Hello community,

here is the log from the commit of package python for openSUSE:Factory checked 
in at 2023-03-03 22:24:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python (Old)
 and      /work/SRC/openSUSE:Factory/.python.new.31432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python"

Fri Mar  3 22:24:42 2023 rev:178 rq:1068978 version:2.7.18

Changes:
--------
--- /work/SRC/openSUSE:Factory/python/python-base.changes       2023-01-29 
14:13:40.948031266 +0100
+++ /work/SRC/openSUSE:Factory/.python.new.31432/python-base.changes    
2023-03-03 22:25:00.474646819 +0100
@@ -1,0 +2,7 @@
+Wed Mar  1 14:43:31 UTC 2023 - Matej Cepl <mc...@suse.com>
+
+- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
+  bsc#1208471) blocklists bypass via the urllib.parse component
+  when supplying a URL that starts with blank characters
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/python/python-doc.changes        2023-01-27 
10:19:20.652488960 +0100
+++ /work/SRC/openSUSE:Factory/.python.new.31432/python-doc.changes     
2023-03-03 22:25:00.518646986 +0100
@@ -1,0 +2,12 @@
+Wed Mar  1 14:43:31 UTC 2023 - Matej Cepl <mc...@suse.com>
+
+- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
+  bsc#1208471) blocklists bypass via the urllib.parse component
+  when supplying a URL that starts with blank characters
+
+-------------------------------------------------------------------
+Fri Jan 27 15:00:21 UTC 2023 - Thorsten Kukuk <ku...@suse.com>
+
+- Disable NIS for new products, it's deprecated and gets removed
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/python/python.changes    2023-01-29 
14:13:40.964031353 +0100
+++ /work/SRC/openSUSE:Factory/.python.new.31432/python.changes 2023-03-03 
22:25:00.542647078 +0100
@@ -1,0 +2,7 @@
+Wed Mar  1 14:43:31 UTC 2023 - Matej Cepl <mc...@suse.com>
+
+- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
+  bsc#1208471) blocklists bypass via the urllib.parse component
+  when supplying a URL that starts with blank characters
+
+-------------------------------------------------------------------

New:
----
  CVE-2023-24329-blank-URL-bypass.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-base.spec ++++++
--- /var/tmp/diff_new_pack.1SxP1S/_old  2023-03-03 22:25:02.502654526 +0100
+++ /var/tmp/diff_new_pack.1SxP1S/_new  2023-03-03 22:25:02.510654555 +0100
@@ -142,6 +142,10 @@
 # PATCH-FIX-UPSTREAM skip_unverified_test.patch mc...@suse.com
 # switching verification off on the old SLE doesn't work
 Patch74:        skip_unverified_test.patch
+# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 
mc...@suse.com
+# blocklist bypass via the urllib.parse component when supplying
+# a URL that starts with blank characters
+Patch75:        CVE-2023-24329-blank-URL-bypass.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@@ -287,6 +291,7 @@
 %if 0%{?sle_version} && 0%{?sle_version} < 150000
 %patch74 -p1
 %endif
+%patch75 -p1
 
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar

++++++ python-doc.spec ++++++
--- /var/tmp/diff_new_pack.1SxP1S/_old  2023-03-03 22:25:02.542654677 +0100
+++ /var/tmp/diff_new_pack.1SxP1S/_new  2023-03-03 22:25:02.550654707 +0100
@@ -141,6 +141,10 @@
 # PATCH-FIX-UPSTREAM skip_unverified_test.patch mc...@suse.com
 # switching verification off on the old SLE doesn't work
 Patch74:        skip_unverified_test.patch
+# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 
mc...@suse.com
+# blocklist bypass via the urllib.parse component when supplying
+# a URL that starts with blank characters
+Patch75:        CVE-2023-24329-blank-URL-bypass.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc = %{version}
 Provides:       pyth_ps = %{version}
@@ -224,6 +228,7 @@
 %if 0%{?sle_version} && 0%{?sle_version} < 150000
 %patch74 -p1
 %endif
+%patch75 -p1
 
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar

++++++ python.spec ++++++
--- /var/tmp/diff_new_pack.1SxP1S/_old  2023-03-03 22:25:02.586654844 +0100
+++ /var/tmp/diff_new_pack.1SxP1S/_new  2023-03-03 22:25:02.590654860 +0100
@@ -141,6 +141,10 @@
 # PATCH-FIX-UPSTREAM skip_unverified_test.patch mc...@suse.com
 # switching verification off on the old SLE doesn't work
 Patch74:        skip_unverified_test.patch
+# PATCH-FIX-UPSTREAM CVE-2023-24329-blank-URL-bypass.patch bsc#1208471 
mc...@suse.com
+# blocklist bypass via the urllib.parse component when supplying
+# a URL that starts with blank characters
+Patch75:        CVE-2023-24329-blank-URL-bypass.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@@ -342,6 +346,7 @@
 %if 0%{?sle_version} && 0%{?sle_version} < 150000
 %patch74 -p1
 %endif
+%patch75 -p1
 
 # For patch 66
 cp -v %{SOURCE66} Lib/test/recursion.tar

++++++ CVE-2023-24329-blank-URL-bypass.patch ++++++
---
 Lib/test/test_urlparse.py                                             |   21 
++++++++++
 Lib/urlparse.py                                                       |    9 
+++-
 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs |    2 
 3 files changed, 30 insertions(+), 2 deletions(-)

Index: Python-2.7.18/Lib/test/test_urlparse.py
===================================================================
--- Python-2.7.18.orig/Lib/test/test_urlparse.py
+++ Python-2.7.18/Lib/test/test_urlparse.py
@@ -1,4 +1,5 @@
 from test import test_support
+from urlparse import isascii
 import sys
 import unicodedata
 import unittest
@@ -592,6 +593,26 @@ class UrlParseTestCase(unittest.TestCase
         self.assertEqual(p.netloc, "www.example.net:foo")
         self.assertRaises(ValueError, lambda: p.port)
 
+    def do_attributes_bad_scheme(self, bytes, parse, scheme):
+        url = scheme + "://www.example.net"
+        if bytes:
+            if isascii(url):
+                url = url.encode("ascii")
+            else:
+                return
+        p = parse(url)
+        if bytes:
+            self.assertEqual(p.scheme, b"")
+        else:
+            self.assertEqual(p.scheme, "")
+
+    def test_attributes_bad_scheme(self):
+        """Check handling of invalid schemes."""
+        for bytes in (False, True):
+            for parse in (urlparse.urlsplit, urlparse.urlparse):
+                for scheme in (".", "+", "-", "0", "http&"):
+                    self.do_attributes_bad_scheme(bytes, parse, scheme)
+
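Review bot: The helper parameter named `bytes` in do_attributes_bad_scheme shadows the builtin (an alias of `str` on 2.7), which makes the `b""` expectation on the bytes branch harder to read; renaming it in both methods avoids that, `def do_attributes_bad_scheme(self, as_bytes, parse, scheme):` with the call site updated to match. The helper also has no docstring; a one-liner such as `"""Parse scheme + '://www.example.net' and assert the bad scheme is dropped; the bytes case is skipped for non-ASCII schemes."""` states the contract. The enclosing class UrlParseTestCase starts outside the hunk.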
     def test_attributes_without_netloc(self):
         # This example is straight from RFC 3261.  It looks like it
         # should allow the username, hostname, and port to be filled
Index: Python-2.7.18/Lib/urlparse.py
===================================================================
--- Python-2.7.18.orig/Lib/urlparse.py
+++ Python-2.7.18/Lib/urlparse.py
@@ -31,7 +31,8 @@ test_urlparse.py provides a good indicat
 import re
 
 __all__ = ["urlparse", "urlunparse", "urljoin", "urldefrag",
-           "urlsplit", "urlunsplit", "parse_qs", "parse_qsl"]
+           "urlsplit", "urlunsplit", "parse_qs", "parse_qsl",
+           "isascii"]
 
 # A classification of schemes ('' means apply by default)
 uses_relative = ['ftp', 'http', 'gopher', 'nntp', 'imap',
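Review bot: Adding `"isascii"` to `__all__` turns a backport-only shim into public API of the urlparse module, so `from urlparse import *` now exports a name no upstream 2.7 release has and would shadow any caller-defined isascii. Keeping the helper private and leaving `__all__` byte-identical to upstream avoids that: name it `_isascii` in the later hunk and have the test import it explicitly with `from urlparse import _isascii` in place of the first hunk's import line. The `__all__` assignment is complete within the hunk.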
@@ -68,6 +69,10 @@ _UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r
 MAX_CACHE_SIZE = 20
 _parse_cache = {}
 
+# Py3k shim
+def isascii(word):
+    return all([ord(c) < 128 for c in word])
+
 def clear_cache():
     """Clear the parse cache."""
     _parse_cache.clear()
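Review bot: `all([ord(c) < 128 for c in word])` builds the full list before `all` runs, so it cannot stop at the first non-ASCII character; a generator expression short-circuits, `return all(ord(c) < 128 for c in word)`. The shim also has only a `# Py3k shim` comment; a docstring such as `"""Return True if every character of word has an ordinal below 128 (shim for Python 3's str.isascii)."""` tells a reader why it exists. Note that the empty string yields True here, which matches the Python 3 method.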
@@ -211,7 +216,7 @@ def urlsplit(url, scheme='', allow_fragm
         clear_cache()
     netloc = query = fragment = ''
     i = url.find(':')
-    if i > 0:
+    if i > 0 and isascii(url[0]) and url[0].isalpha():
         if url[:i] == 'http': # optimize the common case
             scheme = url[:i].lower()
             url = url[i+1:]
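Review bot: The added condition on the `if i > 0` line only rejects a scheme whose first character is not an ASCII letter; nothing in this hunk strips leading blank or control characters, so a URL that begins with a space still reaches the check with `url[0]` being that space, takes the no-scheme path and is returned with an empty scheme and netloc as before. The package changelog entries and the three spec-file comments describe this patch as closing the blank-character blocklist bypass, while the patch's own NEWS file is the gh-issue-99418 entry about schemes beginning with a digit, plus or minus, so the patch appears to be the scheme-validation change rather than the leading-whitespace change; either the scheme lookup should be preceded by stripping leading blanks, e.g. `url = url.lstrip(_LEADING_BLANK_CHARS)` with that constant defined next to `_UNSAFE_URL_BYTES_TO_REMOVE` (character set to be taken from the upstream fix), or the changelog and spec comments should be corrected to describe what the patch does. The tests added by the same patch in test_urlparse.py cover `.`, `+`, `-`, `0` and `http&` but no blank-prefixed input, so they would not catch the mismatch. urlsplit begins and continues outside the hunk.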
Index: 
Python-2.7.18/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs
===================================================================
--- /dev/null
+++ 
Python-2.7.18/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rs
@@ -0,0 +1,2 @@
+Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
+with a digit, a plus sign, or a minus sign to be parsed incorrectly.
