diff --git a/CVE-2022-37454-sha3-buffer-overflow.patch b/CVE-2022-37454-sha3-buffer-overflow.patch
deleted file mode 100644
index 552da81..0000000
--- a/CVE-2022-37454-sha3-buffer-overflow.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 64ab634658a31de4e349c0ba8bc27a81c0c2a1f8 Mon Sep 17 00:00:00 2001
-From: Theo Buehler
-Date: Fri, 21 Oct 2022 21:26:01 +0200
-Subject: [PATCH] [3.10] gh-98517: Fix buffer overflows in _sha3 module
- (GH-98519)
-
-This is a port of the applicable part of XKCP's fix [1] for
-CVE-2022-37454 and avoids the segmentation fault and the infinite
-loop in the test cases published in [2].
-
-[1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
-[2]: https://mouha.be/sha-3-buffer-overflow/
-
-Regression test added by: Gregory P. Smith [Google LLC]
-(cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3)
-
-Co-authored-by: Theo Buehler
----
- Lib/test/test_hashlib.py | 9 ++++++
- Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst | 1
- Modules/_sha3/kcp/KeccakSponge.inc | 15 +++++-----
- 3 files changed, 18 insertions(+), 7 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
-
---- a/Lib/test/test_hashlib.py
-+++ b/Lib/test/test_hashlib.py
-@@ -434,6 +434,15 @@ class HashLibTestCase(unittest.TestCase)
- def test_case_md5_uintmax(self, size):
- self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3')
-
-+ @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems')
-+ @bigmemtest(size=_4G - 1, memuse=1, dry_run=False)
-+ def test_sha3_update_overflow(self, size):
-+ """Regression test for gh-98517 CVE-2022-37454."""
-+ h = hashlib.sha3_224()
-+ h.update(b'\x01')
-+ h.update(b'\x01'*0xffff_ffff)
-+ self.assertEqual(h.hexdigest(), '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed')
-+
- # use the three examples from Federal Information Processing Standards
- # Publication 180-1, Secure Hash Standard, 1995 April 17
- # http://www.itl.nist.gov/div897/pubs/fip180-1.htm
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
-@@ -0,0 +1 @@
-+Port XKCP's fix for the buffer
overflows in SHA-3 (CVE-2022-37454).
---- a/Modules/_sha3/kcp/KeccakSponge.inc
-+++ b/Modules/_sha3/kcp/KeccakSponge.inc
-@@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance *instanc
- i = 0;
- curData = data;
- while(i < dataByteLen) {
-- if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) {
-+ if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) {
- #ifdef SnP_FastLoop_Absorb
- /* processing full blocks first */
-
-@@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance *instanc
- }
- else {
- /* normal lane: using the message queue */
--
-- partialBlock = (unsigned int)(dataByteLen - i);
-- if (partialBlock+instance->byteIOIndex > rateInBytes)
-+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
- partialBlock = rateInBytes-instance->byteIOIndex;
-+ else
-+ partialBlock = (unsigned int)(dataByteLen - i);
-#ifdef KeccakReference
- displayBytes(1, "Block to be absorbed (part)", curData, partialBlock);
-#endif
-@@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance *instan
- i = 0;
- curData = data;
- while(i < dataByteLen) {
-- if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) {
-+ if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) {
- for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
- SnP_Permute(instance->state);
- SnP_ExtractBytes(instance->state, curData, 0, rateInBytes);
-@@ -299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance *instan
- SnP_Permute(instance->state);
- instance->byteIOIndex = 0;
- }
-- partialBlock = (unsigned int)(dataByteLen - i);
-- if (partialBlock+instance->byteIOIndex > rateInBytes)
-+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
- partialBlock = rateInBytes-instance->byteIOIndex;
-+ else
-+ partialBlock = (unsigned int)(dataByteLen - i);
- i += partialBlock;
-
- SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);
diff --git a/CVE-2022-45061-DoS-by-IDNA-decode.patch b/CVE-2022-45061-DoS-by-IDNA-decode.patch
deleted file mode 100644
index 76ff6e7..0000000
--- a/CVE-2022-45061-DoS-by-IDNA-decode.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 064ec20bf7a181ba5fa961aaa12973812aa6ca5d Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Mon, 7 Nov 2022 18:57:10 -0800
-Subject: [PATCH] [3.11] gh-98433: Fix quadratic time idna decoding. (GH-99092)
- (GH-99222)
-
-There was an unnecessary quadratic loop in idna decoding. This restores
-the behavior to linear.
