Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python for openSUSE:Factory checked in at 2023-03-03 22:24:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python (Old) and /work/SRC/openSUSE:Factory/.python.new.31432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python" Fri Mar 3 22:24:42 2023 rev:178 rq:1068978 version:2.7.18 Changes:
--------
--- /work/SRC/openSUSE:Factory/python/python-base.changes 2023-01-29 14:13:40.948031266 +0100
+++ /work/SRC/openSUSE:Factory/.python.new.31432/python-base.changes 2023-03-03 22:25:00.474646819 +0100
@@ -1,0 +2,7 @@
+Wed Mar 1 14:43:31 UTC 2023 - Matej Cepl <mc...@suse.com>
+
+- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
+ bsc#1208471) blocklists bypass via the urllib.parse component
+ when supplying a URL that starts with blank characters
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/python/python-doc.changes 2023-01-27 10:19:20.652488960 +0100
+++ /work/SRC/openSUSE:Factory/.python.new.31432/python-doc.changes 2023-03-03 22:25:00.518646986 +0100
@@ -1,0 +2,12 @@
+Wed Mar 1 14:43:31 UTC 2023 - Matej Cepl <mc...@suse.com>
+
+- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
+ bsc#1208471) blocklists bypass via the urllib.parse component
+ when supplying a URL that starts with blank characters
+
+-------------------------------------------------------------------
+Fri Jan 27 15:00:21 UTC 2023 - Thorsten Kukuk <ku...@suse.com>
+
+- Disable NIS for new products, it's deprecated and gets removed
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/python/python.changes 2023-01-29 14:13:40.964031353 +0100
+++ /work/SRC/openSUSE:Factory/.python.new.31432/python.changes 2023-03-03 22:25:00.542647078 +0100
@@ -1,0 +2,7 @@
+Wed Mar 1 14:43:31 UTC 2023 - Matej Cepl <mc...@suse.com>
+
+- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
+ bsc#1208471) blocklists bypass via the urllib.parse component
+ when supplying a URL that starts with blank characters
+
+-------------------------------------------------------------------
New:
----
CVE-2023-24329-blank-URL-bypass.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-base.spec ++++++
--- /var/tmp/diff_new_pack.1SxP1S/_old 2023-03-03 22:25:02.502654526 +0100
+++ /var/tmp/diff_new_pack.1SxP1S/_new 2023-03-03 22:25:02.510654555 +0100
@@ -142,6 +142,10 @@
 # PATCH-FIX-UPSTREAM skip_unverified_test.patch mc...@suse.com
 # switching verification off on the old SLE doesn't work
 Patch74: skip_unverified_test.patch
+# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mc...@suse.com
+# blocklist bypass via the urllib.parse component when supplying
+# a URL that starts with blank characters
+Patch75: CVE-2023-24329-blank-URL-bypass.patch
 # COMMON-PATCH-END
 %define python_version %(echo %{tarversion} | head -c 3)
 BuildRequires: automake
@@ -287,6 +291,7 @@
 %if 0%{?sle_version} && 0%{?sle_version} < 150000
 %patch74 -p1
 %endif
+%patch75 -p1
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar
++++++ python-doc.spec ++++++
--- /var/tmp/diff_new_pack.1SxP1S/_old 2023-03-03 22:25:02.542654677 +0100
+++ /var/tmp/diff_new_pack.1SxP1S/_new 2023-03-03 22:25:02.550654707 +0100
@@ -141,6 +141,10 @@
 # PATCH-FIX-UPSTREAM skip_unverified_test.patch mc...@suse.com
 # switching verification off on the old SLE doesn't work
 Patch74: skip_unverified_test.patch
+# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mc...@suse.com
+# blocklist bypass via the urllib.parse component when supplying
+# a URL that starts with blank characters
+Patch75: CVE-2023-24329-blank-URL-bypass.patch
 # COMMON-PATCH-END
 Provides: pyth_doc = %{version}
 Provides: pyth_ps = %{version}
@@ -224,6 +228,7 @@
 %if 0%{?sle_version} && 0%{?sle_version} < 150000
 %patch74 -p1
 %endif
+%patch75 -p1
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar
++++++ python.spec ++++++
--- /var/tmp/diff_new_pack.1SxP1S/_old 2023-03-03 22:25:02.586654844 +0100
+++ /var/tmp/diff_new_pack.1SxP1S/_new 2023-03-03 22:25:02.590654860 +0100
@@ -141,6 +141,10 @@
 # PATCH-FIX-UPSTREAM skip_unverified_test.patch mc...@suse.com
 # switching verification off on the old SLE doesn't work
 Patch74: skip_unverified_test.patch
+# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 mc...@suse.com
+# blocklist bypass via the urllib.parse component when supplying
+# a URL that starts with blank characters
+Patch75: CVE-2023-24329-blank-URL-bypass.patch
 # COMMON-PATCH-END
 BuildRequires: automake
 BuildRequires: db-devel
@@ -342,6 +346,7 @@
 %if 0%{?sle_version} && 0%{?sle_version} < 150000
 %patch74 -p1
 %endif
+%patch75 -p1
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar
++++++ CVE-2023-24329-blank-URL-bypass.patch ++++++
---
 Lib/test/test_urlparse.py | 21 ++++++++++
 Lib/urlparse.py | 9 +++-
 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs | 2
 3 files changed, 30 insertions(+), 2 deletions(-)
Index: Python-2.7.18/Lib/test/test_urlparse.py
===================================================================
--- Python-2.7.18.orig/Lib/test/test_urlparse.py
+++ Python-2.7.18/Lib/test/test_urlparse.py
@@ -1,4 +1,5 @@
 from test import test_support
+from urlparse import isascii
 import sys
 import unicodedata
 import unittest
@@ -592,6 +593,26 @@ class UrlParseTestCase(unittest.TestCase
         self.assertEqual(p.netloc, "www.example.net:foo")
         self.assertRaises(ValueError, lambda: p.port)
 
+    def do_attributes_bad_scheme(self, bytes, parse, scheme):
+        url = scheme + "://www.example.net"
+        if bytes:
+            if isascii(url):
+                url = url.encode("ascii")
+            else:
+                return
+        p = parse(url)
+        if bytes:
+            self.assertEqual(p.scheme, b"")
+        else:
+            self.assertEqual(p.scheme, "")
+
+    def test_attributes_bad_scheme(self):
+        """Check handling of invalid schemes."""
+        for bytes in (False, True):
+            for parse in (urlparse.urlsplit, urlparse.urlparse):
+                for scheme in (".", "+", "-", "0", "http&"):
+                    self.do_attributes_bad_scheme(bytes, parse, scheme)
+
     def test_attributes_without_netloc(self):
         # This example is straight from RFC 3261. It looks like it
         # should allow the username, hostname, and port to be filled
Index: Python-2.7.18/Lib/urlparse.py
===================================================================
--- Python-2.7.18.orig/Lib/urlparse.py
+++ Python-2.7.18/Lib/urlparse.py
@@ -31,7 +31,8 @@ test_urlparse.py provides a good indicat
 import re
 
 __all__ = ["urlparse", "urlunparse", "urljoin", "urldefrag",
-           "urlsplit", "urlunsplit", "parse_qs", "parse_qsl"]
+           "urlsplit", "urlunsplit", "parse_qs", "parse_qsl",
+           "isascii"]
 
 # A classification of schemes ('' means apply by default)
 uses_relative = ['ftp', 'http', 'gopher', 'nntp', 'imap',
@@ -68,6 +69,10 @@ _UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r
 MAX_CACHE_SIZE = 20
 _parse_cache = {}
 
+# Py3k shim
+def isascii(word):
+    return all([ord(c) < 128 for c in word])
+
 def clear_cache():
     """Clear the parse cache."""
     _parse_cache.clear()
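Review bot: test_attributes_bad_scheme exercises schemes beginning with `.`, `+`, `-`, `0` and `http&`, but no case for the blank-leading URL the package changelog names for CVE-2023-24329; a case such as `" http://www.example.net"` asserting the expected scheme and netloc would show whether this backport closes that bypass rather than only the bad-scheme bug. Under Python 2.7 the `bytes` branch of do_attributes_bad_scheme is vacuous: `url` is already a str, `url.encode("ascii")` yields a str again and `b""` equals `""`, so both assertions check the same thing; a comment such as `# under 2.7 str and bytes coincide; kept to mirror the upstream 3.x test` would explain why the branch is retained. The parameter name `bytes` also shadows the builtin. The enclosing class UrlParseTestCase starts and ends outside the hunk.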
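Review bot: `return all([ord(c) < 128 for c in word])` materialises the whole list before `all()` looks at it, so every character is scanned even when the first one is already non-ASCII; the generator form `return all(ord(c) < 128 for c in word)` short-circuits and is otherwise equivalent (both return True for an empty string). The shim also deserves a docstring now that it is imported by the test, e.g. `"""Return True if every character of word (str or unicode) has an ordinal below 128; stand-in for the 3.x str.isascii()."""`. Adding it to `__all__` in the previous hunk widens the module's public API for what the comment itself calls a shim; `from urlparse import isascii` works without the export, so the `__all__` change could be dropped.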
@@ -211,7 +216,7 @@ def urlsplit(url, scheme='', allow_fragm
     clear_cache()
     netloc = query = fragment = ''
     i = url.find(':')
-    if i > 0:
+    if i > 0 and isascii(url[0]) and url[0].isalpha():
         if url[:i] == 'http': # optimize the common case
             scheme = url[:i].lower()
             url = url[i+1:]
Index: Python-2.7.18/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs
===================================================================
--- /dev/null
+++ Python-2.7.18/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs
@@ -0,0 +1,2 @@
+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
+with a digit, a plus sign, or a minus sign to be parsed incorrectly.
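Review bot: The rewritten condition `if i > 0 and isascii(url[0]) and url[0].isalpha():` refuses to treat a non-alphabetic first character as the start of a scheme but strips nothing, so a URL beginning with a space reaches the parser unchanged and, presumably as before, ends up with an empty scheme and an empty netloc; unless leading blanks are removed elsewhere outside this hunk, the bypass the package changelog attributes to CVE-2023-24329 (a URL that starts with blank characters) is not closed here, and the NEWS entry added in the same patch describes gh-issue-99418 (schemes beginning with a digit, plus or minus sign), which is what this condition does fix. Upstream's fix for the CVE removes leading C0 control characters and spaces before any parsing; the equivalent here would be one line ahead of `i = url.find(':')`, for example `url = url.lstrip(''.join(map(chr, range(0x21))))`, placed so that the parse cache is keyed on the stripped URL rather than the raw one. The second hunk header shows the module already defines `_UNSAFE_URL_BYTES_TO_REMOVE` for tab, CR and LF, which is the natural place to document the wider set being stripped and why. urlsplit starts and ends outside the hunk.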