From 745f5ba19c5e0564f761afd72641dee9b51fe8a75db0a22975279c9da9a4e266 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Tue, 11 Jul 2023 07:36:50 +0000 Subject: [PATCH 1/4] - (bsc#1210638, CVE-2023-27043) Add CVE-2023-27043-email-parsing-errors.patch, which detects email address parsing errors and returns empty tuple to indicate the parsing error (old API). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=153 --- CVE-2023-27043-email-parsing-errors.patch | 241 ++++++++++++++++++++++ python39.changes | 8 + python39.spec | 5 + 3 files changed, 254 insertions(+) create mode 100644 CVE-2023-27043-email-parsing-errors.patch diff --git a/CVE-2023-27043-email-parsing-errors.patch b/CVE-2023-27043-email-parsing-errors.patch new file mode 100644 index 0000000..24e6079 --- /dev/null +++ b/CVE-2023-27043-email-parsing-errors.patch @@ -0,0 +1,241 @@ +--- + Doc/library/email.utils.rst | 26 +++ + Lib/email/utils.py | 63 +++++++ + Lib/test/test_email/test_email.py | 81 +++++++++- + Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst | 4 + 4 files changed, 164 insertions(+), 10 deletions(-) + +--- a/Doc/library/email.utils.rst ++++ b/Doc/library/email.utils.rst +@@ -67,6 +67,11 @@ of the new API. + *email address* parts. Returns a tuple of that information, unless the parse + fails, in which case a 2-tuple of ``('', '')`` is returned. + ++ .. versionchanged:: 3.12 ++ For security reasons, addresses that were ambiguous and could parse into ++ multiple different addresses now cause ``('', '')`` to be returned ++ instead of only one of the *potential* addresses. ++ + + .. function:: formataddr(pair, charset='utf-8') + +@@ -89,7 +94,7 @@ of the new API. + This method returns a list of 2-tuples of the form returned by ``parseaddr()``. + *fieldvalues* is a sequence of header field values as might be returned by + :meth:`Message.get_all `. Here's a simple +- example that gets all the recipients of a message:: ++ example that gets all the recipients of a message: + + from email.utils import getaddresses + +@@ -99,6 +104,25 @@ of the new API. + resent_ccs = msg.get_all('resent-cc', []) + all_recipients = getaddresses(tos + ccs + resent_tos + resent_ccs) + ++ When parsing fails for a single fieldvalue, a 2-tuple of ``('', '')`` ++ is returned in its place. Other errors in parsing the list of ++ addresses such as a fieldvalue seemingly parsing into multiple ++ addresses may result in a list containing a single empty 2-tuple ++ ``[('', '')]`` being returned rather than returning potentially ++ invalid output. ++ ++ Example malformed input parsing: ++ ++ .. doctest:: ++ ++ >>> from email.utils import getaddresses ++ >>> getaddresses(['alice@example.com ', 'me@example.com']) ++ [('', '')] ++ ++ .. versionchanged:: 3.12 ++ The 2-tuple of ``('', '')`` in the returned values when parsing ++ fails were added as to address a security issue. ++ + + .. function:: parsedate(date) + +--- a/Lib/email/utils.py ++++ b/Lib/email/utils.py +@@ -106,12 +106,54 @@ def formataddr(pair, charset='utf-8'): + return address + + ++def _pre_parse_validation(email_header_fields): ++ accepted_values = [] ++ for v in email_header_fields: ++ s = v.replace('\\(', '').replace('\\)', '') ++ if s.count('(') != s.count(')'): ++ v = "('', '')" ++ accepted_values.append(v) ++ ++ return accepted_values ++ ++ ++def _post_parse_validation(parsed_email_header_tuples): ++ accepted_values = [] ++ # The parser would have parsed a correctly formatted