Accepting request 921455 from devel:languages:python:Factory

Synchronization of the package with SLE version. OBS-URL: https://build.opensuse.org/request/show/921455 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=158
2021-09-30 21:42:52 +00:00 · 2021-09-30 21:42:52 +00:00 · e11bd215de
commit e11bd215de
parent 9f95aebbf6 793c3bb790
11 changed files with 249 additions and 28 deletions
--- a/CVE-2019-20907_tarfile-inf-loop.patch
+++ b/CVE-2019-20907_tarfile-inf-loop.patch
@ -0,0 +1,42 @@
 From 1fa6ef2bc7cee1c8e088dd8b397d9b2d54036dbc Mon Sep 17 00:00:00 2001
 From: Rajarishi Devarajan <rishi93dev@gmail.com>
 Date: Sun, 12 Jul 2020 23:47:42 +0200
 Subject: [PATCH 1/4] bpo-39017 Fix infinite loop in the tarfile module
 Add a check for length = 0 in the _proc_pax function to avoid running into an infinite loop
 ---
 Lib/tarfile.py                                                    |    2 ++
 Lib/test/test_tarfile.py                                          |    5 +++++
 Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst |    1 +
 3 files changed, 8 insertions(+)
 create mode 100644 Lib/test/recursion.tar
 --- a/Lib/tarfile.py
 +++ b/Lib/tarfile.py
@@ -1400,6 +1400,8 @@ class TarInfo(object):
             length, keyword = match.groups()
             length = int(length)
 +            if length == 0:
 +                raise InvalidHeaderError("invalid header")
             value = buf[match.end(2) + 1:match.start(1) + length - 1]
             keyword = keyword.decode("utf8")
 --- a/Lib/test/test_tarfile.py
 +++ b/Lib/test/test_tarfile.py
@@ -321,6 +321,11 @@ class CommonReadTest(ReadTest):
                 with self.assertRaisesRegexp(tarfile.ReadError, "unexpected end of data"):
                     tar.extractfile(t).read()
 +    def test_length_zero_header(self):
 +        # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail
 +        # with an exception
 +        self.assertRaises(tarfile.ReadError, tarfile.open, test_support.findfile('recursion.tar'))
 +
 class MiscReadTest(CommonReadTest):
     taropen = tarfile.TarFile.taropen
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
@@ -0,0 +1 @@
 +Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
--- a/CVE-2020-26116-httplib-header-injection.patch
+++ b/CVE-2020-26116-httplib-header-injection.patch
@ -0,0 +1,77 @@
 ---
 Lib/httplib.py           |   15 +++++++++++++++
 Lib/test/test_httplib.py |   22 +++++++++++++++++++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 --- a/Lib/httplib.py
 +++ b/Lib/httplib.py
@@ -262,6 +262,10 @@ _contains_disallowed_url_pchar_re = re.c
 _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
 +# These characters are not allowed within HTTP method names
 +# to prevent http header injection.
 +_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
 +
 class HTTPMessage(mimetools.Message):
     def addheader(self, key, value):
@@ -940,6 +944,8 @@ class HTTPConnection:
         else:
             raise CannotSendRequest()
 +        self._validate_method(method)
 +
         # Save the method for use later in the response phase
         self._method = method
@@ -1179,6 +1185,15 @@ class HTTPConnection:
             response.close()
             raise
 +    def _validate_method(self, method):
 +        """Validate a method name for putrequest."""
 +        # prevent http header injection
 +        match = _contains_disallowed_method_pchar_re.search(method)
 +        if match:
 +            raise ValueError(
 +                "method can't contain control characters. %r (found at "
 +                "least %r)" % (method, match.group()))
 +
 class HTTP:
     "Compatibility class with httplib.py from 1.5."
