Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: d...@debian.org
debdiff below fixes two security issues, which don't warrant a DSA by itself. Update has been tested on a Buster few systems (and verified with the PoC). Cheers, Moritz diff -Nru python3.7-3.7.3/debian/changelog python3.7-3.7.3/debian/changelog --- python3.7-3.7.3/debian/changelog 2020-07-25 15:00:39.000000000 +0200 +++ python3.7-3.7.3/debian/changelog 2021-01-22 20:05:45.000000000 +0100 @@ -1,3 +1,10 @@ +python3.7 (3.7.3-2+deb10u3) buster; urgency=medium + + * CVE-2020-26116 + * CVE-2021-3177 + + -- Moritz Mühlenhoff <j...@debian.org> Fri, 22 Jan 2021 21:04:44 +0100 + python3.7 (3.7.3-2+deb10u2) buster; urgency=medium * CVE-2019-20907 diff -Nru python3.7-3.7.3/debian/patches/CVE-2020-26116.patch python3.7-3.7.3/debian/patches/CVE-2020-26116.patch --- python3.7-3.7.3/debian/patches/CVE-2020-26116.patch 1970-01-01 01:00:00.000000000 +0100 +++ python3.7-3.7.3/debian/patches/CVE-2020-26116.patch 2021-01-22 15:32:43.000000000 +0100 @@ -0,0 +1,84 @@ +Fixes CVE-2020-26116: + +From ca75fec1ed358f7324272608ca952b2d8226d11a Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-isling...@users.noreply.github.com> +Date: Sun, 19 Jul 2020 02:27:35 -0700 +Subject: [PATCH] bpo-39603: Prevent header injection in http methods + (GH-18485) (GH-21538) + +reject control chars in http method in http.client.putrequest to prevent http header injection +(cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e) + +Co-authored-by: AMIR <31338382+amiremoham...@users.noreply.github.com> + +--- python3.7-3.7.3.orig/Lib/http/client.py ++++ python3.7-3.7.3/Lib/http/client.py +@@ -150,6 +150,10 @@ _contains_disallowed_url_pchar_re = re.c + # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$") + # We are more lenient for assumed real world compatibility purposes. + ++# These characters are not allowed within HTTP method names ++# to prevent http header injection. ++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]') ++ + # We always set the Content-Length header for these methods because some + # servers will otherwise respond with a 411 + _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} +@@ -1107,6 +1111,8 @@ class HTTPConnection: + else: + raise CannotSendRequest(self.__state) + ++ self._validate_method(method) ++ + # Save the method we use, we need it later in the response phase + self._method = method + if not url: +@@ -1197,6 +1203,16 @@ class HTTPConnection: + # For HTTP/1.0, the server will assume "not chunked" + pass + ++ def _validate_method(self, method): ++ """Validate a method name for putrequest.""" ++ # prevent http header injection ++ match = _contains_disallowed_method_pchar_re.search(method) ++ if match: ++ raise ValueError( ++ f"method can't contain control characters. {method!r} " ++ f"(found at least {match.group()!r})") ++ ++ + def putheader(self, header, *values): + """Send a request header line to the server. + +--- python3.7-3.7.3.orig/Lib/test/test_httplib.py ++++ python3.7-3.7.3/Lib/test/test_httplib.py +@@ -360,6 +360,28 @@ class HeaderTests(TestCase): + self.assertEqual(lines[2], "header: Second: val") + + ++class HttpMethodTests(TestCase): ++ def test_invalid_method_names(self): ++ methods = ( ++ 'GET\r', ++ 'POST\n', ++ 'PUT\n\r', ++ 'POST\nValue', ++ 'POST\nHOST:abc', ++ 'GET\nrHost:abc\n', ++ 'POST\rRemainder:\r', ++ 'GET\rHOST:\n', ++ '\nPUT' ++ ) ++ ++ for method in methods: ++ with self.assertRaisesRegex( ++ ValueError, "method can't contain control characters"): ++ conn = client.HTTPConnection('example.com') ++ conn.sock = FakeSocket(None) ++ conn.request(method=method, url="/") ++ ++ + class TransferEncodingTest(TestCase): + expected_body = b"It's just a flesh wound" + diff -Nru python3.7-3.7.3/debian/patches/CVE-2021-3177.patch python3.7-3.7.3/debian/patches/CVE-2021-3177.patch --- python3.7-3.7.3/debian/patches/CVE-2021-3177.patch 1970-01-01 01:00:00.000000000 +0100 +++ python3.7-3.7.3/debian/patches/CVE-2021-3177.patch 2021-01-22 15:33:44.000000000 +0100 @@ -0,0 +1,169 @@ +Fixes CVE-2021-3177: + +From d9b8f138b7df3b455b54653ca59f491b4840d6fa Mon Sep 17 00:00:00 2001 +From: Benjamin Peterson <benja...@python.org> +Date: Mon, 18 Jan 2021 15:24:02 -0600 +Subject: [PATCH] [3.7] closes bpo-42938: Replace snprintf with Python unicode + formatting in ctypes param reprs. (GH-24249) + +(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7) + +Co-authored-by: Benjamin Peterson <benja...@python.org> + +--- python3.7-3.7.3.orig/Lib/ctypes/test/test_parameters.py ++++ python3.7-3.7.3/Lib/ctypes/test/test_parameters.py +@@ -201,6 +201,49 @@ class SimpleTypesTestCase(unittest.TestC + with self.assertRaises(ZeroDivisionError): + WorseStruct().