From cdcbdc24317e3757897b51d195614097347c0713 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 27 2019 07:09:33 +0000 Subject: import rh-python35-python-3.5.1-13.el7 --- diff --git a/SOURCES/00320-CVE-2019-9636.patch b/SOURCES/00320-CVE-2019-9636.patch index ffc9620..98ca651 100644 --- a/SOURCES/00320-CVE-2019-9636.patch +++ b/SOURCES/00320-CVE-2019-9636.patch @@ -42,7 +42,7 @@ index 40098d0..1b3d4e3 100644 .. function:: urlunsplit(parts) diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py -index 0552f90..d425b47 100644 +index 0552f90..06c29da 100644 --- a/Lib/test/test_urlparse.py +++ b/Lib/test/test_urlparse.py @@ -1,3 +1,5 @@ @@ -51,7 +51,7 @@ index 0552f90..d425b47 100644 import unittest import urllib.parse -@@ -910,6 +912,27 @@ class UrlParseTestCase(unittest.TestCase): +@@ -910,6 +912,33 @@ class UrlParseTestCase(unittest.TestCase): expected.append(name) self.assertCountEqual(urllib.parse.__all__, expected) @@ -70,6 +70,12 @@ index 0552f90..d425b47 100644 + self.assertIn('\u2100', denorm_chars) + self.assertIn('\uFF03', denorm_chars) + ++ # bpo-36742: Verify port separators are ignored when they ++ # existed prior to decomposition ++ urllib.parse.urlsplit('http://\u30d5\u309a:80') ++ with self.assertRaises(ValueError): ++ urllib.parse.urlsplit('http://\u30d5\u309a\ufe1380') ++ + for scheme in ["http", "https", "ftp"]: + for c in denorm_chars: + url = "{}://netloc{}false.netloc/path".format(scheme, c) @@ -80,10 +86,10 @@ index 0552f90..d425b47 100644 class Utility_Tests(unittest.TestCase): """Testcase to test the various utility functions in the urllib.""" diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py -index 01c9e58..6e88195 100644 +index 01c9e58..c449b3c 100644 --- a/Lib/urllib/parse.py +++ b/Lib/urllib/parse.py -@@ -318,6 +318,21 @@ def _splitnetloc(url, start=0): +@@ -318,6 +318,24 @@ def _splitnetloc(url, start=0): delim = min(delim, wdelim) # use earliest delim position return url[start:delim], url[delim:] # return (domain, rest) @@ -93,19 +99,22 @@ index 01c9e58..6e88195 100644 + # looking for characters like \u2100 that expand to 'a/c' + # IDNA uses NFKC equivalence, so normalize for this check + import unicodedata -+ netloc2 = unicodedata.normalize('NFKC', netloc) -+ if netloc == netloc2: ++ n = netloc.rpartition('@')[2] # ignore anything to the left of '@' ++ n = n.replace(':', '') # ignore characters already included ++ n = n.replace('#', '') # but not the surrounding text ++ n = n.replace('?', '') ++ netloc2 = unicodedata.normalize('NFKC', n) ++ if n == netloc2: + return -+ _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay + for c in '/?#@:': + if c in netloc2: -+ raise ValueError("netloc '" + netloc2 + "' contains invalid " + ++ raise ValueError("netloc '" + netloc + "' contains invalid " + + "characters under NFKC normalization") + def urlsplit(url, scheme='', allow_fragments=True): """Parse a URL into 5 components: :///?# -@@ -347,6 +362,7 @@ def urlsplit(url, scheme='', allow_fragments=True): +@@ -347,6 +365,7 @@ def urlsplit(url, scheme='', allow_fragments=True): url, fragment = url.split('#', 1) if '?' in url: url, query = url.split('?', 1) @@ -113,7 +122,7 @@ index 01c9e58..6e88195 100644 v = SplitResult(scheme, netloc, url, query, fragment) _parse_cache[key] = v return _coerce_result(v) -@@ -370,6 +386,7 @@ def urlsplit(url, scheme='', allow_fragments=True): +@@ -370,6 +389,7 @@ def urlsplit(url, scheme='', allow_fragments=True): url, fragment = url.split('#', 1) if '?' in url: url, query = url.split('?', 1) diff --git a/SPECS/python.spec b/SPECS/python.spec index 5386cd5..941b3b2 100644 --- a/SPECS/python.spec +++ b/SPECS/python.spec @@ -146,7 +146,7 @@ Summary: Version 3 of the Python programming language aka Python 3000 Name: %{?scl_prefix}python Version: %{pybasever}.1 -Release: 12%{?dist} +Release: 13%{?dist} License: Python Group: Development/Languages @@ -737,7 +737,7 @@ Patch300: 00300-change-so-version-scl.patch # 00320 # # Security fix for CVE-2019-9636: Information Disclosure due to urlsplit improper NFKC normalization -# FIXED UPSTREAM: https://bugs.python.org/issue36216 +# FIXED UPSTREAM: https://bugs.python.org/issue36216 and and https://bugs.python.org/issue36742 # Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1689322 Patch320: 00320-CVE-2019-9636.patch @@ -2002,6 +2002,10 @@ rm -fr %{buildroot} # ====================================================== %changelog +* Fri May 10 2019 Charalampos Stratakis - 3.5.1-13 +- Updated fix for CVE-2019-9636 +Resolves: rhbz#1709331 + * Tue Apr 09 2019 Tomas Orsava - 3.5.1-12 - Security fix for CVE-2019-9636 Resolves: rhbz#1689319