Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python for openSUSE:Factory checked in at 2021-09-30 23:42:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python (Old) and /work/SRC/openSUSE:Factory/.python.new.2443 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python" Thu Sep 30 23:42:52 2021 rev:158 rq:921455 version:2.7.18 Changes: -------- --- /work/SRC/openSUSE:Factory/python/python-base.changes 2021-09-21 21:12:21.786585740 +0200 +++ /work/SRC/openSUSE:Factory/.python.new.2443/python-base.changes 2021-09-30 23:43:06.772449973 +0200 @@ -1,0 +2,15 @@ +Tue Sep 21 14:54:40 UTC 2021 - Matej Cepl <[email protected]> + +- Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091 + (CVE-2019-20907, bpo#39017) avoiding possible infinite loop + in specifically crafted tarball. + Add recursion.tar as a testing tarball for the patch. +- Provide the newest setuptools wheel (bsc#1176262, + CVE-2019-20916) in their correct form (bsc#1180686). +- Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211 + (CVE-2020-26116, bpo#39603) no longer allowing special characters in + the method parameter of HTTPConnection.putrequest in httplib, stopping + injection of headers. Such characters now raise ValueError. + + +------------------------------------------------------------------- @@ -78,4 +93,3 @@ - - Disallow control characters in hostnames in http.client, - addressing CVE-2019-18348 (bpo#38576, bsc#1155094). Such - potentially malicious header injection URLs now cause - InvalidURL to be raised. + - bsc#1155094 (CVE-2019-18348) Disallow control characters in + hostnames in http.client. Such potentially malicious header + injection URLs now cause a InvalidURL to be raised. @@ -305,2 +319,3 @@ -- bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch - fixing bpo-34623. +- bsc#1109847 (CVE-2018-14647): add + CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing + bpo-34623. @@ -325 +340 @@ - fixing bpo-35746. + fixing bpo-35746 (CVE-2019-5010). python-doc.changes: same change python.changes: same change New: ---- CVE-2019-20907_tarfile-inf-loop.patch CVE-2020-26116-httplib-header-injection.patch pip-20.2.3-py2.py3-none-any.whl recursion.tar setuptools-44.1.1-py2.py3-none-any.whl ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-base.spec ++++++ --- /var/tmp/diff_new_pack.sMexpK/_old 2021-09-30 23:43:08.084451475 +0200 +++ /var/tmp/diff_new_pack.sMexpK/_new 2021-09-30 23:43:08.088451480 +0200 @@ -34,6 +34,11 @@ Source2: baselibs.conf Source3: README.SUSE Source5: local.pth +# Fixed bundled wheels +Source10: setuptools-44.1.1-py2.py3-none-any.whl +Source11: pip-20.2.3-py2.py3-none-any.whl +# For Patch 66 +Source66: recursion.tar Source99: python-base-rpmlintrc # COMMON-PATCH-BEGIN Patch1: python-2.7-dirs.patch @@ -109,6 +114,14 @@ Patch64: CVE-2021-3733-fix-ReDoS-in-request.patch # PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bpo#35293 gh#python/cpython#22198 -- fix doc build Patch65: sphinx-update-removed-function.patch +# PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 [email protected] +# avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907) +# REQUIRES SOURCE 66 +Patch66: CVE-2019-20907_tarfile-inf-loop.patch +# PATCH-FIX-UPSTREAM CVE-2020-26116-httplib-header-injection.patch bsc#1177211 +# Fixes httplib to disallow control characters in method to avoid header +# injection +Patch67: CVE-2020-26116-httplib-header-injection.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -239,11 +252,25 @@ %patch63 -p1 %patch64 -p1 %patch65 -p1 +%patch66 -p1 +%patch67 -p1 + +# For patch 66 +cp -v %{SOURCE66} Lib/test/recursion.tar # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac # COMMON-PREP-END +# Replace bundled wheels with the updates ones +rm -v Lib/ensurepip/_bundled/*.whl +cp -v %{SOURCE10} %{SOURCE11} Lib/ensurepip/_bundled/ +STVER=$(basename %{SOURCE10}|cut -d- -f2) +PIPVER=$(basename %{SOURCE11}|cut -d- -f2) +sed -i -e "s/^\(\s*_SETUPTOOLS_VERSION\s\+=\s\+\)\"[0-9.]