From fe93386c91f1a0711ad80b690eb24872a33a9777cb6a6f79814bfa647e6d3af1 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Thu, 14 Sep 2023 21:54:10 +0000 Subject: [PATCH 1/5] - (bsc#1214685, CVE-2022-48565) Add CVE-2022-48565-plistlib-XML-vulns.patch (from gh#python/cpython#86217) reject XML entity declarations in plist files. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=384 --- CVE-2022-48565-plistlib-XML-vulns.patch | 80 +++++++++++++++++++++++++ python-base.changes | 11 ++++ python-base.spec | 16 ++--- python-doc.changes | 11 ++++ python-doc.spec | 16 ++--- python.changes | 11 ++++ python.spec | 16 ++--- 7 files changed, 137 insertions(+), 24 deletions(-) create mode 100644 CVE-2022-48565-plistlib-XML-vulns.patch diff --git a/CVE-2022-48565-plistlib-XML-vulns.patch b/CVE-2022-48565-plistlib-XML-vulns.patch new file mode 100644 index 0000000..94a4dd8 --- /dev/null +++ b/CVE-2022-48565-plistlib-XML-vulns.patch @@ -0,0 +1,80 @@ +From 4d8f9e2e4461de92bd1e0c92ed433480d761670f Mon Sep 17 00:00:00 2001 +From: Ned Deily +Date: Mon, 19 Oct 2020 22:36:27 -0400 +Subject: [PATCH] bpo-42051: Reject XML entity declarations in plist files + (GH-22760) (GH-22801) + +Co-authored-by: Ronald Oussoren +(cherry picked from commit e512bc799e3864fe3b1351757261762d63471efc) + +Co-authored-by: Ned Deily +--- + Lib/plistlib.py | 10 +++++ + Lib/test/test_plistlib.py | 19 ++++++++++ + Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst | 3 + + 3 files changed, 32 insertions(+) + create mode 100644 Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst + +--- a/Lib/plistlib.py ++++ b/Lib/plistlib.py +@@ -403,9 +403,19 @@ class PlistParser: + parser.StartElementHandler = self.handleBeginElement + parser.EndElementHandler = self.handleEndElement + parser.CharacterDataHandler = self.handleData ++ parser.EntityDeclHandler = self.handle_entity_decl + parser.ParseFile(fileobj) + return self.root + ++ def handle_entity_decl(self, entity_name, is_parameter_entity, value, ++ base, system_id, public_id, notation_name): ++ # Reject plist files with entity declarations to avoid XML ++ # vulnerabilies in expat. Regular plist files don't contain ++ # those declerations, and Apple's plutil tool does not accept ++ # them either. ++ raise InvalidFileException( ++ "XML entity declarations are not supported in plist files") ++ + def handleBeginElement(self, element, attrs): + self.data = [] + handler = getattr(self, "begin_" + element, None) +--- a/Lib/test/test_plistlib.py ++++ b/Lib/test/test_plistlib.py +@@ -86,6 +86,19 @@ TESTDATA = """ + """.replace(" " * 8, "\t") # Apple as well as plistlib.py output hard tabs + ++XML_PLIST_WITH_ENTITY=b'''\ ++ ++ ++ ]> ++ ++ ++ A ++ &entity; ++ ++ ++''' ++ + + class TestPlistlib(unittest.TestCase): + +@@ -195,6 +208,12 @@ class TestPlistlib(unittest.TestCase): + self.assertEqual(test1, result1) + self.assertEqual(test2, result2) + ++ def test_xml_plist_with_entity_decl(self): ++ with self.assertRaisesRegexp(plistlib.InvalidFileException, ++ "XML entity declarations are not supported"): ++ plistlib.readPlistFromString(XML_PLIST_WITH_ENTITY) ++ ++ + + def test_main(): + test_support.run_unittest(TestPlistlib) +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst +@@ -0,0 +1,3 @@ ++The :mod:`plistlib` module no longer accepts entity declarations in XML ++plist files to avoid XML vulnerabilities. This should not affect users as ++entity declarations are not used in regular plist files. diff --git a/python-base.changes b/python-base.changes index c331d3b..ab2c6e0 100644 --- a/python-base.changes +++ b/python-base.