rpm/python
SHA256
1
0
Fork 0
forked from pool/python
Code Pull Requests Activity

Accepting request 1111680 from devel:languages:python:Factory

Browse Source 
- (bsc#1214691, CVE-2022-48566) Add
  CVE-2022-48566-compare_digest-more-constant.patch to make
  compare_digest more constant-time.

- (bsc#1214685, CVE-2022-48565) Add
  CVE-2022-48565-plistlib-XML-vulns.patch (from
  gh#python/cpython#86217) reject XML entity declarations in
  plist files.
- Remove BOTH CVE-2023-27043-email-parsing-errors.patch and
  Revert-gh105127-left-tests.patch (as per discussion on
  bsc#1210638).

OBS-URL: https://build.opensuse.org/request/show/1111680
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=188
This commit is contained in:
Ana Guerrero 2023-09-22 19:46:40 +00:00 committed by Git OBS Bridge
commit fa963f5919
10 changed files with 205 additions and 363 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
CVE-2022-48565-plistlib-XML-vulns.patch Normal file
View File

@ -0,0 +1,80 @@
From 4d8f9e2e4461de92bd1e0c92ed433480d761670f Mon Sep 17 00:00:00 2001
From: Ned Deily <nad@python.org>
Date: Mon, 19 Oct 2020 22:36:27 -0400
Subject: [PATCH] bpo-42051: Reject XML entity declarations in plist files
(GH-22760) (GH-22801)
Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
(cherry picked from commit e512bc799e3864fe3b1351757261762d63471efc)
Co-authored-by: Ned Deily <nad@python.org>
---
Lib/plistlib.py | 10 +++++
Lib/test/test_plistlib.py | 19 ++++++++++
Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst | 3 +
3 files changed, 32 insertions(+)
create mode 100644 Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst
--- a/Lib/plistlib.py
+++ b/Lib/plistlib.py
@@ -403,9 +403,19 @@ class PlistParser:
parser.StartElementHandler = self.handleBeginElement
parser.EndElementHandler = self.handleEndElement
parser.CharacterDataHandler = self.handleData
+ parser.EntityDeclHandler = self.handle_entity_decl
parser.ParseFile(fileobj)
return self.root
+ def handle_entity_decl(self, entity_name, is_parameter_entity, value,
+ base, system_id, public_id, notation_name):
+ # Reject plist files with entity declarations to avoid XML
+ # vulnerabilies in expat. Regular plist files don't contain
+ # those declerations, and Apple's plutil tool does not accept
+ # them either.
+ raise ValueError(
+ "XML entity declarations are not supported in plist files")
+
def handleBeginElement(self, element, attrs):
self.data = []
handler = getattr(self, "begin_" + element, None)
--- a/Lib/test/test_plistlib.py
+++ b/Lib/test/test_plistlib.py
@@ -86,6 +86,19 @@ TESTDATA = """<?xml version="1.0" encodi
</plist>
""".replace(" " * 8, "\t") # Apple as well as plistlib.py output hard tabs
+XML_PLIST_WITH_ENTITY=b'''\
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" [
+ <!ENTITY entity "replacement text">
+ ]>
+<plist version="1.0">
+ <dict>
+ <key>A</key>
+ <string>&entity;</string>
+ </dict>
+</plist>
+'''
+
class TestPlistlib(unittest.TestCase):
@@ -195,6 +208,12 @@ class TestPlistlib(unittest.TestCase):
self.assertEqual(test1, result1)
self.assertEqual(test2, result2)
+ def test_xml_plist_with_entity_decl(self):
+ with self.assertRaisesRegexp(ValueError,
+ "XML entity declarations are not supported"):
+ plistlib.readPlistFromString(XML_PLIST_WITH_ENTITY)
+
+
def test_main():
test_support.run_unittest(TestPlistlib)
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst
@@ -0,0 +1,3 @@
+The :mod:`plistlib` module no longer accepts entity declarations in XML
+plist files to avoid XML vulnerabilities. This should not affect users as
+entity declarations are not used in regular plist files.

