diff --git a/SOURCES/CVE-2020-26137.patch b/SOURCES/CVE-2020-26137.patch
new file mode 100644
index 0000000..1ca32a8
--- /dev/null
+++ b/SOURCES/CVE-2020-26137.patch
@@ -0,0 +1,37 @@
+diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
+index 02b3665..1ab1890 100644
+--- a/src/urllib3/connection.py
++++ b/src/urllib3/connection.py
+@@ -1,4 +1,5 @@
+ from __future__ import absolute_import
++import re
+ import datetime
+ import logging
+ import os
+@@ -61,6 +62,8 @@ port_by_scheme = {
+ # after 2016-01-01 (today - 2 years) AND before 2017-07-01 (today - 6 months)
+ RECENT_DATE = datetime.date(2017, 6, 30)
+ 
++_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
++
+ 
+ class DummyConnection(object):
+ """Used to detect a failed ConnectionCls import."""
+@@ -181,6 +184,17 @@ class HTTPConnection(_HTTPConnection, object):
+ conn = self._new_conn()
+ self._prepare_conn(conn)
+ 
++ def putrequest(self, method, url, *args, **kwargs):
++ """Send a request to the server"""
++ match = _CONTAINS_CONTROL_CHAR_RE.search(method)
++ if match:
++ raise ValueError(
++ "Method cannot contain non-token characters %r (found at least %r)"
++ % (method, match.group())
++ )
++
++ return _HTTPConnection.putrequest(self, method, url, *args, **kwargs)
++
+ def request_chunked(self, method, url, body=None, headers=None):
+ """
+ Alternative to the common request method, which sends the
diff --git a/SPECS/python-urllib3.spec b/SPECS/python-urllib3.spec
index bc1c2e8..16e54ba 100644
--- a/SPECS/python-urllib3.spec
+++ b/SPECS/python-urllib3.spec
@@ -1,10 +1,10 @@
-%bcond_without python3
+%bcond_with python3
 %global srcname urllib3
 Name: python-%{srcname}
 Version: 1.24.2
-Release: 1%{?dist}
+Release: 3%{?dist}
 Summary: Python HTTP library with thread-safe connection pooling and file post
 License: MIT
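Review bot: The new putrequest override's docstring `"""Send a request to the server"""` says nothing about the validation it adds, and the constant name `_CONTAINS_CONTROL_CHAR_RE` is narrower than what the pattern does: it matches any character outside the RFC 7230 token set, not only CR/LF or other control characters, so a space or `/` in `method` is rejected as well. Since this is a backport of upstream PR 1800 the code is best kept verbatim, but a docstring such as `"""Send a request to the server; rejects a method containing non-token characters (RFC 7230 tchar) so CR/LF cannot be injected into the request line."""` would make the intent clear to whoever next touches the spec. Only `method` is validated here; the `url` argument is passed through untouched, which is presumably covered by Patch1 (CVE-2019-11236) — worth verifying. The enclosing class HTTPConnection continues outside the hunk.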
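Review bot: The default flips from `%bcond_without python3` to `%bcond_with python3`, which stops building the python3 subpackage unless `--with python3` is passed at build time, yet neither new changelog entry (1.24.2-2 and 1.24.2-3, later in the diff) records that change. If the flip is intentional, add a changelog line and a comment above the bcond, e.g. `# python3 build disabled by default: <reason>`; if it is an accidental carry-over from a different branch it should be reverted. The hunk also bumps Release to 3 in one step, which matches the two changelog entries.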
@@ -24,6 +24,11 @@ BuildArch: noarch
 # * https://github.com/urllib3/urllib3/pull/1593
 Patch1: CVE-2019-11236.patch
+# CVE-2020-26137
+# CRLF injection via HTTP request method
+# Resolved upstream: https://github.com/urllib3/urllib3/pull/1800
+Patch2: CVE-2020-26137.patch
+
 %description
 Python HTTP module with connection pooling and file POST abilities.
@@ -78,6 +83,7 @@ Python3 HTTP module with connection pooling and file POST abilities.
 %setup -q -n %{srcname}-%{version}
 %patch1 -p1
+%patch2 -p1
 # Drop the dummyserver tests in koji.
 # These require tornado, a Web framework otherwise unused in the distro.
@@ -94,6 +100,26 @@ rm -rf test/contrib/
 # fail when combined with the unbundling of backports-ssl_match_hostname
 rm -f test/test_no_ssl.py
+# Make sure that the RECENT_DATE value doesn't get too far behind what the current date is.
+# RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date
+# (from test/test_connection.py) would fail. However, it shouldn't be to close to the build time either,
+# since a user's system time could be set to a little in the past from what build time is (because of timezones,
+# corner cases, etc). As stated in the comment in src/urllib3/connection.py:
+# When updating RECENT_DATE, move it to within two years of the current date,
+# and not less than 6 months ago.
+# Example: if Today is 2018-01-01, then RECENT_DATE should be any date on or
+# after 2016-01-01 (today - 2 years) AND before 2017-07-01 (today - 6 months)
+# There is also a test_ssl_wrong_system_time test (from test/with_dummyserver/test_https.py) that tests if
+# user's system time isn't set as too far in the past, because it could lead to SSL verification errors.
+# That is why we need RECENT_DATE to be set at most 2 years ago (or else test_ssl_wrong_system_time would
+# result in false positive), but before at least 6 month ago (so this test could tolerate user's system time being
+# set to some time in the past, but not to far away from the present).
+# Next few lines update RECENT_DATE dynamically.
+
+recent_date=$(date --date "7 month ago" +"%Y, %_m, %_d")
+sed -i "s/^RECENT_DATE = datetime.date(.*)/RECENT_DATE = datetime.date($recent_date)/" src/urllib3/connection.py
+
+
 %build
 %py2_build
 %if %{with python3}
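Review bot: The sed substitution on the last added lines fails silently: if the `RECENT_DATE = datetime.date(...)` line ever changes shape in the unpacked source, nothing is replaced, the build carries on with the stale date, and the problem only surfaces later in test_recent_date. A one-line check after the sed turns that into a build error, `grep -q "^RECENT_DATE = datetime.date($recent_date)$" src/urllib3/connection.py`. Embedding the build date also makes the patched source differ between rebuilds; deriving the date from `SOURCE_DATE_EPOCH` when that variable is set would keep the intent while staying reproducible. The comment block has a few typos worth fixing while here (`older that` → `older than`, `to close` → `too close`, `not to far` → `not too far`).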
@@ -162,6 +188,14 @@ py.test-3
 %changelog
+* Thu Nov 12 2020 Tomas Orsava - 1.24.2-3
+- Update RECENT_DATE dynamically
+Related: rhbz#1883890 rhbz#1761380
+
+* Fri Oct 09 2020 Charalampos Stratakis - 1.24.2-2
+- Security fix for CVE-2020-26137
+Resolves: rhbz#1883890
+
 * Fri May 03 2019 Tomas Orsava - 1.24.2-1
 - Rebased to 1.24.2 to fix CVE-2019-11324
 - Added patches for CVE-2019-11236 (AKA CVE-2019-9740)