diff --git a/SOURCES/00360-CVE-2021-3426.patch b/SOURCES/00360-CVE-2021-3426.patch new file mode 100644 index 0000000..f24ef59 --- /dev/null +++ b/SOURCES/00360-CVE-2021-3426.patch @@ -0,0 +1,101 @@ +From 5b1e50256b6532667b6d31debc350f6c7d3f30aa Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 29 Mar 2021 08:40:53 -0700 +Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015) + (GH-25067) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2021-3426: Remove the "getfile" feature of the pydoc module which +could be abused to read arbitrary files on the disk (directory +traversal vulnerability). Moreover, even source code of Python +modules can contain sensitive data like passwords. Vulnerability +reported by David Schwörer. +(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048) + +Co-authored-by: Victor Stinner +--- + Lib/pydoc.py | 18 ------------------ + Lib/test/test_pydoc.py | 6 ------ + .../2021-03-24-14-16-56.bpo-42988.P2aNco.rst | 4 ++++ + 3 files changed, 4 insertions(+), 24 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst + +diff --git a/Lib/pydoc.py b/Lib/pydoc.py +index b521a5504728c4..5247ef9ea27aa1 100644 +--- a/Lib/pydoc.py ++++ b/Lib/pydoc.py +@@ -2312,9 +2312,6 @@ def page(self, title, contents): + %s%s
%s
+ ''' % (title, css_link, html_navbar(), contents) + +- def filelink(self, url, path): +- return '%s' % (url, path) +- + + html = _HTMLDoc() + +@@ -2400,19 +2397,6 @@ def bltinlink(name): + 'key = %s' % key, '#ffffff', '#ee77aa', '
'.join(results)) + return 'Search Results', contents + +- def html_getfile(path): +- """Get and display a source file listing safely.""" +- path = urllib.parse.unquote(path) +- with tokenize.open(path) as fp: +- lines = html.escape(fp.read()) +- body = '
%s
' % lines +- heading = html.heading( +- 'File Listing', +- '#ffffff', '#7799ee') +- contents = heading + html.bigsection( +- 'File: %s' % path, '#ffffff', '#ee77aa', body) +- return 'getfile %s' % path, contents +- + def html_topics(): + """Index of topic texts available.""" + +@@ -2504,8 +2488,6 @@ def get_html_page(url): + op, _, url = url.partition('=') + if op == "search?key": + title, content = html_search(url) +- elif op == "getfile?key": +- title, content = html_getfile(url) + elif op == "topic?key": + # try topics first, then objects. + try: +diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py +index 00803d3305cb53..49bc3eb164b19c 100644 +--- a/Lib/test/test_pydoc.py ++++ b/Lib/test/test_pydoc.py +@@ -1052,18 +1052,12 @@ def test_url_requests(self): + ("topic?key=def", "Pydoc: KEYWORD def"), + ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"), + ("foobar", "Pydoc: Error - foobar"), +- ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"), + ] + + with self.restrict_walk_packages(): + for url, title in requests: + self.call_url_handler(url, title) + +- path = string.__file__ +- title = "Pydoc: getfile " + path +- url = "getfile?key=" + path +- self.call_url_handler(url, title) +- + + class TestHelper(unittest.TestCase): + def test_keywords(self): +diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst +new file mode 100644 +index 00000000000000..4b42dd05305a83 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst +@@ -0,0 +1,4 @@ ++CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which ++could be abused to read arbitrary files on the disk (directory traversal ++vulnerability). Moreover, even source code of Python modules can contain ++sensitive data like passwords. Vulnerability reported by David Schwörer. 
diff --git a/SOURCES/00364-thread-exit.patch b/SOURCES/00364-thread-exit.patch
new file mode 100644
index 0000000..b91665b
--- /dev/null
+++ b/SOURCES/00364-thread-exit.patch
@@ -0,0 +1,43 @@
+bpo-44434: Don't call PyThread_exit_thread() explicitly (GH-26758)
+
+_thread.start_new_thread() no longer calls PyThread_exit_thread()
+explicitly at the thread exit, the call was redundant.
+
+On Linux with the glibc, pthread_cancel() loads dynamically the
+libgcc_s.so.1 library. dlopen() can fail if there is no more
+available file descriptor to open the file. In this case, the process
+aborts with the error message:
+
+"libgcc_s.so.1 must be installed for pthread_cancel to work"
+
+pthread_cancel() unwinds back to the thread's wrapping function that
+calls the thread entry point.
+
+The unwind function is dynamically loaded from the libgcc_s library
+since it is tightly coupled to the C compiler (GCC). The unwinder
+depends on DWARF, the compiler generates DWARF, so the unwinder
+belongs to the compiler.
+
+Thanks Florian Weimer and Carlos O'Donell for their help on
+investigating this issue.
+
+https://github.com/python/cpython/commit/45a78f906d2d5fe5381d78466b11763fc56d57ba
+
+Resolves: rhbz#1972293
+
+diff --git a/Modules/_threadmodule.c b/Modules/_threadmodule.c
+index a13b2e0..8cc035b 100644
+--- a/Modules/_threadmodule.c
++++ b/Modules/_threadmodule.c
+@@ -1027,7 +1027,10 @@ t_bootstrap(void *boot_raw)
+ nb_threads--;
+ PyThreadState_Clear(tstate);
+ PyThreadState_DeleteCurrent();
+- PyThread_exit_thread();
++
++ // bpo-44434: Don't call explicitly PyThread_exit_thread(). On Linux with
++ // the glibc, pthread_exit() can abort the whole process if dlopen() fails
++ // to open the libgcc_s.so library (ex: EMFILE error).
+ }
+
+ static PyObject *
diff --git a/SPECS/python3.spec b/SPECS/python3.spec
index 235b069..89deda4 100644
--- a/SPECS/python3.spec
+++ b/SPECS/python3.spec
@@ -14,7 +14,7 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well Version: %{pybasever}.8 -Release: 39%{?dist} +Release: 41%{?dist} License: Python @@ -591,13 +591,25 @@ Patch357: 00357-CVE-2021-3177.patch # Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1928904 Patch359: 00359-CVE-2021-23336.patch +# 00360 # +# CVE-2021-3426: information disclosure via pydoc +# Upstream: https://bugs.python.org/issue42988 +# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1935913 +Patch360: 00360-CVE-2021-3426.patch + # 00362 # # The threading.enumerate() function now uses a reentrant lock to # prevent a hang on reentrant call. # Upstream: https://bugs.python.org/issue44422 -# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1990860 +# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1959459 Patch362: 00362-threading-enumerate-rlock.patch +# 00364 # +# Don't call PyThread_exit_thread() explicitly. +# Upstream: https://bugs.python.org/issue44434 +# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1972293 +Patch364: 00364-thread-exit.patch + # 00366 # # CVE-2021-3733: Denial of service when identifying crafted invalid RFCs # Upstream: https://bugs.python.org/issue43075 @@ -650,10 +662,10 @@ Requires: python3-setuptools-wheel Requires: python3-pip-wheel %endif -# Runtime require alternatives -Requires: %{_sbindir}/alternatives -Requires(post): %{_sbindir}/alternatives -Requires(postun): %{_sbindir}/alternatives +# Require alternatives version that implements the --keep-foreign flag +Requires: alternatives >= 1.19.1-1 +Requires(post): alternatives >= 1.19.1-1 +Requires(postun): alternatives >= 1.19.1-1 # This prevents ALL subpackages built from this spec to require # /usr/bin/python3*. Granularity per subpackage is impossible. 
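Review bot: The new `Patch360` header comment names the CVE but not that the fix is a feature removal, which is the user-visible part of this update: the 00360 patch body states that the pydoc `getfile` feature is removed outright rather than sanitized, so anyone relying on `getfile?key=` in the pydoc HTTP server loses it with this release. The other patch comments in this block describe the behavioural effect (`# Don't call PyThread_exit_thread() explicitly.`), so the same is warranted here. Suggest `# CVE-2021-3426: information disclosure via pydoc` followed by `# (fixed upstream by removing the pydoc "getfile" feature entirely)`.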
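Review bot: The `Requires(postun): alternatives >= 1.19.1-1` line that replaces the path-based requirement is what guarantees the `--keep-foreign` flag exists when the `%postun -n platform-python` scriptlet runs, so it must be declared in the stanza of the package that owns that scriptlet; the hunk does not show which `%package` section these three lines sit in, so that placement should be confirmed. The later hunk adds a separate `Requires(postun)` for the subpackage whose `%postun` also gains the flag, which suggests the gate is intended per scriptlet-owning package. The `Requires(post)` bump is stricter than the visible `%post` lines appear to need, which is harmless, but the comment could say so: `# Require alternatives version that implements the --keep-foreign flag (used in %postun)`.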
@@ -794,6 +806,9 @@ Provides: %{name}-tools = %{version}-%{release} Provides: %{name}-tools%{?_isa} = %{version}-%{release} Obsoletes: %{name}-tools < %{version}-%{release} + +# Require alternatives version that implements the --keep-foreign flag +Requires(postun): alternatives >= 1.19.1-1 # python36 installs the alternatives master symlink to which we attach a slave Requires: python36 Requires(post): python36 @@ -931,7 +946,9 @@ git apply %{PATCH351} %patch356 -p1 %patch357 -p1 %patch359 -p1 +%patch360 -p1 %patch362 -p1 +%patch364 -p1 %patch366 -p1 # Remove files that should be generated by the build @@ -1400,7 +1417,7 @@ alternatives --install %{_bindir}/unversioned-python \ %postun -n platform-python # Do this only during uninstall process (not during update) if [ $1 -eq 0 ]; then - alternatives --remove python \ + alternatives --keep-foreign --remove python \ %{_libexecdir}/no-python fi @@ -1415,7 +1432,7 @@ alternatives --add-slave python3 %{_bindir}/python3.6 \ %postun -n python3-idle # Do this only during uninstall process (not during update) if [ $1 -eq 0 ]; then - alternatives --remove-slave python3 %{_bindir}/python3.6 \ + alternatives --keep-foreign --remove-slave python3 %{_bindir}/python3.6 \ idle3 fi 
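Review bot: The `--keep-foreign` flag added to the `alternatives --remove` call in `%postun -n platform-python` has no explanation at the point of use; the only comment there, `# Do this only during uninstall process (not during update)`, describes the `$1 -eq 0` guard, and a reader has to go back to the `Requires` block and the changelog to learn why the flag is needed. Suggest a one-line comment above the call, `# --keep-foreign: leave alternatives registered by other packages intact (upgrade path to RHEL 9, rhbz#1933055)`, and the same line in the `%postun -n python3-idle` hunk below it, which makes the identical change to `--remove-slave`.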
@@ -1858,13 +1875,22 @@ fi # ====================================================== %changelog -* Thu Sep 09 2021 Lumír Balhar - 3.6.8-39 +* Thu Sep 09 2021 Lumír Balhar - 3.6.8-41 - Security fix for CVE-2021-3733: Denial of service when identifying crafted invalid RFCs Resolves: rhbz#1995234 -* Wed Aug 11 2021 Charalampos Stratakis - 3.6.8-38 -- Fix reentrant call to threading.enumerate() -Resolves: rhbz#1990860 +* Thu Jul 29 2021 Tomas Orsava - 3.6.8-40 +- Adjusted the postun scriptlets to enable upgrading to RHEL 9 +- Resolves: rhbz#1933055 + +* Fri Jul 09 2021 Victor Stinner - 3.6.8-39 +- Fix reentrant call to threading.enumerate() (rhbz#1959459) +- Don't exit Python with abort() when a thread exit and there is no available + file descriptor to load dynamically the libgcc_s.so.1 library (rhbz#1972293) + +* Fri Apr 30 2021 Charalampos Stratakis - 3.6.8-38 +- Security fix for CVE-2021-3426: information disclosure via pydoc +Resolves: rhbz#1935913 * Thu Mar 04 2021 Petr Viktorin - 3.6.8-37 - Fix for CVE-2021-23336