35
CVE-2022-48566-compare_digest-more-constant.patch Normal file
View File

@ -0,0 +1,35 @@
From 8bef9ebb1b88cfa4b2a38b93fe4ea22015d8254a Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-islington@users.noreply.github.com>
Date: Mon, 14 Dec 2020 09:04:57 -0800
Subject: [PATCH] bpo-40791: Make compare_digest more constant-time. (GH-23438)
(GH-23767)
The existing volatile `left`/`right` pointers guarantee that the reads will all occur, but does not guarantee that they will be _used_. So a compiler can still short-circuit the loop, saving e.g. the overhead of doing the xors and especially the overhead of the data dependency between `result` and the reads. That would change performance depending on where the first unequal byte occurs. This change removes that optimization.
(This is change GH-1 from https://bugs.python.org/issue40791 .)
(cherry picked from commit 31729366e2bc09632e78f3896dbce0ae64914f28)
Co-authored-by: Devin Jeanpierre <jeanpierreda@google.com>
---
Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst | 1 +
Modules/operator.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
create mode 100644 Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst
@@ -0,0 +1 @@
+Add ``volatile`` to the accumulator variable in ``hmac.compare_digest``, making constant-time-defeating optimizations less likely.
\ No newline at end of file
--- a/Modules/operator.c
+++ b/Modules/operator.c
@@ -259,7 +259,7 @@ _tscmp(const unsigned char *a, const uns
volatile const unsigned char *left;
volatile const unsigned char *right;
Py_ssize_t i;
- unsigned char result;
+ volatile unsigned char result;
/* loop count depends on length of b */
length = len_b;

137
CVE-2023-27043-email-parsing-errors.patch
View File

@ -1,137 +0,0 @@
---
Doc/library/email.utils.rst | 24 +++
Lib/email/utils.py | 66 +++++++++-
Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst | 4
3 files changed, 88 insertions(+), 6 deletions(-)
--- a/Doc/library/email.utils.rst
+++ b/Doc/library/email.utils.rst
@@ -63,6 +63,11 @@ There are several useful utilities provi
:func:`time.mktime`; otherwise ``None`` will be returned. Note that indexes 6,
7, and 8 of the result tuple are not usable.
+ .. versionchanged:: 3.12
+ For security reasons, addresses that were ambiguous and could parse into
+ multiple different addresses now cause ``('', '')`` to be returned
+ instead of only one of the *potential* addresses.
+
.. function:: parsedate_tz(date)
@@ -103,6 +108,25 @@ There are several useful utilities provi
.. versionadded:: 2.4
+ When parsing fails for a single fieldvalue, a 2-tuple of ``('', '')``
+ is returned in its place. Other errors in parsing the list of
+ addresses such as a fieldvalue seemingly parsing into multiple
+ addresses may result in a list containing a single empty 2-tuple
+ ``[('', '')]`` being returned rather than returning potentially
+ invalid output.
+
+ Example malformed input parsing:
+
+ .. doctest::
+
+ >>> from email.utils import getaddresses
+ >>> getaddresses(['alice@example.com <bob@example.com>', 'me@example.com'])
+ [('', '')]
+
+ .. versionchanged:: 3.12
+ The 2-tuple of ``('', '')`` in the returned values when parsing
+ fails were added as to address a security issue.
+
.. function:: make_msgid([idstring])
--- a/Lib/email/utils.py
+++ b/Lib/email/utils.py
@@ -101,11 +101,56 @@ def formataddr(pair):
+def _pre_parse_validation(email_header_fields):
+ accepted_values = []
+ for v in email_header_fields:
+ s = v.replace('\\(', '').replace('\\)', '')
+ if s.count('(') != s.count(')'):
+ v = "('', '')"
+ accepted_values.append(v)
+
+ return accepted_values
+
+
+
+def _post_parse_validation(parsed_email_header_tuples):
+ accepted_values = []
+ # The parser would have parsed a correctly formatted domain-literal
+ # The existence of an [ after parsing indicates a parsing failure
+ for v in parsed_email_header_tuples:
+ if '[' in v[1]:
+ v = ('', '')
+ accepted_values.append(v)
+
+ return accepted_values
+
+
+
def getaddresses(fieldvalues):
- """Return a list of (REALNAME, EMAIL) for each fieldvalue."""
- all = COMMASPACE.join(fieldvalues)
+ """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
+
+ When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
+ its place.
+
+ If the resulting list of parsed address is not the same as the number of
+ fieldvalues in the input list a parsing error has occurred. A list
+ containing a single empty 2-tuple [('', '')] is returned in its place.
+ This is done to avoid invalid output.
+ """
+ fieldvalues = [str(v) for v in fieldvalues]
+ fieldvalues = _pre_parse_validation(fieldvalues)
+ all = COMMASPACE.join(v for v in fieldvalues)
a = _AddressList(all)
- return a.addresslist
+ result = _post_parse_validation(a.addresslist)
+
+ n = 0
+ for v in fieldvalues:
+ n += v.count(',') + 1
+
+ if len(result) != n:
+ return [('', '')]
+
+ return result
@@ -217,9 +262,18 @@ def parseaddr(addr):
Return a tuple of realname and email address, unless the parse fails, in
which case return a 2-tuple of ('', '').
"""
- addrs = _AddressList(addr).addresslist
- if not addrs:
- return '', ''
+ if isinstance(addr, list):
+ addr = addr[0]
+
+ if not isinstance(addr, str):
+ return ('', '')
+
+ addr = _pre_parse_validation([addr])[0]
+ addrs = _post_parse_validation(_AddressList(addr).addresslist)
+
+ if not addrs or len(addrs) > 1:
+ return ('', '')
+
return addrs[0]
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
@@ -0,0 +1,4 @@
+CVE-2023-27043: Prevent :func:`email.utils.parseaddr`
+and :func:`email.utils.getaddresses` from returning the realname portion of an
+invalid RFC2822 email header in the email address portion of the 2-tuple
+returned after being parsed by :class:`email._parseaddr.AddressList`.