domain-literal ++ # The existence of an [ after parsing indicates a parsing failure ++ for v in parsed_email_header_tuples: ++ if '[' in v[1]: ++ v = ('', '') ++ accepted_values.append(v) ++ ++ return accepted_values ++ + + def getaddresses(fieldvalues): +- """Return a list of (REALNAME, EMAIL) for each fieldvalue.""" +- all = COMMASPACE.join(str(v) for v in fieldvalues) ++ """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue. ++ ++ When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in ++ its place. ++ ++ If the resulting list of parsed address is not the same as the number of ++ fieldvalues in the input list a parsing error has occurred. A list ++ containing a single empty 2-tuple [('', '')] is returned in its place. ++ This is done to avoid invalid output. ++ """ ++ fieldvalues = [str(v) for v in fieldvalues] ++ fieldvalues = _pre_parse_validation(fieldvalues) ++ all = COMMASPACE.join(v for v in fieldvalues) + a = _AddressList(all) +- return a.addresslist ++ result = _post_parse_validation(a.addresslist) ++ ++ n = 0 ++ for v in fieldvalues: ++ n += v.count(',') + 1 ++ ++ if len(result) != n: ++ return [('', '')] ++ ++ return result + + + def _format_timetuple_and_zone(timetuple, zone): +@@ -209,9 +251,18 @@ def parseaddr(addr): + Return a tuple of realname and email address, unless the parse fails, in + which case return a 2-tuple of ('', ''). + """ +- addrs = _AddressList(addr).addresslist +- if not addrs: +- return '', '' ++ if isinstance(addr, list): ++ addr = addr[0] ++ ++ if not isinstance(addr, str): ++ return ('', '') ++ ++ addr = _pre_parse_validation([addr])[0] ++ addrs = _post_parse_validation(_AddressList(addr).addresslist) ++ ++ if not addrs or len(addrs) > 1: ++ return ('', '') ++ + return addrs[0] + + +--- a/Lib/test/test_email/test_email.py ++++ b/Lib/test/test_email/test_email.py +@@ -3263,15 +3263,90 @@ Foo + [('Al Person', 'aperson@dom.ain'), + ('Bud Person', 'bperson@dom.ain')]) + ++ def test_getaddresses_parsing_errors(self): ++ """Test for parsing errors from CVE-2023-27043""" ++ eq = self.assertEqual ++ eq(utils.getaddresses(['alice@example.org(']), ++ [('', '')]) ++ eq(utils.getaddresses(['alice@example.org)']), ++ [('', '')]) ++ eq(utils.getaddresses(['alice@example.org<']), ++ [('', '')]) ++ eq(utils.getaddresses(['alice@example.org>']), ++ [('', '')]) ++ eq(utils.getaddresses(['alice@example.org@']), ++ [('', '')]) ++ eq(utils.getaddresses(['alice@example.org,']), ++ [('', 'alice@example.org'), ('', 'bob@example.com')]) ++ eq(utils.getaddresses(['alice@example.org;']), ++ [('', '')]) ++ eq(utils.getaddresses(['alice@example.org:']), ++ [('', '')]) ++ eq(utils.getaddresses(['alice@example.org.']), ++ [('', '')]) ++ eq(utils.getaddresses(['alice@example.org"']), ++ [('', '')]) ++ eq(utils.getaddresses(['alice@example.org[']), ++ [('', '')]) ++ eq(utils.getaddresses(['alice@example.org]']), ++ [('', '')]) ++ ++ def test_parseaddr_parsing_errors(self): ++ """Test for parsing errors from CVE-2023-27043""" ++ eq = self.assertEqual ++ eq(utils.parseaddr(['alice@example.org(']), ++ ('', '')) ++ eq(utils.parseaddr(['alice@example.org)']), ++ ('', '')) ++ eq(utils.parseaddr(['alice@example.org<']), ++ ('', '')) ++ eq(utils.parseaddr(['alice@example.org>']), ++ ('', '')) ++ eq(utils.parseaddr(['alice@example.org@']), ++ ('', '')) ++ eq(utils.parseaddr(['alice@example.org,']), ++ ('', '')) ++ eq(utils.parseaddr(['alice@example.org;']), ++ ('', '')) ++ eq(utils.parseaddr(['alice@example.org:']), ++ ('', '')) ++ eq(utils.parseaddr(['alice@example.org.']), ++ ('', '')) ++ eq(utils.parseaddr(['alice@example.org"']), ++ ('', '')) ++ eq(utils.parseaddr(['alice@example.org[']), ++ ('', '')) ++ eq(utils.parseaddr(['alice@example.org]']), ++ ('', '')) ++ + def test_getaddresses_nasty(self): + eq = self.assertEqual + eq(utils.getaddresses(['foo: ;']), [('', '')]) +- eq(utils.getaddresses( +- ['[]*-- =~$']), +- [('', ''), ('', ''), ('', '*--')]) ++ eq(utils.getaddresses(['[]*-- =~$']), [('', '')]) + eq(utils.getaddresses( + ['foo: ;', '"Jason R. Mastaler" ']), + [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')]) ++ eq(utils.getaddresses( ++ [r'Pete(A nice \) chap) ']), ++ [('Pete (A nice ) chap his account his host)', 'pete@silly.test')]) ++ eq(utils.getaddresses( ++ ['(Empty list)(start)Undisclosed recipients :(nobody(I know))']), ++ [('', '')]) ++ eq(utils.getaddresses( ++ ['Mary <@machine.tld:mary@example.net>, , jdoe@test . example']), ++ [('Mary', 'mary@example.net'), ('', ''), ('', 'jdoe@test.example')]) ++ eq(utils.getaddresses( ++ ['John Doe ']), ++ [('John Doe (comment)', 'jdoe@machine.example')]) ++ eq(utils.getaddresses( ++ ['"Mary Smith: Personal Account" ']), ++ [('Mary Smith: Personal Account', 'smith@home.example')]) ++ eq(utils.getaddresses( ++ ['Undisclosed recipients:;']), ++ [('', '')]) ++ eq(utils.getaddresses( ++ [r', "Giant; \"Big\" Box" ']), ++ [('', 'boss@nil.test'), ('Giant; "Big" Box', 'bob@example.net')]) + + def test_getaddresses_embedded_comment(self): + """Test proper handling of a nested comment""" +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst +@@ -0,0 +1,4 @@ ++CVE-2023-27043: Prevent :func:`email.utils.parseaddr` ++and :func:`email.utils.getaddresses` from returning the realname portion of an ++invalid RFC2822 email header in the email address portion of the 2-tuple ++returned after being parsed by :class:`email._parseaddr.AddressList`. diff --git a/python39.changes b/python39.changes index d954c25..d47c3d6 100644 --- a/python39.changes +++ b/python39.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue Jul 11 07:35:18 UTC 2023 - Matej Cepl + +- (bsc#1210638, CVE-2023-27043) Add + CVE-2023-27043-email-parsing-errors.patch, which detects email + address parsing errors and returns empty tuple to indicate the + parsing error (old API). + ------------------------------------------------------------------- Fri Jun 30 20:23:43 UTC 2023 - Matej Cepl diff --git a/python39.spec b/python39.spec index 52ef175..6f4c2d1 100644 --- a/python39.spec +++ b/python39.spec @@ -167,6 +167,10 @@ Patch40: 99366-patch.dict-can-decorate-async.patch # PATCH-FIX-OPENSUSE downport-Sphinx-features.patch mcepl@suse.com # Make documentation build with older Sphinx Patch41: downport-Sphinx-features.patch +# PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com +# Detect email address parsing errors and return empty tuple to +# indicate the parsing error (old API) +Patch42: CVE-2023-27043-email-parsing-errors.