-
-(cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d)
-
-(cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15)
-
-Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
-Co-authored-by: Gregory P. Smith
----
- Lib/encodings/idna.py | 32 ++++------
- Lib/test/test_codecs.py | 6 +
- Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst | 6 +
- 3 files changed, 27 insertions(+), 17 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
-
---- a/Lib/encodings/idna.py
-+++ b/Lib/encodings/idna.py
-@@ -39,23 +39,21 @@ def nameprep(label):
-
- # Check bidi
- RandAL = [stringprep.in_table_d1(x) for x in label]
-- for c in RandAL:
-- if c:
-- # There is a RandAL char in the string. Must perform further
-- # tests:
-- # 1) The characters in section 5.8 MUST be prohibited.
-- # This is table C.8, which was already checked
-- # 2) If a string contains any RandALCat character, the string
-- # MUST NOT contain any LCat character.
-- if any(stringprep.in_table_d2(x) for x in label):
-- raise UnicodeError("Violation of BIDI requirement 2")
--
-- # 3) If a string contains any RandALCat character, a
-- # RandALCat character MUST be the first character of the
-- # string, and a RandALCat character MUST be the last
-- # character of the string.
-- if not RandAL[0] or not RandAL[-1]:
-- raise UnicodeError("Violation of BIDI requirement 3")
-+ if any(RandAL):
-+ # There is a RandAL char in the string.
Must perform further
-+ # tests:
-+ # 1) The characters in section 5.8 MUST be prohibited.
-+ # This is table C.8, which was already checked
-+ # 2) If a string contains any RandALCat character, the string
-+ # MUST NOT contain any LCat character.
-+ if any(stringprep.in_table_d2(x) for x in label):
-+ raise UnicodeError("Violation of BIDI requirement 2")
-+ # 3) If a string contains any RandALCat character, a
-+ # RandALCat character MUST be the first character of the
-+ # string, and a RandALCat character MUST be the last
-+ # character of the string.
-+ if not RandAL[0] or not RandAL[-1]:
-+ raise UnicodeError("Violation of BIDI requirement 3")
-
- return label
-
---- a/Lib/test/test_codecs.py
-+++ b/Lib/test/test_codecs.py
-@@ -1532,6 +1532,12 @@ class IDNACodecTest(unittest.TestCase):
- self.assertEqual("pyth\xf6n.org".encode("idna"), b"xn--pythn-mua.org")
- self.assertEqual("pyth\xf6n.org.".encode("idna"), b"xn--pythn-mua.org.")
-
-+ def test_builtin_decode_length_limit(self):
-+ with self.assertRaisesRegex(UnicodeError, "too long"):
-+ (b"xn--016c"+b"a"*1100).decode("idna")
-+ with self.assertRaisesRegex(UnicodeError, "too long"):
-+ (b"xn--016c"+b"a"*70).decode("idna")
-+
- def test_stream(self):
- r = codecs.getreader("idna")(io.BytesIO(b"abc"))
- r.read(3)
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
-@@ -0,0 +1,6 @@
-+The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio`
-+related name resolution functions no longer involves a quadratic algorithm.
-+This prevents a potential CPU denial of service if an out-of-spec excessive
-+length hostname involving bidirectional characters were decoded. Some protocols
-+such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker
-+to supply such a name.
