Bug#983531: buster-pu: package python2.7/2.7.16-2+deb10u2

2022-08-06 Thread Adam D. Barratt
Hi Moritz,

On Thu, 2021-03-18 at 20:17 +0100, Moritz Mühlenhoff wrote:
> On Sat, Mar 13, 2021 at 06:46:38PM +, Adam D. Barratt wrote:
> > On Fri, 2021-02-26 at 16:30 +0100, Moritz Muehlenhoff wrote:
> > > On Fri, Feb 26, 2021 at 07:49:38AM +0100, Matthias Klose wrote:
> > > > On 2/25/21 7:41 PM, Moritz Muehlenhoff wrote:
> > > > > +  * CVE-2021-3177
> > > > 
> > > > are all the ctypes tests passing with this patch? See #983516.
> > > 
> > > I'll have a look at Marc's updated patch and revise if needed.
> > 
> > Was there a conclusion on that?
> 
> I won't have time for preparing/testing a revised update, this will
> need to wait for 10.10

Are you still looking at getting this fixed in buster?

Regards,

Adam



Bug#983531: buster-pu: package python2.7/2.7.16-2+deb10u2

2021-02-25 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: d...@debian.org

debdiff below fixes three security issues, which don't warrant a DSA by themselves.

Update has been tested on a few Buster systems (and verified with the PoCs).

Cheers,
Moritz

diff -u python2.7-2.7.16/debian/changelog python2.7-2.7.16/debian/changelog
--- python2.7-2.7.16/debian/changelog
+++ python2.7-2.7.16/debian/changelog
@@ -1,3 +1,11 @@
+python2.7 (2.7.16-2+deb10u2) buster; urgency=medium
+
+  * CVE-2020-8492 (Closes: #970099)
+  * CVE-2019-20907 (Closes: #970099)
+  * CVE-2021-3177
+
+ -- Moritz Mühlenhoff   Wed, 24 Feb 2021 20:33:20 +0200
+
 python2.7 (2.7.16-2+deb10u1) buster; urgency=medium
 
   * CVE-2018-20852
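Review bot: the third entry `+  * CVE-2021-3177` carries no `(Closes: #...)` reference, while the two entries above it both close #970099; if a BTS bug exists for the ctypes issue, reference it here so it is closed on upload, and consider one line of description per CVE (tarfile infinite loop, urllib2 realm regex, ctypes param repr) so the changelog says what was fixed rather than only which identifiers.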
diff -u python2.7-2.7.16/debian/patches/series.in 
python2.7-2.7.16/debian/patches/series.in
--- python2.7-2.7.16/debian/patches/series.in
+++ python2.7-2.7.16/debian/patches/series.in
@@ -80,0 +81,3 @@
+CVE-2019-20907.diff
+CVE-2020-8492.diff
+CVE-2021-3177.diff
only in patch2:
unchanged:
--- python2.7-2.7.16.orig/debian/patches/CVE-2019-20907.diff
+++ python2.7-2.7.16/debian/patches/CVE-2019-20907.diff
@@ -0,0 +1,26 @@
+From 47a2955589bdb1a114d271496ff803ad73f954b8 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-isling...@users.noreply.github.com>
+Date: Wed, 15 Jul 2020 05:36:36 -0700
+Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module
+ (GH-21454) (#21485)
+
+Avoid infinite loop when reading specially crafted TAR files using the tarfile 
module
+(CVE-2019-20907).
+(cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4)
+
+Co-authored-by: Rishi 
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index adf91d5..574a6bb 100644
+--- a/Lib/tarfile.py
 b/Lib/tarfile.py
+@@ -1400,6 +1400,8 @@ class TarInfo(object):
+ 
+ length, keyword = match.groups()
+ length = int(length)
++if length == 0:
++raise InvalidHeaderError("invalid header")
+ value = buf[match.end(2) + 1:match.start(1) + length - 1]
+ 
+ keyword = keyword.decode("utf8")
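Review bot: the `length == 0` check is the right guard (a zero-length record is the one case in which the record offset never advances, which is the infinite loop the subject line describes), but the backport consists of this single Lib/tarfile.py hunk and carries no regression test. Suggest adding a test that feeds a pax header block beginning with a `0 path=...` record and asserts that the reader raises instead of spinning, so this update can be verified the same way the ctypes tests are being asked for in #983516. The message `"invalid header"` could also name the cause, e.g. `"invalid pax header record length"`, since tarfile reuses that exception class for several conditions.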
only in patch2:
unchanged:
--- python2.7-2.7.16.orig/debian/patches/CVE-2020-8492.diff
+++ python2.7-2.7.16/debian/patches/CVE-2020-8492.diff
@@ -0,0 +1,26 @@
+Backport of 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4, trimmed down to the
+fix for CVE-2020-8492
+
+Co-Authored-By: Serhiy Storchaka 
+diff --git a/Lib/urllib2.py b/Lib/urllib2.py
+index 8b634ad..11a62a4 100644
+--- a/Lib/urllib2.py
 b/Lib/urllib2.py
+@@ -856,8 +856,15 @@ class AbstractBasicAuthHandler:
+ 
+ # allow for double- and single-quoted realm values
+ # (single quotes are a violation of the RFC, but appear in the wild)
+-rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
+-'realm=(["\']?)([^"\']*)\\2', re.I)
++rx = re.compile('(?:^|,)'   # start of the string or ','
++'[ \t]*'# optional whitespaces
++'([^ \t]+)' # scheme like "Basic"
++'[ \t]+'# mandatory whitespaces
++# realm=xxx
++# realm='xxx'
++# realm="xxx"
++'realm=(["\']?)([^"\']*)\\2',
++re.I)
+ 
+ # XXX could pre-emptively send auth info already accepted (RFC 2617,
+ # end of section 2, and section 1.2 immediately after "credentials"
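Review bot: the new scheme group `'([^ \t]+)'` still admits commas, so a multi-challenge header with no space after the separator, e.g. `Negotiate,Basic realm="x"`, matches at the start of the string with scheme `Negotiate,Basic`; the Basic handler then does not fire, whereas the removed `(?:.*,)*` prefix would have skipped to `Basic`. Excluding the comma from the class, `'([^ \t,]+)'`, keeps the `(?:^|,)` anchoring that removes the backtracking blowup without that regression. The patch header only says the upstream commit was "trimmed down"; it should state that the nested quantifier `(?:.*,)*` in the removed lines is the CVE-2020-8492 ReDoS source, so a later reader knows which part of the change is the security fix.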
only in patch2:
unchanged:
--- python2.7-2.7.16.orig/debian/patches/CVE-2021-3177.diff
+++ python2.7-2.7.16/debian/patches/CVE-2021-3177.diff
@@ -0,0 +1,149 @@
+bpo-42938: Replace snprintf with Python unicode formatting in ctypes param 
reprs.
+--- a/Lib/ctypes/test/test_parameters.py
 b/Lib/ctypes/test/test_parameters.py
+@@ -206,6 +206,49 @@
+ with self.assertRaises(ZeroDivisionError):
+ WorseStruct().__setstate__({}, b'foo')
+ 
++def test_parameter_repr(self):
++from ctypes import (
++c_bool,
++c_char,
++c_wchar,
++c_byte,
++c_ubyte,
++c_short,
++c_ushort,
++c_int,
++c_uint,
++c_long,
++c_ulong,
++c_longlong,
++c_ulonglong,
++c_float,
++c_double,
++c_longdouble,
++c_char_p,
++c_wchar_p,
++c_void_p,
++)
++self.assertRegexpMatches(repr(c_bool.from_param(True)), r"^$")
++self.assertEqual(repr(c_char.from_param('a')), "")
++self.assertRegexpMatches(repr(c_wchar.from_param('a')), r"^$")
++self.assertEqual(repr(c_byte.from_param(98)), "")
++self.assertEqual(repr(c_ubyte.from_param(98)), "")
++self.assertEqual(repr(c_short.from_param(511)), "")
++self.assertEqual(repr(c_ushort.from_param(511)), "")
++self.assertRegexpMatches(repr(c_int.from_param(2)), r"^$")
++self.assertR
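Review bot: the patch is cut off at `self.assertR` and shows only the Lib/ctypes/test/test_parameters.py hunk; the change the first line promises (replacing snprintf with Python unicode formatting in the ctypes param reprs) is not in the debdiff as posted, so the actual fix cannot be reviewed here. Within the visible hunk the expected reprs are empty, `r"^$"` and `""`, which can never match the output of e.g. `repr(c_byte.from_param(98))`; confirm that the expected `<cparam ...>` strings are intact in the real patch file, because as shown these assertions would fail and that is exactly the ctypes test question raised in #983516.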
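The tarfile loop that the CVE-2019-20907 hunk above guards, re-created as an added example (this is not code from the thread, from the debdiff or from CPython). The record loop mirrors the visible hunk in Lib/tarfile.py; the record builder, the iteration cap and the sample blocks are this example's own constructions.

```python
"""Re-creation of the tarfile pax-record loop that CVE-2019-20907 fixes.

Added example, not code from the Debian thread or from CPython itself.
"""
import re
import tarfile  # only for tarfile.InvalidHeaderError, the type the patch raises

# A pax record is "<length> <keyword>=<value>\n", where <length> counts the
# whole record including the length digits and the trailing newline.
PAX_RECORD = re.compile(rb"(\d+) ([^=]+)=")


def pax_record(keyword, value):
    """Encode one well-formed record, solving the self-referential length."""
    body = len(keyword) + len(value) + 3  # space, '=', newline
    length = prev = 0
    while True:
        length = body + len(str(prev))
        if length == prev:
            break
        prev = length
    return b"%d %s=%s\n" % (length, keyword, value)


def parse_pax_records(buf, guard_zero_length=True, max_iterations=1000):
    """Walk the records the way TarInfo._proc_pax does.

    With guard_zero_length=False this is the pre-patch loop: a length field
    of 0 makes `pos += length` a no-op and the loop never terminates.
    max_iterations is an added safety cap (not in tarfile) so the unpatched
    behaviour can be shown without hanging the interpreter.
    """
    headers = {}
    pos = 0
    for _ in range(max_iterations):
        match = PAX_RECORD.match(buf, pos)
        if not match:
            return headers
        length, keyword = match.groups()
        length = int(length)
        if guard_zero_length and length == 0:
            # The fix from the hunk: a zero length can never describe a record.
            raise tarfile.InvalidHeaderError("invalid header")
        value = buf[match.end(2) + 1:match.start(1) + length - 1]
        headers[keyword.decode("utf8")] = value.decode("utf8")
        pos += length
    raise RuntimeError("pax record loop stuck at offset %d" % pos)


# Constructed inputs (not archives from the page or from the CVE PoC).
GOOD_BLOCK = (pax_record(b"path", b"dir/very-long-name.txt")
              + pax_record(b"size", b"1234"))
# Crafted: a length field of 0 in front of an otherwise plausible record.
CRAFTED_BLOCK = b"0 path=evil\n" + pax_record(b"size", b"1")


def crafted_block_behaviour(guard_zero_length):
    """Describe what the parser did on CRAFTED_BLOCK: parsed/rejected/looped."""
    try:
        parse_pax_records(CRAFTED_BLOCK, guard_zero_length=guard_zero_length)
    except tarfile.InvalidHeaderError:
        return "rejected"
    except RuntimeError:
        return "looped"
    return "parsed"


if __name__ == "__main__":
    print(parse_pax_records(GOOD_BLOCK))
    print("unpatched:", crafted_block_behaviour(False))
    print("patched:  ", crafted_block_behaviour(True))
```

Only a length of exactly 0 fails to advance `pos`; a length that is merely too short (say `3 path=x\n`) still moves the offset forward and simply ends the record scan, which is why the single `length == 0` check is sufficient.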
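The realm regexes from the CVE-2020-8492 hunk side by side, as an added example (not code from the thread, the debdiff or CPython beyond the two patterns themselves, which are copied from the removed and added lines of the urllib2 hunk). `TIGHT_RX`, `parse_challenge`, `redos_header` and every header string are this example's own; the timing loop only illustrates growth and nothing asserts on it.

```python
"""Old vs. fixed realm regex from AbstractBasicAuthHandler (CVE-2020-8492).

Added example, not code from the Debian thread. OLD_RX is the removed
pattern and NEW_RX the added one; TIGHT_RX is a further variant of mine.
"""
import re
import time

# Removed by the patch: "(?:.*,)*" is a nested quantifier, so a header
# with n commas and no matching "realm=" is tried about 2**n ways.
OLD_RX = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
                    'realm=(["\']?)([^"\']*)\\2', re.I)

# Added by the patch: each challenge is anchored at the start or after a comma.
NEW_RX = re.compile('(?:^|,)'
                    '[ \t]*'
                    '([^ \t]+)'
                    '[ \t]+'
                    'realm=(["\']?)([^"\']*)\\2',
                    re.I)

# Not in the patch: same anchoring, but the scheme may not contain a comma,
# so "Negotiate,Basic realm=..." yields "Basic" rather than "Negotiate,Basic".
TIGHT_RX = re.compile('(?:^|,)[ \t]*([^ \t,]+)[ \t]+'
                      'realm=(["\']?)([^"\']*)\\2', re.I)


def parse_challenge(header, rx=NEW_RX):
    """Return (scheme, realm) for the first challenge rx accepts, else None."""
    mo = rx.search(header)
    if mo is None:
        return None
    scheme, _quote, realm = mo.groups()
    return scheme, realm


def redos_header(n):
    """Constructed WWW-Authenticate value: n commas and no realm parameter."""
    return "Basic " + "," * n


def search_seconds(rx, header):
    """Wall-clock time of one search; for illustration only."""
    start = time.perf_counter()
    rx.search(header)
    return time.perf_counter() - start


if __name__ == "__main__":
    for header in ('Basic realm="Secure Area"', "Basic realm='x'", "Basic realm=x",
                   'Negotiate, Basic realm="x"', 'Negotiate,Basic realm="x"'):
        print("%-30r old=%r new=%r tight=%r" % (
            header, parse_challenge(header, OLD_RX),
            parse_challenge(header), parse_challenge(header, TIGHT_RX)))
    # Each extra pair of commas roughly quadruples the old pattern's time;
    # the anchored patterns stay flat.
    for n in (10, 12, 14, 16):
        print("commas=%2d old=%.4fs new=%.6fs" % (
            n, search_seconds(OLD_RX, redos_header(n)),
            search_seconds(NEW_RX, redos_header(n))))
```

The `Negotiate,Basic realm="x"` row is the behavioural difference between the three patterns: the old regex and `TIGHT_RX` return `Basic`, the patched `NEW_RX` returns `Negotiate,Basic` because its scheme class still swallows the comma.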

Bug#983531: buster-pu: package python2.7/2.7.16-2+deb10u2

2021-02-25 Thread Matthias Klose
On 2/25/21 7:41 PM, Moritz Muehlenhoff wrote:
> +  * CVE-2021-3177

are all the ctypes tests passing with this patch? See #983516.

Matthias



Bug#983531: buster-pu: package python2.7/2.7.16-2+deb10u2

2021-02-26 Thread Moritz Muehlenhoff
On Fri, Feb 26, 2021 at 07:49:38AM +0100, Matthias Klose wrote:
> On 2/25/21 7:41 PM, Moritz Muehlenhoff wrote:
> > +  * CVE-2021-3177
> 
> are all the ctypes tests passing with this patch? See #983516.

I'll have a look at Marc's updated patch and revise if needed.

Cheers,
Moritz



Bug#983531: buster-pu: package python2.7/2.7.16-2+deb10u2

2021-03-13 Thread Adam D. Barratt
On Fri, 2021-02-26 at 16:30 +0100, Moritz Muehlenhoff wrote:
> On Fri, Feb 26, 2021 at 07:49:38AM +0100, Matthias Klose wrote:
> > On 2/25/21 7:41 PM, Moritz Muehlenhoff wrote:
> > > +  * CVE-2021-3177
> > 
> > are all the ctypes tests passing with this patch? See #983516.
> 
> I'll have a look at Marc's updated patch and revise if needed.

Was there a conclusion on that?

Regards,

Adam



Bug#983531: buster-pu: package python2.7/2.7.16-2+deb10u2

2021-03-18 Thread Moritz Mühlenhoff
On Sat, Mar 13, 2021 at 06:46:38PM +, Adam D. Barratt wrote:
> On Fri, 2021-02-26 at 16:30 +0100, Moritz Muehlenhoff wrote:
> > On Fri, Feb 26, 2021 at 07:49:38AM +0100, Matthias Klose wrote:
> > > On 2/25/21 7:41 PM, Moritz Muehlenhoff wrote:
> > > > +  * CVE-2021-3177
> > > 
> > > are all the ctypes tests passing with this patch? See #983516.
> > 
> > I'll have a look at Marc's updated patch and revise if needed.
> 
> Was there a conclusion on that?

I won't have time for preparing/testing a revised update, this will
need to wait for 10.10

Cheers,
Moritz