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl + +- (bsc#1214685, CVE-2022-48565) Add + CVE-2022-48565-plistlib-XML-vulns.patch (from + gh#python/cpython#86217) reject XML entity declarations in + plist files. +- Remove BOTH CVE-2023-27043-email-parsing-errors.patch and + Revert-gh105127-left-tests.patch (as per discussion on + bsc#1210638). + ------------------------------------------------------------------- Tue Sep 12 07:55:52 UTC 2023 - Daniel Garcia diff --git a/python-base.spec b/python-base.spec index 254a0ae..700832b 100644 --- a/python-base.spec +++ b/python-base.spec @@ -149,13 +149,13 @@ Patch75: CVE-2023-24329-blank-URL-bypass.patch # PATCH-FIX-OPENSUSE PygmentsBridge-trime_doctest_flags.patch mcepl@suse.com # Build documentation even without PygmentsBridge.trim_doctest_flags Patch76: PygmentsBridge-trime_doctest_flags.patch -# PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com -# Detect email address parsing errors and return empty tuple to -# indicate the parsing error (old API) -Patch77: CVE-2023-27043-email-parsing-errors.patch -# PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638 mcepl@suse.com -# Partially revert previous patch -Patch78: Revert-gh105127-left-tests.patch +# # PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com +# # Detect email address parsing errors and return empty tuple to +# # indicate the parsing error (old API) +# Patch77: CVE-2023-27043-email-parsing-errors.patch +# PATCH-FIX-UPSTREAM CVE-2022-48565-plistlib-XML-vulns.patch bsc#1214685 mcepl@suse.com +# Reject entity declarations in plists +Patch78: CVE-2022-48565-plistlib-XML-vulns.patch # PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch gh#python/cpython#108315 Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch # COMMON-PATCH-END @@ -310,7 +310,7 @@ other applications. %endif %patch75 -p1 %patch76 -p1 -%patch77 -p1 +# %%patch77 -p1 %patch78 -p1 %patch79 -p1 diff --git a/python-doc.changes b/python-doc.changes index c331d3b..ab2c6e0 100644 --- a/python-doc.changes +++ b/python-doc.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl + +- (bsc#1214685, CVE-2022-48565) Add + CVE-2022-48565-plistlib-XML-vulns.patch (from + gh#python/cpython#86217) reject XML entity declarations in + plist files. +- Remove BOTH CVE-2023-27043-email-parsing-errors.patch and + Revert-gh105127-left-tests.patch (as per discussion on + bsc#1210638). + ------------------------------------------------------------------- Tue Sep 12 07:55:52 UTC 2023 - Daniel Garcia diff --git a/python-doc.spec b/python-doc.spec index 9575e3f..6dbf161 100644 --- a/python-doc.spec +++ b/python-doc.spec @@ -148,13 +148,13 @@ Patch75: CVE-2023-24329-blank-URL-bypass.patch # PATCH-FIX-OPENSUSE PygmentsBridge-trime_doctest_flags.patch mcepl@suse.com # Build documentation even without PygmentsBridge.trim_doctest_flags Patch76: PygmentsBridge-trime_doctest_flags.patch -# PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com -# Detect email address parsing errors and return empty tuple to -# indicate the parsing error (old API) -Patch77: CVE-2023-27043-email-parsing-errors.patch -# PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638 mcepl@suse.com -# Partially revert previous patch -Patch78: Revert-gh105127-left-tests.patch +# # PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com +# # Detect email address parsing errors and return empty tuple to +# # indicate the parsing error (old API) +# Patch77: CVE-2023-27043-email-parsing-errors.patch +# PATCH-FIX-UPSTREAM CVE-2022-48565-plistlib-XML-vulns.patch bsc#1214685 mcepl@suse.com +# Reject entity declarations in plists +Patch78: CVE-2022-48565-plistlib-XML-vulns.patch # PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch gh#python/cpython#108315 Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch # COMMON-PATCH-END @@ -244,7 +244,7 @@ Python, and Macintosh Module Reference in PDF format. %endif %patch75 -p1 %patch76 -p1 -%patch77 -p1 +# %%patch77 -p1 %patch78 -p1 %patch79 -p1 diff --git a/python.changes b/python.changes index c331d3b..ab2c6e0 100644 --- a/python.changes +++ b/python.