Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python310 for openSUSE:Factory checked in at 2024-08-10 19:06:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python310 (Old) and /work/SRC/openSUSE:Factory/.python310.new.7232 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "python310" Sat Aug 10 19:06:06 2024 rev:47 rq:1192675 version:3.10.14 Changes: -------- --- /work/SRC/openSUSE:Factory/python310/python310.changes 2024-07-25 12:09:11.690752220 +0200 +++ /work/SRC/openSUSE:Factory/.python310.new.7232/python310.changes 2024-08-10 19:06:10.965752631 +0200 @@ -1,0 +2,13 @@ +Wed Aug 7 13:40:44 UTC 2024 - Matej Cepl <mcepl@cepl.eu> + +- Add CVE-2024-6923-email-hdr-inject.patch to prevent email + header injection due to unquoted newlines (bsc#1228780, + CVE-2024-6923). +- Adding bso1227999-reproducible-builds.patch fixing bsc#1227999 + adding reproducibility patches from gh#python/cpython!121872 + and gh#python/cpython!121883. +- %{profileopt} variable is set according to the variable + %{do_profiling} (bsc#1227999) +- Update bluez-devel-vendor.tar.xz + +------------------------------------------------------------------- New: ---- CVE-2024-6923-email-hdr-inject.patch bso1227999-reproducible-builds.patch BETA DEBUG BEGIN: New: - Add CVE-2024-6923-email-hdr-inject.patch to prevent email header injection due to unquoted newlines (bsc#1228780, New: CVE-2024-6923). - Adding bso1227999-reproducible-builds.patch fixing bsc#1227999 adding reproducibility patches from gh#python/cpython!121872 BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python310.spec ++++++ --- /var/tmp/diff_new_pack.cd7KQi/_old 2024-08-10 19:06:13.565860593 +0200 +++ /var/tmp/diff_new_pack.cd7KQi/_new 2024-08-10 19:06:13.569860759 +0200 @@ -36,6 +36,12 @@ %bcond_without general %endif +%if 0%{?do_profiling} +%bcond_without profileopt +%else +%bcond_with profileopt +%endif + %define python_pkg_name python310 %if "%{python_pkg_name}" == "%{primary_python}" %define primary_interpreter 1 @@ -101,7 +107,6 @@ # pyexpat.cpython-35m-armv7-linux-gnueabihf # _md5.cpython-38m-x86_64-linux-gnu.so %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so -%bcond_without profileopt Name: %{python_pkg_name}%{psuffix} Version: 3.10.14 Release: 0 @@ -198,6 +203,12 @@ # PATCH-FIX-UPSTREAM CVE-2024-4032-private-IP-addrs.patch bsc#1226448 mcepl@suse.com # rearrange definition of private v global IP addresses Patch23: CVE-2024-4032-private-IP-addrs.patch +# PATCH-FIX-UPSTREAM bso1227999-reproducible-builds.patch bsc#1227999 mcepl@suse.com +# reproducibility patches +Patch24: bso1227999-reproducible-builds.patch +# PATCH-FIX-UPSTREAM CVE-2024-6923-email-hdr-inject.patch bsc#1228780 mcepl@suse.com +# prevent email header injection, patch from gh#python/cpython!122608 +Patch25: CVE-2024-6923-email-hdr-inject.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -476,6 +487,8 @@ %patch -p1 -P 21 %patch -p1 -P 22 %patch -p1 -P 23 +%patch -p1 -P 24 +%patch -p1 -P 25 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac ++++++ CVE-2024-6923-email-hdr-inject.patch ++++++ From ff3629b3cedf5e50a7a5f567283778fe5539a11e Mon Sep 17 00:00:00 2001 From: Petr Viktorin <encukou@gmail.com> Date: Wed, 31 Jul 2024 00:19:48 +0200 Subject: [PATCH] [3.10] gh-121650: Encode newlines in headers, and verify headers are sound (GH-122233) Per RFC 2047:

[...] these encoding schemes allow the encoding of arbitrary octet values, mail readers that implement this decoding should also ensure that display of the decoded data on the recipient's terminal will not cause unwanted side-effects

It seems that the "quoted-word" scheme is a valid way to include a newline character in a header value, just like we already allow undecodable bytes or control characters. They do need to be properly quoted when serialized to text, though. This should fail for custom fold() implementations that aren't careful about newlines. (cherry picked from commit 097633981879b3c9de9a1dd120d3aa585ecc2384) Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Bas Bloemsaat <bas@bloemsaat.org> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> --- Doc/library/email.errors.rst | 6 Doc/library/email.policy.rst | 18 ++ Doc/whatsnew/3.10.rst | 12 + Lib/email/_header_value_parser.py | 12 + Lib/email/_policybase.py | 8 + Lib/email/errors.py | 4 Lib/email/generator.py | 13 +- Lib/test/test_email/test_generator.py | 62 ++++++++++ Lib/test/test_email/test_policy.py | 26 ++++ Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst | 5 10 files changed, 162 insertions(+), 4 deletions(-) create mode 100644 Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst --- a/Doc/library/email.errors.rst +++ b/Doc/library/email.errors.rst @@ -59,6 +59,12 @@ The following exception classes are defi :class:`~email.mime.image.MIMEImage`). +.. exception:: HeaderWriteError() + + Raised when an error occurs when the :mod:`~email.generator` outputs + headers. + + Here is the list of the defects that the :class:`~email.parser.FeedParser` can find while parsing messages. Note that the defects are added to the message where the problem was found, so for example, if a message nested inside a --- a/Doc/library/email.policy.rst +++ b/Doc/library/email.policy.rst @@ -229,6 +229,24 @@ added matters. To illustrate:: .. versionadded:: 3.6 + + .. attribute:: verify_generated_headers + + If ``True`` (the default), the generator will raise + :exc:`~email.errors.HeaderWriteError` instead of writing a header + that is improperly folded or delimited, such that it would + be parsed as multiple headers or joined with adjacent data. + Such headers can be generated by custom header classes or bugs + in the ``email`` module. + + As it's a security feature, this defaults to ``True`` even in the + :class:`~email.policy.Compat32` policy. + For backwards compatible, but unsafe, behavior, it must be set to + ``False`` explicitly. + + .. versionadded:: 3.10.15 + + The following :class:`Policy` method is intended to be called by code using the email library to create policy instances with custom settings: --- a/Doc/whatsnew/3.10.rst +++ b/Doc/whatsnew/3.10.rst @@ -2357,3 +2357,15 @@ ipaddress * Fixed ``is_global`` and ``is_private`` behavior in ``IPv4Address``, ``IPv6Address``, ``IPv4Network`` and ``IPv6Network``. + +email +----- + +* Headers with embedded newlines are now quoted on output. + + The :mod:`~email.generator` will now refuse to serialize (write) headers + that are improperly folded or delimited, such that they would be parsed as + multiple headers or joined with adjacent data. + If you need to turn this safety feature off, + set :attr:`~email.policy.Policy.verify_generated_headers`. + (Contributed by Bas Bloemsaat and Petr Viktorin in :gh:`121650`.) --- a/Lib/email/_header_value_parser.py +++ b/Lib/email/_header_value_parser.py @@ -92,6 +92,8 @@ TOKEN_ENDS = TSPECIALS | WSP ASPECIALS = TSPECIALS | set("*'%") ATTRIBUTE_ENDS = ASPECIALS | WSP EXTENDED_ATTRIBUTE_ENDS = ATTRIBUTE_ENDS - set('%') +NLSET = {'\n', '\r'} +SPECIALSNL = SPECIALS | NLSET def quote_string(value): return '"'+str(value).replace('\\', '\\\\').replace('"', r'\"')+'"' @@ -2778,9 +2780,13 @@ def _refold_parse_tree(parse_tree, *, po wrap_as_ew_blocked -= 1 continue tstr = str(part) - if part.token_type == 'ptext' and set(tstr) & SPECIALS: - # Encode if tstr contains special characters. - want_encoding = True + if not want_encoding: + if part.token_type == 'ptext': + # Encode if tstr contains special characters. + want_encoding = not SPECIALSNL.isdisjoint(tstr) + else: + # Encode if tstr contains newlines. + want_encoding = not NLSET.isdisjoint(tstr) try: tstr.encode(encoding) charset = encoding --- a/Lib/email/_policybase.py +++ b/Lib/email/_policybase.py @@ -157,6 +157,13 @@ class Policy(_PolicyBase, metaclass=abc. message_factory -- the class to use to create new message objects. If the value is None, the default is Message. + verify_generated_headers + -- if true, the generator verifies that each header + they are properly folded, so that a parser won't + treat it as multiple headers, start-of-body, or + part of another header. + This is a check against custom Header & fold() + implementations. """ raise_on_defect = False @@ -165,6 +172,7 @@ class Policy(_PolicyBase, metaclass=abc. max_line_length = 78 mangle_from_ = False message_factory = None + verify_generated_headers = True def handle_defect(self, obj, defect): """Based on policy, either raise defect or call register_defect. --- a/Lib/email/errors.py +++ b/Lib/email/errors.py @@ -29,6 +29,10 @@ class CharsetError(MessageError): """An illegal charset was given.""" +class HeaderWriteError(MessageError): + """Error while writing headers.""" + + # These are parsing defects which the parser was able to work around. class MessageDefect(ValueError): """Base class for a message defect.""" --- a/Lib/email/generator.py +++ b/Lib/email/generator.py @@ -14,12 +14,14 @@ import random from copy import deepcopy from io import StringIO, BytesIO from email.utils import _has_surrogates +from email.errors import HeaderWriteError UNDERSCORE = '_' NL = '\n' # XXX: no longer used by the code below. NLCRE = re.compile(r'\r\n|\r|\n') fcre = re.compile(r'^From ', re.MULTILINE) +NEWLINE_WITHOUT_FWSP = re.compile(r'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]')  @@ -223,7 +225,16 @@ class Generator: def _write_headers(self, msg): for h, v in msg.raw_items(): - self.write(self.policy.fold(h, v)) + folded = self.policy.fold(h, v) + if self.policy.verify_generated_headers: + linesep = self.policy.linesep + if not folded.endswith(self.policy.linesep): + raise HeaderWriteError( + f'folded header does not end with {linesep!r}: {folded!r}') + if NEWLINE_WITHOUT_FWSP.search(folded.removesuffix(linesep)): + raise HeaderWriteError( + f'folded header contains newline: {folded!r}') + self.write(folded) # A blank line always separates headers from body self.write(self._NL) --- a/Lib/test/test_email/test_generator.py +++ b/Lib/test/test_email/test_generator.py @@ -6,6 +6,7 @@ from email.message import EmailMessage from email.generator import Generator, BytesGenerator from email.headerregistry import Address from email import policy +import email.errors from test.test_email import TestEmailBase, parameterize @@ -216,6 +217,44 @@ class TestGeneratorBase: g.flatten(msg) self.assertEqual(s.getvalue(), self.typ(expected)) + def test_keep_encoded_newlines(self): + msg = self.msgmaker(self.typ(textwrap.dedent("""\ + To: nobody + Subject: Bad subject=?UTF-8?Q?