From c475ff8902ff263225da81cea505045cb36c7c23 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Wed, 6 Oct 2021 00:23:22 -0400
Subject: [PATCH] import python-urllib3-1.25.7-5.module+el8.5.0+11639+ea5b349d

---
 SOURCES/CVE-2021-33503.patch | 64 ++++++++++++++++++++++++++++++++++++
 SPECS/python-urllib3.spec | 29 +++++++++++++++-
 2 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/CVE-2021-33503.patch

diff --git a/SOURCES/CVE-2021-33503.patch b/SOURCES/CVE-2021-33503.patch
new file mode 100644
index 0000000..9139be3
--- /dev/null
+++ b/SOURCES/CVE-2021-33503.patch
@@ -0,0 +1,64 @@
+From d5e3238b87fc557600618f18179e821a4a1c7577 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar
+Date: Tue, 29 Jun 2021 16:03:37 +0200
+Subject: [PATCH] CVE-2021-33503
+
+---
+ src/urllib3/util/url.py | 8 +++++---
+ test/test_util.py | 10 ++++++++++
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
+index 8ef5a23..7fb2650 100644
+--- a/src/urllib3/util/url.py
++++ b/src/urllib3/util/url.py
+@@ -63,12 +63,12 @@ IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$")
+ BRACELESS_IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT[2:-2] + "$")
+ ZONE_ID_RE = re.compile("(" + ZONE_ID_PAT + r")\]$")
+
+-SUBAUTHORITY_PAT = (u"^(?:(.*)@)?(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
++_HOST_PORT_PAT = ("^(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
+ REG_NAME_PAT,
+ IPV4_PAT,
+ IPV6_ADDRZ_PAT,
+ )
+-SUBAUTHORITY_RE = re.compile(SUBAUTHORITY_PAT, re.UNICODE | re.DOTALL)
++_HOST_PORT_RE = re.compile(_HOST_PORT_PAT, re.UNICODE | re.DOTALL)
+
+ UNRESERVED_CHARS = set(
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-~"
+@@ -365,7 +365,9 @@ def parse_url(url):
+ scheme = scheme.lower()
+
+ if authority:
+- auth, host, port = SUBAUTHORITY_RE.match(authority).groups()
++ auth, _, host_port = authority.rpartition("@")
++ auth = auth or None
++ host, port = _HOST_PORT_RE.match(host_port).groups()
+ if auth and normalize_uri:
+ auth = _encode_invalid_chars(auth, USERINFO_CHARS)
+ if port == "":
+diff --git a/test/test_util.py b/test/test_util.py
+index 42c3882..04c90b0 100644
+--- a/test/test_util.py
++++ b/test/test_util.py
+@@ -425,6 +425,16 @@ class TestUtil(object):
+ query="%0D%0ASET%20test%20failure12%0D%0A:8080/test/?test=a",
+ ),
+ ),
++ # Tons of '@' causing backtracking
++ ("https://" + ("@" * 10000) + "[", False),
++ (
++ "https://user:" + ("@" * 10000) + "example.com",
++ Url(
++ scheme="https",
++ auth="user:" + ("%40" * 9999),
++ host="example.com",
++ ),
++ ),
+ ]
+
+ @pytest.mark.parametrize("url, expected_url", url_vulnerabilities)
+--
+2.31.1
+
diff --git a/SPECS/python-urllib3.spec b/SPECS/python-urllib3.spec
index 3208f29..5a3e314 100644
--- a/SPECS/python-urllib3.spec
+++ b/SPECS/python-urllib3.spec
@@ -5,7 +5,7 @@ Name: python-%{srcname}
 Version: 1.25.7
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Python HTTP library with thread-safe connection pooling and file post
 License: MIT
@@ -13,6 +13,10 @@ URL: https://github.com/urllib3/urllib3
 Source0: %{url}/archive/%{version}/%{srcname}-%{version}.tar.gz
 # Unbundle ssl_match_hostname since we depend on it
 Source1: ssl_match_hostname_py3.py
+# CVE-2021-33503 Catastrophic backtracking in URL authority parser
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1968074
+# Upstream fix: https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec
+Patch0: CVE-2021-33503.patch
 BuildArch: noarch
 # Exclude i686 arch. Due to a modularity issue it's being added to the
 # x86_64 compose of CRB, but we don't want to ship it at all.
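Review bot: On the new side of the url.py hunk, `host, port = _HOST_PORT_RE.match(host_port).groups()` calls `.groups()` on whatever `match()` returns, so an authority whose host part does not match the pattern (the added test `("https://" + ("@" * 10000) + "[", False)` presumably expects exactly such input to be rejected) fails with an AttributeError on None rather than a deliberate parse error, and whether that AttributeError is turned into a LocationParseError by parse_url's surrounding try/except cannot be confirmed here because the rest of parse_url is outside this hunk. Making the rejection explicit, e.g. `match = _HOST_PORT_RE.match(host_port)` followed by `if match is None: raise LocationParseError(url)` before unpacking `match.groups()`, keeps the behaviour independent of which exceptions the caller happens to catch. Note also that `auth = auth or None` now yields `None` for an empty userinfo such as `@example.com`, where the old `(?:(.*)@)?` group produced `""`; this is a small visible change in Url.auth that neither the nested patch description nor the spec changelog mentions.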
@@ -50,6 +54,24 @@ Python3 HTTP module with connection pooling and file POST abilities.
 %prep
 %autosetup -p1 -n %{srcname}-%{version}
+# Make sure that the RECENT_DATE value doesn't get too far behind what the current date is.
+# RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date
+# (from test/test_connection.py) would fail. However, it shouldn't be to close to the build time either,
+# since a user's system time could be set to a little in the past from what build time is (because of timezones,
+# corner cases, etc). As stated in the comment in src/urllib3/connection.py:
+# When updating RECENT_DATE, move it to within two years of the current date,
+# and not less than 6 months ago.
+# Example: if Today is 2018-01-01, then RECENT_DATE should be any date on or
+# after 2016-01-01 (today - 2 years) AND before 2017-07-01 (today - 6 months)
+# There is also a test_ssl_wrong_system_time test (from test/with_dummyserver/test_https.py) that tests if
+# user's system time isn't set as too far in the past, because it could lead to SSL verification errors.
+# That is why we need RECENT_DATE to be set at most 2 years ago (or else test_ssl_wrong_system_time would
+# result in false positive), but before at least 6 month ago (so this test could tolerate user's system time being
+# set to some time in the past, but not to far away from the present).
+# Next few lines update RECENT_DATE dynamically.
+recent_date=$(date --date "7 month ago" +"%Y, %_m, %_d")
+sed -i "s/^RECENT_DATE = datetime.date(.*)/RECENT_DATE = datetime.date($recent_date)/" src/urllib3/connection.py
+
 # Drop the dummyserver tests in koji. They fail there in real builds, but not
 # in scratch builds (weird).
 rm -rf test/with_dummyserver/
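Review bot: The `%Y`, `%_m` and `%_d` in the new `recent_date=$(date --date "7 month ago" +"%Y, %_m, %_d")` line live in the %prep section of a spec file, where `%name` sequences are candidates for RPM macro expansion before the shell ever sees them; the line works only as long as no macro of those names is defined, so writing them as `%%Y, %%_m, %%_d` makes that explicit and robust. The `sed -i` on the following line is silent when its pattern finds nothing, so a future rebase that changes the shape of the RECENT_DATE assignment would leave the stale date in place and the test failures the comment block describes would come back without an obvious cause; adding `grep -q "^RECENT_DATE = datetime.date($recent_date)$" src/urllib3/connection.py` after the sed turns that into a build-time error. The comment block also carries a few typos (`older that`, `to close`, `not to far`) that are cheap to fix while these lines are being added.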
@@ -100,6 +122,11 @@ popd
 %changelog
+* Tue Jun 29 2021 Lumír Balhar - 1.25.7-5
+- Fix for CVE-2021-33503 Catastrophic backtracking in URL authority parser
+Resolves: rhbz#1968074
+- Update RECENT_DATE dynamically
+
 * Fri Dec 13 2019 Tomas Orsava - 1.25.7-4
+- Exclude unsupported i686 arch