import python2-2.7.18-10.module+el8.6.0+14191+7fdd52cd

2022-03-29 12:26:11 -04:00 · 2022-03-29 12:26:11 -04:00 · 155e533f82
commit 155e533f82
parent 59097c0a60
5 changed files with 393 additions and 1 deletions
--- a/SOURCES/00366-CVE-2021-3733.patch
+++ b/SOURCES/00366-CVE-2021-3733.patch
@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Tue, 14 Sep 2021 11:34:43 +0200
+Subject: [PATCH] 00366-CVE-2021-3733.patch
+
+00366 #
+CVE-2021-3733: Fix ReDoS in urllib AbstractBasicAuthHandler
+
+Fix Regular Expression Denial of Service (ReDoS) vulnerability in
+urllib2.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
+has quadratic worst-case complexity and it allows cause a denial of
+service when identifying crafted invalid RFCs. This ReDoS issue is on
+the client side and needs remote attackers to control the HTTP server.
+
+Backported from Python 3 together with another backward-compatible
+improvement of the regex from fix for CVE-2020-8492.
+
+Co-authored-by: Yeting Li <liyt@ios.ac.cn>
+---
+ Lib/urllib2.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Lib/urllib2.py b/Lib/urllib2.py
+index fd19e1ae943..e286583ecba 100644
+--- a/Lib/urllib2.py
+++ b/Lib/urllib2.py
+@@ -858,7 +858,7 @@ class AbstractBasicAuthHandler:
+ 
+     # allow for double- and single-quoted realm values
+     # (single quotes are a violation of the RFC, but appear in the wild)
+-    rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
+    rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+'
+                     'realm=(["\']?)([^"\']*)\\2', re.I)
+ 
+     # XXX could pre-emptively send auth info already accepted (RFC 2617,
--- a/SOURCES/00368-CVE-2021-3737.patch
+++ b/SOURCES/00368-CVE-2021-3737.patch
@ -0,0 +1,89 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Fri, 17 Sep 2021 07:56:50 +0200
+Subject: [PATCH] 00368-CVE-2021-3737.patch
+
+00368 #
+CVE-2021-3737: http client infinite line reading (DoS) after a HTTP 100 Continue
+
+Fixes http.client potential denial of service where it could get stuck reading
+lines from a malicious server after a 100 Continue response.
+
+Backported from Python 3.
+
+Co-authored-by: Gregory P. Smith <greg@krypto.org>
+Co-authored-by: Gen Xu <xgbarry@gmail.com>
+---
+ Lib/httplib.py           | 32 +++++++++++++++++++++++---------
+ Lib/test/test_httplib.py |  8 ++++++++
+ 2 files changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/Lib/httplib.py b/Lib/httplib.py
+index a63677477d5..f9a27619e62 100644
+--- a/Lib/httplib.py
+++ b/Lib/httplib.py
+@@ -365,6 +365,25 @@ class HTTPMessage(mimetools.Message):
+                 # It's not a header line; skip it and try the next line.
+                 self.status = 'Non-header line where header expected'
+ 
+
+def _read_headers(fp):
+    """Reads potential header lines into a list from a file pointer.
+    Length of line is limited by _MAXLINE, and number of
+    headers is limited by _MAXHEADERS.
+    """
+    headers = []
+    while True:
+        line = fp.readline(_MAXLINE + 1)
+        if len(line) > _MAXLINE:
+            raise LineTooLong("header line")
+        headers.append(line)
+        if len(headers) > _MAXHEADERS:
+            raise HTTPException("got more than %d headers" % _MAXHEADERS)
+        if line in (b'\r\n', b'\n', b''):
+            break
+    return headers
+
+
+ class HTTPResponse:
+ 
+     # strict: If true, raise BadStatusLine if the status line can't be
+@@ -453,15 +472,10 @@ class HTTPResponse:
+             if status != CONTINUE:
+                 break
+             # skip the header from the 100 response
+-            while True:
+-                skip = self.fp.readline(_MAXLINE + 1)
+-                if len(skip) > _MAXLINE:
+-                    raise LineTooLong("header line")
+-                skip = skip.strip()
+-                if not skip:
+-                    break
+-                if self.debuglevel > 0:
+-                    print "header:", skip
+            skipped_headers = _read_headers(self.fp)
+            if self.debuglevel > 0:
+                print("headers:", skipped_headers)
+            del skipped_headers
+ 
+         self.status = status
+         self.reason = reason.strip()
+diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
+index b5fec9aa1ec..d05c0fc28d2 100644
+--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
+@@ -700,6 +700,14 @@ class BasicTest(TestCase):
+         resp = httplib.HTTPResponse(FakeSocket(body))
+         self.assertRaises(httplib.LineTooLong, resp.begin)
+ 
+    def test_overflowing_header_limit_after_100(self):
+        body = (
+            'HTTP/1.1 100 OK\r\n'
+            'r\n' * 32768
+        )
+        resp = httplib.HTTPResponse(FakeSocket(body))
+        self.assertRaises(httplib.HTTPException, resp.begin)
+
+     def test_overflowing_chunked_line(self):
+         body = (
+             'HTTP/1.1 200 OK\r\n'
--- a/SOURCES/00372-CVE-2021-4189.patch
+++ b/SOURCES/00372-CVE-2021-4189.patch
@ -0,0 +1,80 @@
+diff --git a/Lib/ftplib.py b/Lib/ftplib.py
+index 6644554..0550f0a 100644
+--- a/Lib/ftplib.py
+++ b/Lib/ftplib.py
+@@ -108,6 +108,8 @@ class FTP:
+     file = None
+     welcome = None
+     passiveserver = 1
+    # Disables https://bugs.python.org/issue43285 security if set to True.