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -429,6 +433,7 @@ other applications. %if 0%{?sle_version} && 0%{?sle_version} <= 150500 %patch41 -p1 %endif +%patch42 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac From 4182a0867258233d58641198b39f7f309ee99a7dac509975f95e180fef9d4aa9 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Fri, 14 Jul 2023 10:24:55 +0000 Subject: [PATCH 2/4] Accepting request 1098657 from devel:languages:python:Factory revert OBS-URL: https://build.opensuse.org/request/show/1098657 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=154 --- CVE-2023-27043-email-parsing-errors.patch | 241 ---------------------- python39.changes | 8 - python39.spec | 5 - 3 files changed, 254 deletions(-) delete mode 100644 CVE-2023-27043-email-parsing-errors.patch diff --git a/CVE-2023-27043-email-parsing-errors.patch b/CVE-2023-27043-email-parsing-errors.patch deleted file mode 100644 index 24e6079..0000000 --- a/CVE-2023-27043-email-parsing-errors.patch +++ /dev/null @@ -1,241 +0,0 @@ ---- - Doc/library/email.utils.rst | 26 +++ - Lib/email/utils.py | 63 +++++++ - Lib/test/test_email/test_email.py | 81 +++++++++- - Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst | 4 - 4 files changed, 164 insertions(+), 10 deletions(-) - ---- a/Doc/library/email.utils.rst -+++ b/Doc/library/email.utils.rst -@@ -67,6 +67,11 @@ of the new API. - *email address* parts. Returns a tuple of that information, unless the parse - fails, in which case a 2-tuple of ``('', '')`` is returned. - -+ .. versionchanged:: 3.12 -+ For security reasons, addresses that were ambiguous and could parse into -+ multiple different addresses now cause ``('', '')`` to be returned -+ instead of only one of the *potential* addresses. -+ - - .. function:: formataddr(pair, charset='utf-8') - -@@ -89,7 +94,7 @@ of the new API. - This method returns a list of 2-tuples of the form returned by ``parseaddr()``. - *fieldvalues* is a sequence of header field values as might be returned by - :meth:`Message.get_all `. Here's a simple -- example that gets all the recipients of a message:: -+ example that gets all the recipients of a message: - - from email.utils import getaddresses - -@@ -99,6 +104,25 @@ of the new API. - resent_ccs = msg.get_all('resent-cc', []) - all_recipients = getaddresses(tos + ccs + resent_tos + resent_ccs) - -+ When parsing fails for a single fieldvalue, a 2-tuple of ``('', '')`` -+ is returned in its place. Other errors in parsing the list of -+ addresses such as a fieldvalue seemingly parsing into multiple -+ addresses may result in a list containing a single empty 2-tuple -+ ``[('', '')]`` being returned rather than returning potentially -+ invalid output. -+ -+ Example malformed input parsing: -+ -+ .. doctest:: -+ -+ >>> from email.utils import getaddresses -+ >>> getaddresses(['alice@example.com ', 'me@example.com']) -+ [('', '')] -+ -+ .. versionchanged:: 3.12 -+ The 2-tuple of ``('', '')`` in the returned values when parsing -+ fails were added as to address a security issue. -+ - - .. function:: parsedate(date) - ---- a/Lib/email/utils.py -+++ b/Lib/email/utils.py -@@ -106,12 +106,54 @@ def formataddr(pair, charset='utf-8'): - return address - - -+def _pre_parse_validation(email_header_fields): -+ accepted_values = [] -+ for v in email_header_fields: -+ s = v.replace('\\(', '').replace('\\)', '') -+ if s.count('(') != s.count(')'): -+ v = "('', '')" -+ accepted_values.append(v) -+ -+ return accepted_values -+ -+ -+def _post_parse_validation(parsed_email_header_tuples): -+ accepted_values = [] -+ # The parser would have parsed a correctly formatted domain-literal -+ # The existence of an [ after parsing indicates a parsing failure -+ for v in parsed_email_header_tuples: -+ if '[' in v[1]: -+ v = ('', '') -+ accepted_values.append(v) -+ -+ return accepted_values -+ - - def