diff --git a/SOURCES/00365-CVE-2021-29921.patch b/SOURCES/00365-CVE-2021-29921.patch
new file mode 100644
index 0000000..b3f8176
--- /dev/null
+++ b/SOURCES/00365-CVE-2021-29921.patch
@@ -0,0 +1,62 @@
+diff --git a/Doc/library/ipaddress.rst b/Doc/library/ipaddress.rst
+index 2cdfddb..d464d2a 100644
+--- a/Doc/library/ipaddress.rst
++++ b/Doc/library/ipaddress.rst
+@@ -104,8 +104,7 @@ write code that handles both IP versions correctly. Address objects are
+ 1. A string in decimal-dot notation, consisting of four decimal integers in
+ the inclusive range 0--255, separated by dots (e.g. ``192.168.0.1``). Each
+ integer represents an octet (byte) in the address. Leading zeroes are
+- tolerated only for values less than 8 (as there is no ambiguity
+- between the decimal and octal interpretations of such strings).
++ not tolerated to prevent confusion with octal notation.
+ 2. An integer that fits into 32 bits.
+ 3. An integer packed into a :class:`bytes` object of length 4 (most
+ significant octet first).
+diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
+index 28b7b61..d351f07 100644
+--- a/Lib/ipaddress.py
++++ b/Lib/ipaddress.py
+@@ -1173,6 +1173,11 @@ class _BaseV4:
+ if len(octet_str) > 3:
+ msg = "At most 3 characters permitted in %r"
+ raise ValueError(msg % octet_str)
++ # Handle leading zeros as strict as glibc's inet_pton()
++ # See security bug bpo-36384
++ if octet_str != '0' and octet_str[0] == '0':
++ msg = "Leading zeros are not permitted in %r"
++ raise ValueError(msg % octet_str)
+ # Convert to integer (we know digits are legal)
+ octet_int = int(octet_str, 10)
+ if octet_int > 255:
+diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
+index 2f1c5b6..1297b83 100644
+--- a/Lib/test/test_ipaddress.py
++++ b/Lib/test/test_ipaddress.py
+@@ -97,10 +97,23 @@ class CommonTestMixin:
+ class CommonTestMixin_v4(CommonTestMixin):
+
+ def test_leading_zeros(self):
+- self.assertInstancesEqual("000.000.000.000", "0.0.0.0")
+- self.assertInstancesEqual("192.168.000.001", "192.168.0.1")
+- self.assertInstancesEqual("016.016.016.016", "16.16.16.16")
+- self.assertInstancesEqual("001.000.008.016", "1.0.8.16")
++ # bpo-36384: no 
leading zeros to avoid ambiguity with octal notation
++ msg = "Leading zeros are not permitted in '\d+'"
++ addresses = [
++ "000.000.000.000",
++ "192.168.000.001",
++ "016.016.016.016",
++ "192.168.000.001",
++ "001.000.008.016",
++ "01.2.3.40",
++ "1.02.3.40",
++ "1.2.03.40",
++ "1.2.3.040",
++ ]
++ for address in addresses:
++ with self.subTest(address=address):
++ with self.assertAddressError(msg):
++ self.factory(address)
+
+ def test_int(self):
+ self.assertInstancesEqual(0, "0.0.0.0")
diff --git a/SPECS/python38.spec b/SPECS/python38.spec
index 9932f49..9375807 100644
--- a/SPECS/python38.spec
+++ b/SPECS/python38.spec
@@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: Python
 # Exclude i686 arch. Due to a modularity issue it's being added to the
@@ -363,6 +363,12 @@ Patch359: 00359-CVE-2021-23336.patch
 # Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1935913
 Patch360: 00360-CVE-2021-3426.patch
+# 00365 #
+# CVE-2021-29921: Improper input validation of octal strings in the ipaddress module
+# Upstream: https://bugs.python.org/issue36384
+# Main bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1957458
+Patch365: 00365-CVE-2021-29921.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -712,6 +718,7 @@ rm Lib/ensurepip/_bundled/*.whl
 %patch353 -p1
 %patch359 -p1
 %patch360 -p1
+%patch365 -p1
 # Remove files that should be generated by the build
 # (This is after patching, so that we can use patches directly from upstream)
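Review bot: The new test's pattern `msg = "Leading zeros are not permitted in '\d+'"` is a non-raw string containing `\d`, which is an invalid escape sequence that CPython reports at compile time (DeprecationWarning, a SyntaxWarning on newer releases) and will fail a test run that treats warnings as errors; it should read `msg = r"Leading zeros are not permitted in '\d+'"`. In the same hunk, "192.168.000.001" appears twice in the `addresses` list, so one subTest is a duplicate and could be dropped. In the Lib/ipaddress.py hunk, the added guard indexes `octet_str[0]` and is safe only if an empty-octet rejection precedes it; the visible context starts at the `len(octet_str) > 3` check, so that earlier guard, like the rest of the enclosing method, lies outside the hunk and should be confirmed in the 3.8 backport target.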
@@ -1800,6 +1807,10 @@ fi
 # ======================================================
 %changelog
+* Tue Jul 27 2021 Charalampos Stratakis - 3.8.8-3
+- Security fix for CVE-2021-29921: Leading zeros in IPv4 addresses are no longer tolerated
+Resolves: rhbz#1957458
+
 * Fri Apr 30 2021 Charalampos Stratakis - 3.8.8-2
 - Security fix for CVE-2021-3426: information disclosure via pydoc
 Resolves: rhbz#1935913