From 96031f3daf8f635de8f54e9b3b93daf1e463959b Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 27 2022 19:52:44 +0000 Subject: import python3-3.6.8-47.el8 --- diff --git a/SOURCES/00377-CVE-2022-0391.patch b/SOURCES/00377-CVE-2022-0391.patch new file mode 100644 index 0000000..aebe53d --- /dev/null +++ b/SOURCES/00377-CVE-2022-0391.patch @@ -0,0 +1,170 @@ +From 6c472d3a1d334d4eeb4a25eba7bf3b01611bf667 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Thu, 6 May 2021 09:56:01 -0700 +Subject: [PATCH] [3.6] bpo-43882 - urllib.parse should sanitize urls + containing ASCII newline and tabs (GH-25924) + +Co-authored-by: Gregory P. Smith +Co-authored-by: Serhiy Storchaka +(cherry picked from commit 76cd81d60310d65d01f9d7b48a8985d8ab89c8b4) +Co-authored-by: Senthil Kumaran +(cherry picked from commit 515a7bc4e13645d0945b46a8e1d9102b918cd407) + +Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> +--- + Doc/library/urllib.parse.rst | 13 +++++ + Lib/test/test_urlparse.py | 48 +++++++++++++++++++ + Lib/urllib/parse.py | 10 ++++ + .../2021-04-25-07-46-37.bpo-43882.Jpwx85.rst | 6 +++ + 4 files changed, 77 insertions(+) + create mode 100644 Misc/NEWS.d/next/Security/2021-04-25-07-46-37.bpo-43882.Jpwx85.rst + +diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst +index 3c2e37ef2093a..b717d7cc05b2e 100644 +--- a/Doc/library/urllib.parse.rst ++++ b/Doc/library/urllib.parse.rst +@@ -288,6 +288,9 @@ or on combining URL components into a URL string. + ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is + decomposed before parsing, no error will be raised. + ++ Following the `WHATWG spec`_ that updates RFC 3986, ASCII newline ++ ``\n``, ``\r`` and tab ``\t`` characters are stripped from the URL. ++ + .. versionchanged:: 3.6 + Out-of-range port numbers now raise :exc:`ValueError`, instead of + returning :const:`None`. +@@ -296,6 +299,10 @@ or on combining URL components into a URL string. + Characters that affect netloc parsing under NFKC normalization will + now raise :exc:`ValueError`. + ++ .. versionchanged:: 3.6.14 ++ ASCII newline and tab characters are stripped from the URL. ++ ++.. _WHATWG spec: https://url.spec.whatwg.org/#concept-basic-url-parser + + .. function:: urlunsplit(parts) + +@@ -633,6 +640,10 @@ task isn't already covered by the URL parsing functions above. + + .. seealso:: + ++ `WHATWG`_ - URL Living standard ++ Working Group for the URL Standard that defines URLs, domains, IP addresses, the ++ application/x-www-form-urlencoded format, and their API. ++ + :rfc:`3986` - Uniform Resource Identifiers + This is the current standard (STD66). Any changes to urllib.parse module + should conform to this. Certain deviations could be observed, which are +@@ -656,3 +667,5 @@ task isn't already covered by the URL parsing functions above. + + :rfc:`1738` - Uniform Resource Locators (URL) + This specifies the formal syntax and semantics of absolute URLs. ++ ++.. _WHATWG: https://url.spec.whatwg.org/ +diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py +index e3088b2f39bd7..3509278a01694 100644 +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -612,6 +612,54 @@ def test_urlsplit_attributes(self): + with self.assertRaisesRegex(ValueError, "out of range"): + p.port + ++ def test_urlsplit_remove_unsafe_bytes(self): ++ # Remove ASCII tabs and newlines from input, for http common case scenario. ++ url = "h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment" ++ p = urllib.parse.urlsplit(url) ++ self.assertEqual(p.scheme, "http") ++ self.assertEqual(p.netloc, "www.python.org") ++ self.assertEqual(p.path, "/javascript:alert('msg')/") ++ self.assertEqual(p.query, "query=something") ++ self.assertEqual(p.fragment, "fragment") ++ self.assertEqual(p.username, None) ++ self.assertEqual(p.password, None) ++ self.assertEqual(p.hostname, "www.python.org") ++ self.assertEqual(p.port, None) ++ self.assertEqual(p.geturl(), "http://www.python.org/javascript:alert('msg')/?query=something#fragment") ++ ++ # Remove ASCII tabs and newlines from input as bytes, for http common case scenario. ++ url = b"h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment" ++ p = urllib.parse.urlsplit(url) ++ self.assertEqual(p.scheme, b"http") ++ self.assertEqual(p.netloc, b"www.python.org") ++ self.assertEqual(p.path, b"/javascript:alert('msg')/") ++ self.assertEqual(p.query, b"query=something") ++ self.assertEqual(p.fragment, b"fragment") ++ self.assertEqual(p.username, None) ++ self.assertEqual(p.password, None) ++ self.assertEqual(p.hostname, b"www.python.org") ++ self.assertEqual(p.port, None) ++ self.assertEqual(p.geturl(), b"http://www.python.org/javascript:alert('msg')/?query=something#fragment") ++ ++ # any scheme ++ url = "x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment" ++ p = urllib.parse.urlsplit(url) ++ self.assertEqual(p.geturl(), "x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment") ++ ++ # Remove ASCII tabs and newlines from input as bytes, any scheme. ++ url = b"x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment" ++ p = urllib.parse.urlsplit(url) ++ self.assertEqual(p.geturl(), b"x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment") ++ ++ # Unsafe bytes is not returned from urlparse cache. ++ # scheme is stored after parsing, sending an scheme with unsafe bytes *will not* return an unsafe scheme ++ url = "https://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment" ++ scheme = "htt\nps" ++ for _ in range(2): ++ p = urllib.parse.urlsplit(url, scheme=scheme) ++ self.assertEqual(p.scheme, "https") ++ self.assertEqual(p.geturl(), "https://www.python.org/javascript:alert('msg')/?query=something#fragment") ++ + def test_attributes_bad_port(self): + """Check handling of invalid ports.""" + for bytes in (False, True): +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py +index 66056bf589bf6..ac6e7a9cee0b9 100644 +--- a/Lib/urllib/parse.py ++++ b/Lib/urllib/parse.py +@@ -76,6 +76,9 @@ + '0123456789' + '+-.') + ++# Unsafe bytes to be removed per WHATWG spec ++_UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r', '\n'] ++ + # XXX: Consider replacing with functools.lru_cache + MAX_CACHE_SIZE = 20 + _parse_cache = {} +@@ -409,6 +412,11 @@ def _checknetloc(netloc): + raise ValueError("netloc '" + netloc + "' contains invalid " + + "characters under NFKC normalization") + ++def _remove_unsafe_bytes_from_url(url): ++ for b in _UNSAFE_URL_BYTES_TO_REMOVE: ++ url = url.replace(b, "") ++ return url ++ + def urlsplit(url, scheme='', allow_fragments=True): + """Parse a URL into 5 components: + :///?# +@@ -416,6 +424,8 @@ def urlsplit(url, scheme='', allow_fragments=True): + Note that we don't break the components up in smaller bits + (e.g. netloc is a single string) and we don't expand % escapes.""" + url, scheme, _coerce_result = _coerce_args(url, scheme) ++ url = _remove_unsafe_bytes_from_url(url) ++ scheme = _remove_unsafe_bytes_from_url(scheme) + allow_fragments = bool(allow_fragments) + key = url, scheme, allow_fragments, type(url), type(scheme) + cached = _parse_cache.get(key, None) +diff --git a/Misc/NEWS.d/next/Security/2021-04-25-07-46-37.bpo-43882.Jpwx85.rst b/Misc/NEWS.d/next/Security/2021-04-25-07-46-37.bpo-43882.Jpwx85.rst +new file mode 100644 +index 0000000000000..a326d079dff4a +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2021-04-25-07-46-37.bpo-43882.Jpwx85.rst +@@ -0,0 +1,6 @@ ++The presence of newline or tab characters in parts of a URL could allow ++some forms of attacks. ++ ++Following the controlling specification for URLs defined by WHATWG ++:func:`urllib.parse` now removes ASCII newlines and tabs from URLs, ++preventing such attacks. diff --git a/SOURCES/00378-support-expat-2-4-5.patch