getaddresses(fieldvalues): -- """Return a list of (REALNAME, EMAIL) for each fieldvalue.""" -- all = COMMASPACE.join(str(v) for v in fieldvalues) -+ """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue. -+ -+ When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in -+ its place. -+ -+ If the resulting list of parsed address is not the same as the number of -+ fieldvalues in the input list a parsing error has occurred. A list -+ containing a single empty 2-tuple [('', '')] is returned in its place. -+ This is done to avoid invalid output. -+ """ -+ fieldvalues = [str(v) for v in fieldvalues] -+ fieldvalues = _pre_parse_validation(fieldvalues) -+ all = COMMASPACE.join(v for v in fieldvalues) - a = _AddressList(all) -- return a.addresslist -+ result = _post_parse_validation(a.addresslist) -+ -+ n = 0 -+ for v in fieldvalues: -+ n += v.count(',') + 1 -+ -+ if len(result) != n: -+ return [('', '')] -+ -+ return result - - - def _format_timetuple_and_zone(timetuple, zone): -@@ -209,9 +251,18 @@ def parseaddr(addr): - Return a tuple of realname and email address, unless the parse fails, in - which case return a 2-tuple of ('', ''). - """ -- addrs = _AddressList(addr).addresslist -- if not addrs: -- return '', '' -+ if isinstance(addr, list): -+ addr = addr[0] -+ -+ if not isinstance(addr, str): -+ return ('', '') -+ -+ addr = _pre_parse_validation([addr])[0] -+ addrs = _post_parse_validation(_AddressList(addr).addresslist) -+ -+ if not addrs or len(addrs) > 1: -+ return ('', '') -+ - return addrs[0] - - ---- a/Lib/test/test_email/test_email.py -+++ b/Lib/test/test_email/test_email.py -@@ -3263,15 +3263,90 @@ Foo - [('Al Person', 'aperson@dom.ain'), - ('Bud Person', 'bperson@dom.ain')]) - -+ def test_getaddresses_parsing_errors(self): -+ """Test for parsing errors from CVE-2023-27043""" -+ eq = self.assertEqual -+ eq(utils.getaddresses(['alice@example.org(']), -+ [('', '')]) -+ eq(utils.getaddresses(['alice@example.org)']), -+ [('', '')]) -+ eq(utils.getaddresses(['alice@example.org<']), -+ [('', '')]) -+ eq(utils.getaddresses(['alice@example.org>']), -+ [('', '')]) -+ eq(utils.getaddresses(['alice@example.org@']), -+ [('', '')]) -+ eq(utils.getaddresses(['alice@example.org,']), -+ [('', 'alice@example.org'), ('', 'bob@example.com')]) -+ eq(utils.getaddresses(['alice@example.org;']), -+ [('', '')]) -+ eq(utils.getaddresses(['alice@example.org:']), -+ [('', '')]) -+ eq(utils.getaddresses(['alice@example.org.']), -+ [('', '')]) -+ eq(utils.getaddresses(['alice@example.org"']), -+ [('', '')]) -+ eq(utils.getaddresses(['alice@example.org[']), -+ [('', '')]) -+ eq(utils.getaddresses(['alice@example.org]']), -+ [('', '')]) -+ -+ def test_parseaddr_parsing_errors(self): -+ """Test for parsing errors from CVE-2023-27043""" -+ eq = self.assertEqual -+ eq(utils.parseaddr(['alice@example.org(']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org)']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org<']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org>']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org@']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org,']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org;']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org:']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org.']