Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Fixes three minor security issues, debdiff attached.

Cheers,
        Moritz
diff -Nru python3.7-3.7.3/debian/changelog python3.7-3.7.3/debian/changelog
--- python3.7-3.7.3/debian/changelog    2019-12-20 18:01:46.000000000 +0100
+++ python3.7-3.7.3/debian/changelog    2020-07-25 15:00:39.000000000 +0200
@@ -1,3 +1,11 @@
+python3.7 (3.7.3-2+deb10u2) buster; urgency=medium
+
+  * CVE-2019-20907
+  * CVE-2020-14422
+  * CVE-2020-8492
+
+ -- Moritz Mühlenhoff <j...@debian.org>  Sat, 25 Jul 2020 15:03:44 +0200
+
 python3.7 (3.7.3-2+deb10u1) buster; urgency=medium
 
   * CVE-2019-9740
diff -Nru python3.7-3.7.3/debian/patches/CVE-2019-20907.diff 
python3.7-3.7.3/debian/patches/CVE-2019-20907.diff
--- python3.7-3.7.3/debian/patches/CVE-2019-20907.diff  1970-01-01 
01:00:00.000000000 +0100
+++ python3.7-3.7.3/debian/patches/CVE-2019-20907.diff  2020-07-22 
18:02:59.000000000 +0200
@@ -0,0 +1,26 @@
+From 79c6b602efc9a906c8496f3d5f4d54c54b48fa06 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-isling...@users.noreply.github.com>
+Date: Wed, 15 Jul 2020 05:35:08 -0700
+Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module
+ (GH-21454) (GH-21484)
+
+Avoid infinite loop when reading specially crafted TAR files using the tarfile 
module
+(CVE-2019-20907).
+(cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4)
+
+Co-authored-by: Rishi <rishi_de...@mail.com>
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index 3b596cbf49d27..3be5188c8b0a2 100755
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -1233,6 +1233,8 @@ def _proc_pax(self, tarfile):
+ 
+             length, keyword = match.groups()
+             length = int(length)
++            if length == 0:
++                raise InvalidHeaderError("invalid header")
+             value = buf[match.end(2) + 1:match.start(1) + length - 1]
+ 
+             # Normally, we could just use "utf-8" as the encoding and "strict"
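Review bot: The added guard at `if length == 0:` carries no comment linking it to the loop it protects, so a later reader sees an arbitrary rejection of one value rather than the fix the commit message describes; I'd add above the raise `# A zero-length record would presumably leave the read position unchanged and loop forever (CVE-2019-20907).` The message `"invalid header"` is also generic; `"invalid pax header: zero-length record"` would point whoever sees the traceback at the actual field. `_proc_pax` starts and ends outside the hunk, so the loop itself is not visible here.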
diff -Nru python3.7-3.7.3/debian/patches/CVE-2020-14422.diff 
python3.7-3.7.3/debian/patches/CVE-2020-14422.diff
--- python3.7-3.7.3/debian/patches/CVE-2020-14422.diff  1970-01-01 
01:00:00.000000000 +0100
+++ python3.7-3.7.3/debian/patches/CVE-2020-14422.diff  2020-07-22 
18:02:59.000000000 +0200
@@ -0,0 +1,62 @@
+From b98e7790c77a4378ec4b1c71b84138cb930b69b7 Mon Sep 17 00:00:00 2001
+From: Tapas Kundu <39723251+tapak...@users.noreply.github.com>
+Date: Wed, 1 Jul 2020 00:50:21 +0530
+Subject: [PATCH] [3.7] bpo-41004: Resolve hash collisions for IPv4Interface
+ and IPv6Interface (GH-21033) (GH-21231)
+
+CVE-2020-14422
+The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
+of generating constant hash values of 32 and 128 respectively causing hash 
collisions.
+The fix uses the hash() function to generate hash values for the objects
+instead of XOR operation
+(cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28)
+
+Co-authored-by: Ravi Teja P <rvtej...@gmail.com>
+
+Signed-off-by: Tapas Kundu <tku...@vmware.com>
+---
+
+diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
+index 80249288d73ab..54882934c3dc1 100644
+--- a/Lib/ipaddress.py
++++ b/Lib/ipaddress.py
+@@ -1442,7 +1442,7 @@ def __lt__(self, other):
+             return False
+ 
+     def __hash__(self):
+-        return self._ip ^ self._prefixlen ^ int(self.network.network_address)
++        return hash((self._ip, self._prefixlen, 
int(self.network.network_address)))
+ 
+     __reduce__ = _IPAddressBase.__reduce__
+ 
+@@ -2088,7 +2088,7 @@ def __lt__(self, other):
+             return False
+ 
+     def __hash__(self):
+-        return self._ip ^ self._prefixlen ^ int(self.network.network_address)
++        return hash((self._ip, self._prefixlen, 
int(self.network.network_address)))
+ 
+     __reduce__ = _IPAddressBase.__reduce__
+ 
+diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
+index 455b893fb126f..1fb6a929dc2d9 100644
+--- a/Lib/test/test_ipaddress.py
++++ b/Lib/test/test_ipaddress.py
+@@ -2091,6 +2091,17 @@ def testsixtofour(self):
+                          sixtofouraddr.sixtofour)
+         self.assertFalse(bad_addr.sixtofour)
+ 
++    # issue41004 Hash collisions in IPv4Interface and IPv6Interface
++    def testV4HashIsNotConstant(self):
++        ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4")
++        ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5")
++        self.assertNotEqual(ipv4_address1.__hash__(), 
ipv4_address2.__hash__())
++
++    # issue41004 Hash collisions in IPv4Interface and IPv6Interface
++    def testV6HashIsNotConstant(self):
++        ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")
++        ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")
++        self.assertNotEqual(ipv6_address1.__hash__(), 
ipv6_address2.__hash__())
+ 
+ if __name__ == '__main__':
+     unittest.main()
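Review bot: The new tests `testV4HashIsNotConstant` and `testV6HashIsNotConstant` call the dunder directly; `hash(ipv4_address1)` is the idiomatic spelling and exercises the same path a dict or set would take, e.g. `self.assertNotEqual(hash(ipv4_address1), hash(ipv4_address2))`. The two rewritten `__hash__` bodies would also benefit from a one-line comment recording why the components are folded with `hash()` rather than XOR'd — for a host interface the network address equals `_ip`, so the old XOR cancelled to the bare prefix length — otherwise the fix invites being "simplified" back. Both classes' `__eq__` methods are outside the hunk; I'd confirm the tuple covers exactly the fields `__eq__` compares so equal objects keep equal hashes.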
diff -Nru python3.7-3.7.3/debian/patches/CVE-2020-8492.diff 
python3.7-3.7.3/debian/patches/CVE-2020-8492.diff
--- python3.7-3.7.3/debian/patches/CVE-2020-8492.diff   1970-01-01 
01:00:00.000000000 +0100
+++ python3.7-3.7.3/debian/patches/CVE-2020-8492.diff   2020-07-25 
14:59:50.000000000 +0200
@@ -0,0 +1,25 @@
+Backport of b57a73694e26e8b2391731b5ee0b1be59437388e to only cover
+the CVE-2020-8492 fix without the AbstractBasicAuthHandler change
+
+diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
+index 0d3f9670fef40..4f42919b09eae 100644
+--- a/Lib/urllib/request.py
++++ b/Lib/urllib/request.py
+@@ -944,8 +944,15 @@ class AbstractBasicAuthHandler:
+ 
+     # allow for double- and single-quoted realm values
+     # (single quotes are a violation of the RFC, but appear in the wild)
+-    rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
+-                    'realm=(["\']?)([^"\']*)\\2', re.I)
++    rx = re.compile('(?:^|,)'   # start of the string or ','
++                    '[ \t]*'    # optional whitespaces
++                    '([^ \t]+)' # scheme like "Basic"
++                    '[ \t]+'    # mandatory whitespaces
++                    # realm=xxx
++                    # realm='xxx'
++                    # realm="xxx"
++                    'realm=(["\']?)([^"\']*)\\2',
++                    re.I)
+ 
+     # XXX could pre-emptively send auth info already accepted (RFC 2617,
+     # end of section 2, and section 1.2 immediately after "credentials"
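Review bot: The rewritten `rx` comments each fragment but never says why `(?:^|,)` replaced `(?:.*,)*`; the reason (CVE-2020-8492, a catastrophic-backtracking regular expression in this handler) lives only in the debian/patches header and will not survive a rebase of the class. I'd add above the `re.compile(` line `# Anchored at start-of-string or ',' instead of '(?:.*,)*', whose backtracking made long headers very slow to match (CVE-2020-8492).` The patch header notes the upstream commit's AbstractBasicAuthHandler change was deliberately left out; the code that consumes `rx` is outside the hunk, so it is worth confirming that a header carrying several challenges still resolves as before with only the regex changed. `AbstractBasicAuthHandler` begins before the hunk.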
diff -Nru python3.7-3.7.3/debian/patches/series 
python3.7-3.7.3/debian/patches/series
--- python3.7-3.7.3/debian/patches/series       2019-12-20 17:58:50.000000000 
+0100
+++ python3.7-3.7.3/debian/patches/series       2020-07-22 18:03:39.000000000 
+0200
@@ -43,3 +43,7 @@
 CVE-2019-10160-2.diff
 CVE-2019-16056.diff
 CVE-2019-16935.diff
+CVE-2019-20907.diff
+CVE-2020-14422.diff
+CVE-2020-8492.diff
+