=0A?=Bcc: injection@example.com + + None + """))) + expected = textwrap.dedent("""\ + To: nobody + Subject: Bad subject=?UTF-8?Q?=0A?=Bcc: injection@example.com + + None + """) + s = self.ioclass() + g = self.genclass(s, policy=self.policy.clone(max_line_length=80)) + g.flatten(msg) + self.assertEqual(s.getvalue(), self.typ(expected)) + + def test_keep_long_encoded_newlines(self): + msg = self.msgmaker(self.typ(textwrap.dedent("""\ + To: nobody + Subject: Bad subject=?UTF-8?Q?=0A?=Bcc: injection@example.com + + None + """))) + expected = textwrap.dedent("""\ + To: nobody + Subject: Bad subject + =?utf-8?q?=0A?=Bcc: + injection@example.com + + None + """) + s = self.ioclass() + g = self.genclass(s, policy=self.policy.clone(max_line_length=30)) + g.flatten(msg) + self.assertEqual(s.getvalue(), self.typ(expected)) + class TestGenerator(TestGeneratorBase, TestEmailBase): @@ -224,6 +263,29 @@ class TestGenerator(TestGeneratorBase, T ioclass = io.StringIO typ = str + def test_verify_generated_headers(self): + """gh-121650: by default the generator prevents header injection""" + class LiteralHeader(str): + name = 'Header' + def fold(self, **kwargs): + return self + + for text in ( + 'Value\r\nBad Injection\r\n', + 'NoNewLine' + ): + with self.subTest(text=text): + message = message_from_string( + "Header: Value\r\n\r\nBody", + policy=self.policy, + ) + + del message['Header'] + message['Header'] = LiteralHeader(text) + + with self.assertRaises(email.errors.HeaderWriteError): + message.as_string() + class TestBytesGenerator(TestGeneratorBase, TestEmailBase): --- a/Lib/test/test_email/test_policy.py +++ b/Lib/test/test_email/test_policy.py @@ -26,6 +26,7 @@ class PolicyAPITests(unittest.TestCase): 'raise_on_defect': False, 'mangle_from_': True, 'message_factory': None, + 'verify_generated_headers': True, } # These default values are the ones set on email.policy.default. # If any of these defaults change, the docs must be updated. @@ -277,6 +278,31 @@ class PolicyAPITests(unittest.TestCase): with self.assertRaises(email.errors.HeaderParseError): policy.fold("Subject", subject) + def test_verify_generated_headers(self): + """Turning protection off allows header injection""" + policy = email.policy.default.clone(verify_generated_headers=False) + for text in ( + 'Header: Value\r\nBad: Injection\r\n', + 'Header: NoNewLine' + ): + with self.subTest(text=text): + message = email.message_from_string( + "Header: Value\r\n\r\nBody", + policy=policy, + ) + class LiteralHeader(str): + name = 'Header' + def fold(self, **kwargs): + return self + + del message['Header'] + message['Header'] = LiteralHeader(text) + + self.assertEqual( + message.as_string(), + f"{text}\nBody", + ) + # XXX: Need subclassing tests. # For adding subclassed objects, make sure the usual rules apply (subclass # wins), but that the order still works (right overrides left). --- /dev/null +++ b/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst @@ -0,0 +1,5 @@ +:mod:`email` headers with embedded newlines are now quoted on output. The +:mod:`~email.generator` will now refuse to serialize (write) headers that +are unsafely folded or delimited; see +:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas +Bloemsaat and Petr Viktorin in :gh:`121650`.) ++++++ bluez-devel-vendor.