 --- a/Lib/test/test_httplib.py
 +++ b/Lib/test/test_httplib.py
@@ -1007,10 +1007,30 @@ class TunnelTests(TestCase):
         self.assertTrue('Host: destination.com' in conn.sock.data)
 +class HttpMethodTests(TestCase):
 +    def test_invalid_method_names(self):
 +        methods = (
 +            'GET\r',
 +            'POST\n',
 +            'PUT\n\r',
 +            'POST\nValue',
 +            'POST\nHOST:abc',
 +            'GET\nrHost:abc\n',
 +            'POST\rRemainder:\r',
 +            'GET\rHOST:\n',
 +            '\nPUT'
 +        )
 +
 +        for method in methods:
 +            conn = httplib.HTTPConnection('example.com')
 +            conn.sock = FakeSocket(None)
 +            self.assertRaises(ValueError, conn.request, method=method, url="/")
 +
 +
 @test_support.reap_threads
 def test_main(verbose=None):
     test_support.run_unittest(HeaderTests, OfflineTest, BasicTest, TimeoutTest,
 -                              HTTPTest, HTTPSTest, SourceAddressTest,
 +                              HTTPTest, HttpMethodTests, HTTPSTest, SourceAddressTest,
                               TunnelTests)
 if __name__ == '__main__':
--- a/pip-20.2.3-py2.py3-none-any.whl
+++ b/pip-20.2.3-py2.py3-none-any.whl
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:3dd51a8752bc3a34c0290e4e6c16be943256c8c693cb75736b95f56128decbac
 size 1350933
--- a/python-base.changes
+++ b/python-base.changes
@ -1,3 +1,18 @@
 -------------------------------------------------------------------
 Tue Sep 21 14:54:40 UTC 2021 - Matej Cepl <mcepl@suse.com>
 - Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091
  (CVE-2019-20907, bpo#39017) avoiding possible infinite loop
  in specifically crafted tarball.
  Add recursion.tar as a testing tarball for the patch.
 - Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
 - Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211
  (CVE-2020-26116, bpo#39603) no longer allowing special characters in
  the method parameter of HTTPConnection.putrequest in httplib, stopping
  injection of headers. Such characters now raise ValueError. 
 -------------------------------------------------------------------
 Thu Aug 26 15:35:10 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
@ -75,10 +90,9 @@ Thu Apr 23 09:17:24 UTC 2020 - Matej Cepl <mcepl@suse.com>
    by Ben Caller.
  - Fixed line numbers and column offsets for AST nodes for calls
    without arguments in decorators.
-  - Disallow control characters in hostnames in http.client,
+  - bsc#1155094 (CVE-2019-18348) Disallow control characters in
-    addressing CVE-2019-18348 (bpo#38576, bsc#1155094). Such
+    hostnames in http.client. Such potentially malicious header
-    potentially malicious header injection URLs now cause
+    injection URLs now cause a InvalidURL to be raised.
    InvalidURL to be raised.
  - Fix urllib.urlretrieve failing on subsequent ftp transfers
    from the same host.
  - Fix problems identified by GCC's -Wstringop-truncation
@ -302,8 +316,9 @@ Thu Apr  4 22:28:24 CEST 2019 - Matej Cepl <mcepl@suse.com>
 -------------------------------------------------------------------
 Fri Jan 25 16:53:50 CET 2019 - mcepl@suse.com
- bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
+- bsc#1109847 (CVE-2018-14647): add
-  fixing bpo-34623.
+  CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing
  bpo-34623.
 -------------------------------------------------------------------
 Fri Jan 25 16:02:21 CET 2019 - mcepl@suse.com
@ -322,7 +337,7 @@ Fri Jan 25 16:02:21 CET 2019 - mcepl@suse.com
 Sat Jan 19 16:19:38 CET 2019 - mcepl@suse.com
 - bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch
-  fixing bpo-35746.
+  fixing bpo-35746 (CVE-2019-5010).
  An exploitable denial-of-service vulnerability exists in the
  X509 certificate parser of Python.org Python 2.7.11 / 3.7.2.