diff --git a/Python-3.8.15.tar.xz b/Python-3.8.15.tar.xz
deleted file mode 100644
index ac6f6b1..0000000
--- a/Python-3.8.15.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5114fc7918a2a5e20eb5aac696b30c36f412c6ef24b13f5c9eb9e056982d9550
-size 19038408
diff --git a/Python-3.8.15.tar.xz.asc b/Python-3.8.15.tar.xz.asc
deleted file mode 100644
index 95c97e6..0000000
--- a/Python-3.8.15.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmNFk9MACgkQsmmV4xAl
-BWjPyA//dMfeT6hw09rFQtv1w7LrAuLFrQ/03uqYz/MZPZZgMyGvN+bGbR9U9EPA
-DSntLM75GjzaXiZ8dMyvi+A/HJCX7CWeJATxVRBo+3GoFTZfmsex7B78oTakHGnZ
-3pHRDiXJovD8DPQo3/eNpbQsEri74MOqIIbBZfdrRc4Gqqv/rVRI1qxqYzt3hmHc
-NcsZudbvBlUe+5HWaYgXbgnuzixSK4iSftlfwx289bsx12b8jzY5OEP9z5NKGqLu
-Sfb0sUWaJptSn1iEKSfLj4AamN0PeeQObOXHz+N1hdqWmWjEBKX37CEnOyHjJyVc
-Xb1PH6vJPJbPBXBR3H8YP+jwG8jDIFItJph+NduQnfZ3yLPpjEiCHs/FyUzzIKWB
-iptNyVMBvgPiMDgge+kLICywbujtI2UB7tS3YO5rb09LtQiXxkGyDbE6R6Yu7ZMb
-qJJMAJUY9zHAN1rTLL7GJHHypwd3UHoXImMvrm15+vy3ctNTA6VDxn7Zw/uym7F/
-gZJY6JaUxsnPiOhtvPYHs6EOGwLFszWvgh7AhXjZ2uncPuZ/qzgWpWsRYsKIWSRz
-yVplWRGfXaZ96pWVKmHACZY6BdgZS18Y9FdRLiqYrNG85dfqd3XFrVJqQIFHjaUX
-bImNJRcwMpuU9p23CaSeUDRFdELVQ9dXfBq//x0JL2F6/vG1ADw=
-=jc+c
------END PGP SIGNATURE-----
diff --git a/Python-3.8.16.tar.xz b/Python-3.8.16.tar.xz
new file mode 100644
index 0000000..82a560d
--- /dev/null
+++ b/Python-3.8.16.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d85dbb3774132473d8081dcb158f34a10ccad7a90b96c7e50ea4bb61f5ce4562
+size 19046724
diff --git a/Python-3.8.16.tar.xz.asc b/Python-3.8.16.tar.xz.asc
new file mode 100644
index 0000000..36a4f3a
--- /dev/null
+++ b/Python-3.8.16.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmOPlyYACgkQsmmV4xAl
+BWhZ3RAAhtzObFVyAJIjaNHSnYClAq39NFOvAA2oFmTbNorF/sHAbV///9Zmm2we
+prT8gWUJJtPeX1+J3lj0GokthB/YggLIF6MjTL9klamXUWZrdsv8jM00T+nXMHU3
+Y4pgi0zXX4fhb5iOWeLli99T40+a/8AgbqVC0cv5d6Yk+CncYY2XsNoBuNC4dOoL
+FaSQMZUsTYf4CoZyHbAN3hs5kshaZRufAJ/LGDlZU3+luuy1PU4uNzqSSY6XMw4L
+Ar+tukCXwqIOu4baq2BYUF5VjfZrgviC7NxHZBeKuGQ3v7X0HmOWOxG59s1cmJkA
+CbyK3z/LRVmA33YyhU60QaqfUYHXhNZaMgEku2m3XTRaRkjF+Wg/LAtu01usOrYG
+BYivpD7yhVqXXvwWV3Y+lpcu8DhZTtXM3hTrN6XErLiYnN1G7sduSNabnOke6Td/
+p0Ki1UE4Ts+P8yN85/uHiGbjDejU2SRlAuWeSmeIKIyTUNPJoM5OSK9K6FgqxZef
+OYFDWVZg0Dll5bLU+f/Lw8mXVwF7dX2OUPeXauPm3LhKRHIYpfeuQ+PkP9KeIJn5
+DwfdvcKw3jVttopWgTS/pT6vu8zgOAZ6kuzhf/s+q8mB3cQRjfn7BMq/PFcNNZJG
+iLzJ2C5Q7tNn/5elUaV8TOPa2JwmiPViitE4OHqB+sH591JIh+g=
+=DwHA
+-----END PGP SIGNATURE-----
diff --git a/platlibdir-in-sys.patch b/platlibdir-in-sys.patch
index e7e00f9..b9d25f5 100644
--- a/platlibdir-in-sys.patch
+++ b/platlibdir-in-sys.patch
@@ -1,19 +1,13 @@
-Index: Python-3.8.15/Python/sysmodule.c
-===================================================================
---- Python-3.8.15.orig/Python/sysmodule.c
-+++ Python-3.8.15/Python/sysmodule.c
-@@ -2979,6 +2979,7 @@ _PySys_InitMain(_PyRuntimeState *runtime
- SET_SYS_FROM_WSTR("base_prefix", config->base_prefix);
- SET_SYS_FROM_WSTR("exec_prefix", config->exec_prefix);
- SET_SYS_FROM_WSTR("base_exec_prefix", config->base_exec_prefix);
-+ SET_SYS_FROM_WSTR("platlibdir", config->platlibdir);
-
- if (config->pycache_prefix != NULL) {