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org"']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org[']), -+ ('', '')) -+ eq(utils.parseaddr(['alice@example.org]']), -+ ('', '')) -+ - def test_getaddresses_nasty(self): - eq = self.assertEqual - eq(utils.getaddresses(['foo: ;']), [('', '')]) -- eq(utils.getaddresses( -- ['[]*-- =~$']), -- [('', ''), ('', ''), ('', '*--')]) -+ eq(utils.getaddresses(['[]*-- =~$']), [('', '')]) - eq(utils.getaddresses( - ['foo: ;', '"Jason R. Mastaler" ']), - [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')]) -+ eq(utils.getaddresses( -+ [r'Pete(A nice \) chap) ']), -+ [('Pete (A nice ) chap his account his host)', 'pete@silly.test')]) -+ eq(utils.getaddresses( -+ ['(Empty list)(start)Undisclosed recipients :(nobody(I know))']), -+ [('', '')]) -+ eq(utils.getaddresses( -+ ['Mary <@machine.tld:mary@example.net>, , jdoe@test . example']), -+ [('Mary', 'mary@example.net'), ('', ''), ('', 'jdoe@test.example')]) -+ eq(utils.getaddresses( -+ ['John Doe ']), -+ [('John Doe (comment)', 'jdoe@machine.example')]) -+ eq(utils.getaddresses( -+ ['"Mary Smith: Personal Account" ']), -+ [('Mary Smith: Personal Account', 'smith@home.example')]) -+ eq(utils.getaddresses( -+ ['Undisclosed recipients:;']), -+ [('', '')]) -+ eq(utils.getaddresses( -+ [r', "Giant; \"Big\" Box" ']), -+ [('', 'boss@nil.test'), ('Giant; "Big" Box', 'bob@example.net')]) - - def test_getaddresses_embedded_comment(self): - """Test proper handling of a nested comment""" ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst -@@ -0,0 +1,4 @@ -+CVE-2023-27043: Prevent :func:`email.utils.parseaddr` -+and :func:`email.utils.getaddresses` from returning the realname portion of an -+invalid RFC2822 email header in the email address portion of the 2-tuple -+returned after being parsed by :class:`email._parseaddr.AddressList`. diff --git a/python39.changes b/python39.changes index d47c3d6..d954c25 100644 --- a/python39.changes +++ b/python39.changes @@ -1,11 +1,3 @@ -------------------------------------------------------------------- -Tue Jul 11 07:35:18 UTC 2023 - Matej Cepl - -- (bsc#1210638, CVE-2023-27043) Add - CVE-2023-27043-email-parsing-errors.patch, which detects email - address parsing errors and returns empty tuple to indicate the - parsing error (old API). - ------------------------------------------------------------------- Fri Jun 30 20:23:43 UTC 2023 - Matej Cepl diff --git a/python39.spec b/python39.spec index 6f4c2d1..52ef175 100644 --- a/python39.spec +++ b/python39.spec @@ -167,10 +167,6 @@ Patch40: 99366-patch.dict-can-decorate-async.patch # PATCH-FIX-OPENSUSE downport-Sphinx-features.patch mcepl@suse.com # Make documentation build with older Sphinx Patch41: downport-Sphinx-features.patch -# PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638 mcepl@suse.com -# Detect email address parsing errors and return empty tuple to -# indicate the parsing error (old API) -Patch42: CVE-2023-27043-email-parsing-errors.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -433,7 +429,6 @@ other applications. %if 0%{?sle_version} && 0%{?sle_version} <= 150500 %patch41 -p1 %endif -%patch42 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac From 9d7c3614b4120368263e55241cd6b0bf44317b54b45ba38f9556c17d7e3cf09e Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Fri, 14 Jul 2023 10:26:09 +0000 Subject: [PATCH 3/4] - Revert faulty fix for CVE-2023-27043 (gh#python/cpython#106669) OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=155 --- python39.changes | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/python39.changes b/python39.changes index d954c25..37e8a00 100644 --- a/python39.changes +++ b/python39.