Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python for openSUSE:Factory checked
in at 2023-09-22 21:46:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python (Old)
and /work/SRC/openSUSE:Factory/.python.new.1770 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python"
Fri Sep 22 21:46:40 2023 rev:188 rq:1111680 version:2.7.18
Changes:
--------
--- /work/SRC/openSUSE:Factory/python/python-base.changes 2023-09-14
16:26:44.720896373 +0200
+++ /work/SRC/openSUSE:Factory/.python.new.1770/python-base.changes
2023-09-22 21:46:48.671547081 +0200
@@ -1,0 +2,18 @@
+Sat Sep 16 12:40:52 UTC 2023 - Matej Cepl <mc...@suse.com>
+
+- (bsc#1214691, CVE-2022-48566) Add
+ CVE-2022-48566-compare_digest-more-constant.patch to make
+ compare_digest more constant-time.
+
+-------------------------------------------------------------------
+Thu Sep 14 20:45:36 UTC 2023 - Matej Cepl <mc...@suse.com>
+
+- (bsc#1214685, CVE-2022-48565) Add
+ CVE-2022-48565-plistlib-XML-vulns.patch (from
+ gh#python/cpython#86217) reject XML entity declarations in
+ plist files.
+- Remove BOTH CVE-2023-27043-email-parsing-errors.patch and
+ Revert-gh105127-left-tests.patch (as per discussion on
+ bsc#1210638).
+
+-------------------------------------------------------------------
python-doc.changes: same change
python.changes: same change
Old:
----
CVE-2023-27043-email-parsing-errors.patch
Revert-gh105127-left-tests.patch
New:
----
CVE-2022-48565-plistlib-XML-vulns.patch
CVE-2022-48566-compare_digest-more-constant.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-base.spec ++++++
--- /var/tmp/diff_new_pack.FdUjTJ/_old 2023-09-22 21:46:55.715802808 +0200
+++ /var/tmp/diff_new_pack.FdUjTJ/_new 2023-09-22 21:46:55.715802808 +0200
@@ -149,15 +149,18 @@
# PATCH-FIX-OPENSUSE PygmentsBridge-trime_doctest_flags.patch mc...@suse.com
# Build documentation even without PygmentsBridge.trim_doctest_flags
Patch76: PygmentsBridge-trime_doctest_flags.patch
-# PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638
mc...@suse.com
-# Detect email address parsing errors and return empty tuple to
-# indicate the parsing error (old API)
-Patch77: CVE-2023-27043-email-parsing-errors.patch
-# PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638
mc...@suse.com
-# Partially revert previous patch
-Patch78: Revert-gh105127-left-tests.patch
+# # PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638
mc...@suse.com
+# # Detect email address parsing errors and return empty tuple to
+# # indicate the parsing error (old API)
+# Patch77: CVE-2023-27043-email-parsing-errors.patch
+# PATCH-FIX-UPSTREAM CVE-2022-48565-plistlib-XML-vulns.patch bsc#1214685
mc...@suse.com
+# Reject entity declarations in plists
+Patch78: CVE-2022-48565-plistlib-XML-vulns.patch
# PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch
gh#python/cpython#108315
Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch
+# PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch
bsc#1214691 mc...@suse.com
+# Make compare_digest more constant-time
+Patch80: CVE-2022-48566-compare_digest-more-constant.patch
# COMMON-PATCH-END
%define python_version %(echo %{tarversion} | head -c 3)
BuildRequires: automake
@@ -310,9 +313,10 @@
%endif
%patch75 -p1
%patch76 -p1
-%patch77 -p1
+# %%patch77 -p1
%patch78 -p1
%patch79 -p1
+%patch80 -p1
# For patch 66
cp -v %{SOURCE66} Lib/test/recursion.tar
++++++ python-doc.spec ++++++
--- /var/tmp/diff_new_pack.FdUjTJ/_old 2023-09-22 21:46:55.751804115 +0200
+++ /var/tmp/diff_new_pack.FdUjTJ/_new 2023-09-22 21:46:55.751804115 +0200
@@ -148,15 +148,18 @@
# PATCH-FIX-OPENSUSE PygmentsBridge-trime_doctest_flags.patch mc...@suse.com
# Build documentation even without PygmentsBridge.trim_doctest_flags
Patch76: PygmentsBridge-trime_doctest_flags.patch
-# PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638
mc...@suse.com
-# Detect email address parsing errors and return empty tuple to
-# indicate the parsing error (old API)
-Patch77: CVE-2023-27043-email-parsing-errors.patch
-# PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638
mc...@suse.com
-# Partially revert previous patch
-Patch78: Revert-gh105127-left-tests.patch
+# # PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638
mc...@suse.com
+# # Detect email address parsing errors and return empty tuple to
+# # indicate the parsing error (old API)
+# Patch77: CVE-2023-27043-email-parsing-errors.patch
+# PATCH-FIX-UPSTREAM CVE-2022-48565-plistlib-XML-vulns.patch bsc#1214685
mc...@suse.com
+# Reject entity declarations in plists
+Patch78: CVE-2022-48565-plistlib-XML-vulns.patch
# PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch
gh#python/cpython#108315
Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch
+# PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch
bsc#1214691 mc...@suse.com
+# Make compare_digest more constant-time
+Patch80: CVE-2022-48566-compare_digest-more-constant.patch
# COMMON-PATCH-END
Provides: pyth_doc = %{version}
Provides: pyth_ps = %{version}
@@ -244,9 +247,10 @@
%endif
%patch75 -p1
%patch76 -p1
-%patch77 -p1
+# %%patch77 -p1
%patch78 -p1
%patch79 -p1
+%patch80 -p1
# For patch 66
cp -v %{SOURCE66} Lib/test/recursion.tar
++++++ python.spec ++++++
--- /var/tmp/diff_new_pack.FdUjTJ/_old 2023-09-22 21:46:55.783805277 +0200
+++ /var/tmp/diff_new_pack.FdUjTJ/_new 2023-09-22 21:46:55.787805422 +0200
@@ -148,15 +148,18 @@
# PATCH-FIX-OPENSUSE PygmentsBridge-trime_doctest_flags.patch mc...@suse.com
# Build documentation even without PygmentsBridge.trim_doctest_flags
Patch76: PygmentsBridge-trime_doctest_flags.patch
-# PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638
mc...@suse.com
-# Detect email address parsing errors and return empty tuple to
-# indicate the parsing error (old API)
-Patch77: CVE-2023-27043-email-parsing-errors.patch
-# PATCH-FIX-UPSTREAM Revert-gh105127-left-tests.patch bsc#1210638
mc...@suse.com
-# Partially revert previous patch
-Patch78: Revert-gh105127-left-tests.patch
+# # PATCH-FIX-UPSTREAM CVE-2023-27043-email-parsing-errors.patch bsc#1210638
mc...@suse.com
+# # Detect email address parsing errors and return empty tuple to
+# # indicate the parsing error (old API)
+# Patch77: CVE-2023-27043-email-parsing-errors.patch
+# PATCH-FIX-UPSTREAM CVE-2022-48565-plistlib-XML-vulns.patch bsc#1214685
mc...@suse.com
+# Reject entity declarations in plists
+Patch78: CVE-2022-48565-plistlib-XML-vulns.patch
# PATCH-FIX-UPSTREAM CVE-2023-40217-avoid-ssl-pre-close.patch
gh#python/cpython#108315
Patch79: CVE-2023-40217-avoid-ssl-pre-close.patch
+# PATCH-FIX-UPSTREAM CVE-2022-48566-compare_digest-more-constant.patch
bsc#1214691 mc...@suse.com
+# Make compare_digest more constant-time
+Patch80: CVE-2022-48566-compare_digest-more-constant.patch
# COMMON-PATCH-END
BuildRequires: automake
BuildRequires: db-devel
@@ -364,9 +367,10 @@
%endif
%patch75 -p1
%patch76 -p1
-%patch77 -p1
+# %%patch77 -p1
%patch78 -p1
%patch79 -p1
+%patch80 -p1
# For patch 66
cp -v %{SOURCE66} Lib/test/recursion.tar
++++++ CVE-2022-48565-plistlib-XML-vulns.patch ++++++
>From 4d8f9e2e4461de92bd1e0c92ed433480d761670f Mon Sep 17 00:00:00 2001
From: Ned Deily <n...@python.org>
Date: Mon, 19 Oct 2020 22:36:27 -0400
Subject: [PATCH] bpo-42051: Reject XML entity declarations in plist files
(GH-22760) (GH-22801)
Co-authored-by: Ronald Oussoren <ronaldousso...@mac.com>
(cherry picked from commit e512bc799e3864fe3b1351757261762d63471efc)
Co-authored-by: Ned Deily <n...@python.org>
---
Lib/plistlib.py | 10 +++++
Lib/test/test_plistlib.py | 19
++++++++++
Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst | 3 +
3 files changed, 32 insertions(+)
create mode 100644
Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst
--- a/Lib/plistlib.py
+++ b/Lib/plistlib.py
@@ -403,9 +403,19 @@ class PlistParser:
parser.StartElementHandler = self.handleBeginElement
parser.EndElementHandler = self.handleEndElement
parser.CharacterDataHandler = self.handleData
+ parser.EntityDeclHandler = self.handle_entity_decl
parser.ParseFile(fileobj)
return self.root
+ def handle_entity_decl(self, entity_name, is_parameter_entity, value,
+ base, system_id, public_id, notation_name):
+ # Reject plist files with entity declarations to avoid XML
+ # vulnerabilies in expat. Regular plist files don't contain
+ # those declerations, and Apple's plutil tool does not accept
+ # them either.