- SET_SYS_FROM_WSTR("pycache_prefix", config->pycache_prefix);
-Index: Python-3.8.15/Include/cpython/initconfig.h
-===================================================================
---- Python-3.8.15.orig/Include/cpython/initconfig.h
-+++ Python-3.8.15/Include/cpython/initconfig.h
+---
+ Include/cpython/initconfig.h | 1 +
+ Lib/test/test_embed.py | 1 +
+ Makefile.pre.in | 5 +++++
+ Python/initconfig.c | 21 +++++++++++++++++++++
+ Python/sysmodule.c | 1 +
+ 5 files changed, 29 insertions(+)
+
+--- a/Include/cpython/initconfig.h
++++ b/Include/cpython/initconfig.h
 @@ -381,6 +381,7 @@ typedef struct {
 wchar_t *base_prefix; /* sys.base_prefix */
 wchar_t *exec_prefix; /* sys.exec_prefix */
@@ -22,10 +16,32 @@ Index: Python-3.8.15/Include/cpython/initconfig.h
 /* --- Parameter only used by Py_Main() ---------- */
-Index: Python-3.8.15/Python/initconfig.c
-===================================================================
---- Python-3.8.15.orig/Python/initconfig.c
-+++ Python-3.8.15/Python/initconfig.c
+--- a/Lib/test/test_embed.py
++++ b/Lib/test/test_embed.py
+@@ -382,6 +382,7 @@ class InitConfigTests(EmbeddingTestsMixi
+ 'exec_prefix': GET_DEFAULT_CONFIG,
+ 'base_exec_prefix': GET_DEFAULT_CONFIG,
+ 'module_search_paths': GET_DEFAULT_CONFIG,
++ 'platlibdir': sys.platlibdir,
+
+ 'site_import': 1,
+ 'bytes_warning': 0,
+--- a/Makefile.pre.in
++++ b/Makefile.pre.in
+@@ -811,6 +811,11 @@ Python/sysmodule.o: $(srcdir)/Python/sys
+ $(MULTIARCH_CPPFLAGS) \
+ -o $@ $(srcdir)/Python/sysmodule.c
+
++Python/initconfig.o: $(srcdir)/Python/initconfig.c
++ $(CC) -c $(PY_CORE_CFLAGS) \
++ -DPLATLIBDIR='"$(platsubdir)"' \
++ -o $@ $(srcdir)/Python/initconfig.c
++
+ $(IO_OBJS): $(IO_H)
+
+ .PHONY: regen-grammar
+--- a/Python/initconfig.c
++++ b/Python/initconfig.c
 @@ -596,6 +596,7 @@ PyConfig_Clear(PyConfig *config)
 CLEAR(config->base_prefix);
 CLEAR(config->exec_prefix);
@@ -96,31 +112,13 @@ Index: Python-3.8.15/Python/initconfig.c
 DUMP_SYS(executable);
 DUMP_SYS(prefix);
 DUMP_SYS(exec_prefix);
-Index: Python-3.8.15/Makefile.pre.in
-===================================================================
---- Python-3.8.15.orig/Makefile.pre.in
-+++ Python-3.8.15/Makefile.pre.in
-@@ -811,6 +811,11 @@ Python/sysmodule.o: $(srcdir)/Python/sys
- $(MULTIARCH_CPPFLAGS) \
- -o $@ $(srcdir)/Python/sysmodule.c
+--- a/Python/sysmodule.c
++++ b/Python/sysmodule.c
+@@ -2981,6 +2981,7 @@ _PySys_InitMain(_PyRuntimeState *runtime
+ SET_SYS_FROM_WSTR("base_prefix", config->base_prefix);
+ SET_SYS_FROM_WSTR("exec_prefix", config->exec_prefix);
+ SET_SYS_FROM_WSTR("base_exec_prefix", config->base_exec_prefix);
++ SET_SYS_FROM_WSTR("platlibdir", config->platlibdir);
-+Python/initconfig.o: $(srcdir)/Python/initconfig.c
-+ $(CC) -c $(PY_CORE_CFLAGS) \
-+ -DPLATLIBDIR='"$(platsubdir)"' \
-+ -o $@ $(srcdir)/Python/initconfig.c
-+
- $(IO_OBJS): $(IO_H)
-
- .PHONY: regen-grammar
-Index: Python-3.8.15/Lib/test/test_embed.py
-===================================================================
---- Python-3.8.15.orig/Lib/test/test_embed.py
-+++ Python-3.8.15/Lib/test/test_embed.py
-@@ -382,6 +382,7 @@ class InitConfigTests(EmbeddingTestsMixi
- 'exec_prefix': GET_DEFAULT_CONFIG,