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Jul 14 10:25:54 UTC 2023 - Matej Cepl + +- Revert faulty fix for CVE-2023-27043 (gh#python/cpython#106669) + ------------------------------------------------------------------- Fri Jun 30 20:23:43 UTC 2023 - Matej Cepl From b5917212a3b79d2ccfdbbf1f8b4375fe1689b80d8afd7fd639a305011e51f9fc Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Wed, 26 Jul 2023 14:05:15 +0000 Subject: [PATCH 4/4] - Add gh-78214-marshal_stabilize_FLAG_REF.patch to marshal.c for stabilizing FLAG_REF usage (required for reproduceability; bsc#1213463). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python39?expand=0&rev=156 --- gh-78214-marshal_stabilize_FLAG_REF.patch | 28 +++++++++++++++++++++++ python39.changes | 7 ++++++ python39.spec | 4 ++++ 3 files changed, 39 insertions(+) create mode 100644 gh-78214-marshal_stabilize_FLAG_REF.patch diff --git a/gh-78214-marshal_stabilize_FLAG_REF.patch b/gh-78214-marshal_stabilize_FLAG_REF.patch new file mode 100644 index 0000000..d255f3c --- /dev/null +++ b/gh-78214-marshal_stabilize_FLAG_REF.patch @@ -0,0 +1,28 @@ +From 6c8ea7c1dacd42f3ba00440231ec0e6b1a38300d Mon Sep 17 00:00:00 2001 +From: Inada Naoki +Date: Sat, 14 Jul 2018 00:46:11 +0900 +Subject: [PATCH] Use FLAG_REF always for interned strings + +--- + Python/marshal.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/Python/marshal.c ++++ b/Python/marshal.c +@@ -298,9 +298,14 @@ w_ref(PyObject *v, char *flag, WFILE *p) + if (p->version < 3 || p->hashtable == NULL) + return 0; /* not writing object references */ + +- /* if it has only one reference, it definitely isn't shared */ +- if (Py_REFCNT(v) == 1) ++ /* If it has only one reference, it definitely isn't shared. ++ * But we use TYPE_REF always for interned string, to PYC file stable ++ * as possible. ++ */ ++ if (Py_REFCNT(v) == 1 && ++ !(PyUnicode_CheckExact(v) && PyUnicode_CHECK_INTERNED(v))) { + return 0; ++ } + + entry = _Py_hashtable_get_entry(p->hashtable, v); + if (entry != NULL) { diff --git a/python39.changes b/python39.changes index 37e8a00..ea75588 100644 --- a/python39.changes +++ b/python39.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Jul 19 11:15:39 UTC 2023 - Matej Cepl + +- Add gh-78214-marshal_stabilize_FLAG_REF.patch to marshal.c for + stabilizing FLAG_REF usage (required for reproduceability; + bsc#1213463). + ------------------------------------------------------------------- Fri Jul 14 10:25:54 UTC 2023 - Matej Cepl diff --git a/python39.spec b/python39.spec index 52ef175..f6e85fb 100644 --- a/python39.spec +++ b/python39.spec @@ -161,6 +161,9 @@ Patch35: support-expat-CVE-2022-25236-patched.patch # PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mcepl@suse.com # this patch makes things totally awesome Patch37: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch +# PATCH-FIX-UPSTREAM gh-78214-marshal_stabilize_FLAG_REF.patch bsc#1213463 mcepl@suse.com +# marshal: Stabilize FLAG_REF usage +Patch39: gh-78214-marshal_stabilize_FLAG_REF.patch # PATCH-FIX-UPSTREAM 99366-patch.dict-can-decorate-async.patch bsc#[0-9]+ mcepl@suse.com # Patch for gh#python/cpython#98086 Patch40: 99366-patch.dict-can-decorate-async.patch @@ -425,6 +428,7 @@ other applications. %endif %patch35 -p1 %patch37 -p1 +%patch39 -p1 %patch40 -p1 %if 0%{?sle_version} && 0%{?sle_version} <= 150500 %patch41 -p1