From ce22076769bf01abe5341b496984031bd150e289 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jun 04 2019 15:41:16 +0000
Subject: import python-2.7.5-79.el7_6
---
diff --git a/SOURCES/00320-CVE-2019-9636.patch b/SOURCES/00320-CVE-2019-9636.patch
new file mode 100644
index 0000000..e181540
--- /dev/null
+++ b/SOURCES/00320-CVE-2019-9636.patch
@@ -0,0 +1,145 @@
+diff --git a/Doc/library/urlparse.rst b/Doc/library/urlparse.rst
+index efd112d..61022f7 100644
+--- a/Doc/library/urlparse.rst
++++ b/Doc/library/urlparse.rst
+@@ -118,6 +118,12 @@ The :mod:`urlparse` module defines the following functions:
+ See section :ref:`urlparse-result-object` for more information on the result
+ object.
+
++ Characters in the :attr:`netloc` attribute that decompose under NFKC
++ normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
++ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
++ decomposed before parsing, or is not a Unicode string, no error will be
++ raised.
++
+ .. versionchanged:: 2.5
+ Added attributes to return value.
+
+@@ -125,6 +131,11 @@ The :mod:`urlparse` module defines the following functions:
+ Added IPv6 URL parsing capabilities.
+
+
++ .. versionchanged:: 2.7.17
++ Characters that affect netloc parsing under NFKC normalization will
++ now raise :exc:`ValueError`.
++
++
+ .. function:: parse_qs(qs[, keep_blank_values[, strict_parsing]])
+
+ Parse a query string given as a string argument (data of type
+@@ -219,11 +230,21 @@ The :mod:`urlparse` module defines the following functions:
+ See section :ref:`urlparse-result-object` for more information on the result
+ object.
+
++ Characters in the :attr:`netloc` attribute that decompose under NFKC
++ normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
++ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
++ decomposed before parsing, or is not a Unicode string, no error will be
++ raised.
++
+ .. versionadded:: 2.2
+
+ .. versionchanged:: 2.5
+ Added attributes to return value.
+
++ .. versionchanged:: 2.7.17
++ Characters that affect netloc parsing under NFKC normalization will
++ now raise :exc:`ValueError`.
++
+
+ .. function:: urlunsplit(parts)
+
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 72ebfaa..d04ea55 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -1,6 +1,8 @@
+ #! /usr/bin/env python
+
+ from test import test_support
++import sys
++import unicodedata
+ import unittest
+ import urlparse
+
+@@ -564,6 +566,35 @@ class UrlParseTestCase(unittest.TestCase):
+ self.assertEqual(urlparse.urlparse("http://www.python.org:80"),
+ ('http','www.python.org:80','','','',''))
+
++ def test_urlsplit_normalization(self):
++ # Certain characters should never occur in the netloc,
++ # including under normalization.
++ # Ensure that ALL of them are detected and cause an error
++ illegal_chars = u'/:#?@'
++ hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}
++ denorm_chars = [
++ c for c in map(unichr, range(128, sys.maxunicode))
++ if (hex_chars & set(unicodedata.decomposition(c).split()))
++ and c not in illegal_chars
++ ]
++ # Sanity check that we found at least one such character
++ self.assertIn(u'\u2100', denorm_chars)
++ self.assertIn(u'\uFF03', denorm_chars)
++
++ # bpo-36742: Verify port separators are ignored when they
++ # existed prior to decomposition
++ urlparse.urlsplit(u'http://\u30d5\u309a:80')
++ with self.assertRaises(ValueError):
++ urlparse.urlsplit(u'http://\u30d5\u309a\ufe1380')
++
++ for scheme in [u"http", u"https", u"ftp"]:
++ for c in denorm_chars:
++ url = u"{}://netloc{}false.netloc/path".format(scheme, c)
++ if test_support.verbose:
++ print "Checking %r" % url
++ with self.assertRaises(ValueError):
++ urlparse.urlsplit(url)
++
+ def test_main():
+ test_support.run_unittest(UrlParseTestCase)
+
+diff --git a/Lib/urlparse.py b/Lib/urlparse.py
+index 4ce982e..73f43a6 100644
+--- a/Lib/urlparse.py
++++ b/Lib/urlparse.py
+@@ -164,6 +164,24 @@ def _splitnetloc(url, start=0):
+ delim = min(delim, wdelim) # use earliest delim position
+ return url[start:delim], url[delim:] # return (domain, rest)
+
++def _checknetloc(netloc):
++ if not netloc or not isinstance(netloc, unicode):
++ return
++ # looking for characters like \u2100 that expand to 'a/c'
++ # IDNA uses NFKC equivalence, so normalize for this check
++ import unicodedata
++ n = netloc.rpartition('@')[2] # ignore anything to the left of '@'
++ n = n.replace(':', '') # ignore characters already included
++ n = n.replace('#', '') # but not the surrounding text
++ n = n.replace('?', '')
++ netloc2 = unicodedata.normalize('NFKC', n)
++ if n == netloc2:
++ return
++ for c in '/?#@:':
++ if c in netloc2:
++ raise ValueError("netloc '" + netloc + "' contains invalid " +
++ "characters under NFKC normalization")
++
+ def urlsplit(url, scheme='', allow_fragments=True):
+ """Parse a URL into 5 components:
+ :///?#
+@@ -192,6 +210,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+ url, fragment = url.split('#', 1)
+ if '?' in url:
+ url, query = url.split('?', 1)
++ _checknetloc(netloc)
+ v = SplitResult(scheme, netloc, url, query, fragment)
+ _parse_cache[key] = v
+ return v
+@@ -215,6 +234,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+ url, fragment = url.split('#', 1)
+ if '?' in url:
+ url, query = url.split('?', 1)
++ _checknetloc(netloc)
+ v = SplitResult(scheme, netloc, url, query, fragment)
+ _parse_cache[key] = v
+ return v
diff --git a/SPECS/python.spec b/SPECS/python.spec
index 5277f37..9d5df01 100644
--- a/SPECS/python.spec
+++ b/SPECS/python.spec
@@ -114,7 +114,7 @@ Summary: An interpreted, interactive, object-oriented programming language
 Name: %{python}
 # Remember to also rebase python-docs when changing this:
 Version: 2.7.5
-Release: 76%{?dist}
+Release: 79%{?dist}
 License: Python
 Group: Development/Languages
 Requires: %{python}-libs%{?_isa} = %{version}-%{release}
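Review bot: In `_checknetloc` (Lib/urlparse.py inside the embedded 00320 patch) the `ValueError` message is built by concatenating the raw `netloc`, which at the point of the raise must contain a non-ASCII character (NFKC changed it) and still carries any `user:password@` prefix that the check itself discards with `rpartition('@')`. On Python 2 the message is therefore a non-ASCII `unicode` object, so `str(exc)` in a caller or log handler raises `UnicodeEncodeError` instead of reporting the rejected URL, and when it is rendered the userinfo can end up in logs. Formatting with `%r` and only the host part avoids both: `raise ValueError("netloc %r contains invalid characters under NFKC normalization" % netloc.rpartition('@')[2])`. The early return for non-`unicode` input means byte-string URLs are never checked; the added documentation says so, but the function does not, and a comment such as `# byte-string (str) netlocs are not checked; only unicode input is validated` would make that visible next to the two `_checknetloc(netloc)` calls in `urlsplit`, whose body lies mostly outside these hunks.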
@@ -1276,6 +1276,12 @@ Patch305: 00305-CVE-2016-2183.patch # Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1579432 Patch306: 00306-fix-oserror-17-upon-semaphores-creation.patch +# 00320 # +# Security fix for CVE-2019-9636: Information Disclosure due to urlsplit improper NFKC normalization +# FIXED UPSTREAM: https://bugs.python.org/issue36216 and https://bugs.python.org/issue36742 +# Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1689316 +Patch320: 00320-CVE-2019-9636.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora 17 onwards, @@ -1390,8 +1396,9 @@ Requires: pkgconfig # package Conflicts: %{python} < %{version}-%{release} %if %{main_python} -Obsoletes: python2-devel +Obsoletes: python2-devel < %{version}-%{release} Provides: python2-devel = %{version}-%{release} +Provides: python2-devel%{?_isa} = %{version}-%{release} %endif %description devel @@ -1411,7 +1418,7 @@ Group: Development/Tools Requires: %{name} = %{version}-%{release} Requires: %{tkinter} = %{version}-%{release} %if %{main_python} -Obsoletes: python2-tools +Obsoletes: python2-tools < %{version}-%{release} Provides: python2-tools = %{version} %endif @@ -1425,7 +1432,7 @@ Summary: A graphical user interface for the Python scripting language Group: Development/Languages Requires: %{name} = %{version}-%{release} %if %{main_python} -Obsoletes: tkinter2 +Obsoletes: tkinter2 < %{version}-%{release} Provides: tkinter2 = %{version} %endif @@ -1708,6 +1715,7 @@ mv Modules/cryptmodule.c Modules/_cryptmodule.c %patch303 -p1 %patch305 -p1 %patch306 -p1 +%patch320 -p1 # This shouldn't be necesarry, but is right now (2.2a3) 
@@ -2588,6 +2596,18 @@ rm -fr %{buildroot} # ====================================================== %changelog +* Mon May 20 2019 Charalampos Stratakis - 2.7.5-79 +- Updated fix for CVE-2019-9636 +Resolves: rhbz#1711166 + +* Thu May 09 2019 Charalampos Stratakis - 2.7.5-78 +- Remove unversioned obsoletes +Resolves: rhbz#1708674 + +* Tue Mar 26 2019 Charalampos Stratakis - 2.7.5-77 +- Security fix for CVE-2019-9636 +Resolves: rhbz#1689316 + * Mon Sep 10 2018 Charalampos Stratakis - 2.7.5-76 - Remove an unversioned obsoletes tag Resolves: rhbz#1627059