b/SOURCES/00378-support-expat-2-4-5.patch new file mode 100644 index 0000000..4b1e441 --- /dev/null +++ b/SOURCES/00378-support-expat-2-4-5.patch @@ -0,0 +1,98 @@ +From a5b78c6f1c802f6023bd4d7a248dc83be1eef6a3 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 21 Feb 2022 15:48:32 +0100 +Subject: [PATCH] 00378: Support expat 2.4.5 + +Curly brackets were never allowed in namespace URIs +according to RFC 3986, and so-called namespace-validating +XML parsers have the right to reject them a invalid URIs. + +libexpat >=2.4.5 has become strcter in that regard due to +related security issues; with ET.XML instantiating a +namespace-aware parser under the hood, this test has no +future in CPython. + +References: +- https://datatracker.ietf.org/doc/html/rfc3968 +- https://www.w3.org/TR/xml-names/ + +Also, test_minidom.py: Support Expat >=2.4.5 + +Upstream: https://bugs.python.org/issue46811 + +Co-authored-by: Sebastian Pipping +--- + Lib/test/test_minidom.py | 12 +++++++++--- + Lib/test/test_xml_etree.py | 6 ------ + .../Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst | 1 + + 3 files changed, 10 insertions(+), 9 deletions(-) + create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst + +diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py +index d55e25e..e947382 100644 +--- a/Lib/test/test_minidom.py ++++ b/Lib/test/test_minidom.py +@@ -5,10 +5,12 @@ import pickle + from test import support + import unittest + ++import pyexpat + import xml.dom.minidom + + from xml.dom.minidom import parse, Node, Document, parseString + from xml.dom.minidom import getDOMImplementation ++from xml.parsers.expat import ExpatError + + + tstfile = support.findfile("test.xml", subdir="xmltestdata") +@@ -1156,8 +1158,10 @@ class MinidomTest(unittest.TestCase): + + # Verify that character decoding errors raise exceptions instead + # of crashing +- self.assertRaises(UnicodeDecodeError, parseString, +- b'Comment \xe7a va ? Tr\xe8s bien ?') ++ self.assertRaises(ExpatError, parseString, ++ b'') ++ self.assertRaises(ExpatError, parseString, ++ b'Comment \xe7a va ? Tr\xe8s bien ?') + + doc.unlink() + +@@ -1602,7 +1606,9 @@ class MinidomTest(unittest.TestCase): + self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE) + + def testExceptionOnSpacesInXMLNSValue(self): +- with self.assertRaisesRegex(ValueError, 'Unsupported syntax'): ++ context = self.assertRaisesRegex(ExpatError, 'syntax error') ++ ++ with context: + parseString('') + + def testDocRemoveChild(self): +diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py +index b01709e..acaa519 100644 +--- a/Lib/test/test_xml_etree.py ++++ b/Lib/test/test_xml_etree.py +@@ -1668,12 +1668,6 @@ class BugsTest(unittest.TestCase): + b"\n" + b'tãg') + +- def test_issue3151(self): +- e = ET.XML('') +- self.assertEqual(e.tag, '{${stuff}}localname') +- t = ET.ElementTree(e) +- self.assertEqual(ET.tostring(e), b'') +- + def test_issue6565(self): + elem = ET.XML("") + self.assertEqual(summarize_list(elem), ['tag']) +diff --git a/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst b/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst +new file mode 100644 +index 0000000..6969bd1 +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst +@@ -0,0 +1 @@ ++Make test suite support Expat >=2.4.5 +-- +2.35.1 + diff --git a/SOURCES/00382-cve-2015-20107.patch b/SOURCES/00382-cve-2015-20107.patch new file mode 100644 index 0000000..9e981e2 --- /dev/null +++ b/SOURCES/00382-cve-2015-20107.patch @@ -0,0 +1,150 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Fri, 3 Jun 2022 11:43:35 +0200 +Subject: [PATCH] 00382: CVE-2015-20107 + +Make mailcap refuse to match unsafe filenames/types/params (GH-91993) + +Upstream: https://github.com/python/cpython/issues/68966 + +Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390 +--- + Doc/library/mailcap.rst | 12 +++++++++ + Lib/mailcap.py | 26 +++++++++++++++++-- + Lib/test/test_mailcap.py | 8 ++++-- + ...2-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 +++ + 4 files changed, 46 insertions(+), 4 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst + +diff --git a/Doc/library/mailcap.rst b/Doc/library/mailcap.rst +index 896afd1d73..849d0bc05f 100644 +--- a/Doc/library/mailcap.rst ++++ b/Doc/library/mailcap.rst +@@ -54,6 +54,18 @@ standard. However, mailcap files are supported on most Unix systems. + use) to determine whether or not the mailcap line applies. :func:`findmatch` + will automatically check such conditions and skip the entry if the check fails. + ++ .. versionchanged:: 3.11 ++ ++ To prevent security issues with shell metacharacters (symbols that have ++ special effects in a shell command line), ``findmatch`` will refuse ++ to inject ASCII characters other than alphanumerics and ``@+=:,./-_`` ++ into the returned command line. ++ ++ If a disallowed character appears in *filename*, ``findmatch`` will always ++ return ``(None, None)`` as if no entry was found. ++ If such a character appears elsewhere (a value in *plist* or in *MIMEtype*), ++ ``findmatch`` will ignore all mailcap entries which use that value. ++ A :mod:`warning ` will be raised in either case. + + .. function:: getcaps() + +diff --git a/Lib/mailcap.py b/Lib/mailcap.py +index bd0fc0981c..dcd4b449e8 100644 +--- a/Lib/mailcap.py ++++ b/Lib/mailcap.py +@@ -2,6 +2,7 @@ + + import os + import warnings ++import re + + __all__ = ["getcaps","findmatch"] + +@@ -13,6 +14,11 @@ def lineno_sort_key(entry): + else: + return 1, 0 + ++_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search ++ ++class UnsafeMailcapInput(Warning): ++ """Warning raised when refusing unsafe input""" ++ + + # Part 1: top-level interface. + +@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]): + entry to use. + + """ ++ if _find_unsafe(filename): ++ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,) ++ warnings.warn(msg, UnsafeMailcapInput) ++ return None, None + entries = lookup(caps, MIMEtype, key) + # XXX This code should somehow check for the needsterminal flag. + for e in entries: + if 'test' in e: + test = subst(e['test'], filename, plist) ++ if test is None: ++ continue + if test and os.system(test) != 0: + continue + command = subst(e[key], MIMEtype, filename, plist) +- return command, e ++ if command is not None: ++ return command, e + return None, None + + def lookup(caps, MIMEtype, key=None): +@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, plist=[]): + elif c == 's': + res = res + filename + elif c == 't': ++ if _find_unsafe(MIMEtype): ++ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,) ++ warnings.warn(msg, UnsafeMailcapInput) ++ return None + res = res + MIMEtype + elif c == '{': + start = i +@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, plist=[]): + i = i+1 + name = field[start:i] + i = i+1 +- res = res + findparam(name, plist) ++ param = findparam(name, plist) ++ if _find_unsafe(param): ++ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name) ++ warnings.warn(msg, UnsafeMailcapInput) ++ return None ++ res = res + param + # XXX To do: + # %n == number of parts if type is multipart/* + # %F == list of alternating type and filename for parts +diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py +index c08423c670..920283d9a2 100644 +--- a/Lib/test/test_mailcap.py ++++ b/Lib/test/test_mailcap.py +@@ -121,7 +121,8 @@ class HelperFunctionTest(unittest.TestCase): + (["", "audio/*", "foo.txt"], ""), + (["echo foo", "audio/*", "foo.txt"], "echo foo"), + (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"), +- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"), ++ (["echo %t", "audio/*", "foo.txt"], None), ++ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"), + (["echo \\%t", "audio/*", "foo.txt"], "echo %t"), + (["echo foo", "audio/*", "foo.txt", plist], "echo foo"), + (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3") +@@ -205,7 +206,10 @@ class FindmatchTest(unittest.TestCase): + ('"An audio fragment"', audio_basic_entry)), + ([c, "audio/*"], + {"filename": fname}, +- ("/usr/local/bin/showaudio audio/*", audio_entry)), ++ (None, None)), ++ ([c, "audio/wav"], ++ {"filename": fname}, ++ ("/usr/local/bin/showaudio audio/wav", audio_entry)), + ([c, "message/external-body"], + {"plist": plist}, + ("showexternal /dev/null default john python.org /tmp foo bar", message_entry)) +diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst +new file mode 100644 +index 0000000000..da81a1f699 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst +@@ -0,0 +1,4 @@ ++The deprecated mailcap module now refuses to inject unsafe text (filenames, ++MIME types, parameters) into shell commands. Instead of using such text, it ++will warn and act as if a match was not found (or for test commands, as if ++the test failed). diff --git a/SPECS/python3.spec b/SPECS/python3.spec index 785689a..510672e 100644 --- a/SPECS/python3.spec +++ b/SPECS/python3.spec @@ -14,7 +14,7 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well Version: %{pybasever}.8 -Release: 45%{?dist} +Release: 47%{?dist} License: Python @@ -651,6 +651,50 @@ Patch370: 00370-GIL-monotonic-clock.patch # Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2036020 Patch372: 00372-CVE-2021-4189.patch +# 00377 # +# CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs +# +# ASCII newline and tab characters are stripped from the URL. +# +# Upstream: https://bugs.python.org/issue43882 +# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2047376 +Patch377: 00377-CVE-2022-0391.patch + +# 00378 # +# Support expat 2.4.5 +# +# Curly brackets were never allowed in namespace URIs +# according to RFC 3986, and so-called namespace-validating +# XML parsers have the right to reject them a invalid URIs. +# +# libexpat >=2.4.5 has become strcter in that regard due to +# related security issues; with ET.XML instantiating a +# namespace-aware parser under the hood, this test has no +# future in CPython. +# +# References: +# - https://datatracker.ietf.org/doc/html/rfc3968 +# - https://www.w3.org/TR/xml-names/ +# +# Also, test_minidom.py: Support Expat >=2.4.5 +# +# The patch has diverged from upstream as the python test +# suite was relying on checking the expat version, whereas +# in RHEL fixes get backported instead of rebasing packages. +# +# Upstream: https://bugs.python.org/issue46811 +Patch378: 00378-support-expat-2-4-5.patch + +# 00382 # +# CVE-2015-20107 +# +# Make mailcap refuse to match unsafe filenames/types/params (GH-91993) +# +# Upstream: https://github.com/python/cpython/issues/68966 +# +# Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390 +Patch382: 00382-cve-2015-20107.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -990,6 +1034,9 @@ git apply %{PATCH351} %patch369 -p1 %patch370 -p1 %patch372 -p1 +%patch377 -p1 +%patch378 -p1 +%patch382 -p1 # Remove files that should be generated by the build # (This is after patching, so that we can use patches directly from upstream) @@ -1915,6 +1962,15 @@ fi # ====================================================== %changelog +* Tue Jun 14 2022 Charalampos Stratakis - 3.6.8-47 +- Security fix for CVE-2015-20107 +Resolves: rhbz#2075390 + +* Wed Mar 09 2022 Charalampos Stratakis - 3.6.8-46 +- Security fix for CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs +- Fix the test suite support for Expat >= 2.4.5 +Resolves: rhbz#2047376, rhbz#2060435 + * Fri Jan 07 2022 Charalampos Stratakis - 3.6.8-45 - Security fix for CVE-2021-4189: ftplib should not use the host from the PASV response Resolves: rhbz#2036020