From 1ef302b0c577c4ac4c5d94cc120e6442d19d2093 Mon Sep 17 00:00:00 2001 From: James Antill Date: Mon, 8 Aug 2022 14:02:55 -0400 Subject: [PATCH] Import rpm: f4a8dde4dc7d391cb3ee1902ff409fb145cb1c6d --- .fmf/version | 1 + .gitignore | 1 + CVE-2021-33503.patch | 64 +++++++ gating.yaml | 6 + plans.fmf | 4 + python-urllib3.spec | 368 ++++++++++++++++++++++++++++++++++++++ sources | 1 + ssl_match_hostname_py3.py | 1 + tests/super_smoke.fmf | 5 + 9 files changed, 451 insertions(+) create mode 100644 .fmf/version create mode 100644 .gitignore create mode 100644 CVE-2021-33503.patch create mode 100644 gating.yaml create mode 100644 plans.fmf create mode 100644 python-urllib3.spec create mode 100644 sources create mode 100644 ssl_match_hostname_py3.py create mode 100644 tests/super_smoke.fmf diff --git a/.fmf/version b/.fmf/version new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/.fmf/version @@ -0,0 +1 @@ +1 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..b5d0828 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/urllib3-1.25.7.tar.gz diff --git a/CVE-2021-33503.patch b/CVE-2021-33503.patch new file mode 100644 index 0000000..9139be3 --- /dev/null +++ b/CVE-2021-33503.patch @@ -0,0 +1,64 @@ +From d5e3238b87fc557600618f18179e821a4a1c7577 Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Tue, 29 Jun 2021 16:03:37 +0200 +Subject: [PATCH] CVE-2021-33503 + +--- + src/urllib3/util/url.py | 8 +++++--- + test/test_util.py | 10 ++++++++++ + 2 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py +index 8ef5a23..7fb2650 100644 +--- a/src/urllib3/util/url.py ++++ b/src/urllib3/util/url.py +@@ -63,12 +63,12 @@ IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$") + BRACELESS_IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT[2:-2] + "$") + ZONE_ID_RE = re.compile("(" + ZONE_ID_PAT + r")\]$") + +-SUBAUTHORITY_PAT = (u"^(?:(.*)@)?(%s|%s|%s)(?::([0-9]{0,5}))?$") % ( ++_HOST_PORT_PAT = ("^(%s|%s|%s)(?::([0-9]{0,5}))?$") % ( + REG_NAME_PAT, + IPV4_PAT, + IPV6_ADDRZ_PAT, + ) +-SUBAUTHORITY_RE = re.compile(SUBAUTHORITY_PAT, re.UNICODE | re.DOTALL) ++_HOST_PORT_RE = re.compile(_HOST_PORT_PAT, re.UNICODE | re.DOTALL) + + UNRESERVED_CHARS = set( + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-~" +@@ -365,7 +365,9 @@ def parse_url(url): + scheme = scheme.lower() + + if authority: +- auth, host, port = SUBAUTHORITY_RE.match(authority).groups() ++ auth, _, host_port = authority.rpartition("@") ++ auth = auth or None ++ host, port = _HOST_PORT_RE.match(host_port).groups() + if auth and normalize_uri: + auth = _encode_invalid_chars(auth, USERINFO_CHARS) + if port == "": +diff --git a/test/test_util.py b/test/test_util.py +index 42c3882..04c90b0 100644 +--- a/test/test_util.py ++++ b/test/test_util.py +@@ -425,6 +425,16 @@ class TestUtil(object): + query="%0D%0ASET%20test%20failure12%0D%0A:8080/test/?test=a", + ), + ), ++ # Tons of '@' causing backtracking ++ ("https://" + ("@" * 10000) + "[", False), ++ ( ++ "https://user:" + ("@" * 10000) + "example.com", ++ Url( ++ scheme="https", ++ auth="user:" + ("%40" * 9999), ++ host="example.com", ++ ), ++ ), + ] + + @pytest.mark.parametrize("url, expected_url", url_vulnerabilities) +-- +2.31.1 + diff --git a/gating.yaml b/gating.yaml new file mode 100644 index 0000000..648918d --- /dev/null +++ b/gating.yaml @@ -0,0 +1,6 @@ +--- !Policy +product_versions: + - rhel-9 +decision_context: osci_compose_gate +rules: + - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional} diff --git a/plans.fmf b/plans.fmf new file mode 100644 index 0000000..e6427de --- /dev/null +++ b/plans.fmf @@ -0,0 +1,4 @@ +discover: + how: fmf +execute: + how: tmt diff --git a/python-urllib3.spec b/python-urllib3.spec new file mode 100644 index 0000000..5a3e314 --- /dev/null +++ b/python-urllib3.spec @@ -0,0 +1,368 @@ +%global srcname urllib3 + +# When bootstrapping Python, we cannot test this yet +%bcond_with tests + +Name: python-%{srcname} +Version: 1.25.7 +Release: 5%{?dist} +Summary: Python HTTP library with thread-safe connection pooling and file post + +License: MIT +URL: https://github.com/urllib3/urllib3 +Source0: %{url}/archive/%{version}/%{srcname}-%{version}.tar.gz +# Unbundle ssl_match_hostname since we depend on it +Source1: ssl_match_hostname_py3.py +# CVE-2021-33503 Catastrophic backtracking in URL authority parser +# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1968074 +# Upstream fix: https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec +Patch0: CVE-2021-33503.patch +BuildArch: noarch +# Exclude i686 arch. Due to a modularity issue it's being added to the +# x86_64 compose of CRB, but we don't want to ship it at all. +# See: https://projects.engineering.redhat.com/browse/RCM-72605 +ExcludeArch: i686 + +%description +Python HTTP module with connection pooling and file POST abilities. + +%package -n python%{python3_pkgversion}-%{srcname} +Summary: Python3 HTTP library with thread-safe connection pooling and file post + +BuildRequires: python%{python3_pkgversion}-devel +BuildRequires: python%{python3_pkgversion}-setuptools +BuildRequires: python%{python3_pkgversion}-rpm-macros +%if %{with tests} +BuildRequires: python%{python3_pkgversion}-nose +BuildRequires: python%{python3_pkgversion}-mock +BuildRequires: python%{python3_pkgversion}-six +BuildRequires: python%{python3_pkgversion}-pysocks +BuildRequires: python%{python3_pkgversion}-pytest +BuildRequires: python%{python3_pkgversion}-tornado +BuildRequires: python%{python3_pkgversion}-trustme +BuildRequires: python%{python3_pkgversion}-idna +%endif + +Requires: ca-certificates +Requires: python%{python3_pkgversion}-idna +Requires: python%{python3_pkgversion}-six +Requires: python%{python3_pkgversion}-pysocks + +%description -n python%{python3_pkgversion}-%{srcname} +Python3 HTTP module with connection pooling and file POST abilities. + + +%prep +%autosetup -p1 -n %{srcname}-%{version} +# Make sure that the RECENT_DATE value doesn't get too far behind what the current date is. +# RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date +# (from test/test_connection.py) would fail. However, it shouldn't be to close to the build time either, +# since a user's system time could be set to a little in the past from what build time is (because of timezones, +# corner cases, etc). As stated in the comment in src/urllib3/connection.py: +# When updating RECENT_DATE, move it to within two years of the current date, +# and not less than 6 months ago. +# Example: if Today is 2018-01-01, then RECENT_DATE should be any date on or +# after 2016-01-01 (today - 2 years) AND before 2017-07-01 (today - 6 months) +# There is also a test_ssl_wrong_system_time test (from test/with_dummyserver/test_https.py) that tests if +# user's system time isn't set as too far in the past, because it could lead to SSL verification errors. +# That is why we need RECENT_DATE to be set at most 2 years ago (or else test_ssl_wrong_system_time would +# result in false positive), but before at least 6 month ago (so this test could tolerate user's system time being +# set to some time in the past, but not to far away from the present). +# Next few lines update RECENT_DATE dynamically. +recent_date=$(date --date "7 month ago" +"%Y, %_m, %_d") +sed -i "s/^RECENT_DATE = datetime.date(.*)/RECENT_DATE = datetime.date($recent_date)/" src/urllib3/connection.py + +# Drop the dummyserver tests in koji. They fail there in real builds, but not +# in scratch builds (weird). +rm -rf test/with_dummyserver/ +# Don't run the Google App Engine tests +rm -rf test/appengine/ +# Lots of these tests started failing, even for old versions, so it has something +# to do with Fedora in particular. They don't fail in upstream build infrastructure +rm -rf test/contrib/ + +# Tests for Python built without SSL, but Fedora builds with SSL. These tests +# fail when combined with the unbundling of backports-ssl_match_hostname +rm -f test/test_no_ssl.py + +%build +%py3_build + + +%install +%py3_install + +# Unbundle the Python 3 build +rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/six.py* +rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/six* +rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/ssl_match_hostname/ + +mkdir -p %{buildroot}/%{python3_sitelib}/urllib3/packages/ +cp -a %{SOURCE1} %{buildroot}/%{python3_sitelib}/urllib3/packages/ssl_match_hostname.py +ln -s %{python3_sitelib}/six.py %{buildroot}/%{python3_sitelib}/urllib3/packages/six.py +ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.opt-1.pyc \ + %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/ +ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.pyc \ + %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/ + + +%if %{with tests} +%check +pushd test +PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pytest -v +popd +%endif + + +%files -n python%{python3_pkgversion}-%{srcname} +%license LICENSE.txt +%doc CHANGES.rst README.rst CONTRIBUTORS.txt +%{python3_sitelib}/urllib3/ +%{python3_sitelib}/urllib3-*.egg-info/ + + +%changelog +* Tue Jun 29 2021 Lumír Balhar - 1.25.7-5 +- Fix for CVE-2021-33503 Catastrophic backtracking in URL authority parser +Resolves: rhbz#1968074 +- Update RECENT_DATE dynamically + +* Fri Dec 13 2019 Tomas Orsava - 1.25.7-4 +- Exclude unsupported i686 arch + +* Wed Nov 20 2019 Lumír Balhar - 1.25.7-3 +- Adjusted for Python 3.8 module in RHEL 8 + +* Mon Nov 18 2019 Miro Hrončok - 1.25.7-2 +- Subpackage python2-urllib3 has been removed + See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal + +* Tue Oct 15 2019 Jeremy Cline - 1.25.6-1 +- Update to v1.25.6 + +* Thu Oct 03 2019 Miro Hrončok - 1.25.3-7 +- Rebuilt for Python 3.8.0rc1 (#1748018) + +* Sun Aug 18 2019 Miro Hrončok - 1.25.3-6 +- Rebuilt for Python 3.8 + +* Thu Aug 15 2019 Miro Hrončok - 1.25.3-5 +- Bootstrap for Python 3.8 + +* Fri Jul 26 2019 Fedora Release Engineering - 1.25.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Mon Jul 08 2019 Miro Hrončok - 1.25.3-3 +- Set RECENT_DATE not to be older than 2 years (#1727796) + +* Tue May 28 2019 Jeremy Cline - 1.25.3-2 +- Drop the Python 2 tests since Tornado is going away + +* Tue May 28 2019 Jeremy Cline - 1.25.3-1 +- Update to 1.25.3 + +* Sat Feb 02 2019 Fedora Release Engineering - 1.24.