
- Update to 3.8.14:

- (CVE-2020-10735, bsc#1203125). Converting between int
    and str in bases other than 2 (binary), 4, 8 (octal), 16
    (hexadecimal), or 32 such as base 10 (decimal) now raises a
    ValueError if the number of digits in string form is above a
    limit to avoid potential denial of service attacks due to the
    algorithmic complexity.
    This new limit can be configured or disabled by environment
    variable, command line flag, or sys APIs. See the integer
    string conversion length limitation documentation. The
    default limit is 4300 digits in string form.
  - (CVE-2021-28861, bsc#1202624) http.server: Fix an open
    redirection vulnerability in the HTTP server when a URI path
    starts with //. Vulnerability discovered, and initial fix
    proposed, by Hamza Avvan.
  - Also other bugfixes:
    - Fix contextvars HAMT implementation to handle iteration
      over deep trees. The bug was discovered and fixed by Eli
      Libman. See MagicStack/immutables#84 for more details.
    - Fix ensurepip environment isolation for subprocess running
      pip.
    - Raise ProgrammingError instead of segfaulting on recursive
      usage of cursors in sqlite3 converters. Patch by Sergey
      Fedoseev.
    - Add a new gh role to the documentation to link to GitHub
      issues.
    - Pin Jinja to a version compatible with Sphinx version
      2.4.4.
    - test_ssl is now checking for supported TLS version and
      protocols in more tests.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python38?expand=0&rev=104
Matej Cepl 2022-09-11 09:16:44 +00:00 committed by Git OBS Bridge
parent d36b19ed64
commit 07285bcb8c
10 changed files with 731 additions and 11698 deletions


@ -1,127 +0,0 @@
From d01648738934922d413b65f2f97951cbab66e0bd Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith" <greg@krypto.org>
Date: Tue, 21 Jun 2022 13:16:57 -0700
Subject: [PATCH] gh-87389: Fix an open redirection vulnerability in
http.server. (GH-93879)
Fix an open redirection vulnerability in the `http.server` module when
an URI path starts with `//` that could produce a 301 Location header
with a misleading target. Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).
Test and comments authored by Gregory P. Smith [Google].
(cherry picked from commit 4abab6b603dd38bec1168e9a37c40a48ec89508e)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
---
Lib/http/server.py | 7 +++
Lib/test/test_httpservers.py | 53 ++++++++++++++++++-
...2-06-15-20-09-23.gh-issue-87389.QVaC3f.rst | 3 ++
3 files changed, 61 insertions(+), 2 deletions(-)
create mode 100644 Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst
diff --git a/Lib/http/server.py b/Lib/http/server.py
index 38f7accad7a3..39de35458c38 100644
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -332,6 +332,13 @@ def parse_request(self):
return False
self.command, self.path = command, path
+ # gh-87389: The purpose of replacing '//' with '/' is to protect
+ # against open redirect attacks possibly triggered if the path starts
+ # with '//' because http clients treat //path as an absolute URI
+ # without scheme (similar to http://path) rather than a path.
+ if self.path.startswith('//'):
+ self.path = '/' + self.path.lstrip('/') # Reduce to a single /
+
# Examine the headers and look for a Connection directive.
try:
self.headers = http.client.parse_headers(self.rfile,
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
index 87d4924a34b3..fb026188f0b4 100644
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -330,7 +330,7 @@ class request_handler(NoLogRequestHandler, SimpleHTTPRequestHandler):
pass
def setUp(self):
- BaseTestCase.setUp(self)
+ super().setUp()
self.cwd = os.getcwd()
basetempdir = tempfile.gettempdir()
os.chdir(basetempdir)
@@ -358,7 +358,7 @@ def tearDown(self):
except:
pass
finally:
- BaseTestCase.tearDown(self)
+ super().tearDown()
def check_status_and_reason(self, response, status, data=None):
def close_conn():
@@ -414,6 +414,55 @@ def test_undecodable_filename(self):
self.check_status_and_reason(response, HTTPStatus.OK,
data=support.TESTFN_UNDECODABLE)
+ def test_get_dir_redirect_location_domain_injection_bug(self):
+ """Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location.
+
+ //netloc/ in a Location header is a redirect to a new host.
+ https://github.com/python/cpython/issues/87389
+
+ This checks that a path resolving to a directory on our server cannot
+ resolve into a redirect to another server.
+ """
+ os.mkdir(os.path.join(self.tempdir, 'existing_directory'))
+ url = f'/python.org/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../{self.tempdir_name}/existing_directory'
+ expected_location = f'{url}/' # /python.org.../ single slash single prefix, trailing slash
+ # Canonicalizes to /tmp/tempdir_name/existing_directory which does
+ # exist and is a dir, triggering the 301 redirect logic.
+ response = self.request(url)
+ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
+ location = response.getheader('Location')
+ self.assertEqual(location, expected_location, msg='non-attack failed!')
+
+ # //python.org... multi-slash prefix, no trailing slash
+ attack_url = f'/{url}'
+ response = self.request(attack_url)
+ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
+ location = response.getheader('Location')
+ self.assertFalse(location.startswith('//'), msg=location)
+ self.assertEqual(location, expected_location,
+ msg='Expected Location header to start with a single / and '
+ 'end with a / as this is a directory redirect.')
+
+ # ///python.org... triple-slash prefix, no trailing slash
+ attack3_url = f'//{url}'
+ response = self.request(attack3_url)
+ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
+ self.assertEqual(response.getheader('Location'), expected_location)
+
+ # If the second word in the http request (Request-URI for the http
+ # method) is a full URI, we don't worry about it, as that'll be parsed
+ # and reassembled as a full URI within BaseHTTPRequestHandler.send_head
+ # so no errant scheme-less //netloc//evil.co/ domain mixup can happen.
+ attack_scheme_netloc_2slash_url = f'https://pypi.org/{url}'
+ expected_scheme_netloc_location = f'{attack_scheme_netloc_2slash_url}/'
+ response = self.request(attack_scheme_netloc_2slash_url)
+ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY)
+ location = response.getheader('Location')
+ # We're just ensuring that the scheme and domain make it through, if
+ # there are or aren't multiple slashes at the start of the path that
+ # follows that isn't important in this Location: header.
+ self.assertTrue(location.startswith('https://pypi.org/'), msg=location)
+
def test_get(self):
#constructs the path relative to the root directory of the HTTPServer
response = self.request(self.base_url + '/test')
diff --git a/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst b/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst
new file mode 100644
index 000000000000..029d437190de
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-06-15-20-09-23.gh-issue-87389.QVaC3f.rst
@@ -0,0 +1,3 @@
+:mod:`http.server`: Fix an open redirection vulnerability in the HTTP server
+when an URI path starts with ``//``. Vulnerability discovered, and initial
+fix proposed, by Hamza Avvan.


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6f309077012040aa39fe8f0c61db8c0fa1c45136763299d375c9e5756f09cf57
size 19023016


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=txx+
-----END PGP SIGNATURE-----

3
Python-3.8.14.tar.xz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5d77e278271ba803e9909a41a4f3baca006181c93ada682a5e5fe8dc4a24c5f3
size 19031932

16
Python-3.8.14.tar.xz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=pVji
-----END PGP SIGNATURE-----


@ -55,7 +55,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
.. note::
--- a/Lib/ensurepip/__init__.py
+++ b/Lib/ensurepip/__init__.py
@@ -50,27 +50,27 @@ def _disable_pip_configuration_settings(
@@ -55,27 +55,27 @@ def _disable_pip_configuration_settings(
os.environ['PIP_CONFIG_FILE'] = os.devnull
@ -88,7 +88,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
Note that calling this function will alter both sys.path and os.environ.
"""
@@ -113,6 +113,8 @@ def _bootstrap(*, root=None, upgrade=Fal
@@ -118,6 +118,8 @@ def _bootstrap(*, root=None, upgrade=Fal
args = ["install", "--no-cache-dir", "--no-index", "--find-links", tmpdir]
if root:
args += ["--root", root]
@ -97,7 +97,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
if upgrade:
args += ["--upgrade"]
if user:
@@ -185,6 +187,11 @@ def _main(argv=None):
@@ -190,6 +192,11 @@ def _main(argv=None):
help="Install everything relative to this alternate root directory.",
)
parser.add_argument(
@ -109,7 +109,7 @@ Co-Authored-By: Xavier de Gaye <xdegaye@gmail.com>
"--altinstall",
action="store_true",
default=False,
@@ -203,6 +210,7 @@ def _main(argv=None):
@@ -208,6 +215,7 @@ def _main(argv=None):
return _bootstrap(
root=args.root,



@ -1,3 +1,44 @@
-------------------------------------------------------------------
Sun Sep 11 09:07:38 UTC 2022 - Matej Cepl <mcepl@suse.com>
- Update to 3.8.14:
- (CVE-2020-10735, bsc#1203125). Converting between int
and str in bases other than 2 (binary), 4, 8 (octal), 16
(hexadecimal), or 32 such as base 10 (decimal) now raises a
ValueError if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the
algorithmic complexity.
This new limit can be configured or disabled by environment
variable, command line flag, or sys APIs. See the integer
string conversion length limitation documentation. The
default limit is 4300 digits in string form.
- (CVE-2021-28861, bsc#1202624) http.server: Fix an open
redirection vulnerability in the HTTP server when an URI path
starts with //. Vulnerability discovered, and initial fix
proposed, by Hamza Avvan.
- Also other bugfixes:
- Fix contextvars HAMT implementation to handle iteration
over deep trees. The bug was discovered and fixed by Eli
Libman. See MagicStack/immutables#84 for more details.
- Fix ensurepip environment isolation for subprocess running
pip.
- Raise ProgrammingError instead of segfaulting on recursive
usage of cursors in sqlite3 converters. Patch by Sergey
Fedoseev.
- Add a new gh role to the documentation to link to GitHub
issues.
- Pin Jinja to a version compatible with Sphinx version
2.4.4.
- test_ssl is now checking for supported TLS version and
protocols in more tests.
- Fix test case for OpenSSL 3.0.1 version. OpenSSL 3.0 uses
0xMNN00PP0L.
- Removed upstreamed patches:
- CVE-2021-28861-double-slash-path.patch
- Readjusted patches:
- bpo-31046_ensurepip_honours_prefix.patch
- sphinx-update-removed-function.patch
-------------------------------------------------------------------
Sat Sep 3 02:20:54 UTC 2022 - Matej Cepl <mcepl@suse.com>


@ -92,7 +92,7 @@
%define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
%bcond_without profileopt
Name: %{python_pkg_name}%{psuffix}
Version: 3.8.13
Version: 3.8.14
Release: 0
Summary: Python 3 Interpreter
License: Python-2.0
@ -108,7 +108,8 @@ Source10: pre_checkin.sh
Source11: skipped_tests.py
Source19: idle3.desktop
Source20: idle3.appdata.xml
Source99: https://www.python.org/static/files/pubkeys.txt#/python.keyring
# Used to be https://www.python.org/static/files/pubkeys.txt#/python.keyring
Source99: python.keyring
# The following files are not used in the build.
# They are listed here to work around missing functionality in rpmbuild,
# which would otherwise exclude them from distributed src.rpm files.
@ -167,9 +168,6 @@ Patch33: bpo44426-complex-keyword-sphinx.patch
# PATCH-FIX-UPSTREAM bpo34990-2038-problem-compileall.patch gh#python/cpython#79171 mcepl@suse.com
# Make compileall.py compatible with year 2038
Patch34: bpo34990-2038-problem-compileall.patch
# PATCH-FIX-UPSTREAM CVE-2021-28861 bsc#1202624 gh#python/cpython#94094
# Coerce // to / in Lib/http/server.py
Patch35: CVE-2021-28861-double-slash-path.patch
# PATCH-FIX-UPSTREAM gh#python/cpython#90967 gh#python/cpython#93900 mcepl@suse.com
# NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236
Patch36: support-expat-CVE-2022-25236-patched.patch
@ -438,7 +436,6 @@ other applications.
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
# drop Autoconf version requirement
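Review bot: The Source99 change swaps the python.org pubkeys URL for a vendored `python.keyring`, but the new comment records only the old location, not how the local file was produced or which release-signing key it must contain; if this keyring is what the `Python-3.8.14.tar.xz.asc` signature is checked against (the verification step itself is outside this hunk), a stale or mis-copied file weakens the tarball check without any build failure. I would extend the comment to `# Used to be https://www.python.org/static/files/pubkeys.txt#/python.keyring` followed by `# Refreshed by hand from that URL; compare the release manager's key fingerprint against the one published on python.org before replacing this file` so the next updater knows what to verify. The Version bump and the removal of `Patch35` / `%patch35 -p1` match the upstreamed CVE-2021-28861 fix and need nothing further.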


@ -5,12 +5,12 @@ Subject: [PATCH] Fix sphinx deprecation warning about env.note_versionchange()
(GH-13236)
---
Doc/tools/extensions/pyspecific.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Doc/tools/extensions/pyspecific.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/Doc/tools/extensions/pyspecific.py
+++ b/Doc/tools/extensions/pyspecific.py
@@ -361,7 +361,12 @@ class DeprecatedRemoved(Directive):
@@ -384,7 +384,12 @@ class DeprecatedRemoved(Directive):
translatable=False)
node.append(para)
env = self.state.document.settings.env