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl + +- (bsc#1214685, CVE-2022-48565) Add + CVE-2022-48565-plistlib-XML-vulns.patch (from + gh#python/cpython#86217) reject XML entity declarations in + plist files. +- Remove BOTH CVE-2023-27043-email-parsing-errors.patch and + Revert-gh105127-left-tests.patch (as per discussion on + bsc#1210638). + ------------------------------------------------------------------- Tue Sep 12 07:55:52 UTC 2023 - Daniel Garcia diff --git a/python.spec b/python.spec index acdca74..ee2c945 100644 --- a/python.spec +++ b/python.spec @@ -148,13 +148,13 @@ Patch75: CVE-2023-24329-blank-URL-bypass.patch # PATCH-FIX-OPENSUSE PygmentsBridge-trime_doctest_flags.patch mcepl@suse.com # Build documentation even without PygmentsBridge.trim_doctest_flags Patch76: PygmentsBridge-trime_doctest_flags.patch -# PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com -# Detect email address parsing errors and return empty tuple to -# indicate the parsing error (old API) -Patch77: CVE-2023-27043-email-parsing-errors.patch -# PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638 mcepl@suse.com -# Partially revert previous patch -Patch78: Revert-gh105127-left-tests.patch +# # PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com +# # Detect email address parsing errors and return empty tuple to +# # indicate the parsing error (old API) +# Patch77: CVE-2023-27043-email-parsing-errors.patch +# PATCH-FIX-UPSTREAM CVE-2022-48565-plistlib-XML-vulns.patch bsc#1214685 mcepl@suse.com +# Reject entity declarations in plists +Patch78: CVE-2022-48565-plistlib-XML-vulns.patch # PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch gh#python/cpython#108315 Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch # COMMON-PATCH-END @@ -364,7 +364,7 @@ that rely on earlier non-verification behavior. %endif %patch75 -p1 %patch76 -p1 -%patch77 -p1 +# %%patch77 -p1 %patch78 -p1 %patch79 -p1 From 10bb24e52755a7deec8ad7a13d487aed9cee9b7b62d8a926b50cffe4203cf588 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Sat, 16 Sep 2023 16:30:00 +0000 Subject: [PATCH 2/5] - (bsc#1214691, CVE-2022-48566) Add CVE-2022-48566-compare_digest-more-constant.patch to make compare_digest more constant-time. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=385 --- ...2-48566-compare_digest-more-constant.patch | 35 +++++++++++++++++++ python-base.changes | 7 ++++ python-base.spec | 4 +++ python-doc.changes | 7 ++++ python-doc.spec | 4 +++ python.changes | 7 ++++ python.spec | 4 +++ 7 files changed, 68 insertions(+) create mode 100644 CVE-2022-48566-compare_digest-more-constant.patch diff --git a/CVE-2022-48566-compare_digest-more-constant.patch b/CVE-2022-48566-compare_digest-more-constant.patch new file mode 100644 index 0000000..f87f3f9 --- /dev/null +++ b/CVE-2022-48566-compare_digest-more-constant.patch @@ -0,0 +1,35 @@ +From 8bef9ebb1b88cfa4b2a38b93fe4ea22015d8254a Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 14 Dec 2020 09:04:57 -0800 +Subject: [PATCH] bpo-40791: Make compare_digest more constant-time. (GH-23438) + (GH-23767) + +The existing volatile `left`/`right` pointers guarantee that the reads will all occur, but does not guarantee that they will be _used_. So a compiler can still short-circuit the loop, saving e.g. the overhead of doing the xors and especially the overhead of the data dependency between `result` and the reads. That would change performance depending on where the first unequal byte occurs. This change removes that optimization. + +(This is change GH-1 from https://bugs.python.org/issue40791 .) +(cherry picked from commit 31729366e2bc09632e78f3896dbce0ae64914f28) + +Co-authored-by: Devin Jeanpierre +--- + Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst | 1 + + Modules/_operator.