Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python for openSUSE:Factory checked in at 2021-09-30 23:42:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python (Old)
and /work/SRC/openSUSE:Factory/.python.new.2443 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python"
Thu Sep 30 23:42:52 2021 rev:158 rq:921455 version:2.7.18
Changes:
--------
--- /work/SRC/openSUSE:Factory/python/python-base.changes 2021-09-21 21:12:21.786585740 +0200
+++ /work/SRC/openSUSE:Factory/.python.new.2443/python-base.changes 2021-09-30 23:43:06.772449973 +0200
@@ -1,0 +2,15 @@
+Tue Sep 21 14:54:40 UTC 2021 - Matej Cepl
+
+- Add CVE-2019-20907_tarfile-inf-loop.patch fixing bsc#1174091
+ (CVE-2019-20907, bpo#39017) avoiding possible infinite loop
+ in specifically crafted tarball.
+ Add recursion.tar as a testing tarball for the patch.
+- Provide the newest setuptools wheel (bsc#1176262,
+ CVE-2019-20916) in their correct form (bsc#1180686).
+- Add CVE-2020-26116-httplib-header-injection.patch fixing bsc#1177211
+ (CVE-2020-26116, bpo#39603) no longer allowing special characters in
+ the method parameter of HTTPConnection.putrequest in httplib, stopping
+ injection of headers. Such characters now raise ValueError.
+
+
+-------------------------------------------------------------------
@@ -78,4 +93,3 @@
- - Disallow control characters in hostnames in http.client,
- addressing CVE-2019-18348 (bpo#38576, bsc#1155094). Such
- potentially malicious header injection URLs now cause
- InvalidURL to be raised.
+ - bsc#1155094 (CVE-2019-18348) Disallow control characters in
+ hostnames in http.client. Such potentially malicious header
+ injection URLs now cause a InvalidURL to be raised.
@@ -305,2 +319,3 @@
-- bsc#1109847: add CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch
- fixing bpo-34623.
+- bsc#1109847 (CVE-2018-14647): add
+ CVE-2018-14647_XML_SetHashSalt-in_elementtree.patch fixing
+ bpo-34623.
@@ -325 +340 @@
- fixing bpo-35746.
+ fixing bpo-35746 (CVE-2019-5010).
python-doc.changes: same change
python.changes: same change
New:
----
CVE-2019-20907_tarfile-inf-loop.patch
CVE-2020-26116-httplib-header-injection.patch
pip-20.2.3-py2.py3-none-any.whl
recursion.tar
setuptools-44.1.1-py2.py3-none-any.whl
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-base.spec ++++++
--- /var/tmp/diff_new_pack.sMexpK/_old 2021-09-30 23:43:08.084451475 +0200
+++ /var/tmp/diff_new_pack.sMexpK/_new 2021-09-30 23:43:08.088451480 +0200
@@ -34,6 +34,11 @@
Source2: baselibs.conf
Source3: README.SUSE
Source5: local.pth
+# Fixed bundled wheels
+Source10: setuptools-44.1.1-py2.py3-none-any.whl
+Source11: pip-20.2.3-py2.py3-none-any.whl
+# For Patch 66
+Source66: recursion.tar
Source99: python-base-rpmlintrc
# COMMON-PATCH-BEGIN
Patch1: python-2.7-dirs.patch
@@ -109,6 +114,14 @@
Patch64: CVE-2021-3733-fix-ReDoS-in-request.patch
# PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bpo#35293 gh#python/cpython#22198 -- fix doc build
Patch65: sphinx-update-removed-function.patch
+# PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com
+# avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907)
+# REQUIRES SOURCE 66
+Patch66: CVE-2019-20907_tarfile-inf-loop.patch
+# PATCH-FIX-UPSTREAM CVE-2020-26116-httplib-header-injection.patch bsc#1177211
+# Fixes httplib to disallow control characters in method to avoid header
+# injection
+Patch67: CVE-2020-26116-httplib-header-injection.patch
# COMMON-PATCH-END
%define python_version %(echo %{tarversion} | head -c 3)
BuildRequires: automake
@@ -239,11 +252,25 @@
%patch63 -p1
%patch64 -p1
%patch65 -p1
+%patch66 -p1
+%patch67 -p1
+
+# For patch 66
+cp -v %{SOURCE66} Lib/test/recursion.tar
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac
# COMMON-PREP-END
+# Replace bundled wheels with the updates ones
+rm -v Lib/ensurepip/_bundled/*.whl
+cp -v %{SOURCE10} %{SOURCE11} Lib/ensurepip/_bundled/
+STVER=$(basename %{SOURCE10}|cut -d- -f2)
+PIPVER=$(basename %{SOURCE11}|cut -d- -f2)
+sed -i -e "s/^\(\s*_SETUPTOOLS_VERSION\s\+=\s\+\)\"[0-9.]\+\"/\1\"${STVER}\"/" \
+ -e "s/^\(\s*_PIP_VERSION\s\+=\s\+\)\"[0-9.]\+\"/\1\"${PIPVER}\"/" \
+ Lib/ensurepip/__init__.py
+
%build
%define _lto_cflags %{nil}
export OPT="%{optflags} -DOPENSSL_LOAD_CONF -fwrapv"
@@ -320,7 +347,7 @@
if test $(ulimit -v) = unlimited || test $(ulimit -v) -gt 10000000; then
ulimit -v 10000000 || :
fi
-make test TESTOPTS="-l -x $EXCLUDE" TESTPYTHONOPTS="-R"
+make test TESTOPTS="-l -w -x $EXCLUDE" TESTPYTHONOPTS="-R"
# use network, be verbose:
#make test TESTOPTS="-l -u network -v"
%endif
++++++ python-doc.spec ++++++
--- /var/tmp/diff_new_pack.sMexpK/_old 2021-09-30 23:43:08.124451521 +0200
+++ /var/tmp/diff_new_pack.sMexpK/_new 2021-09-30 23:43:08.124451521 +0200
@@ -31,6 +31,8 @@
#Source3: http://docs.python.org/%{version}/archives/python-%{pyver}-docs-pdf-letter.tar.bz2
Source2: python-%{version}-docs-pdf-a4.tar.bz2
Source3: python-%{version}-docs-pdf-letter.tar.bz2
+# For Patch 66
+Source66: recursion.tar
%if 0%{?suse_version} >= 1500
BuildRequires: python3-Sphinx
%else
@@ -111,6 +113,14 @@
Patch64: CVE-2021-3733-fix-ReDoS-in-request.patch
# PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bpo#35293 gh#python/cpython#22198 -- fix doc build
Patch65: sphinx-update-removed-function.patch
+# PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com
+# avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907)
+# REQUIRES SOURCE 66
+Patch66: CVE-2019-20907_tarfile-inf-loop.patch
+# PATCH-FIX-UPSTREAM CVE-2020-26116-httplib-header-injection.patch bsc#1177211
+# Fixes httplib to disallow control characters in method to avoid header
+# injection
+Patch67: CVE-2020-26116-httplib-header-injection.patch
# COMMON-PATCH-END
Provides: pyth_doc = %{version}
Provides: pyth_ps = %{version}
@@ -183,17 +193,16 @@
%patch63 -p1
%patch64 -p1
%patch65 -p1
+%patch66 -p1
+%patch67 -p1
+
+# For patch 66
+cp -v %{SOURCE66} Lib/test/recursion.tar
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac
# COMMON-PREP-END
-# Update documentation formatting for Sphinx 3.0 (bpo#40204)
-for i in `find Doc/ -type f -name "*.rst"`
-do
- sed -i 's/:c:type:/:c:expr:/g' $i
-done
-
%build
TODAY_DATE=`date -r %{S:0} "+%B %d, %Y"`
# TODO use not date of tarball but date of latest patch
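Review bot: The removal of the Doc/ loop that rewrote :c:type: to :c:expr: (bpo#40204) is not mentioned in the python-base.changes hunk, which python-doc.changes is said to mirror, so the reason the rewrite is no longer needed is not recorded anywhere in this submission. Presumably it is superseded by sphinx-update-removed-function.patch (Patch65), but that is not visible here and should be stated rather than inferred. A changelog line of the form `- Drop the Doc/ :c:type: -> :c:expr: rewrite loop from python-doc.spec (bpo#40204)` followed by the reason would close the gap. The %prep section continues outside the hunk.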
++++++ python.spec ++++++
--- /var/tmp/diff_new_pack.sMexpK/_old 2021-09-30 23:43:08.160451562 +0200
+++ /var/tmp/diff_new_pack.sMexpK/_new 2021-09-30 23:43:08.180451586 +0200
@@ -32,6 +32,8 @@
Source50: idle.appdata.xml
Source51: idle.desktop
# issues with copyrighted Unicode testing files
+# For Patch 66
+Source66: recursion.tar
# !!!!!!!!!!!!!!
# do not add or edit patches here. please edit python-base.spec
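Review bot: The new `# For Patch 66` / `Source66: recursion.tar` pair is inserted directly under the pre-existing comment `# issues with copyrighted Unicode testing files`, so that comment now reads as if it described recursion.tar, while in python-base.spec the same two lines sit among the other Source entries. Moving the pair up to follow `Source51: idle.desktop` keeps the Unicode-test remark attached to whatever it originally referred to. The surrounding Source block continues outside the hunk.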
@@ -111,6 +113,14 @@
Patch64: CVE-2021-3733-fix-ReDoS-in-request.patch
# PATCH-FIX-UPSTREAM sphinx-update-removed-function.patch bpo#35293 gh#python/cpython#22198 -- fix doc build
Patch65: sphinx-update-removed-function.patch
+# PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com
+# avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907)
+# REQUIRES SOURCE 66
+Patch66: CVE-2019-20907_tarfile-inf-loop.patch
+# PATCH-FIX-UPSTREAM CVE-2020-26116-httplib-header-injection.patch bsc#1177211
+# Fixes httplib to disallow control characters in method to avoid header
+# injection
+Patch67: CVE-2020-26116-httplib-header-injection.patch
# COMMON-PATCH-END
BuildRequires: automake
BuildRequires: db-devel
@@ -297,6 +307,11 @@
%patch63 -p1
%patch64 -p1
%patch65 -p1
+%patch66 -p1
+%patch67 -p1
+
+# For patch 66
+cp -v %{SOURCE66} Lib/test/recursion.tar
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac
++++++ CVE-2019-20907_tarfile-inf-loop.patch ++++++
From 1fa6ef2bc7cee1c8e088dd8b397d9b2d54036dbc Mon Sep 17 00:00:00 2001
From: Rajarishi Devarajan
Date: Sun, 12 Jul 2020 23:47:42 +0200
Subject: [PATCH 1/4] bpo-39017 Fix infinite loop in the tarfile module
Add a check for length = 0 in the _proc_pax function to avoid running into an infinite loop
---
Lib/tarfile.py | 2 ++
Lib/test/test_tarfile.py | 5 +++++
Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | 1 +
3 files changed, 8 insertions(+)
create mode 100644 Lib/test/recursion.tar
--- a/Lib/tarfile.py
+++ b/Lib/tarfile.py
@@ -1400,6 +1400,8 @@ class TarInfo(object):
length, keyword = match.groups()
length = int(length)
+ if length == 0:
+ raise InvalidHeaderError("invalid header")
value = buf[match.end(2) + 1:match.start(1) + length - 1]
keyword = keyword.decode("utf8")
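Review bot: The new guard on the pax record length carries no comment saying what a zero length breaks, and the enclosing TarInfo method (_proc_pax per the commit message) starts and ends outside the hunk, so a reader cannot see the loop it protects. A one-line why-comment ties it to the advisory: `# bpo-39017 / CVE-2019-20907: a zero-length record would never advance the parse position and loop forever`. A length that is positive but smaller than the record header itself still passes this check and would seem to produce a short or empty slice on the following line; that appears to match the upstream fix, so this is a documentation point rather than a request to widen the check.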
--- a/Lib/test/test_tarfile.py
+++ b/Lib/test/test_tarfile.py
@@ -321,6 +321,11 @@ class CommonReadTest(ReadTest):
with self.assertRaisesRegexp(tarfile.ReadError, "unexpected end of data"):
tar.extractfile(t).read()
+ def test_length_zero_header(self):
+ # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail
+ # with an exception
+ self.assertRaises(tarfile.ReadError, tarfile.open, test_support.findfile('recursion.tar'))
+
class MiscReadTest(CommonReadTest):
taropen = tarfile.TarFile.taropen
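Review bot: The test asserts tarfile.ReadError, while the code path it exercises raises InvalidHeaderError; the two only line up if TarFile's header-reading loop (outside this patch) converts the HeaderError into a ReadError, which the test neither states nor pins. Recording the dependency keeps the next maintainer from "fixing" either side: `# TarFile.next() is expected to turn the InvalidHeaderError raised in _proc_pax into ReadError`. If that conversion preserves the message, `self.assertRaisesRegexp(tarfile.ReadError, "invalid header", tarfile.open, test_support.findfile('recursion.tar'))` would also distinguish the intended failure from any other ReadError on that file. The CommonReadTest class continues outside the hunk.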
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
@@ -0,0 +1 @@
+Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
++++++ CVE-2020-26116-httplib-header-injection.patch ++++++
---
Lib/httplib.py | 15 +++++++++++++++
Lib/test/test_httplib.py | 22 +++++++++++++++++++++-
2 files changed, 36 insertions(+), 1 deletion(-)
--- a/Lib/httplib.py
+++ b/Lib/httplib.py
@@ -262,6 +262,10 @@ _contains_disallowed_url_pchar_re = re.c
_METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+# These characters are not allowed within HTTP method names
+# to prevent http header injection.
+_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
+
class HTTPMessage(mimetools.Message):
def addheader(self, key, value):
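Review bot: The new character class `[\x00-\x1f]` rejects only C0 controls, so DEL (0x7f) and non-ASCII bytes in a method name still reach the request line; that matches the upstream fix, whose aim is CR/LF header splitting, but the comment above it says such characters are "not allowed within HTTP method names", which a reader may take for full token validation per RFC 7230. Tighten the comment to the real scope: `# Reject C0 control characters (CR/LF in particular) in the method name to prevent header injection; this is not full RFC 7230 token validation.`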
@@ -940,6 +944,8 @@ class HTTPConnection:
else:
raise CannotSendRequest()
+ self._validate_method(method)
+
# Save the method for use later in the response phase
self._method = method
@@ -1179,6 +1185,15 @@ class HTTPConnection:
response.close()
raise
+ def _validate_method(self, method):
+ """Validate a method name for putrequest."""
+ # prevent http header injection
+ match = _contains_disallowed_method_pchar_re.search(method)
+ if match:
+ raise ValueError(
+ "method can't contain control characters. %r (found at "
+ "least %r)" % (method, match.group()))
+
class HTTP:
"Compatibility class with httplib.py from 1.5."
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
@@ -1007,10 +1007,30 @@ class TunnelTests(TestCase):
self.assertTrue('Host: destination.com' in conn.sock.data)
+class HttpMethodTests(TestCase):
+ def test_invalid_method_names(self):
+ methods = (
+ 'GET\r',
+ 'POST\n',
+ 'PUT\n\r',
+ 'POST\nValue',
+ 'POST\nHOST:abc',
+ 'GET\nrHost:abc\n',
+ 'POST\rRemainder:\r',
+ 'GET\rHOST:\n',
+ '\nPUT'
+ )
+
+ for method in methods:
+ conn = httplib.HTTPConnection('example.com')
+ conn.sock = FakeSocket(None)
+ self.assertRaises(ValueError, conn.request, method=method, url="/")
+
+
@test_support.reap_threads
def test_main(verbose=None):
test_support.run_unittest(HeaderTests, OfflineTest, BasicTest, TimeoutTest,
- HTTPTest, HTTPSTest, SourceAddressTest,
+ HTTPTest, HttpMethodTests, HTTPSTest, SourceAddressTest,
TunnelTests)
if __name__ == '__main__':
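Review bot: HttpMethodTests covers only rejected inputs; nothing asserts that an ordinary method still goes through now that the validation hook sits in putrequest, and no case states whether a method containing DEL or a non-ASCII byte is meant to be accepted, so the boundary of the new check is left undocumented by the tests. A positive case along the lines of `conn = httplib.HTTPConnection('example.com')`, `conn.sock = FakeSocket(None)`, `conn.request('GET', '/')` with no exception expected guards against the hook breaking normal requests, and one explicit boundary case such as `'GET\x7f'` with its intended outcome spelled out would pin the scope. Whether FakeSocket(None) accepts a full send is not visible here and should be checked against the helper's definition.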