66: CVE-2019-20907_tarfile-inf-loop.patch +# PATCH-FIX-UPSTREAM CVE-2020-26116-httplib-header-injection.patch bsc#1177211 +# Fixes httplib to disallow control characters in method to avoid header +# injection +Patch67: CVE-2020-26116-httplib-header-injection.patch # COMMON-PATCH-END Provides: pyth_doc = %{version} Provides: pyth_ps = %{version} @@ -183,17 +193,16 @@ Python, and Macintosh Module Reference in PDF format. %patch63 -p1 %patch64 -p1 %patch65 -p1 +%patch66 -p1 +%patch67 -p1 + +# For patch 66 +cp -v %{SOURCE66} Lib/test/recursion.tar # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac # COMMON-PREP-END -# Update documentation formatting for Sphinx 3.0 (bpo#40204) -for i in `find Doc/ -type f -name "*.rst"` -do - sed -i 's/:c:type:/:c:expr:/g' $i -done - %build TODAY_DATE=`date -r %{S:0} "+%B %d, %Y"` # TODO use not date of tarball but date of latest patch diff --git a/python.changes b/python.changes index ab27987..f4ed6be 100644 --- a/python.changes +++ b/python.changes 
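Review bot: The `%prep` hunk removes the Sphinx 3.0 rewrite loop (`sed -i 's/:c:type:/:c:expr:/g'` over every `Doc/` `*.rst`, bpo#40204) alongside adding the two CVE patches, and neither a spec comment nor the accompanying changelog entry says why it is gone. If Patch65 (`sphinx-update-removed-function.patch`, listed just above as a doc-build fix) now makes it redundant, leave a one-line marker where the loop was: `# bpo#40204 :c:type: -> :c:expr: rewrite no longer needed, handled by Patch65`. If not, the documentation build against Sphinx >= 3.0 regresses with no signal in this commit.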
@@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Tue Sep 21 14:54:40 UTC 2021 - Matej Cepl + +- Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091 + (CVE-2019-20907, bpo#39017) avoiding possible infinite loop + in specifically crafted tarball. + Add recursion.tar as a testing tarball for the patch. +- Provide the newest setuptools wheel (bsc#1176262, + CVE-2019-20916) in their correct form (bsc#1180686). +- Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211 + (CVE-2020-26116, bpo#39603) no longer allowing special characters in + the method parameter of HTTPConnection.putrequest in httplib, stopping + injection of headers. Such characters now raise ValueError. + + ------------------------------------------------------------------- Thu Aug 26 15:35:10 UTC 2021 - Fusion Future @@ -75,10 +90,9 @@ Thu Apr 23 09:17:24 UTC 2020 - Matej Cepl by Ben Caller. - Fixed line numbers and column offsets for AST nodes for calls without arguments in decorators. - - Disallow control characters in hostnames in http.client, - addressing CVE-2019-18348 (bpo#38576, bsc#1155094). Such - potentially malicious header injection URLs now cause - InvalidURL to be raised. + - bsc#1155094 (CVE-2019-18348) Disallow control characters in + hostnames in http.client. Such potentially malicious header + injection URLs now cause a InvalidURL to be raised. - Fix urllib.urlretrieve failing on subsequent ftp transfers from the same host. - Fix problems identified by GCC's -Wstringop-truncation 
@@ -302,8 +316,9 @@ Thu Apr 4 22:28:24 CEST 2019 - Matej Cepl ------------------------------------------------------------------- Fri Jan 25 16:53:50 CET 2019 - mcepl@suse.com -- bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch - fixing bpo-34623. +- bsc#1109847 (CVE-2018-14647): add + CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing + bpo-34623. ------------------------------------------------------------------- Fri Jan 25 16:02:21 CET 2019 - mcepl@suse.com @@ -322,7 +337,7 @@ Fri Jan 25 16:02:21 CET 2019 - mcepl@suse.com Sat Jan 19 16:19:38 CET 2019 - mcepl@suse.com - bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch - fixing bpo-35746. + fixing bpo-35746 (CVE-2019-5010). An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.7.2. A specially crafted X509 certificate can cause a NULL pointer diff --git a/python.spec b/python.spec index 4597446..df2da47 100644 --- a/python.spec +++ b/python.spec @@ -32,6 +32,8 @@ Source8: sle_tls_checks_policy.py Source50: idle.appdata.xml Source51: idle.desktop # issues with copyrighted Unicode testing files +# For Patch 66 +Source66: recursion.tar # !!!!!!!!!!!!!! # do not add or edit patches here. please edit python-base.spec 
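Review bot: The new `# For Patch 66` / `Source66: recursion.tar` pair in python.spec is inserted directly beneath the pre-existing `# issues with copyrighted Unicode testing files` comment, which is not attached to any Source line in the visible context, so after this change that comment reads as a description of `recursion.tar`. Put the two new lines above that comment, right after `Source51: idle.desktop`, or drop the stale comment in the same change; python-base.spec and python-doc.spec add Source66 at the end of their Source lists without this ambiguity.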
@@ -111,6 +113,14 @@ Patch63: CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP Patch64: CVE-2021-3733-fix-ReDoS-in-request.patch # PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bpo#35293 gh#python/cpython#22198 -- fix doc build Patch65: sphinx-update-removed-function.patch +# PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com +# avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907) +# REQUIRES SOURCE 66 +Patch66: CVE-2019-20907_tarfile-inf-loop.patch +# PATCH-FIX-UPSTREAM CVE-2020-26116-httplib-header-injection.patch bsc#1177211 +# Fixes httplib to disallow control characters in method to avoid header +# injection +Patch67: CVE-2020-26116-httplib-header-injection.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -297,6 +307,11 @@ that rely on earlier non-verification behavior. %patch63 -p1 %patch64 -p1 %patch65 -p1 +%patch66 -p1 +%patch67 -p1 + +# For patch 66 +cp -v %{SOURCE66} Lib/test/recursion.tar # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac diff --git a/recursion.tar b/recursion.tar new file mode 100644 index 0000000..e1d2b90 Binary files /dev/null and b/recursion.tar differ diff --git a/setuptools-44.1.1-py2.py3-none-any.whl b/setuptools-44.1.1-py2.py3-none-any.whl new file mode 100644 index 0000000..34deb87 --- /dev/null +++ b/setuptools-44.1.1-py2.py3-none-any.whl @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2e98dac61759aa12d18e6e6f4c6c582095882f08431259ee92845b47a8378ff0 +size 583522