+    trust_server_pasv_ipv4_address = False
+ 
+     # Initialization method (called by class instantiation).
+     # Initialize host to localhost, port to standard ftp port
+@@ -310,8 +312,13 @@ class FTP:
+         return sock
+ 
+     def makepasv(self):
+        """Internal: Does the PASV or EPSV handshake -> (address, port)"""
+         if self.af == socket.AF_INET:
+-            host, port = parse227(self.sendcmd('PASV'))
+            untrusted_host, port = parse227(self.sendcmd('PASV'))
+            if self.trust_server_pasv_ipv4_address:
+                host = untrusted_host
+            else:
+                host = self.sock.getpeername()[0]
+         else:
+             host, port = parse229(self.sendcmd('EPSV'), self.sock.getpeername())
+         return host, port
+diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py
+index 8a3eb06..62a3f5e 100644
+--- a/Lib/test/test_ftplib.py
+++ b/Lib/test/test_ftplib.py
+@@ -67,6 +67,10 @@ class DummyFTPHandler(asynchat.async_chat):
+         self.rest = None
+         self.next_retr_data = RETR_DATA
+         self.push('220 welcome')
+        # We use this as the string IPv4 address to direct the client
+        # to in response to a PASV command.  To test security behavior.
+        # https://bugs.python.org/issue43285/.
+        self.fake_pasv_server_ip = '252.253.254.255'
+ 
+     def collect_incoming_data(self, data):
+         self.in_buffer.append(data)
+@@ -109,7 +113,8 @@ class DummyFTPHandler(asynchat.async_chat):
+         sock.bind((self.socket.getsockname()[0], 0))
+         sock.listen(5)
+         sock.settimeout(10)
+-        ip, port = sock.getsockname()[:2]
+        port = sock.getsockname()[1]
+        ip = self.fake_pasv_server_ip
+         ip = ip.replace('.', ',')
+         p1, p2 = divmod(port, 256)
+         self.push('227 entering passive mode (%s,%d,%d)' %(ip, p1, p2))
+@@ -577,6 +582,26 @@ class TestFTPClass(TestCase):
+         # IPv4 is in use, just make sure send_epsv has not been used
+         self.assertEqual(self.server.handler_instance.last_received_cmd, 'pasv')
+ 
+    def test_makepasv_issue43285_security_disabled(self):
+        """Test the opt-in to the old vulnerable behavior."""
+        self.client.trust_server_pasv_ipv4_address = True
+        bad_host, port = self.client.makepasv()
+        self.assertEqual(
+                bad_host, self.server.handler_instance.fake_pasv_server_ip)
+        # Opening and closing a connection keeps the dummy server happy
+        # instead of timing out on accept.
+        socket.create_connection((self.client.sock.getpeername()[0], port),
+                                 timeout=TIMEOUT).close()
+
+    def test_makepasv_issue43285_security_enabled_default(self):
+        self.assertFalse(self.client.trust_server_pasv_ipv4_address)
+        trusted_host, port = self.client.makepasv()
+        self.assertNotEqual(
+                trusted_host, self.server.handler_instance.fake_pasv_server_ip)
+        # Opening and closing a connection keeps the dummy server happy
+        # instead of timing out on accept.
+        socket.create_connection((trusted_host, port), timeout=TIMEOUT).close()
+
+     def test_line_too_long(self):
+         self.assertRaises(ftplib.Error, self.client.sendcmd,
+                           'x' * self.client.maxline * 2)
--- a/SOURCES/00377-CVE-2022-0391.patch
+++ b/SOURCES/00377-CVE-2022-0391.patch
@ -0,0 +1,127 @@
+diff --git a/Doc/library/urlparse.rst b/Doc/library/urlparse.rst
+index 97d1119257c..c08c3dc8e8f 100644
+--- a/Doc/library/urlparse.rst
+++ b/Doc/library/urlparse.rst
+@@ -125,6 +125,9 @@ The :mod:`urlparse` module defines the following functions:
+    decomposed before parsing, or is not a Unicode string, no error will be
+    raised.
