Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python310 for openSUSE:Factory checked in at 2022-06-23 10:22:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python310 (Old) and /work/SRC/openSUSE:Factory/.python310.new.1548 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python310" Thu Jun 23 10:22:00 2022 rev:16 rq:983936 version:3.10.5 Changes: -------- --- /work/SRC/openSUSE:Factory/python310/python310.changes 2022-06-15 00:31:48.774483589 +0200 +++ /work/SRC/openSUSE:Factory/.python310.new.1548/python310.changes 2022-06-23 10:22:01.779593901 +0200 @@ -1,0 +2,9 @@ +Thu Jun 9 16:43:30 UTC 2022 - Matej Cepl <mc...@suse.com> + +- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid + CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the + command injection in the mailcap module. +- Fix building of documentation and the universal configuration of the + %primary_interpreter. + +------------------------------------------------------------------- @@ -243 +252,2 @@ -- Switch primary_interpreter from python38 to python310 +- Switch primary_interpreter from python38 to python310 for + Factory (only) @@ -526,2 +536,7 @@ -- Remove upstreamed patches: - - support-expat-245.patch +------------------------------------------------------------------- +Thu Mar 24 18:55:46 UTC 2022 - David Anes <david.a...@suse.com> + +- (bsc#1196784, CVE-2022-25236) Rename patch: + support-expat-245.patch to support-expat-CVE-2022-25236-patched.patch + and update the patch to detect expat >= 2.4.4 instead of >= 2.4.5 + as it was fully patched against CVE-2022-25236. New: ---- CVE-2015-20107-mailcap-unsafe-filenames.patch support-expat-CVE-2022-25236-patched.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python310.spec ++++++ --- /var/tmp/diff_new_pack.sgzkMp/_old 2022-06-23 10:22:02.671594870 +0200 +++ /var/tmp/diff_new_pack.sgzkMp/_new 2022-06-23 10:22:02.675594875 +0200 @@ -62,7 +62,11 @@ %define python_pkg_name python310 # Will provide the python3-* provides # Will do the /usr/bin/python3 and all the core links +%if 0%{?sle_version} || 0%{?suse_version} < 1550 +%define primary_interpreter 0 +%else %define primary_interpreter 1 +%endif # We don't process beta signs well %define folderversion 3.10.5 %define tarname Python-%{tarversion} @@ -160,6 +164,12 @@ # PATCH-FIX-SLE fix_configure_rst.patch bpo#43774 mc...@suse.com # remove duplicate link targets and make documentation with old Sphinx in SLE Patch35: fix_configure_rst.patch +# PATCH-FIX-UPSTREAM bpo-46811 gh#python/cpython#7da97f61816f mc...@suse.com +# NOTE: SUSE version of expat 2.4.4 is patched in SUSE for CVE-2022-25236 +Patch36: support-expat-CVE-2022-25236-patched.patch +# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511 mc...@suse.com +# avoid the command injection in the mailcap module. +Patch37: CVE-2015-20107-mailcap-unsafe-filenames.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -187,7 +197,11 @@ BuildRequires: mpdecimal-devel %endif %if %{with doc} +%if 0%{?sle_version} && 0%{?sle_version} <= 150300 BuildRequires: python3-Sphinx +%else +BuildRequires: python3-Sphinx >= 3.2.0 +%endif %if 0%{?suse_version} >= 1500 BuildRequires: python3-python-docs-theme >= 2022.1 %endif @@ -418,13 +432,13 @@ %patch09 -p1 %patch15 -p1 %patch29 -p1 -%if 0%{?suse_version} <= 1500 -%patch33 -p1 -%endif %if 0%{?sle_version} && 0%{?sle_version} <= 150300 +%patch33 -p1 %patch34 -p1 %endif %patch35 -p1 +%patch36 -p1 +%patch37 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac ++++++ CVE-2015-20107-mailcap-unsafe-filenames.patch ++++++ >From c3e7f139b440d7424986204e9f3fc2275aea3377 Mon Sep 17 00:00:00 2001 From: Petr Viktorin <encu...@gmail.com> Date: Wed, 27 Apr 2022 18:17:33 +0200 Subject: [PATCH 1/4] gh-68966: Make mailcap refuse to match unsafe filenames/types/params --- Doc/library/mailcap.rst | 12 ++++ Lib/mailcap.py | 26 +++++++++- Lib/test/test_mailcap.py | 8 ++- Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 + 4 files changed, 46 insertions(+), 4 deletions(-) --- a/Doc/library/mailcap.rst +++ b/Doc/library/mailcap.rst @@ -60,6 +60,18 @@ standard. However, mailcap files are su use) to determine whether or not the mailcap line applies. :func:`findmatch` will automatically check such conditions and skip the entry if the check fails. + .. versionchanged:: 3.11 + + To prevent security issues with shell metacharacters (symbols that have + special effects in a shell command line), ``findmatch`` will refuse + to inject ASCII characters other than alphanumerics and ``@+=:,./-_`` + into the returned command line. + + If a disallowed character appears in *filename*, ``findmatch`` will always + return ``(None, None)`` as if no entry was found. + If such a character appears elsewhere (a value in *plist* or in *MIMEtype*), + ``findmatch`` will ignore all mailcap entries which use that value. + A :mod:`warning <warnings>` will be raised in either case. .. function:: getcaps() --- a/Lib/mailcap.py +++ b/Lib/mailcap.py @@ -2,6 +2,7 @@ import os import warnings +import re __all__ = ["getcaps","findmatch"] @@ -13,6 +14,11 @@ def lineno_sort_key(entry): else: return 1, 0 +_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search + +class UnsafeMailcapInput(Warning): + """Warning raised when refusing unsafe input""" + # Part 1: top-level interface. @@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view' entry to use. """ + if _find_unsafe(filename): + msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,) + warnings.warn(msg, UnsafeMailcapInput) + return None, None entries = lookup(caps, MIMEtype, key) # XXX This code should somehow check for the needsterminal flag. for e in entries: if 'test' in e: test = subst(e['test'], filename, plist) + if test is None: + continue if test and os.system(test) != 0: continue command = subst(e[key], MIMEtype, filename, plist) - return command, e + if command is not None: + return command, e return None, None def lookup(caps, MIMEtype, key=None): @@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, pli elif c == 's': res = res + filename elif c == 't': + if _find_unsafe(MIMEtype): + msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,) + warnings.warn(msg, UnsafeMailcapInput) + return None res = res + MIMEtype elif c == '{': start = i @@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, pli i = i+1 name = field[start:i] i = i+1 - res = res + findparam(name, plist) + param = findparam(name, plist) + if _find_unsafe(param): + msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name) + warnings.warn(msg, UnsafeMailcapInput) + return None + res = res + param # XXX To do: # %n == number of parts if type is multipart/* # %F == list of alternating type and filename for parts --- a/Lib/test/test_mailcap.py +++ b/Lib/test/test_mailcap.py @@ -123,7 +123,8 @@ class HelperFunctionTest(unittest.TestCa (["", "audio/*", "foo.txt"], ""), (["echo foo", "audio/*", "foo.txt"], "echo foo"), (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"), - (["echo %t", "audio/*", "foo.txt"], "echo audio/*"), + (["echo %t", "audio/*", "foo.txt"], None), + (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"), (["echo \\%t", "audio/*", "foo.txt"], "echo %t"), (["echo foo", "audio/*", "foo.txt", plist], "echo foo"), (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3") @@ -207,7 +208,10 @@ class FindmatchTest(unittest.TestCase): ('"An audio fragment"', audio_basic_entry)), ([c, "audio/*"], {"filename": fname}, - ("/usr/local/bin/showaudio audio/*", audio_entry)), + (None, None)), + ([c, "audio/wav"], + {"filename": fname}, + ("/usr/local/bin/showaudio audio/wav", audio_entry)), ([c, "message/external-body"], {"plist": plist}, ("showexternal /dev/null default john python.org /tmp foo bar", message_entry)) --- /dev/null +++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst @@ -0,0 +1,4 @@ +The deprecated mailcap module now refuses to inject unsafe text (filenames, +MIME types, parameters) into shell commands. Instead of using such text, it +will warn and act as if a match was not found (or for test commands, as if +the test failed). ++++++ support-expat-CVE-2022-25236-patched.patch ++++++ >From 7da97f61816f3cadaa6788804b22a2434b40e8c5 Mon Sep 17 00:00:00 2001 From: "Miss Islington (bot)" <31488909+miss-isling...@users.noreply.github.com> Date: Mon, 21 Feb 2022 08:16:09 -0800 Subject: [PATCH] bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453) (GH-31472) Curly brackets were never allowed in namespace URIs according to RFC 3986, and so-called namespace-validating XML parsers have the right to reject them a invalid URIs. libexpat >=2.4.5 has become strcter in that regard due to related security issues; with ET.XML instantiating a namespace-aware parser under the hood, this test has no future in CPython. References: - https://datatracker.ietf.org/doc/html/rfc3968 - https://www.w3.org/TR/xml-names/ Also, test_minidom.py: Support Expat >=2.4.5 (cherry picked from commit 2cae93832f46b245847bdc252456ddf7742ef45e) Co-authored-by: Sebastian Pipping <sebast...@pipping.org> --- Lib/test/test_minidom.py | 25 ++++++++++--------------- 1 file changed, 10 insertions(+), 15 deletions(-) create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst --- a/Lib/test/test_minidom.py +++ b/Lib/test/test_minidom.py @@ -6,7 +6,6 @@ import io from test import support import unittest -import pyexpat import xml.dom.minidom from xml.dom.minidom import parse, Node, Document, parseString @@ -1149,13 +1148,11 @@ class MinidomTest(unittest.TestCase): # Verify that character decoding errors raise exceptions instead # of crashing - if pyexpat.version_info >= (2, 4, 5): - self.assertRaises(ExpatError, parseString, - b'<fran\xe7ais></fran\xe7ais>') - self.assertRaises(ExpatError, parseString, - b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>') - else: - self.assertRaises(UnicodeDecodeError, parseString, + # It doesn???t make any sense to insist on the exact text of the + # error message, or even the exact Exception ??? it is enough that + # the error has been discovered. + with self.assertRaises((UnicodeDecodeError, ExpatError)): + parseString( b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>') doc.unlink() @@ -1617,12 +1614,10 @@ class MinidomTest(unittest.TestCase): self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE) def testExceptionOnSpacesInXMLNSValue(self): - if pyexpat.version_info >= (2, 4, 5): - context = self.assertRaisesRegex(ExpatError, 'syntax error') - else: - context = self.assertRaisesRegex(ValueError, 'Unsupported syntax') - - with context: + # It doesn???t make any sense to insist on the exact text of the + # error message, or even the exact Exception ??? it is enough that + # the error has been discovered. + with self.assertRaises((ExpatError, ValueError)): parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>') def testDocRemoveChild(self):