202
Revert-gh105127-left-tests.patch
View File

@ -1,202 +0,0 @@
From 4288c623d62cf90d8e4444facb3379fb06d01140 Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith" <greg@krypto.org>
Date: Thu, 20 Jul 2023 20:30:52 -0700
Subject: [PATCH] [3.12] gh-106669: Revert "gh-102988: Detect email address
parsing errors ... (GH-105127)" (GH-106733)
This reverts commit 18dfbd035775c15533d13a98e56b1d2bf5c65f00.
Adds a regression test from the issue.
See https://github.com/python/cpython/issues/106669..
(cherry picked from commit a31dea1feb61793e48fa9aa5014f358352205c1d)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
---
Doc/library/email.utils.rst | 24 ---
Lib/email/test/test_email.py | 18 ++
Lib/email/test/test_email_renamed.py | 4
Lib/email/utils.py | 66 ----------
Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst | 5
5 files changed, 32 insertions(+), 85 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
--- a/Doc/library/email.utils.rst
+++ b/Doc/library/email.utils.rst
@@ -63,11 +63,6 @@ There are several useful utilities provi
:func:`time.mktime`; otherwise ``None`` will be returned. Note that indexes 6,
7, and 8 of the result tuple are not usable.
- .. versionchanged:: 3.12
- For security reasons, addresses that were ambiguous and could parse into
- multiple different addresses now cause ``('', '')`` to be returned
- instead of only one of the *potential* addresses.
-
.. function:: parsedate_tz(date)
@@ -108,25 +103,6 @@ There are several useful utilities provi
.. versionadded:: 2.4
- When parsing fails for a single fieldvalue, a 2-tuple of ``('', '')``
- is returned in its place. Other errors in parsing the list of
- addresses such as a fieldvalue seemingly parsing into multiple
- addresses may result in a list containing a single empty 2-tuple
- ``[('', '')]`` being returned rather than returning potentially
- invalid output.
-
- Example malformed input parsing:
-
- .. doctest::
-
- >>> from email.utils import getaddresses
- >>> getaddresses(['alice@example.com <bob@example.com>', 'me@example.com'])
- [('', '')]
-
- .. versionchanged:: 3.12
- The 2-tuple of ``('', '')`` in the returned values when parsing
- fails were added as to address a security issue.
-
.. function:: make_msgid([idstring])
--- a/Lib/email/test/test_email.py
+++ b/Lib/email/test/test_email.py
@@ -2414,6 +2414,24 @@ Foo
[('Al Person', 'aperson@dom.ain'),
('Bud Person', 'bperson@dom.ain')])
+ def test_getaddresses_comma_in_name(self):
+ """GH-106669 regression test."""
+ self.assertEqual(
+ Utils.getaddresses(
+ [
+ '"Bud, Person" <bperson@dom.ain>',
+ 'aperson@dom.ain (Al Person)',
+ '"Mariusz Felisiak" <to@example.com>',
+ ]
+ ),
+ [
+ ('Bud, Person', 'bperson@dom.ain'),
+ ('Al Person', 'aperson@dom.ain'),
+ ('Mariusz Felisiak', 'to@example.com'),
+ ],
+ )
+
+ @unittest.skip("Results are too irregular with patches for CVE-2023-27043")
def test_getaddresses_nasty(self):
eq = self.assertEqual
eq(Utils.getaddresses(['foo: ;']), [('', '')])
--- a/Lib/email/test/test_email_renamed.py
+++ b/Lib/email/test/test_email_renamed.py
@@ -2275,12 +2275,14 @@ Foo
[('Al Person', 'aperson@dom.ain'),
('Bud Person', 'bperson@dom.ain')])