+ 
+   Following the `WHATWG spec`_ that updates RFC 3986, ASCII newline
+   ``\n``, ``\r`` and tab ``\t`` characters are stripped from the URL.
+
+    .. versionchanged:: 2.5
+       Added attributes to return value.
+ 
+@@ -321,6 +324,10 @@ The :mod:`urlparse` module defines the following functions:
+ 
+ .. seealso::
+ 
+   `WHATWG`_ -  URL Living standard
+      Working Group for the URL Standard that defines URLs, domains, IP addresses, the
+      application/x-www-form-urlencoded format, and their API.
+
+    :rfc:`3986` - Uniform Resource Identifiers
+       This is the current standard (STD66). Any changes to urlparse module
+       should conform to this. Certain deviations could be observed, which are
+@@ -345,6 +352,7 @@ The :mod:`urlparse` module defines the following functions:
+    :rfc:`1738` - Uniform Resource Locators (URL)
+       This specifies the formal syntax and semantics of absolute URLs.
+ 
+.. _WHATWG: https://url.spec.whatwg.org/
+ 
+ .. _urlparse-result-object:
+ 
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 21875bb2991..16eefed56f6 100644
+--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
+@@ -618,6 +618,55 @@ class UrlParseTestCase(unittest.TestCase):
+         self.assertEqual(p1.path, '863-1234')
+         self.assertEqual(p1.params, 'phone-context=+1-914-555')
+ 
+    def test_urlsplit_remove_unsafe_bytes(self):
+        # Remove ASCII tabs and newlines from input, for http common case scenario.
+        url = "h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
+        p = urlparse.urlsplit(url)
+        self.assertEqual(p.scheme, "http")
+        self.assertEqual(p.netloc, "www.python.org")
+        self.assertEqual(p.path, "/javascript:alert('msg')/")
+        self.assertEqual(p.query, "query=something")
+        self.assertEqual(p.fragment, "fragment")
+        self.assertEqual(p.username, None)
+        self.assertEqual(p.password, None)
+        self.assertEqual(p.hostname, "www.python.org")
+        self.assertEqual(p.port, None)
+        self.assertEqual(p.geturl(), "http://www.python.org/javascript:alert('msg')/?query=something#fragment")
+
+        # Remove ASCII tabs and newlines from input as bytes, for http common case scenario.
+        url = b"h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
+        p = urlparse.urlsplit(url)
+        self.assertEqual(p.scheme, b"http")
+        self.assertEqual(p.netloc, b"www.python.org")
+        self.assertEqual(p.path, b"/javascript:alert('msg')/")
+        self.assertEqual(p.query, b"query=something")
+        self.assertEqual(p.fragment, b"fragment")
+        self.assertEqual(p.username, None)
+        self.assertEqual(p.password, None)
+        self.assertEqual(p.hostname, b"www.python.org")
+        self.assertEqual(p.port, None)
+        self.assertEqual(p.geturl(), b"http://www.python.org/javascript:alert('msg')/?query=something#fragment")
+
+        # any scheme
+        url = "x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
+        p = urlparse.urlsplit(url)
+        self.assertEqual(p.geturl(), "x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment")
+
+        # Remove ASCII tabs and newlines from input as bytes, any scheme.
+        url = b"x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
+        p = urlparse.urlsplit(url)
+        self.assertEqual(p.geturl(), b"x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment")
+
+        # Unsafe bytes is not returned from urlparse cache.
+        # scheme is stored after parsing, sending an scheme with unsafe bytes *will not* return an unsafe scheme
+        url = "https://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
+        scheme = "htt\nps"
+        for _ in range(2):
+            p = urlparse.urlsplit(url, scheme=scheme)
+            self.assertEqual(p.scheme, "https")
+            self.assertEqual(p.geturl(), "https://www.python.org/javascript:alert('msg')/?query=something#fragment")
+
+
+ 
+     def test_attributes_bad_port(self):
+         """Check handling of non-integer ports."""
+diff --git a/Lib/urlparse.py b/Lib/urlparse.py
+index 69504d8fd93..6cc40a8d2fb 100644
+--- a/Lib/urlparse.py
+++ b/Lib/urlparse.py
+@@ -63,6 +63,9 @@ scheme_chars = ('abcdefghijklmnopqrstuvwxyz'
+                 '0123456789'
+                 '+-.')