__setstate__({}, b'foo') + ++ def test_parameter_repr(self): ++ from ctypes import ( ++ c_bool, ++ c_char, ++ c_wchar, ++ c_byte, ++ c_ubyte, ++ c_short, ++ c_ushort, ++ c_int, ++ c_uint, ++ c_long, ++ c_ulong, ++ c_longlong, ++ c_ulonglong, ++ c_float, ++ c_double, ++ c_longdouble, ++ c_char_p, ++ c_wchar_p, ++ c_void_p, ++ ) ++ self.assertRegex(repr(c_bool.from_param(True)), r"^<cparam '\?' at 0x[A-Fa-f0-9]+>$") ++ self.assertEqual(repr(c_char.from_param(97)), "<cparam 'c' ('a')>") ++ self.assertRegex(repr(c_wchar.from_param('a')), r"^<cparam 'u' at 0x[A-Fa-f0-9]+>$") ++ self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>") ++ self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>") ++ self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511)>") ++ self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (511)>") ++ self.assertRegex(repr(c_int.from_param(20000)), r"^<cparam '[li]' \(20000\)>$") ++ self.assertRegex(repr(c_uint.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$") ++ self.assertRegex(repr(c_long.from_param(20000)), r"^<cparam '[li]' \(20000\)>$") ++ self.assertRegex(repr(c_ulong.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$") ++ self.assertRegex(repr(c_longlong.from_param(20000)), r"^<cparam '[liq]' \(20000\)>$") ++ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^<cparam '[LIQ]' \(20000\)>$") ++ self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5)>") ++ self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.5)>") ++ self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (1e+300)>") ++ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^<cparam ('d' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$") ++ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$") ++ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z' \(0x[A-Fa-f0-9]+\)>$") ++ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' \(0x0*12\)>$") ++ + ################################################################ + + if __name__ == '__main__': +--- python3.7-3.7.3.orig/Modules/_ctypes/callproc.c ++++ python3.7-3.7.3/Modules/_ctypes/callproc.c +@@ -461,58 +461,47 @@ is_literal_char(unsigned char c) + static PyObject * + PyCArg_repr(PyCArgObject *self) + { +- char buffer[256]; + switch(self->tag) { + case 'b': + case 'B': +- sprintf(buffer, "<cparam '%c' (%d)>", ++ return PyUnicode_FromFormat("<cparam '%c' (%d)>", + self->tag, self->value.b); +- break; + case 'h': + case 'H': +- sprintf(buffer, "<cparam '%c' (%d)>", ++ return PyUnicode_FromFormat("<cparam '%c' (%d)>", + self->tag, self->value.h); +- break; + case 'i': + case 'I': +- sprintf(buffer, "<cparam '%c' (%d)>", ++ return PyUnicode_FromFormat("<cparam '%c' (%d)>", + self->tag, self->value.i); +- break; + case 'l': + case 'L': +- sprintf(buffer, "<cparam '%c' (%ld)>", ++ return PyUnicode_FromFormat("<cparam '%c' (%ld)>", + self->tag, self->value.l); +- break; + + case 'q': + case 'Q': +- sprintf(buffer, +-#ifdef MS_WIN32 +- "<cparam '%c' (%I64d)>", +-#else +- "<cparam '%c' (%lld)>", +-#endif ++ return PyUnicode_FromFormat("<cparam '%c' (%lld)>", + self->tag, self->value.q); +- break; + case 'd': +- sprintf(buffer, "<cparam '%c' (%f)>", +- self->tag, self->value.d); +- break; +- case 'f': +- sprintf(buffer, "<cparam '%c' (%f)>", +- self->tag, self->value.f); +- break; +- ++ case 'f': { ++ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d); ++ if (f == NULL) { ++ return NULL; ++ } ++ PyObject *result = PyUnicode_FromFormat("<cparam '%c' (%R)>", self->tag, f); ++ Py_DECREF(f); ++ return result; ++ } + case 'c': + if (is_literal_char((unsigned char)self->value.c)) { +- sprintf(buffer, "<cparam '%c' ('%c')>", ++ return PyUnicode_FromFormat("<cparam '%c' ('%c')>", + self->tag, self->value.c); + } + else { +- sprintf(buffer, "<cparam '%c' ('\\x%02x')>", ++ return PyUnicode_FromFormat("<cparam '%c' ('\\x%02x')>", + self->tag, (unsigned char)self->value.c); + } +- break; + + /* Hm, are these 'z' and 'Z' codes useful at all? + Shouldn't they be replaced by the functionality of c_string +@@ -521,22 +510,20 @@ PyCArg_repr(PyCArgObject *self) + case 'z': + case 'Z': + case 'P': +- sprintf(buffer, "<cparam '%c' (%p)>", ++ return PyUnicode_FromFormat("<cparam '%c' (%p)>", + self->tag, self->value.p); + break; + + default: + if (is_literal_char((unsigned char)self->tag)) { +- sprintf(buffer, "<cparam '%c' at %p>", +- (unsigned char)self->tag, self); ++ return PyUnicode_FromFormat("<cparam '%c' at %p>", ++ (unsigned char)self->tag, (void *)self); + } + else { +- sprintf(buffer, "<cparam 0x%02x at %p>", +- (unsigned char)self->tag, self); ++ return PyUnicode_FromFormat("<cparam 0x%02x at %p>", ++ (unsigned char)self->tag, (void *)self); + } +- break; + } +- return PyUnicode_FromString(buffer); + } + + static PyMemberDef PyCArgType_members[] = { diff -Nru python3.7-3.7.3/debian/patches/series python3.7-3.7.3/debian/patches/series --- python3.7-3.7.3/debian/patches/series 2020-07-22 18:03:39.000000000 +0200 +++ python3.7-3.7.3/debian/patches/series 2021-01-22 15:33:15.000000000 +0100 @@ -47,3 +47,5 @@ CVE-2020-14422.diff CVE-2020-8492.diff +CVE-2020-26116.patch +CVE-2021-3177.patch