  A specially crafted X509 certificate can cause a NULL pointer
--- a/python-base.spec
+++ b/python-base.spec
@ -34,6 +34,11 @@ Source1:        macros.python2
 Source2:        baselibs.conf
 Source3:        README.SUSE
 Source5:        local.pth
 # Fixed bundled wheels
 Source10:       setuptools-44.1.1-py2.py3-none-any.whl
 Source11:       pip-20.2.3-py2.py3-none-any.whl
 # For Patch 66
 Source66:       recursion.tar
 Source99:       python-base-rpmlintrc
 # COMMON-PATCH-BEGIN
 Patch1:         python-2.7-dirs.patch
@ -109,6 +114,14 @@ Patch63:        CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP
 Patch64:        CVE-2021-3733-fix-ReDoS-in-request.patch
 # PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bpo#35293 gh#python/cpython#22198 -- fix doc build
 Patch65:        sphinx-update-removed-function.patch
 # PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com
 # avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907)
 # REQUIRES SOURCE 66
 Patch66:        CVE-2019-20907_tarfile-inf-loop.patch
 # PATCH-FIX-UPSTREAM CVE-2020-26116-httplib-header-injection.patch bsc#1177211
 # Fixes httplib to disallow control characters in method to avoid header
 # injection
 Patch67:        CVE-2020-26116-httplib-header-injection.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@ -239,11 +252,25 @@ other applications.
 %patch63 -p1
 %patch64 -p1
 %patch65 -p1
 %patch66 -p1
 %patch67 -p1
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
 # COMMON-PREP-END
 # Replace bundled wheels with the updates ones
 rm -v Lib/ensurepip/_bundled/*.whl
 cp -v %{SOURCE10} %{SOURCE11} Lib/ensurepip/_bundled/
 STVER=$(basename %{SOURCE10}|cut -d- -f2)
 PIPVER=$(basename %{SOURCE11}|cut -d- -f2)
 sed -i -e "s/^\(\s*_SETUPTOOLS_VERSION\s\+=\s\+\)\"[0-9.]\+\"/\1\"${STVER}\"/" \
       -e "s/^\(\s*_PIP_VERSION\s\+=\s\+\)\"[0-9.]\+\"/\1\"${PIPVER}\"/" \
    Lib/ensurepip/__init__.py
 %build
 %define _lto_cflags %{nil}
 export OPT="%{optflags} -DOPENSSL_LOAD_CONF -fwrapv"
@ -320,7 +347,7 @@ EXCLUDE="$EXCLUDE test_asynchat test_asyncore test_dircache test_multiprocessing
 if test $(ulimit -v) = unlimited || test $(ulimit -v) -gt 10000000; then
  ulimit -v 10000000 || :
 fi
-make test TESTOPTS="-l -x $EXCLUDE" TESTPYTHONOPTS="-R"
+make test TESTOPTS="-l -w -x $EXCLUDE" TESTPYTHONOPTS="-R"
 # use network, be verbose:
 #make test TESTOPTS="-l -u network -v"
 %endif
--- a/python-doc.changes
+++ b/python-doc.changes
@ -1,3 +1,18 @@
 -------------------------------------------------------------------
 Tue Sep 21 14:54:40 UTC 2021 - Matej Cepl <mcepl@suse.com>
 - Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091
  (CVE-2019-20907, bpo#39017) avoiding possible infinite loop
  in specifically crafted tarball.
  Add recursion.tar as a testing tarball for the patch.
 - Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
 - Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211
  (CVE-2020-26116, bpo#39603) no longer allowing special characters in
  the method parameter of HTTPConnection.putrequest in httplib, stopping
  injection of headers. Such characters now raise ValueError. 
 -------------------------------------------------------------------
 Thu Aug 26 15:35:10 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
@ -75,10 +90,9 @@ Thu Apr 23 09:17:24 UTC 2020 - Matej Cepl <mcepl@suse.com>
    by Ben Caller.