+ 
+# Unsafe bytes to be removed per WHATWG spec
+_UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r', '\n']
+
+ MAX_CACHE_SIZE = 20
+ _parse_cache = {}
+ 
+@@ -185,12 +188,19 @@ def _checknetloc(netloc):
+                              "under NFKC normalization"
+                              % netloc)
+ 
+def _remove_unsafe_bytes_from_url(url):
+    for b in _UNSAFE_URL_BYTES_TO_REMOVE:
+        url = url.replace(b, "")
+    return url
+
+ def urlsplit(url, scheme='', allow_fragments=True):
+     """Parse a URL into 5 components:
+     <scheme>://<netloc>/<path>?<query>#<fragment>
+     Return a 5-tuple: (scheme, netloc, path, query, fragment).
+     Note that we don't break the components up in smaller bits
+     (e.g. netloc is a single string) and we don't expand % escapes."""
+    url = _remove_unsafe_bytes_from_url(url)
+    scheme = _remove_unsafe_bytes_from_url(scheme)
+     allow_fragments = bool(allow_fragments)
+     key = url, scheme, allow_fragments, type(url), type(scheme)
+     cached = _parse_cache.get(key, None)
--- a/SPECS/python2.spec
+++ b/SPECS/python2.spec
@ -104,7 +104,7 @@ Summary: An interpreted, interactive, object-oriented programming language
 Name: %{python}
 # Remember to also rebase python2-docs when changing this:
 Version: 2.7.18
-Release: 7%{?dist}
+Release: 10%{?dist}
 License: Python
 Group: Development/Languages
 Requires: %{python}-libs%{?_isa} = %{version}-%{release}
@ -729,6 +729,51 @@ Patch357: 00357-CVE-2021-3177.patch
 # Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1928904
 Patch359: 00359-CVE-2021-23336.patch

+# 00366 # e76b05ea3313854adf80e290c07d5b38fef606bb
+# CVE-2021-3733: Fix ReDoS in urllib AbstractBasicAuthHandler
+#
+# Fix Regular Expression Denial of Service (ReDoS) vulnerability in
+# urllib2.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
+# has quadratic worst-case complexity and it allows cause a denial of
+# service when identifying crafted invalid RFCs. This ReDoS issue is on
+# the client side and needs remote attackers to control the HTTP server.
+#
+# Backported from Python 3 together with another backward-compatible
+# improvement of the regex from fix for CVE-2020-8492.
+#
+# Upstream: https://bugs.python.org/issue43075
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1995234
+Patch366: 00366-CVE-2021-3733.patch
+
+# 00368 # 10dcf6732fb101ce89ad506a89365c6b1ff8c4e4
+# CVE-2021-3737: http client infinite line reading (DoS) after a HTTP 100 Continue
+#
+# Fixes http.client potential denial of service where it could get stuck reading
+# lines from a malicious server after a 100 Continue response.
+#
+# Backported from Python 3.
+#
+# Upstream: https://bugs.python.org/issue44022
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1995162
+Patch368: 00368-CVE-2021-3737.patch
+
+# 00372 #
+# CVE-2021-4189: ftplib should not use the host from the PASV response
+# Upstream: https://bugs.python.org/issue43285
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2036020
+Patch372: 00372-CVE-2021-4189.patch
+
+# 00377 #
+# CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs
+#
+# ASCII newline and tab characters are stripped from the URL.
+#
+# Backported from Python 3.
+#
+# Upstream: https://bugs.python.org/issue43882
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2047376
+Patch377: 00377-CVE-2022-0391.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python2" and "python3" in Fedora, EL, etc.,
@ -1056,6 +1101,10 @@ git apply %{PATCH351}
 %patch355 -p1
 %patch357 -p1
 %patch359 -p1
+%patch366 -p1
+%patch368 -p1
+%patch372 -p1
+%patch377 -p1

 # This shouldn't be necesarry, but is right now (2.2a3)
 find -name "*~" |xargs rm -f
@ -1994,6 +2043,18 @@ fi
 # ======================================================

 %changelog
+* Tue Feb 08 2022 Charalampos Stratakis <cstratak@redhat.com> - 2.7.18-10
+- Security fix for CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs
+Resolves: rhbz#2047376
+
+* Wed Jan 12 2022 Charalampos Stratakis <cstratak@redhat.com> - 2.7.18-9
+- Security fix for CVE-2021-4189: ftplib should not use the host from the PASV response
+Resolves: rhbz#2036020
+
+* Tue Sep 21 2021 Lumír Balhar <lbalhar@redhat.com> - 2.7.18-8
+- Security fixes for CVE-2021-3737 and CVE-2021-3733
+Resolves: rhbz#1995162 and rhbz#1995234
+
 * Thu Aug 05 2021 Tomas Orsava <torsava@redhat.com> - 2.7.18-7
 - Adjusted the postun scriptlets to enable upgrading to RHEL 9
 - Resolves: rhbz#1933055