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst + +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst +@@ -0,0 +1 @@ ++Add ``volatile`` to the accumulator variable in ``hmac.compare_digest``, making constant-time-defeating optimizations less likely. +\ No newline at end of file +--- a/Modules/_operator.c ++++ b/Modules/_operator.c +@@ -182,7 +182,7 @@ _tscmp(const unsigned char *a, const uns + volatile const unsigned char *left; + volatile const unsigned char *right; + Py_ssize_t i; +- unsigned char result; ++ volatile unsigned char result; + + /* loop count depends on length of b */ + length = len_b; diff --git a/python-base.changes b/python-base.changes index ab2c6e0..9f6b63b 100644 --- a/python-base.changes +++ b/python-base.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Sat Sep 16 12:40:52 UTC 2023 - Matej Cepl + +- (bsc#1214691, CVE-2022-48566) Add + CVE-2022-48566-compare_digest-more-constant.patch to make + compare_digest more constant-time. + ------------------------------------------------------------------- Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl diff --git a/python-base.spec b/python-base.spec index 700832b..9ce7853 100644 --- a/python-base.spec +++ b/python-base.spec @@ -158,6 +158,9 @@ Patch76: PygmentsBridge-trime_doctest_flags.patch Patch78: CVE-2022-48565-plistlib-XML-vulns.patch # PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch gh#python/cpython#108315 Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch +# PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com +# Make compare_digest more constant-time +Patch80: CVE-2022-48566-compare_digest-more-constant.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -313,6 +316,7 @@ other applications. # %%patch77 -p1 %patch78 -p1 %patch79 -p1 +%patch80 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar diff --git a/python-doc.changes b/python-doc.changes index ab2c6e0..9f6b63b 100644 --- a/python-doc.changes +++ b/python-doc.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Sat Sep 16 12:40:52 UTC 2023 - Matej Cepl + +- (bsc#1214691, CVE-2022-48566) Add + CVE-2022-48566-compare_digest-more-constant.patch to make + compare_digest more constant-time. + ------------------------------------------------------------------- Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl diff --git a/python-doc.spec b/python-doc.spec index 6dbf161..699adbe 100644 --- a/python-doc.spec +++ b/python-doc.spec @@ -157,6 +157,9 @@ Patch76: PygmentsBridge-trime_doctest_flags.patch Patch78: CVE-2022-48565-plistlib-XML-vulns.patch # PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch gh#python/cpython#108315 Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch +# PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com +# Make compare_digest more constant-time +Patch80: CVE-2022-48566-compare_digest-more-constant.patch # COMMON-PATCH-END Provides: pyth_doc = %{version} Provides: pyth_ps = %{version} @@ -247,6 +250,7 @@ Python, and Macintosh Module Reference in PDF format. # %%patch77 -p1 %patch78 -p1 %patch79 -p1 +%patch80 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar diff --git a/python.changes b/python.changes index ab2c6e0..9f6b63b 100644 --- a/python.changes +++ b/python.