  - Fixed line numbers and column offsets for AST nodes for calls
    without arguments in decorators.
-  - Disallow control characters in hostnames in http.client,
+  - bsc#1155094 (CVE-2019-18348) Disallow control characters in
-    addressing CVE-2019-18348 (bpo#38576, bsc#1155094). Such
+    hostnames in http.client. Such potentially malicious header
-    potentially malicious header injection URLs now cause
+    injection URLs now cause a InvalidURL to be raised.
    InvalidURL to be raised.
  - Fix urllib.urlretrieve failing on subsequent ftp transfers
    from the same host.
  - Fix problems identified by GCC's -Wstringop-truncation
@ -302,8 +316,9 @@ Thu Apr  4 22:28:24 CEST 2019 - Matej Cepl <mcepl@suse.com>
 -------------------------------------------------------------------
 Fri Jan 25 16:53:50 CET 2019 - mcepl@suse.com
- bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
+- bsc#1109847 (CVE-2018-14647): add
-  fixing bpo-34623.
+  CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing
  bpo-34623.
 -------------------------------------------------------------------
 Fri Jan 25 16:02:21 CET 2019 - mcepl@suse.com
@ -322,7 +337,7 @@ Fri Jan 25 16:02:21 CET 2019 - mcepl@suse.com
 Sat Jan 19 16:19:38 CET 2019 - mcepl@suse.com
 - bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch
-  fixing bpo-35746.
+  fixing bpo-35746 (CVE-2019-5010).
  An exploitable denial-of-service vulnerability exists in the
  X509 certificate parser of Python.org Python 2.7.11 / 3.7.2.
  A specially crafted X509 certificate can cause a NULL pointer
--- a/python-doc.spec
+++ b/python-doc.spec
@ -31,6 +31,8 @@ Source0:        %{tarname}.tar.xz
 #Source3:        http://docs.python.org/%{version}/archives/python-%{pyver}-docs-pdf-letter.tar.bz2
 Source2:        python-%{version}-docs-pdf-a4.tar.bz2
 Source3:        python-%{version}-docs-pdf-letter.tar.bz2
 # For Patch 66
 Source66:       recursion.tar
 %if 0%{?suse_version} >= 1500
 BuildRequires:  python3-Sphinx
 %else
@ -111,6 +113,14 @@ Patch63:        CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP
 Patch64:        CVE-2021-3733-fix-ReDoS-in-request.patch
 # PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bpo#35293 gh#python/cpython#22198 -- fix doc build
 Patch65:        sphinx-update-removed-function.patch
 # PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com
 # avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907)
 # REQUIRES SOURCE 66
 Patch66:        CVE-2019-20907_tarfile-inf-loop.patch
 # PATCH-FIX-UPSTREAM CVE-2020-26116-httplib-header-injection.patch bsc#1177211
 # Fixes httplib to disallow control characters in method to avoid header
 # injection
 Patch67:        CVE-2020-26116-httplib-header-injection.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc = %{version}
 Provides:       pyth_ps = %{version}
@ -183,17 +193,16 @@ Python, and Macintosh Module Reference in PDF format.
 %patch63 -p1
 %patch64 -p1
 %patch65 -p1
 %patch66 -p1
 %patch67 -p1
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
 # COMMON-PREP-END
 # Update documentation formatting for Sphinx 3.0 (bpo#40204)
 for i in `find Doc/ -type f -name "*.rst"`
 do
  sed -i 's/:c:type:/:c:expr:/g' $i
 done
 %build
 TODAY_DATE=`date -r %{S:0} "+%B %d, %Y"`
 # TODO use not date of tarball but date of latest patch
--- a/python.changes
+++ b/python.changes
@ -1,3 +1,18 @@
 -------------------------------------------------------------------
 Tue Sep 21 14:54:40 UTC 2021 - Matej Cepl <mcepl@suse.com>
 - Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091
  (CVE-2019-20907, bpo#39017) avoiding possible infinite loop
  in specifically crafted tarball.
  Add recursion.tar as a testing tarball for the patch.
 - Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
 - Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211
  (CVE-2020-26116, bpo#39603) no longer allowing special characters in
  the method parameter of HTTPConnection.putrequest in httplib, stopping
  injection of headers. Such characters now raise ValueError. 
 -------------------------------------------------------------------
 Thu Aug 26 15:35:10 UTC 2021 - Fusion Future <qydwhotmail@gmail.com>
@ -75,10 +90,9 @@ Thu Apr 23 09:17:24 UTC 2020 - Matej Cepl <mcepl@suse.com>
    by Ben Caller.
  - Fixed line numbers and column offsets for AST nodes for calls
    without arguments in decorators.
-  - Disallow control characters in hostnames in http.client,
+  - bsc#1155094 (CVE-2019-18348) Disallow control characters in
-    addressing CVE-2019-18348 (bpo#38576, bsc#1155094). Such
+    hostnames in http.client. Such potentially malicious header
-    potentially malicious header injection URLs now cause
+    injection URLs now cause a InvalidURL to be raised.
    InvalidURL to be raised.
  - Fix urllib.urlretrieve failing on subsequent ftp transfers
    from the same host.
  - Fix problems identified by GCC's -Wstringop-truncation
@ -302,8 +316,9 @@ Thu Apr  4 22:28:24 CEST 2019 - Matej Cepl <mcepl@suse.com>
 -------------------------------------------------------------------
 Fri Jan 25 16:53:50 CET 2019 - mcepl@suse.com
- bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
+- bsc#1109847 (CVE-2018-14647): add
-  fixing bpo-34623.
+  CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing
  bpo-34623.
 -------------------------------------------------------------------
 Fri Jan 25 16:02:21 CET 2019 - mcepl@suse.com
@ -322,7 +337,7 @@ Fri Jan 25 16:02:21 CET 2019 - mcepl@suse.com
 Sat Jan 19 16:19:38 CET 2019 - mcepl@suse.com
 - bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch
-  fixing bpo-35746.
+  fixing bpo-35746 (CVE-2019-5010).
  An exploitable denial-of-service vulnerability exists in the
  X509 certificate parser of Python.org Python 2.7.11 / 3.7.2.
  A specially crafted X509 certificate can cause a NULL pointer
--- a/python.spec
+++ b/python.spec
@ -32,6 +32,8 @@ Source8:        sle_tls_checks_policy.py
 Source50:       idle.appdata.xml
 Source51:       idle.desktop
 # issues with copyrighted Unicode testing files
 # For Patch 66
 Source66:       recursion.tar
 # !!!!!!!!!!!!!!
 # do not add or edit patches here. please edit python-base.spec
@ -111,6 +113,14 @@ Patch63:        CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP
 Patch64:        CVE-2021-3733-fix-ReDoS-in-request.patch
 # PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bpo#35293 gh#python/cpython#22198 -- fix doc build
 Patch65:        sphinx-update-removed-function.patch
 # PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com
 # avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907)
 # REQUIRES SOURCE 66
 Patch66:        CVE-2019-20907_tarfile-inf-loop.patch
 # PATCH-FIX-UPSTREAM CVE-2020-26116-httplib-header-injection.patch bsc#1177211
 # Fixes httplib to disallow control characters in method to avoid header
 # injection
 Patch67:        CVE-2020-26116-httplib-header-injection.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@ -297,6 +307,11 @@ that rely on earlier non-verification behavior.
 %patch63 -p1
 %patch64 -p1
 %patch65 -p1
 %patch66 -p1
 %patch67 -p1
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
--- a/recursion.tar
+++ b/recursion.tar
--- a/setuptools-44.1.1-py2.py3-none-any.whl
+++ b/setuptools-44.1.1-py2.py3-none-any.whl
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:2e98dac61759aa12d18e6e6f4c6c582095882f08431259ee92845b47a8378ff0
 size 583522