+ @unittest.skip("Results are too irregular with patches for CVE-2023-27043")
def test_getaddresses_nasty(self):
eq = self.assertEqual
eq(utils.getaddresses(['foo: ;']), [('', '')])
eq(utils.getaddresses(
['[]*-- =~$']),
- [('', ''), ('', ''), ('', '*--')])
+ [('', ''), ('', ''), ('', '*--')]
+ )
eq(utils.getaddresses(
['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>']),
[('', ''), ('Jason R. Mastaler', 'jason@dom.ain')])
--- a/Lib/email/utils.py
+++ b/Lib/email/utils.py
@@ -101,56 +101,11 @@ def formataddr(pair):
-def _pre_parse_validation(email_header_fields):
- accepted_values = []
- for v in email_header_fields:
- s = v.replace('\\(', '').replace('\\)', '')
- if s.count('(') != s.count(')'):
- v = "('', '')"
- accepted_values.append(v)
-
- return accepted_values
-
-
-
-def _post_parse_validation(parsed_email_header_tuples):
- accepted_values = []
- # The parser would have parsed a correctly formatted domain-literal
- # The existence of an [ after parsing indicates a parsing failure
- for v in parsed_email_header_tuples:
- if '[' in v[1]:
- v = ('', '')
- accepted_values.append(v)
-
- return accepted_values
-
-
-
def getaddresses(fieldvalues):
- """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
-
- When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
- its place.
-
- If the resulting list of parsed address is not the same as the number of
- fieldvalues in the input list a parsing error has occurred. A list
- containing a single empty 2-tuple [('', '')] is returned in its place.
- This is done to avoid invalid output.
- """
- fieldvalues = [str(v) for v in fieldvalues]
- fieldvalues = _pre_parse_validation(fieldvalues)
- all = COMMASPACE.join(v for v in fieldvalues)
+ """Return a list of (REALNAME, EMAIL) for each fieldvalue."""
+ all = COMMASPACE.join(str(v) for v in fieldvalues)
a = _AddressList(all)
- result = _post_parse_validation(a.addresslist)
-
- n = 0
- for v in fieldvalues:
- n += v.count(',') + 1
-
- if len(result) != n:
- return [('', '')]
-
- return result
+ return a.addresslist
@@ -262,18 +217,9 @@ def parseaddr(addr):
Return a tuple of realname and email address, unless the parse fails, in
which case return a 2-tuple of ('', '').
"""
- if isinstance(addr, list):
- addr = addr[0]
-
- if not isinstance(addr, str):
- return ('', '')
-
- addr = _pre_parse_validation([addr])[0]
- addrs = _post_parse_validation(_AddressList(addr).addresslist)
-
- if not addrs or len(addrs) > 1:
- return ('', '')
-
+ addrs = _AddressList(addr).addresslist
+ if not addrs:
+ return '', ''
return addrs[0]
--- a/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
+++ b/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
@@ -1,3 +1,8 @@
+Reverted the :mod:`email.utils` security improvement change released in
+3.12beta4 that unintentionally caused :mod:`email.utils.getaddresses` to fail
+to parse email addresses with a comma in the quoted name field.
+See :gh:`106669`.
+
CVE-2023-27043: Prevent :func:`email.utils.parseaddr`
and :func:`email.utils.getaddresses` from returning the realname portion of an
invalid RFC2822 email header in the email address portion of the 2-tuple

18
python-base.changes
View File

@ -1,3 +1,21 @@
-------------------------------------------------------------------
Sat Sep 16 12:40:52 UTC 2023 - Matej Cepl <mcepl@suse.com>
- (bsc#1214691, CVE-2022-48566) Add
CVE-2022-48566-compare_digest-more-constant.patch to make
compare_digest more constant-time.
-------------------------------------------------------------------
Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl <mcepl@suse.com>
- (bsc#1214685, CVE-2022-48565) Add
CVE-2022-48565-plistlib-XML-vulns.patch (from
gh#python/cpython#86217) reject XML entity declarations in
plist files.
- Remove BOTH CVE-2023-27043-email-parsing-errors.patch and
Revert-gh105127-left-tests.patch (as per discussion on
bsc#1210638).
-------------------------------------------------------------------
Tue Sep 12 07:55:52 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>

20
python-base.spec
View File

@ -149,15 +149,18 @@ Patch75: CVE-2023-24329-blank-URL-bypass.patch
# PATCH-FIX-OPENSUSE PygmentsBridge-trime_doctest_flags.patch mcepl@suse.com
# Build documentation even without PygmentsBridge.trim_doctest_flags
Patch76: PygmentsBridge-trime_doctest_flags.patch
# PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com
# Detect email address parsing errors and return empty tuple to
# indicate the parsing error (old API)
Patch77: CVE-2023-27043-email-parsing-errors.patch
# PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638 mcepl@suse.com
# Partially revert previous patch
Patch78: Revert-gh105127-left-tests.patch
# # PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com
# # Detect email address parsing errors and return empty tuple to
# # indicate the parsing error (old API)
# Patch77: CVE-2023-27043-email-parsing-errors.patch
# PATCH-FIX-UPSTREAM CVE-2022-48565-plistlib-XML-vulns.patch bsc#1214685 mcepl@suse.com
# Reject entity declarations in plists
Patch78: CVE-2022-48565-plistlib-XML-vulns.patch
# PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch gh#python/cpython#108315
Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch
# PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com
# Make compare_digest more constant-time
Patch80: CVE-2022-48566-compare_digest-more-constant.patch
# COMMON-PATCH-END
%define python_version %(echo %{tarversion} | head -c 3)
BuildRequires: automake
@ -310,9 +313,10 @@ other applications.
%endif
%patch75 -p1
%patch76 -p1
%patch77 -p1
# %%patch77 -p1
%patch78 -p1
%patch79 -p1
%patch80 -p1
# For patch 66
cp -v %{SOURCE66} Lib/test/recursion.tar

18
python-doc.changes
View File

@ -1,3 +1,21 @@
-------------------------------------------------------------------
Sat Sep 16 12:40:52 UTC 2023 - Matej Cepl <mcepl@suse.com>
- (bsc#1214691, CVE-2022-48566) Add
CVE-2022-48566-compare_digest-more-constant.patch to make
compare_digest more constant-time.
-------------------------------------------------------------------
Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl <mcepl@suse.com>
- (bsc#1214685, CVE-2022-48565) Add
CVE-2022-48565-plistlib-XML-vulns.patch (from
gh#python/cpython#86217) reject XML entity declarations in
plist files.
- Remove BOTH CVE-2023-27043-email-parsing-errors.patch and
Revert-gh105127-left-tests.patch (as per discussion on
bsc#1210638).
-------------------------------------------------------------------
Tue Sep 12 07:55:52 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>

20
python-doc.spec
View File

@ -148,15 +148,18 @@ Patch75: CVE-2023-24329-blank-URL-bypass.patch
# PATCH-FIX-OPENSUSE PygmentsBridge-trime_doctest_flags.patch mcepl@suse.com
# Build documentation even without PygmentsBridge.trim_doctest_flags
Patch76: PygmentsBridge-trime_doctest_flags.patch
# PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com
# Detect email address parsing errors and return empty tuple to
# indicate the parsing error (old API)
Patch77: CVE-2023-27043-email-parsing-errors.patch
# PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638 mcepl@suse.com
# Partially revert previous patch
Patch78: Revert-gh105127-left-tests.patch
# # PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com
# # Detect email address parsing errors and return empty tuple to
# # indicate the parsing error (old API)
# Patch77: CVE-2023-27043-email-parsing-errors.patch
# PATCH-FIX-UPSTREAM CVE-2022-48565-plistlib-XML-vulns.patch bsc#1214685 mcepl@suse.com
# Reject entity declarations in plists
Patch78: CVE-2022-48565-plistlib-XML-vulns.patch
# PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch gh#python/cpython#108315
Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch
# PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com
# Make compare_digest more constant-time
Patch80: CVE-2022-48566-compare_digest-more-constant.patch
# COMMON-PATCH-END
Provides: pyth_doc = %{version}
Provides: pyth_ps = %{version}
@ -244,9 +247,10 @@ Python, and Macintosh Module Reference in PDF format.
%endif
%patch75 -p1
%patch76 -p1
%patch77 -p1
# %%patch77 -p1
%patch78 -p1
%patch79 -p1
%patch80 -p1
# For patch 66
cp -v %{SOURCE66} Lib/test/recursion.tar

18
python.changes
View File

@ -1,3 +1,21 @@
-------------------------------------------------------------------
Sat Sep 16 12:40:52 UTC 2023 - Matej Cepl <mcepl@suse.com>
- (bsc#1214691, CVE-2022-48566) Add
CVE-2022-48566-compare_digest-more-constant.patch to make
compare_digest more constant-time.
-------------------------------------------------------------------
Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl <mcepl@suse.com>
- (bsc#1214685, CVE-2022-48565) Add
CVE-2022-48565-plistlib-XML-vulns.patch (from
gh#python/cpython#86217) reject XML entity declarations in
plist files.
- Remove BOTH CVE-2023-27043-email-parsing-errors.patch and
Revert-gh105127-left-tests.patch (as per discussion on
bsc#1210638).
-------------------------------------------------------------------
Tue Sep 12 07:55:52 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>

20
python.spec
View File

@ -148,15 +148,18 @@ Patch75: CVE-2023-24329-blank-URL-bypass.patch
# PATCH-FIX-OPENSUSE PygmentsBridge-trime_doctest_flags.patch mcepl@suse.com
# Build documentation even without PygmentsBridge.trim_doctest_flags
Patch76: PygmentsBridge-trime_doctest_flags.patch
# PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com
# Detect email address parsing errors and return empty tuple to
# indicate the parsing error (old API)
Patch77: CVE-2023-27043-email-parsing-errors.patch
# PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638 mcepl@suse.com
# Partially revert previous patch
Patch78: Revert-gh105127-left-tests.patch
# # PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com
# # Detect email address parsing errors and return empty tuple to
# # indicate the parsing error (old API)
# Patch77: CVE-2023-27043-email-parsing-errors.patch
# PATCH-FIX-UPSTREAM CVE-2022-48565-plistlib-XML-vulns.patch bsc#1214685 mcepl@suse.com
# Reject entity declarations in plists
Patch78: CVE-2022-48565-plistlib-XML-vulns.patch
# PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch gh#python/cpython#108315
Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch
# PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com
# Make compare_digest more constant-time
Patch80: CVE-2022-48566-compare_digest-more-constant.patch
# COMMON-PATCH-END
BuildRequires: automake
BuildRequires: db-devel
@ -364,9 +367,10 @@ that rely on earlier non-verification behavior.
%endif
%patch75 -p1
%patch76 -p1
%patch77 -p1
# %%patch77 -p1
%patch78 -p1
%patch79 -p1
%patch80 -p1
# For patch 66
cp -v %{SOURCE66} Lib/test/recursion.tar