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Sat Sep 16 12:40:52 UTC 2023 - Matej Cepl + +- (bsc#1214691, CVE-2022-48566) Add + CVE-2022-48566-compare_digest-more-constant.patch to make + compare_digest more constant-time. + ------------------------------------------------------------------- Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl diff --git a/python.spec b/python.spec index ee2c945..2cefccb 100644 --- a/python.spec +++ b/python.spec @@ -157,6 +157,9 @@ Patch76: PygmentsBridge-trime_doctest_flags.patch Patch78: CVE-2022-48565-plistlib-XML-vulns.patch # PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch gh#python/cpython#108315 Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch +# PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch bsc#1214691 mcepl@suse.com +# Make compare_digest more constant-time +Patch80: CVE-2022-48566-compare_digest-more-constant.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -367,6 +370,7 @@ that rely on earlier non-verification behavior. # %%patch77 -p1 %patch78 -p1 %patch79 -p1 +%patch80 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar From debb82ab6f0ff026246e72db7d134870a69dda764ec38161ba323c4596fbf7b8 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Sat, 16 Sep 2023 17:04:43 +0000 Subject: [PATCH 3/5] Update patch OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=386 --- CVE-2022-48566-compare_digest-more-constant.patch | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CVE-2022-48566-compare_digest-more-constant.patch b/CVE-2022-48566-compare_digest-more-constant.patch index f87f3f9..5a44c03 100644 --- a/CVE-2022-48566-compare_digest-more-constant.patch +++ b/CVE-2022-48566-compare_digest-more-constant.patch @@ -13,7 +13,7 @@ The existing volatile `left`/`right` pointers guarantee that the reads will all Co-authored-by: Devin Jeanpierre --- Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst | 1 + - Modules/_operator.c | 2 +- + Modules/operator.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst @@ -22,9 +22,9 @@ Co-authored-by: Devin Jeanpierre @@ -0,0 +1 @@ +Add ``volatile`` to the accumulator variable in ``hmac.compare_digest``, making constant-time-defeating optimizations less likely. \ No newline at end of file ---- a/Modules/_operator.c -+++ b/Modules/_operator.c -@@ -182,7 +182,7 @@ _tscmp(const unsigned char *a, const uns +--- a/Modules/operator.c ++++ b/Modules/operator.c +@@ -259,7 +259,7 @@ _tscmp(const unsigned char *a, const uns volatile const unsigned char *left; volatile const unsigned char *right; Py_ssize_t i; From e20f9250e8127d8a184275a81983bae1d18b4301c2a2ff582613da34ce5d8acc Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Sat, 16 Sep 2023 17:06:07 +0000 Subject: [PATCH 4/5] Remove unused patches OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=387 --- CVE-2023-27043-email-parsing-errors.patch | 137 --------------- Revert-gh105127-left-tests.patch | 202 ---------------------- 2 files changed, 339 deletions(-) delete mode 100644 CVE-2023-27043-email-parsing-errors.patch delete mode 100644 Revert-gh105127-left-tests.patch diff --git a/CVE-2023-27043-email-parsing-errors.patch b/CVE-2023-27043-email-parsing-errors.patch deleted file mode 100644 index 860c178..0000000 --- a/CVE-2023-27043-email-parsing-errors.patch +++ /dev/null @@ -1,137 +0,0 @@ ---- - Doc/library/email.utils.rst | 24 +++ - Lib/email/utils.py | 66 +++++++++- - Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst | 4 - 3 files changed, 88 insertions(+), 6 deletions(-) - ---- a/Doc/library/email.utils.rst -+++ b/Doc/library/email.utils.rst -@@ -63,6 +63,11 @@ There are several useful utilities provi - :func:`time.mktime`; otherwise ``None`` will be returned. Note that indexes 6, - 7, and 8 of the result tuple are not usable. - -+ .. versionchanged:: 3.12 -+ For security reasons, addresses that were ambiguous and could parse into -+ multiple different addresses now cause ``('', '')`` to be returned -+ instead of only one of the *potential* addresses. -+ - - .. function:: parsedate_tz(date) - -@@ -103,6 +108,25 @@ There are several useful utilities provi - - .. versionadded:: 2.4 - -+ When parsing fails for a single fieldvalue, a 2-tuple of ``('', '')`` -+ is returned in its place. Other errors in parsing the list of -+ addresses such as a fieldvalue seemingly parsing into multiple -+ addresses may result in a list containing a single empty 2-tuple -+ ``[('', '')]`` being returned rather than returning potentially -+ invalid output. -+ -+ Example malformed input parsing: -+ -+ .. doctest:: -+ -+ >>> from email.utils import getaddresses -+ >>> getaddresses(['alice@example.com ', 'me@example.com']) -+ [('', '')] -+ -+ .. versionchanged:: 3.12 -+ The 2-tuple of ``('', '')`` in the returned values when parsing -+ fails were added as to address a security issue. -+ - - .. function:: make_msgid([idstring]) - ---- a/Lib/email/utils.py -+++ b/Lib/email/utils.py -@@ -101,11 +101,56 @@ def formataddr(pair): - - - -+def _pre_parse_validation(email_header_fields): -+ accepted_values = [] -+ for v in email_header_fields: -+ s = v.replace('\\(', '').replace('\\)', '') -+ if s.count('(') != s.count(')'): -+ v = "('', '')" -+ accepted_values.append(v) -+ -+ return accepted_values -+ -+ -+ -+def _post_parse_validation(parsed_email_header_tuples): -+ accepted_values = [] -+ # The parser would have parsed a correctly formatted domain-literal -+ # The existence of an [ after parsing indicates a parsing failure -+ for v in parsed_email_header_tuples: -+ if '[' in v[1]: -+ v = ('', '') -+ accepted_values.append(v) -+ -+ return accepted_values -+ -+ -+ - def getaddresses(fieldvalues): -- """Return a list of (REALNAME, EMAIL) for each fieldvalue.""" -- all = COMMASPACE.join(fieldvalues) -+ """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue. -+ -+ When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in -+ its place. -+ -+ If the resulting list of parsed address is not the same as the number of -+ fieldvalues in the input list a parsing error has occurred. A list -+ containing a single empty 2-tuple [('', '')] is returned in its place. -+ This is done to avoid invalid output. -+ """ -+ fieldvalues = [str(v) for v in fieldvalues] -+ fieldvalues = _pre_parse_validation(fieldvalues) -+ all = COMMASPACE.join(v for v in fieldvalues) - a = _AddressList(all) -- return a.addresslist -+ result = _post_parse_validation(a.addresslist) -+ -+ n = 0 -+ for v in fieldvalues: -+ n += v.count(',') + 1 -+ -+ if len(result) != n: -+ return [('', '')] -+ -+ return result - - - -@@ -217,9 +262,18 @@ def parseaddr(addr): - Return a tuple of realname and email address, unless the parse fails, in - which case return a 2-tuple of ('', ''). - """ -- addrs = _AddressList(addr).addresslist -- if not addrs: -- return '', '' -+ if isinstance(addr, list): -+ addr = addr[0] -+ -+ if not isinstance(addr, str): -+ return ('', '') -+ -+ addr = _pre_parse_validation([addr])[0] -+ addrs = _post_parse_validation(_AddressList(addr).addresslist) -+ -+ if not addrs or len(addrs) > 1: -+ return ('', '') -+ - return addrs[0] - - ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst -@@ -0,0 +1,4 @@ -+CVE-2023-27043: Prevent :func:`email.utils.parseaddr` -+and :func:`email.utils.getaddresses` from returning the realname portion of an -+invalid RFC2822 email header in the email address portion of the 2-tuple -+returned after being parsed by :class:`email._parseaddr.AddressList`. diff --git a/Revert-gh105127-left-tests.patch b/Revert-gh105127-left-tests.patch deleted file mode 100644 index 074ed41..0000000 --- a/Revert-gh105127-left-tests.patch +++ /dev/null @@ -1,202 +0,0 @@ -From 4288c623d62cf90d8e4444facb3379fb06d01140 Mon Sep 17 00:00:00 2001 -From: "Gregory P. Smith" -Date: Thu, 20 Jul 2023 20:30:52 -0700 -Subject: [PATCH] [3.12] gh-106669: Revert "gh-102988: Detect email address - parsing errors ... (GH-105127)" (GH-106733) - -This reverts commit 18dfbd035775c15533d13a98e56b1d2bf5c65f00. -Adds a regression test from the issue. - -See https://github.com/python/cpython/issues/106669.. -(cherry picked from commit a31dea1feb61793e48fa9aa5014f358352205c1d) - -Co-authored-by: Gregory P. Smith ---- - Doc/library/email.utils.rst | 24 --- - Lib/email/test/test_email.py | 18 ++ - Lib/email/test/test_email_renamed.py | 4 - Lib/email/utils.py | 66 ---------- - Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst | 5 - 5 files changed, 32 insertions(+), 85 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst - ---- a/Doc/library/email.utils.rst -+++ b/Doc/library/email.utils.rst -@@ -63,11 +63,6 @@ There are several useful utilities provi - :func:`time.mktime`; otherwise ``None`` will be returned. Note that indexes 6, - 7, and 8 of the result tuple are not usable. - -- .. versionchanged:: 3.12 -- For security reasons, addresses that were ambiguous and could parse into -- multiple different addresses now cause ``('', '')`` to be returned -- instead of only one of the *potential* addresses. -- - - .. function:: parsedate_tz(date) - -@@ -108,25 +103,6 @@ There are several useful utilities provi - - .. versionadded:: 2.4 - -- When parsing fails for a single fieldvalue, a 2-tuple of ``('', '')`` -- is returned in its place. Other errors in parsing the list of -- addresses such as a fieldvalue seemingly parsing into multiple -- addresses may result in a list containing a single empty 2-tuple -- ``[('', '')]`` being returned rather than returning potentially -- invalid output. -- -- Example malformed input parsing: -- -- .. doctest:: -- -- >>> from email.utils import getaddresses -- >>> getaddresses(['alice@example.com ', 'me@example.com']) -- [('', '')] -- -- .. versionchanged:: 3.12 -- The 2-tuple of ``('', '')`` in the returned values when parsing -- fails were added as to address a security issue. -- - - .. function:: make_msgid([idstring]) - ---- a/Lib/email/test/test_email.py -+++ b/Lib/email/test/test_email.py -@@ -2414,6 +2414,24 @@ Foo - [('Al Person', 'aperson@dom.ain'), - ('Bud Person', 'bperson@dom.ain')]) - -+ def test_getaddresses_comma_in_name(self): -+ """GH-106669 regression test.""" -+ self.assertEqual( -+ Utils.getaddresses( -+ [ -+ '"Bud, Person" ', -+ 'aperson@dom.ain (Al Person)', -+ '"Mariusz Felisiak" ', -+ ] -+ ), -+ [ -+ ('Bud, Person', 'bperson@dom.ain'), -+ ('Al Person', 'aperson@dom.ain'), -+ ('Mariusz Felisiak', 'to@example.com'), -+ ], -+ ) -+ -+ @unittest.skip("Results are too irregular with patches for CVE-2023-27043") - def test_getaddresses_nasty(self): - eq = self.assertEqual - eq(Utils.getaddresses(['foo: ;']), [('', '')]) ---- a/Lib/email/test/test_email_renamed.py -+++ b/Lib/email/test/test_email_renamed.py -@@ -2275,12 +2275,14 @@ Foo - [('Al Person', 'aperson@dom.ain'), - ('Bud Person', 'bperson@dom.ain')]) - -+ @unittest.skip("Results are too irregular with patches for CVE-2023-27043") - def test_getaddresses_nasty(self): - eq = self.assertEqual - eq(utils.getaddresses(['foo: ;']), [('', '')]) - eq(utils.getaddresses( - ['[]*-- =~$']), -- [('', ''), ('', ''), ('', '*--')]) -+ [('', ''), ('', ''), ('', '*--')] -+ ) - eq(utils.getaddresses( - ['foo: ;', '"Jason R. Mastaler" ']), - [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')]) ---- a/Lib/email/utils.py -+++ b/Lib/email/utils.py -@@ -101,56 +101,11 @@ def formataddr(pair): - - - --def _pre_parse_validation(email_header_fields): -- accepted_values = [] -- for v in email_header_fields: -- s = v.replace('\\(', '').replace('\\)', '') -- if s.count('(') != s.count(')'): -- v = "('', '')" -- accepted_values.append(v) -- -- return accepted_values -- -- -- --def _post_parse_validation(parsed_email_header_tuples): -- accepted_values = [] -- # The parser would have parsed a correctly formatted domain-literal -- # The existence of an [ after parsing indicates a parsing failure -- for v in parsed_email_header_tuples: -- if '[' in v[1]: -- v = ('', '') -- accepted_values.append(v) -- -- return accepted_values -- -- -- - def getaddresses(fieldvalues): -- """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue. -- -- When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in -- its place. -- -- If the resulting list of parsed address is not the same as the number of -- fieldvalues in the input list a parsing error has occurred. A list -- containing a single empty 2-tuple [('', '')] is returned in its place. -- This is done to avoid invalid output. -- """ -- fieldvalues = [str(v) for v in fieldvalues] -- fieldvalues = _pre_parse_validation(fieldvalues) -- all = COMMASPACE.join(v for v in fieldvalues) -+ """Return a list of (REALNAME, EMAIL) for each fieldvalue.""" -+ all = COMMASPACE.join(str(v) for v in fieldvalues) - a = _AddressList(all) -- result = _post_parse_validation(a.addresslist) -- -- n = 0 -- for v in fieldvalues: -- n += v.count(',') + 1 -- -- if len(result) != n: -- return [('', '')] -- -- return result -+ return a.addresslist - - - -@@ -262,18 +217,9 @@ def parseaddr(addr): - Return a tuple of realname and email address, unless the parse fails, in - which case return a 2-tuple of ('', ''). - """ -- if isinstance(addr, list): -- addr = addr[0] -- -- if not isinstance(addr, str): -- return ('', '') -- -- addr = _pre_parse_validation([addr])[0] -- addrs = _post_parse_validation(_AddressList(addr).addresslist) -- -- if not addrs or len(addrs) > 1: -- return ('', '') -- -+ addrs = _AddressList(addr).addresslist -+ if not addrs: -+ return '', '' - return addrs[0] - - ---- a/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst -+++ b/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst -@@ -1,3 +1,8 @@ -+Reverted the :mod:`email.utils` security improvement change released in -+3.12beta4 that unintentionally caused :mod:`email.utils.getaddresses` to fail -+to parse email addresses with a comma in the quoted name field. -+See :gh:`106669`. -+ - CVE-2023-27043: Prevent :func:`email.utils.parseaddr` - and :func:`email.utils.getaddresses` from returning the realname portion of an - invalid RFC2822 email header in the email address portion of the 2-tuple From 58f17582085ba213528fc31f40d23c45239ce85de93728b07a7d14f4b40c7f2d Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Sat, 16 Sep 2023 21:37:01 +0000 Subject: [PATCH 5/5] There is no InvalidFileException OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=388 --- CVE-2022-48565-plistlib-XML-vulns.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CVE-2022-48565-plistlib-XML-vulns.patch b/CVE-2022-48565-plistlib-XML-vulns.patch index 94a4dd8..a23e66a 100644 --- a/CVE-2022-48565-plistlib-XML-vulns.patch +++ b/CVE-2022-48565-plistlib-XML-vulns.patch @@ -31,7 +31,7 @@ Co-authored-by: Ned Deily + # vulnerabilies in expat. Regular plist files don't contain + # those declerations, and Apple's plutil tool does not accept + # them either. -+ raise InvalidFileException( ++ raise ValueError( + "XML entity declarations are not supported in plist files") + def handleBeginElement(self, element, attrs): @@ -64,7 +64,7 @@ Co-authored-by: Ned Deily self.assertEqual(test2, result2) + def test_xml_plist_with_entity_decl(self): -+ with self.assertRaisesRegexp(plistlib.InvalidFileException, ++ with self.assertRaisesRegexp(ValueError, + "XML entity declarations are not supported"): + plistlib.readPlistFromString(XML_PLIST_WITH_ENTITY) +