- 'base_exec_prefix': GET_DEFAULT_CONFIG,
- 'module_search_paths': GET_DEFAULT_CONFIG,
-+ 'platlibdir': sys.platlibdir,
-
- 'site_import': 1,
- 'bytes_warning': 0,
+ if (config->pycache_prefix != NULL) {
+ SET_SYS_FROM_WSTR("pycache_prefix", config->pycache_prefix);
diff --git a/python38.changes b/python38.changes
index 649cb0e..b4382a1 100644
--- a/python38.changes
+++ b/python38.changes
@@ -1,3 +1,35 @@
+-------------------------------------------------------------------
+Thu Dec 8 10:32:15 UTC 2022 - Matej Cepl
+
+- Update to 3.8.16:
+ - python -m http.server no longer allows terminal
+ control characters sent within a garbage request to be
+ printed to the stderr server log.
+ This is done by changing the http.server
+ BaseHTTPRequestHandler .log_message method to replace control
+ characters with a \xHH hex escape before printing.
+ - Avoid publishing list of active per-interpreter
+ audit hooks via the gc module
+ - The IDNA codec decoder used on DNS hostnames by
+ socket or asyncio related name resolution functions no
+ longer involves a quadratic algorithm. This prevents a
+ potential CPU denial of service if an out-of-spec excessive
+ length hostname involving bidirectional characters were
+ decoded. Some protocols such as urllib http 3xx redirects
+ potentially allow for an attacker to supply such a
+ name (CVE-2022-45061).
+ - Update bundled libexpat to 2.5.0
+ - Port XKCP’s fix for the buffer overflows in SHA-3
+ (CVE-2022-37454).
+ - The deprecated mailcap module now refuses to inject
+ unsafe text (filenames, MIME types, parameters) into shell
+ commands. Instead of using such text, it will warn and act
+ as if a match was not found (or for test commands, as if the
+ test failed).
+- Removed upstream patches:
+ - CVE-2022-37454-sha3-buffer-overflow.patch
+ - CVE-2022-45061-DoS-by-IDNA-decode.patch
+
 -------------------------------------------------------------------
 Wed Nov 9 18:31:23 UTC 2022 - Matej Cepl
diff --git a/python38.spec b/python38.spec
index 5fa135e..c4e6b73 100644
--- a/python38.spec
+++ b/python38.spec
@@ -92,7 +92,7 @@
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 %bcond_without profileopt
 Name: %{python_pkg_name}%{psuffix}
-Version: 3.8.15
+Version: 3.8.16
 Release: 0
 Summary: Python 3 Interpreter
 License: Python-2.0
@@ -176,13 +176,6 @@ Patch37: platlibdir-in-sys.patch
 # PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mcepl@suse.com
 # this patch makes things totally awesome
 Patch38: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch
-# PATCH-FIX-UPSTREAM CVE-2022-37454-sha3-buffer-overflow.patch bsc#1204577 mcepl@suse.com
-# Fix original buffer overflow
-# Originally from gh#python/cpython#98528
-Patch39: CVE-2022-37454-sha3-buffer-overflow.patch
-# PATCH-FIX-UPSTREAM CVE-2022-45061-DoS-by-IDNA-decode.patch bsc#1205244 mcepl@suse.com
-# Avoid DoS by decoding IDNA for too long domain names
-Patch40: CVE-2022-45061-DoS-by-IDNA-decode.patch
 BuildRequires: autoconf-archive
 BuildRequires: automake
 BuildRequires: fdupes
@@ -451,8 +444,6 @@ other applications.
 %patch36 -p1
 %patch37 -p1
 %patch38 -p1
-%patch39 -p1
-%patch40 -p1
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac