From 8842e62e533d8a0dfcbbfd73a0f7fc4d9f78b991 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Wed, 22 Sep 2021 11:26:23 +0000 Subject: [PATCH] import python2-2.7.18-8.module+el8.6.0+12703+136ebe63 --- SOURCES/00366-CVE-2021-3733.patch | 35 ++++++++++++ SOURCES/00368-CVE-2021-3737.patch | 89 +++++++++++++++++++++++++++++++ SPECS/python2.spec | 36 ++++++++++++- 3 files changed, 159 insertions(+), 1 deletion(-) create mode 100644 SOURCES/00366-CVE-2021-3733.patch create mode 100644 SOURCES/00368-CVE-2021-3737.patch diff --git a/SOURCES/00366-CVE-2021-3733.patch b/SOURCES/00366-CVE-2021-3733.patch new file mode 100644 index 0000000..beffdf0 --- /dev/null +++ b/SOURCES/00366-CVE-2021-3733.patch @@ -0,0 +1,35 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Tue, 14 Sep 2021 11:34:43 +0200 +Subject: [PATCH] 00366-CVE-2021-3733.patch + +00366 # +CVE-2021-3733: Fix ReDoS in urllib AbstractBasicAuthHandler + +Fix Regular Expression Denial of Service (ReDoS) vulnerability in +urllib2.AbstractBasicAuthHandler. The ReDoS-vulnerable regex +has quadratic worst-case complexity and it allows cause a denial of +service when identifying crafted invalid RFCs. This ReDoS issue is on +the client side and needs remote attackers to control the HTTP server. + +Backported from Python 3 together with another backward-compatible +improvement of the regex from fix for CVE-2020-8492. + +Co-authored-by: Yeting Li +--- + Lib/urllib2.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Lib/urllib2.py b/Lib/urllib2.py +index fd19e1ae943..e286583ecba 100644 +--- a/Lib/urllib2.py ++++ b/Lib/urllib2.py +@@ -858,7 +858,7 @@ class AbstractBasicAuthHandler: + + # allow for double- and single-quoted realm values + # (single quotes are a violation of the RFC, but appear in the wild) +- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+' ++ rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+' + 'realm=(["\']?)([^"\']*)\\2', re.I) + + # XXX could pre-emptively send auth info already accepted (RFC 2617, diff --git a/SOURCES/00368-CVE-2021-3737.patch b/SOURCES/00368-CVE-2021-3737.patch new file mode 100644 index 0000000..667c049 --- /dev/null +++ b/SOURCES/00368-CVE-2021-3737.patch @@ -0,0 +1,89 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Fri, 17 Sep 2021 07:56:50 +0200 +Subject: [PATCH] 00368-CVE-2021-3737.patch + +00368 # +CVE-2021-3737: http client infinite line reading (DoS) after a HTTP 100 Continue + +Fixes http.client potential denial of service where it could get stuck reading +lines from a malicious server after a 100 Continue response. + +Backported from Python 3. + +Co-authored-by: Gregory P. Smith +Co-authored-by: Gen Xu +--- + Lib/httplib.py | 32 +++++++++++++++++++++++--------- + Lib/test/test_httplib.py | 8 ++++++++ + 2 files changed, 31 insertions(+), 9 deletions(-) + +diff --git a/Lib/httplib.py b/Lib/httplib.py +index a63677477d5..f9a27619e62 100644 +--- a/Lib/httplib.py ++++ b/Lib/httplib.py +@@ -365,6 +365,25 @@ class HTTPMessage(mimetools.Message): + # It's not a header line; skip it and try the next line. + self.status = 'Non-header line where header expected' + ++ ++def _read_headers(fp): ++ """Reads potential header lines into a list from a file pointer. ++ Length of line is limited by _MAXLINE, and number of ++ headers is limited by _MAXHEADERS. ++ """ ++ headers = [] ++ while True: ++ line = fp.readline(_MAXLINE + 1) ++ if len(line) > _MAXLINE: ++ raise LineTooLong("header line") ++ headers.append(line) ++ if len(headers) > _MAXHEADERS: ++ raise HTTPException("got more than %d headers" % _MAXHEADERS) ++ if line in (b'\r\n', b'\n', b''): ++ break ++ return headers ++ ++ + class HTTPResponse: + + # strict: If true, raise BadStatusLine if the status line can't be +@@ -453,15 +472,10 @@ class HTTPResponse: + if status != CONTINUE: + break + # skip the header from the 100 response +- while True: +- skip = self.fp.readline(_MAXLINE + 1) +- if len(skip) > _MAXLINE: +- raise LineTooLong("header line") +- skip = skip.strip() +- if not skip: +- break +- if self.debuglevel > 0: +- print "header:", skip ++ skipped_headers = _read_headers(self.fp) ++ if self.debuglevel > 0: ++ print("headers:", skipped_headers) ++ del skipped_headers + + self.status = status + self.reason = reason.strip() +diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py +index b5fec9aa1ec..d05c0fc28d2 100644 +--- a/Lib/test/test_httplib.py ++++ b/Lib/test/test_httplib.py +@@ -700,6 +700,14 @@ class BasicTest(TestCase): + resp = httplib.HTTPResponse(FakeSocket(body)) + self.assertRaises(httplib.LineTooLong, resp.begin) + ++ def test_overflowing_header_limit_after_100(self): ++ body = ( ++ 'HTTP/1.1 100 OK\r\n' ++ 'r\n' * 32768 ++ ) ++ resp = httplib.HTTPResponse(FakeSocket(body)) ++ self.assertRaises(httplib.HTTPException, resp.begin) ++ + def test_overflowing_chunked_line(self): + body = ( + 'HTTP/1.1 200 OK\r\n' diff --git a/SPECS/python2.spec b/SPECS/python2.spec index a5728fb..cd23de7 100644 --- a/SPECS/python2.spec +++ b/SPECS/python2.spec @@ -104,7 +104,7 @@ Summary: An interpreted, interactive, object-oriented programming language Name: %{python} # Remember to also rebase python2-docs when changing this: Version: 2.7.18 -Release: 7%{?dist} +Release: 8%{?dist} License: Python Group: Development/Languages Requires: %{python}-libs%{?_isa} = %{version}-%{release} @@ -729,6 +729,34 @@ Patch357: 00357-CVE-2021-3177.patch # Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1928904 Patch359: 00359-CVE-2021-23336.patch +# 00366 # e76b05ea3313854adf80e290c07d5b38fef606bb +# CVE-2021-3733: Fix ReDoS in urllib AbstractBasicAuthHandler +# +# Fix Regular Expression Denial of Service (ReDoS) vulnerability in +# urllib2.AbstractBasicAuthHandler. The ReDoS-vulnerable regex +# has quadratic worst-case complexity and it allows cause a denial of +# service when identifying crafted invalid RFCs. This ReDoS issue is on +# the client side and needs remote attackers to control the HTTP server. +# +# Backported from Python 3 together with another backward-compatible +# improvement of the regex from fix for CVE-2020-8492. +# +# Upstream: https://bugs.python.org/issue43075 +# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1995234 +Patch366: 00366-CVE-2021-3733.patch + +# 00368 # 10dcf6732fb101ce89ad506a89365c6b1ff8c4e4 +# CVE-2021-3737: http client infinite line reading (DoS) after a HTTP 100 Continue +# +# Fixes http.client potential denial of service where it could get stuck reading +# lines from a malicious server after a 100 Continue response. +# +# Backported from Python 3. +# +# Upstream: https://bugs.python.org/issue44022 +# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1995162 +Patch368: 00368-CVE-2021-3737.patch + # (New patches go here ^^^) # # When adding new patches to "python2" and "python3" in Fedora, EL, etc., @@ -1056,6 +1084,8 @@ git apply %{PATCH351} %patch355 -p1 %patch357 -p1 %patch359 -p1 +%patch366 -p1 +%patch368 -p1 # This shouldn't be necesarry, but is right now (2.2a3) find -name "*~" |xargs rm -f @@ -1994,6 +2024,10 @@ fi # ====================================================== %changelog +* Tue Sep 21 2021 Lumír Balhar - 2.7.18-8 +- Security fixes for CVE-2021-3737 and CVE-2021-3733 +Resolves: rhbz#1995162 and rhbz#1995234 + * Thu Aug 05 2021 Tomas Orsava - 2.7.18-7 - Adjusted the postun scriptlets to enable upgrading to RHEL 9 - Resolves: rhbz#1933055