\+\"/\1\"${STVER}\"/" \ + -e "s/^\(\s*_PIP_VERSION\s\+=\s\+\)\"[0-9.]\+\"/\1\"${PIPVER}\"/" \ + Lib/ensurepip/__init__.py + %build %define _lto_cflags %{nil} export OPT="%{optflags} -DOPENSSL_LOAD_CONF -fwrapv" @@ -320,7 +347,7 @@ if test $(ulimit -v) = unlimited || test $(ulimit -v) -gt 10000000; then ulimit -v 10000000 || : fi -make test TESTOPTS="-l -x $EXCLUDE" TESTPYTHONOPTS="-R" +make test TESTOPTS="-l -w -x $EXCLUDE" TESTPYTHONOPTS="-R" # use network, be verbose: #make test TESTOPTS="-l -u network -v" %endif ++++++ python-doc.spec ++++++ --- /var/tmp/diff_new_pack.sMexpK/_old 2021-09-30 23:43:08.124451521 +0200 +++ /var/tmp/diff_new_pack.sMexpK/_new 2021-09-30 23:43:08.124451521 +0200 @@ -31,6 +31,8 @@ #Source3: http://docs.python.org/%{version}/archives/python-%{pyver}-docs-pdf-letter.tar.bz2 Source2: python-%{version}-docs-pdf-a4.tar.bz2 Source3: python-%{version}-docs-pdf-letter.tar.bz2 +# For Patch 66 +Source66: recursion.tar %if 0%{?suse_version} >= 1500 BuildRequires: python3-Sphinx %else @@ -111,6 +113,14 @@ Patch64: CVE-2021-3733-fix-ReDoS-in-request.patch # PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bpo#35293 gh#python/cpython#22198 -- fix doc build Patch65: sphinx-update-removed-function.patch +# PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 [email protected] +# avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907) +# REQUIRES SOURCE 66 +Patch66: CVE-2019-20907_tarfile-inf-loop.patch +# PATCH-FIX-UPSTREAM CVE-2020-26116-httplib-header-injection.patch bsc#1177211 +# Fixes httplib to disallow control characters in method to avoid header +# injection +Patch67: CVE-2020-26116-httplib-header-injection.patch # COMMON-PATCH-END Provides: pyth_doc = %{version} Provides: pyth_ps = %{version} @@ -183,17 +193,16 @@ %patch63 -p1 %patch64 -p1 %patch65 -p1 +%patch66 -p1 +%patch67 -p1 + +# For patch 66 +cp -v %{SOURCE66} Lib/test/recursion.tar # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac # COMMON-PREP-END -# Update documentation formatting for Sphinx 3.0 (bpo#40204) -for i in `find Doc/ -type f -name "*.rst"` -do - sed -i 's/:c:type:/:c:expr:/g' $i -done - %build TODAY_DATE=`date -r %{S:0} "+%B %d, %Y"` # TODO use not date of tarball but date of latest patch ++++++ python.spec ++++++ --- /var/tmp/diff_new_pack.sMexpK/_old 2021-09-30 23:43:08.160451562 +0200 +++ /var/tmp/diff_new_pack.sMexpK/_new 2021-09-30 23:43:08.180451586 +0200 @@ -32,6 +32,8 @@ Source50: idle.appdata.xml Source51: idle.desktop # issues with copyrighted Unicode testing files +# For Patch 66 +Source66: recursion.tar # !!!!!!!!!!!!!! # do not add or edit patches here. please edit python-base.spec @@ -111,6 +113,14 @@ Patch64: CVE-2021-3733-fix-ReDoS-in-request.patch # PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bpo#35293 gh#python/cpython#22198 -- fix doc build Patch65: sphinx-update-removed-function.patch +# PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 [email protected] +# avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907) +# REQUIRES SOURCE 66 +Patch66: CVE-2019-20907_tarfile-inf-loop.patch +# PATCH-FIX-UPSTREAM CVE-2020-26116-httplib-header-injection.patch bsc#1177211 +# Fixes httplib to disallow control characters in method to avoid header +# injection +Patch67: CVE-2020-26116-httplib-header-injection.