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Vendor/bluetooth/bluetooth.h new/Vendor/bluetooth/bluetooth.h --- old/Vendor/bluetooth/bluetooth.h 2022-08-02 19:10:37.342670733 +0200 +++ new/Vendor/bluetooth/bluetooth.h 2024-08-07 15:40:00.319405460 +0200 @@ -6,6 +6,7 @@ * Copyright (C) 2000-2001 Qualcomm Incorporated * Copyright (C) 2002-2003 Maxim Krasnyansky <maxk@qualcomm.com> * Copyright (C) 2002-2010 Marcel Holtmann <marcel@holtmann.org> + * Copyright 2023 NXP * * */ @@ -37,6 +38,7 @@ #define BTPROTO_CMTP 5 #define BTPROTO_HIDP 6 #define BTPROTO_AVDTP 7 +#define BTPROTO_ISO 8 #define SOL_HCI 0 #define SOL_L2CAP 6 @@ -140,7 +142,68 @@ #define BT_SCM_PKT_STATUS 0x03 -#define BT_CODEC 19 +#define BT_ISO_QOS 17 + +#define BT_ISO_QOS_CIG_UNSET 0xff +#define BT_ISO_QOS_CIS_UNSET 0xff + +#define BT_ISO_QOS_BIG_UNSET 0xff +#define BT_ISO_QOS_BIS_UNSET 0xff + +#define BT_ISO_QOS_GROUP_UNSET 0xff +#define BT_ISO_QOS_STREAM_UNSET 0xff + +struct bt_iso_io_qos { + uint32_t interval; + uint16_t latency; + uint16_t sdu; + uint8_t phy; + uint8_t rtn; +}; + +struct bt_iso_ucast_qos { + uint8_t cig; + uint8_t cis; + uint8_t sca; + uint8_t packing; + uint8_t framing; + struct bt_iso_io_qos in; + struct bt_iso_io_qos out; +}; + +struct bt_iso_bcast_qos { + uint8_t big; + uint8_t bis; + uint8_t sync_factor; + uint8_t packing; + uint8_t framing; + struct bt_iso_io_qos in; + struct bt_iso_io_qos out; + uint8_t encryption; + uint8_t bcode[16]; + uint8_t options; + uint16_t skip; + uint16_t sync_timeout; + uint8_t sync_cte_type; + uint8_t mse; + uint16_t timeout; +}; + +/* (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH) */ +#define BASE_MAX_LENGTH 248 +struct bt_iso_base { + uint8_t base_len; + uint8_t base[BASE_MAX_LENGTH]; +}; + +struct bt_iso_qos { + union { + struct bt_iso_ucast_qos ucast; + struct bt_iso_bcast_qos bcast; + }; +}; + +#define BT_CODEC 19 struct bt_codec { uint8_t id; uint16_t cid; @@ -158,6 +221,7 @@ struct bt_codec codecs[]; } __attribute__((packed)); + /* Connection and socket states */ enum { BT_CONNECTED = 1, /* Equal to TCP_ESTABLISHED to make net code happy */ @@ -171,6 +235,8 @@ BT_CLOSED }; +#define BT_ISO_BASE 20 + /* Byte order conversions */ #if __BYTE_ORDER == __LITTLE_ENDIAN #define htobs(d) (d) @@ -378,6 +444,10 @@ const char *bt_compidtostr(int id); typedef struct { + uint8_t data[3]; +} uint24_t; + +typedef struct { uint8_t data[16]; } uint128_t; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Vendor/bluetooth/l2cap.h new/Vendor/bluetooth/l2cap.h --- old/Vendor/bluetooth/l2cap.h 2022-08-02 19:10:37.342670733 +0200 +++ new/Vendor/bluetooth/l2cap.h 2024-08-07 15:40:00.322738820 +0200 @@ -184,6 +184,8 @@ #define L2CAP_MODE_FLOWCTL 0x02 #define L2CAP_MODE_ERTM 0x03 #define L2CAP_MODE_STREAMING 0x04 +#define L2CAP_MODE_LE_FLOWCTL 0x80 +#define L2CAP_MODE_ECRED 0x81 #define L2CAP_SERVTYPE_NOTRAFFIC 0x00 #define L2CAP_SERVTYPE_BESTEFFORT 0x01 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Vendor/bluetooth/sdp_lib.h new/Vendor/bluetooth/sdp_lib.h --- old/Vendor/bluetooth/sdp_lib.h 2022-08-02 19:10:37.342670733 +0200 +++ new/Vendor/bluetooth/sdp_lib.h 2024-08-07 15:40:00.322738820 +0200 @@ -141,7 +141,8 @@ /* flexible extraction