+ raise ValueError(
+ "XML entity declarations are not supported in plist files")
+
def handleBeginElement(self, element, attrs):
self.data = []
handler = getattr(self, "begin_" + element, None)
--- a/Lib/test/test_plistlib.py
+++ b/Lib/test/test_plistlib.py
@@ -86,6 +86,19 @@ TESTDATA = """<?xml version="1.0" encodi
</plist>
""".replace(" " * 8, "\t") # Apple as well as plistlib.py output hard tabs
+XML_PLIST_WITH_ENTITY=b'''\
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd"; [
+ <!ENTITY entity "replacement text">
+ ]>
+<plist version="1.0">
+ <dict>
+ <key>A</key>
+ <string>&entity;</string>
+ </dict>
+</plist>
+'''
+
class TestPlistlib(unittest.TestCase):
@@ -195,6 +208,12 @@ class TestPlistlib(unittest.TestCase):
self.assertEqual(test1, result1)
self.assertEqual(test2, result2)
+ def test_xml_plist_with_entity_decl(self):
+ with self.assertRaisesRegexp(ValueError,
+ "XML entity declarations are not
supported"):
+ plistlib.readPlistFromString(XML_PLIST_WITH_ENTITY)
+
+
def test_main():
test_support.run_unittest(TestPlistlib)
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst
@@ -0,0 +1,3 @@
+The :mod:`plistlib` module no longer accepts entity declarations in XML
+plist files to avoid XML vulnerabilities. This should not affect users as
+entity declarations are not used in regular plist files.
++++++ CVE-2022-48566-compare_digest-more-constant.patch ++++++
>From 8bef9ebb1b88cfa4b2a38b93fe4ea22015d8254a Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-isling...@users.noreply.github.com>
Date: Mon, 14 Dec 2020 09:04:57 -0800
Subject: [PATCH] bpo-40791: Make compare_digest more constant-time. (GH-23438)
(GH-23767)
The existing volatile `left`/`right` pointers guarantee that the reads will all
occur, but does not guarantee that they will be _used_. So a compiler can still
short-circuit the loop, saving e.g. the overhead of doing the xors and
especially the overhead of the data dependency between `result` and the reads.
That would change performance depending on where the first unequal byte occurs.
This change removes that optimization.
(This is change GH-1 from https://bugs.python.org/issue40791 .)
(cherry picked from commit 31729366e2bc09632e78f3896dbce0ae64914f28)
Co-authored-by: Devin Jeanpierre <jeanpierr...@google.com>
---
Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst | 1 +
Modules/operator.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
create mode 100644
Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst
@@ -0,0 +1 @@
+Add ``volatile`` to the accumulator variable in ``hmac.compare_digest``,
making constant-time-defeating optimizations less likely.
\ No newline at end of file
--- a/Modules/operator.c
+++ b/Modules/operator.c
@@ -259,7 +259,7 @@ _tscmp(const unsigned char *a, const uns
volatile const unsigned char *left;
volatile const unsigned char *right;
Py_ssize_t i;
- unsigned char result;
+ volatile unsigned char result;
/* loop count depends on length of b */
length = len_b;