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -297,6 +307,11 @@ %patch63 -p1 %patch64 -p1 %patch65 -p1 +%patch66 -p1 +%patch67 -p1 + +# For patch 66 +cp -v %{SOURCE66} Lib/test/recursion.tar # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ CVE-2019-20907_tarfile-inf-loop.patch ++++++ >From 1fa6ef2bc7cee1c8e088dd8b397d9b2d54036dbc Mon Sep 17 00:00:00 2001 From: Rajarishi Devarajan <[email protected]> Date: Sun, 12 Jul 2020 23:47:42 +0200 Subject: [PATCH 1/4] bpo-39017 Fix infinite loop in the tarfile module Add a check for length = 0 in the _proc_pax function to avoid running into an infinite loop --- Lib/tarfile.py | 2 ++ Lib/test/test_tarfile.py | 5 +++++ Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | 1 + 3 files changed, 8 insertions(+) create mode 100644 Lib/test/recursion.tar --- a/Lib/tarfile.py +++ b/Lib/tarfile.py @@ -1400,6 +1400,8 @@ class TarInfo(object): length, keyword = match.groups() length = int(length) + if length == 0: + raise InvalidHeaderError("invalid header") value = buf[match.end(2) + 1:match.start(1) + length - 1] keyword = keyword.decode("utf8") --- a/Lib/test/test_tarfile.py +++ b/Lib/test/test_tarfile.py @@ -321,6 +321,11 @@ class CommonReadTest(ReadTest): with self.assertRaisesRegexp(tarfile.ReadError, "unexpected end of data"): tar.extractfile(t).read() + def test_length_zero_header(self): + # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail + # with an exception + self.assertRaises(tarfile.ReadError, tarfile.open, test_support.findfile('recursion.tar')) + class MiscReadTest(CommonReadTest): taropen = tarfile.TarFile.taropen --- /dev/null +++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst @@ -0,0 +1 @@ +Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907). ++++++ CVE-2020-26116-httplib-header-injection.patch ++++++ --- Lib/httplib.py | 15 +++++++++++++++ Lib/test/test_httplib.py | 22 +++++++++++++++++++++- 2 files changed, 36 insertions(+), 1 deletion(-) --- a/Lib/httplib.py +++ b/Lib/httplib.py @@ -262,6 +262,10 @@ _contains_disallowed_url_pchar_re = re.c _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} +# These characters are not allowed within HTTP method names +# to prevent http header injection. +_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]') + class HTTPMessage(mimetools.Message): def addheader(self, key, value): @@ -940,6 +944,8 @@ class HTTPConnection: else: raise CannotSendRequest() + self._validate_method(method) + # Save the method for use later in the response phase self._method = method @@ -1179,6 +1185,15 @@ class HTTPConnection: response.close() raise + def _validate_method(self, method): + """Validate a method name for putrequest.""" + # prevent http header injection + match = _contains_disallowed_method_pchar_re.search(method) + if match: + raise ValueError( + "method can't contain control characters. %r (found at " + "least %r)" % (method, match.group())) + class HTTP: "Compatibility class with httplib.py from 1.5." --- a/Lib/test/test_httplib.py +++ b/Lib/test/test_httplib.py @@ -1007,10 +1007,30 @@ class TunnelTests(TestCase): self.assertTrue('Host: destination.com' in conn.sock.data) +class HttpMethodTests(TestCase): + def test_invalid_method_names(self): + methods = ( + 'GET\r', + 'POST\n', + 'PUT\n\r', + 'POST\nValue', + 'POST\nHOST:abc', + 'GET\nrHost:abc\n', + 'POST\rRemainder:\r', + 'GET\rHOST:\n', + '\nPUT' + ) + + for method in methods: + conn = httplib.HTTPConnection('example.com') + conn.sock = FakeSocket(None) + self.assertRaises(ValueError, conn.request, method=method, url="/") + + @test_support.reap_threads def test_main(verbose=None): test_support.run_unittest(HeaderTests, OfflineTest, BasicTest, TimeoutTest, - HTTPTest, HTTPSTest, SourceAddressTest, + HTTPTest, HttpMethodTests, HTTPSTest, SourceAddressTest, TunnelTests) if __name__ == '__main__':