of basic attributes - Jean II */ int sdp_get_int_attr(const sdp_record_t *rec, uint16_t attr, int *value); -int sdp_get_string_attr(const sdp_record_t *rec, uint16_t attr, char *value, int valuelen); +int sdp_get_string_attr(const sdp_record_t *rec, uint16_t attr, char *value, + size_t valuelen); /* * Basic sdp data functions @@ -543,32 +544,38 @@ int sdp_get_service_ttl(const sdp_record_t *rec, uint32_t *svcTTLInfo); int sdp_get_database_state(const sdp_record_t *rec, uint32_t *svcDBState); -static inline int sdp_get_service_name(const sdp_record_t *rec, char *str, int len) +static inline int sdp_get_service_name(const sdp_record_t *rec, char *str, + size_t len) { return sdp_get_string_attr(rec, SDP_ATTR_SVCNAME_PRIMARY, str, len); } -static inline int sdp_get_service_desc(const sdp_record_t *rec, char *str, int len) +static inline int sdp_get_service_desc(const sdp_record_t *rec, char *str, + size_t len) { return sdp_get_string_attr(rec, SDP_ATTR_SVCDESC_PRIMARY, str, len); } -static inline int sdp_get_provider_name(const sdp_record_t *rec, char *str, int len) +static inline int sdp_get_provider_name(const sdp_record_t *rec, char *str, + size_t len) { return sdp_get_string_attr(rec, SDP_ATTR_PROVNAME_PRIMARY, str, len); } -static inline int sdp_get_doc_url(const sdp_record_t *rec, char *str, int len) +static inline int sdp_get_doc_url(const sdp_record_t *rec, char *str, + size_t len) { return sdp_get_string_attr(rec, SDP_ATTR_DOC_URL, str, len); } -static inline int sdp_get_clnt_exec_url(const sdp_record_t *rec, char *str, int len) +static inline int sdp_get_clnt_exec_url(const sdp_record_t *rec, char *str, + size_t len) { return sdp_get_string_attr(rec, SDP_ATTR_CLNT_EXEC_URL, str, len); } -static inline int sdp_get_icon_url(const sdp_record_t *rec, char *str, int len) +static inline int sdp_get_icon_url(const sdp_record_t *rec, char *str, + size_t len) { return sdp_get_string_attr(rec, SDP_ATTR_ICON_URL, str, len); } ++++++ bso1227999-reproducible-builds.patch ++++++ From ac2b8869724d7a57d9b5efbdce2f20423214e8bb Mon Sep 17 00:00:00 2001 From: "Bernhard M. Wiedemann" <bwiedemann@suse.de> Date: Tue, 16 Jul 2024 21:39:33 +0200 Subject: [PATCH] Allow to override build date with SOURCE_DATE_EPOCH to make builds reproducible. See https://reproducible-builds.org/ for why this is good and https://reproducible-builds.org/specs/source-date-epoch/ for the definition of this variable. --- Doc/conf.py | 3 ++- Doc/library/functions.rst | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) --- a/Doc/conf.py +++ b/Doc/conf.py @@ -89,7 +89,8 @@ html_short_title = '%s Documentation' % # If not '', a 'Last updated on:' timestamp is inserted at every page bottom, # using the given strftime format. -html_last_updated_fmt = '%b %d, %Y' +html_time = int(os.environ.get('SOURCE_DATE_EPOCH', time.time())) +html_last_updated_fmt = time.strftime('%b %d, %Y (%H:%M UTC)', time.gmtime(html_time)) # Path to find HTML templates. templates_path = ['tools/templates'] --- a/Doc/library/functions.rst +++ b/Doc/library/functions.rst @@ -1320,7 +1320,7 @@ are always available. They are listed h (where :func:`open` is declared), :mod:`os`, :mod:`os.path`, :mod:`tempfile`, and :mod:`shutil`. - .. audit-event:: open file,mode,flags open + .. audit-event:: open path,mode,flags open The ``mode`` and ``flags`` arguments may have been modified or inferred from the original call.