Hello community,

here is the log from the commit of package python310 for openSUSE:Factory 
checked in at 2022-06-23 10:22:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python310 (Old)
 and      /work/SRC/openSUSE:Factory/.python310.new.1548 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python310"

Thu Jun 23 10:22:00 2022 rev:16 rq:983936 version:3.10.5

Changes:
--------
--- /work/SRC/openSUSE:Factory/python310/python310.changes      2022-06-15 
00:31:48.774483589 +0200
+++ /work/SRC/openSUSE:Factory/.python310.new.1548/python310.changes    
2022-06-23 10:22:01.779593901 +0200
@@ -1,0 +2,9 @@
+Thu Jun  9 16:43:30 UTC 2022 - Matej Cepl <mc...@suse.com>
+
+- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
+  CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
+  command injection in the mailcap module.
+- Fix building of documentation and the universal configuration of the
+  %primary_interpreter.
+
+-------------------------------------------------------------------
@@ -243 +252,2 @@
-- Switch primary_interpreter from python38 to python310
+- Switch primary_interpreter from python38 to python310 for
+  Factory (only)
@@ -526,2 +536,7 @@
-- Remove upstreamed patches:
-  - support-expat-245.patch
+-------------------------------------------------------------------
+Thu Mar 24 18:55:46 UTC 2022 - David Anes <david.a...@suse.com>
+
+- (bsc#1196784, CVE-2022-25236) Rename patch:
+  support-expat-245.patch to support-expat-CVE-2022-25236-patched.patch
+  and update the patch to detect expat >= 2.4.4 instead of >= 2.4.5
+  as it was fully patched against CVE-2022-25236.

New:
----
  CVE-2015-20107-mailcap-unsafe-filenames.patch
  support-expat-CVE-2022-25236-patched.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python310.spec ++++++
--- /var/tmp/diff_new_pack.sgzkMp/_old  2022-06-23 10:22:02.671594870 +0200
+++ /var/tmp/diff_new_pack.sgzkMp/_new  2022-06-23 10:22:02.675594875 +0200
@@ -62,7 +62,11 @@
 %define         python_pkg_name python310
 # Will provide the python3-* provides
 # Will do the /usr/bin/python3 and all the core links
+%if 0%{?sle_version} || 0%{?suse_version} < 1550
+%define primary_interpreter 0
+%else
 %define         primary_interpreter 1
+%endif
 # We don't process beta signs well
 %define         folderversion 3.10.5
 %define         tarname    Python-%{tarversion}
@@ -160,6 +164,12 @@
 # PATCH-FIX-SLE fix_configure_rst.patch bpo#43774 mc...@suse.com
 # remove duplicate link targets and make documentation with old Sphinx in SLE
 Patch35:        fix_configure_rst.patch
+# PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mc...@suse.com
+# NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236
+Patch36:        support-expat-CVE-2022-25236-patched.patch
+# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 
mc...@suse.com
+# avoid the command injection in the mailcap module.
+Patch37:        CVE-2015-20107-mailcap-unsafe-filenames.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
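Review bot: Patch37 is applied to a 3.10.5 tree, but the patch file added in this request carries `.. versionchanged:: 3.11` in its Doc/library/mailcap.rst hunk and is labelled `[PATCH 1/4]` in its Subject, so the documentation built from this package will say the mailcap hardening arrived in 3.11 and it is not clear from the spec whether parts 2-4 of that upstream series are needed. Either adjust the `versionchanged` in the backported patch to the version it ships in, or record the discrepancy in the spec comment, e.g. `# NOTE: backport of upstream gh-68966 part 1/4; the rst hunk still says versionchanged 3.11`. The Patch36 comment describes SUSE's expat 2.4.4 as already patched, but the patch itself no longer checks any expat version (see its test_minidom.py hunks), so the comment could simply say the test now accepts either error.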
@@ -187,7 +197,11 @@
 BuildRequires:  mpdecimal-devel
 %endif
 %if %{with doc}
+%if 0%{?sle_version} && 0%{?sle_version} <= 150300
 BuildRequires:  python3-Sphinx
+%else
+BuildRequires:  python3-Sphinx >= 3.2.0
+%endif
 %if 0%{?suse_version} >= 1500
 BuildRequires:  python3-python-docs-theme >= 2022.1
 %endif
@@ -418,13 +432,13 @@
 %patch09 -p1
 %patch15 -p1
 %patch29 -p1
-%if 0%{?suse_version} <= 1500
-%patch33 -p1
-%endif
 %if 0%{?sle_version} && 0%{?sle_version} <= 150300
+%patch33 -p1
 %patch34 -p1
 %endif
 %patch35 -p1
+%patch36 -p1
+%patch37 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
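Review bot: Moving `%patch33 -p1` from the `%if 0%{?suse_version} <= 1500` guard into the `%if 0%{?sle_version} && 0%{?sle_version} <= 150300` guard changes when the patch is applied, not just where it is listed: any build with `suse_version <= 1500` but `sle_version` unset or greater than 150300 no longer gets it, and the changes entry mentions only documentation and `%primary_interpreter`. If dropping it for newer SLE/Leap service packs is intended, a short comment on the guard would prevent a later "fix", e.g. `# patch33/34 only needed on SLE 15 SP3 and older`; otherwise the original guard should be restored. Whether such a build combination exists cannot be told from this hunk.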

++++++ CVE-2015-20107-mailcap-unsafe-filenames.patch ++++++
>From c3e7f139b440d7424986204e9f3fc2275aea3377 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <encu...@gmail.com>
Date: Wed, 27 Apr 2022 18:17:33 +0200
Subject: [PATCH 1/4] gh-68966: Make mailcap refuse to match unsafe
 filenames/types/params

---
 Doc/library/mailcap.rst                                                 |   12 
++++
 Lib/mailcap.py                                                          |   26 
+++++++++-
 Lib/test/test_mailcap.py                                                |    8 
++-
 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst |    4 
+
 4 files changed, 46 insertions(+), 4 deletions(-)

--- a/Doc/library/mailcap.rst
+++ b/Doc/library/mailcap.rst
@@ -60,6 +60,18 @@ standard.  However, mailcap files are su
    use) to determine whether or not the mailcap line applies.  
:func:`findmatch`
    will automatically check such conditions and skip the entry if the check 
fails.
 
+   .. versionchanged:: 3.11
+
+      To prevent security issues with shell metacharacters (symbols that have
+      special effects in a shell command line), ``findmatch`` will refuse
+      to inject ASCII characters other than alphanumerics and ``@+=:,./-_``
+      into the returned command line.
+
+      If a disallowed character appears in *filename*, ``findmatch`` will 
always
+      return ``(None, None)`` as if no entry was found.
+      If such a character appears elsewhere (a value in *plist* or in 
*MIMEtype*),
+      ``findmatch`` will ignore all mailcap entries which use that value.
+      A :mod:`warning <warnings>` will be raised in either case.
 
 .. function:: getcaps()
 
--- a/Lib/mailcap.py
+++ b/Lib/mailcap.py
@@ -2,6 +2,7 @@
 
 import os
 import warnings
+import re
 
 __all__ = ["getcaps","findmatch"]
 
@@ -13,6 +14,11 @@ def lineno_sort_key(entry):
     else:
         return 1, 0
 
+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
+
+class UnsafeMailcapInput(Warning):
+    """Warning raised when refusing unsafe input"""
+
 
 # Part 1: top-level interface.
 
@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view'
     entry to use.
 
     """
+    if _find_unsafe(filename):
+        msg = "Refusing to use mailcap with filename %r. Use a safe temporary 
filename." % (filename,)
+        warnings.warn(msg, UnsafeMailcapInput)
+        return None, None
     entries = lookup(caps, MIMEtype, key)
     # XXX This code should somehow check for the needsterminal flag.
     for e in entries:
         if 'test' in e:
             test = subst(e['test'], filename, plist)
+            if test is None:
+                continue
             if test and os.system(test) != 0:
                 continue
         command = subst(e[key], MIMEtype, filename, plist)
-        return command, e
+        if command is not None:
+            return command, e
     return None, None
 
 def lookup(caps, MIMEtype, key=None):
@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, pli
             elif c == 's':
                 res = res + filename
             elif c == 't':
+                if _find_unsafe(MIMEtype):
+                    msg = "Refusing to substitute MIME type %r into a shell 
command." % (MIMEtype,)
+                    warnings.warn(msg, UnsafeMailcapInput)
+                    return None
                 res = res + MIMEtype
             elif c == '{':
                 start = i
@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, pli
                     i = i+1
                 name = field[start:i]
                 i = i+1
-                res = res + findparam(name, plist)
+                param = findparam(name, plist)
+                if _find_unsafe(param):
+                    msg = "Refusing to substitute parameter %r (%s) into a 
shell command" % (param, name)
+                    warnings.warn(msg, UnsafeMailcapInput)
+                    return None
+                res = res + param
             # XXX To do:
             # %n == number of parts if type is multipart/*
             # %F == list of alternating type and filename for parts
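Review bot: The two new refusal sites are written as near-duplicate warn-and-return blocks with inconsistent messages — the `%t` message ends with a period and the `%{name}` message does not, and only one of them names the field — which is a style point worth tidying since these strings are what users will search for. A small module-private helper keeps them aligned: `def _refuse(msg): warnings.warn(msg, UnsafeMailcapInput); return None` — wait, that is three lines, so the two sites become `return _refuse("Refusing to substitute MIME type %r into a shell command" % (MIMEtype,))` and `return _refuse("Refusing to substitute parameter %r (%s) into a shell command" % (param, name))`. The `%s` branch two lines above the hunk still appends filename without a check, relying on findmatch having validated it. subst's signature and the rest of its body are outside this hunk.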
--- a/Lib/test/test_mailcap.py
+++ b/Lib/test/test_mailcap.py
@@ -123,7 +123,8 @@ class HelperFunctionTest(unittest.TestCa
             (["", "audio/*", "foo.txt"], ""),
             (["echo foo", "audio/*", "foo.txt"], "echo foo"),
             (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
-            (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
+            (["echo %t", "audio/*", "foo.txt"], None),
+            (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
             (["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
             (["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
             (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
@@ -207,7 +208,10 @@ class FindmatchTest(unittest.TestCase):
              ('"An audio fragment"', audio_basic_entry)),
             ([c, "audio/*"],
              {"filename": fname},
-             ("/usr/local/bin/showaudio audio/*", audio_entry)),
+             (None, None)),
+            ([c, "audio/wav"],
+             {"filename": fname},
+             ("/usr/local/bin/showaudio audio/wav", audio_entry)),
             ([c, "message/external-body"],
              {"plist": plist},
              ("showexternal /dev/null default john python.org     /tmp foo 
bar", message_entry))
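Review bot: The updated FindmatchTest cases only exercise the `%t` refusal (the `audio/*` case now expecting `(None, None)`); nothing in this hunk covers the new filename guard, the `%{name}` parameter refusal, or that `UnsafeMailcapInput` is actually emitted. Two assertions in the same class would pin the security behaviour, using whatever caps fixture the class already has: `with self.assertWarns(mailcap.UnsafeMailcapInput): self.assertEqual(mailcap.findmatch(caps, "audio/basic", filename="foo; rm -f x"), (None, None))` and a matching call with `plist=["name=a b"]` against an entry that uses `%{name}`. The test class and its fixtures begin outside this hunk.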
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
@@ -0,0 +1,4 @@
+The deprecated mailcap module now refuses to inject unsafe text (filenames,
+MIME types, parameters) into shell commands. Instead of using such text, it
+will warn and act as if a match was not found (or for test commands, as if
+the test failed).



++++++ support-expat-CVE-2022-25236-patched.patch ++++++
>From 7da97f61816f3cadaa6788804b22a2434b40e8c5 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
 <31488909+miss-isling...@users.noreply.github.com>
Date: Mon, 21 Feb 2022 08:16:09 -0800
Subject: [PATCH] bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453)
 (GH-31472)

Curly brackets were never allowed in namespace URIs
according to RFC 3986, and so-called namespace-validating
XML parsers have the right to reject them as invalid URIs.

libexpat >=2.4.5 has become stricter in that regard due to
related security issues; with ET.XML instantiating a
namespace-aware parser under the hood, this test has no
future in CPython.

References:
- https://datatracker.ietf.org/doc/html/rfc3968
- https://www.w3.org/TR/xml-names/

Also, test_minidom.py: Support Expat >=2.4.5
(cherry picked from commit 2cae93832f46b245847bdc252456ddf7742ef45e)

Co-authored-by: Sebastian Pipping <sebast...@pipping.org>
---
 Lib/test/test_minidom.py |   25 ++++++++++---------------
 1 file changed, 10 insertions(+), 15 deletions(-)
 create mode 100644 
Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst

--- a/Lib/test/test_minidom.py
+++ b/Lib/test/test_minidom.py
@@ -6,7 +6,6 @@ import io
 from test import support
 import unittest
 
-import pyexpat
 import xml.dom.minidom
 
 from xml.dom.minidom import parse, Node, Document, parseString
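Review bot: This hunk removes `import pyexpat`, but `ExpatError` is still referenced by the two later hunks in this file (`assertRaises((UnicodeDecodeError, ExpatError))`, `assertRaises((ExpatError, ValueError))`), so the name must be provided by an import that is not shown here; confirm it is (e.g. `from xml.parsers.expat import ExpatError`) rather than having come through `pyexpat`. If it is not, the test module fails at import time on every expat version, which would mask the CVE-2022-25236 behaviour this patch is meant to accommodate.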
@@ -1149,13 +1148,11 @@ class MinidomTest(unittest.TestCase):
 
         # Verify that character decoding errors raise exceptions instead
         # of crashing
-        if pyexpat.version_info >= (2, 4, 5):
-            self.assertRaises(ExpatError, parseString,
-                    b'<fran\xe7ais></fran\xe7ais>')
-            self.assertRaises(ExpatError, parseString,
-                    b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
-        else:
-            self.assertRaises(UnicodeDecodeError, parseString,
+        # It doesn???t make any sense to insist on the exact text of the
+        # error message, or even the exact Exception ??? it is enough that
+        # the error has been discovered.
+        with self.assertRaises((UnicodeDecodeError, ExpatError)):
+            parseString(
                 b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien 
?</fran\xe7ais>')
 
         doc.unlink()
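Review bot: The rewritten test drops the `pyexpat.version_info >= (2, 4, 5)` gate entirely and accepts either `UnicodeDecodeError` or `ExpatError`, so the patch no longer "detects expat >= 2.4.4" as the changes entry and the spec's Patch36 comment describe; the package metadata should say what the code does, e.g. `# NOTE: the test accepts either exception, so it passes with SUSE's CVE-2022-25236-patched expat 2.4.4 and with >= 2.4.5`. The comment lines `It doesn???t make any sense` / `the exact Exception ???` look like a mis-encoded apostrophe and em-dash; if the checked-in .patch file contains the `???` literally, plain ASCII `doesn't` and `-` avoid the problem. The diffstat above also lists a `create mode` for a NEWS.d file that has no hunk in this patch, which suggests the rst was dropped when the patch was rebased; harmless, but the diffstat could be trimmed to match.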
@@ -1617,12 +1614,10 @@ class MinidomTest(unittest.TestCase):
         self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
 
     def testExceptionOnSpacesInXMLNSValue(self):
-        if pyexpat.version_info >= (2, 4, 5):
-            context = self.assertRaisesRegex(ExpatError, 'syntax error')
-        else:
-            context = self.assertRaisesRegex(ValueError, 'Unsupported syntax')
-
-        with context:
+        # It doesn???t make any sense to insist on the exact text of the
+        # error message, or even the exact Exception ??? it is enough that
+        # the error has been discovered.
+        with self.assertRaises((ExpatError, ValueError)):
             parseString('<element xmlns:abc="http:abc.com/de f g/hi/j 
k"><abc:foo /></element>')
 
     def testDocRemoveChild(self):
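Review bot: Replacing `assertRaisesRegex(..., 'syntax error')` / `'Unsupported syntax'` with a bare `assertRaises((ExpatError, ValueError))` means testExceptionOnSpacesInXMLNSValue no longer checks that the rejection is about the namespace value at all — any `ValueError` from parseString now passes. That is an accepted trade-off for surviving expat's behaviour change, but the four-line comment is pasted verbatim from the previous test; a single shared sentence, e.g. `# Accept either parser's error: only that the bad xmlns is rejected matters.`, reads better than the duplicated paragraph. If a tighter check is wanted later, asserting on `str(cm.exception)` containing `xmlns` would work across both exception types.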