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Tue Nov 13 2018 Jeremy Cline - 1.24.1-2 +- Adjust unbundling of ssl_match_hostname + +* Mon Oct 29 2018 Jeremy Cline - 1.24.1-1 +- Update to v1.24.1 + +* Wed Jun 20 2018 Lumír Balhar - 1.23-4 +- Removed unneeded dependency python[23]-psutil + +* Mon Jun 18 2018 Miro Hrončok - 1.23-3 +- Rebuilt for Python 3.7 + +* Thu Jun 14 2018 Miro Hrončok - 1.23-2 +- Bootstrap for Python 3.7 + +* Tue Jun 05 2018 Jeremy Cline - 1.23-1 +- Update to the latest upstream release (rhbz 1586072) + +* Wed May 30 2018 Jeremy Cline - 1.22-10 +- Backport patch to support Python 3.7 (rhbz 1584112) + +* Thu May 03 2018 Lukas Slebodnik - 1.22-9 +- Do not lowercase hostnames with custom-protocol (rhbz 1567862) +- upstream: https://github.com/urllib3/urllib3/issues/1267 + +* Wed Apr 18 2018 Jeremy Cline - 1.22-8 +- Drop the dependency on idna and cryptography (rhbz 1567862) + +* Mon Apr 16 2018 Jeremy Cline - 1.22-7 +- Drop the dependency on PyOpenSSL, it's not needed (rhbz 1567862) + +* Fri Feb 09 2018 Fedora Release Engineering - 1.22-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Jan 31 2018 Iryna Shcherbina - 1.22-5 +- Update Python 2 dependency declarations to new packaging standards + (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) + +* Thu Jan 25 2018 Tomas Hoger - 1.22-4 +- Fix FTBFS - Move RECENT_DATE to 2017-06-30 + +* Fri Dec 01 2017 Jeremy Cline - 1.22-3 +- Symlink the Python 3 bytecode for six (rbhz 1519147) + +* Thu Jul 27 2017 Fedora Release Engineering - 1.22-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Jul 21 2017 Jeremy Cline - 1.22-1 +- Update to 1.22 (#1473293) + +* Wed May 17 2017 Jeremy Cline - 1.21.1-1 +- Update to 1.21.1 (#1445280) + +* Thu Feb 09 2017 Jeremy Cline - 1.20-1 +- Update to 1.20 (#1414775) + +* Tue Dec 13 2016 Stratakis Charalampos - 1.19.1-2 +- Rebuild for Python 3.6 + +* Thu Nov 17 2016 Jeremy Cline 1.19.1-1 +- Update to 1.19.1 +- Clean up the specfile to only support Fedora 26 + +* Wed Aug 10 2016 Kevin Fenzi - 1.16-3 +- Rebuild now that python-requests is ready to update. + +* Tue Jul 19 2016 Fedora Release Engineering - 1.16-2 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + +* Wed Jun 15 2016 Kevin Fenzi - 1.16-1 +- Update to 1.16 + +* Thu Jun 02 2016 Ralph Bean - 1.15.1-3 +- Create python2 subpackage to comply with guidelines. + +* Wed Jun 01 2016 Ralph Bean - 1.15.1-2 +- Remove broken symlinks to unbundled python3-six files + https://bugzilla.redhat.com/show_bug.cgi?id=1295015 + +* Fri Apr 29 2016 Ralph Bean - 1.15.1-1 +- Removed patch for ipv6 support, now applied upstream. +- Latest version. +- New dep on pysocks. + +* Fri Feb 26 2016 Ralph Bean - 1.13.1-3 +- Apply patch from upstream to fix ipv6. + +* Thu Feb 04 2016 Fedora Release Engineering - 1.13.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Mon Dec 21 2015 Ralph Bean - 1.13.1-1 +- new version + +* Fri Dec 18 2015 Ralph Bean - 1.13-1 +- new version + +* Mon Dec 14 2015 Ralph Bean - 1.12-1 +- new version + +* Thu Oct 15 2015 Robert Kuska - 1.10.4-7 +- Rebuilt for Python3.5 rebuild + +* Sat Oct 10 2015 Ralph Bean - 1.10.4-6 +- Sync from PyPI instead of a git checkout. + +* Tue Sep 08 2015 Ralph Bean - 1.10.4-5.20150503gita91975b +- Drop requirement on python-backports-ssl_match_hostname on F22 and newer. + +* Thu Jun 18 2015 Fedora Release Engineering - 1.10.4-4.20150503gita91975b +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Jun 08 2015 Ralph Bean - 1.10.4-3.20150503gita91975b +- Apply pyopenssl injection for an outdated cpython as per upstream advice + https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning + https://urllib3.readthedocs.org/en/latest/security.html#pyopenssl + +* Tue May 19 2015 Ralph Bean - 1.10.4-2.20150503gita91975b +- Specify symlinks for six.py{c,o}, fixing rhbz #1222142. + +* Sun May 03 2015 Ralph Bean - 1.10.4-1.20150503gita91975b +- Latest release for python-requests-2.7.0 + +* Wed Apr 29 2015 Ralph Bean - 1.10.3-2.20150429git585983a +- Grab a git snapshot to get around this chunked encoding failure. + +* Wed Apr 22 2015 Ralph Bean - 1.10.3-1 +- new version + +* Thu Feb 26 2015 Ralph Bean - 1.10.2-1 +- new version + +* Wed Feb 18 2015 Ralph Bean - 1.10.1-1 +- new version + +* Wed Feb 18 2015 Ralph Bean - 1.10.1-1 +- new version + +* Mon Jan 05 2015 Ralph Bean - 1.10-2 +- Copy in a shim for ssl_match_hostname on python3. + +* Sun Dec 14 2014 Ralph Bean - 1.10-1 +- Latest upstream 1.10, for python-requests-2.5.0. +- Re-do unbundling without patch, with symlinks. +- Modernize python2 macros. +- Remove the with_dummyserver tests which fail only sometimes. + +* Wed Nov 05 2014 Ralph Bean - 1.9.1-1 +- Latest upstream, 1.9.1 for latest python-requests. + +* Mon Aug 4 2014 Tom Callaway - 1.8.2-4 +- fix license handling + +* Sun Jun 08 2014 Fedora Release Engineering - 1.8.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed May 14 2014 Bohuslav Kabrda - 1.8.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4 + +* Mon Apr 21 2014 Arun S A G - 1.8.2-1 +- Update to latest upstream version + +* Mon Oct 28 2013 Ralph Bean - 1.7.1-2 +- Update patch to find ca_certs in the correct location. + +* Wed Sep 25 2013 Ralph Bean - 1.7.1-1 +- Latest upstream with support for a new timeout class and py3.4. + +* Wed Aug 28 2013 Ralph Bean - 1.7-3 +- Bump release again, just to push an unpaired update. + +* Mon Aug 26 2013 Ralph Bean - 1.7-2 +- Bump release to pair an update with python-requests. + +* Thu Aug 22 2013 Ralph Bean - 1.7-1 +- Update to latest upstream. +- Removed the accept-header proxy patch which is included in upstream now. +- Removed py2.6 compat patch which is included in upstream now. + +* Sun Aug 04 2013 Fedora Release Engineering - 1.5-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue Jun 11 2013 Toshio Kuratomi - 1.5-6 +- Fix Requires of python-ordereddict to only apply to RHEL + +* Fri Mar 1 2013 Toshio Kuratomi - 1.5-5 +- Unbundling finished! + +* Fri Mar 01 2013 Ralph Bean - 1.5-4 +- Upstream patch to fix Accept header when behind a proxy. +- Reorganize patch numbers to more clearly distinguish them. + +* Wed Feb 27 2013 Ralph Bean - 1.5-3 +- Renamed patches to python-urllib3-* +- Fixed ssl check patch to use the correct cert path for Fedora. +- Included dependency on ca-certificates +- Cosmetic indentation changes to the .spec file. + +* Tue Feb 5 2013 Toshio Kuratomi - 1.5-2 +- python3-tornado BR and run all unittests on python3 + +* Mon Feb 04 2013 Toshio Kuratomi 1.5-1 +- Initial fedora build. diff --git a/sources b/sources new file mode 100644 index 0000000..1363f2b --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA1 (urllib3-1.25.7.tar.gz) = e47468a95c66d5eed276facc776027b86b390dcf diff --git a/ssl_match_hostname_py3.py b/ssl_match_hostname_py3.py new file mode 100644 index 0000000..99d425a --- /dev/null +++ b/ssl_match_hostname_py3.py @@ -0,0 +1 @@ +from ssl import match_hostname, CertificateError diff --git a/tests/super_smoke.fmf b/tests/super_smoke.fmf new file mode 100644 index 0000000..6207261 --- /dev/null +++ b/tests/super_smoke.fmf @@ -0,0 +1,5 @@ +test: python3 -c 'import urllib3' +framework: shell +require: +- python3 +- python3-urllib3