import python2-2.7.18-8.module+el8.6.0+12703+136ebe63

2021-09-22 11:26:23 +00:00 · 2021-09-22 11:26:23 +00:00 · 8842e62e53
commit 8842e62e53
parent 85f83730ed
3 changed files with 159 additions and 1 deletions
--- a/SOURCES/00366-CVE-2021-3733.patch
+++ b/SOURCES/00366-CVE-2021-3733.patch
@ -0,0 +1,35 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Tue, 14 Sep 2021 11:34:43 +0200
 Subject: [PATCH] 00366-CVE-2021-3733.patch
 00366 #
 CVE-2021-3733: Fix ReDoS in urllib AbstractBasicAuthHandler
 Fix Regular Expression Denial of Service (ReDoS) vulnerability in
 urllib2.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
 has quadratic worst-case complexity and it allows cause a denial of
 service when identifying crafted invalid RFCs. This ReDoS issue is on
 the client side and needs remote attackers to control the HTTP server.
 Backported from Python 3 together with another backward-compatible
 improvement of the regex from fix for CVE-2020-8492.
 Co-authored-by: Yeting Li <liyt@ios.ac.cn>
 ---
 Lib/urllib2.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/Lib/urllib2.py b/Lib/urllib2.py
 index fd19e1ae943..e286583ecba 100644
 --- a/Lib/urllib2.py
 +++ b/Lib/urllib2.py
@@ -858,7 +858,7 @@ class AbstractBasicAuthHandler:
     # allow for double- and single-quoted realm values
     # (single quotes are a violation of the RFC, but appear in the wild)
 -    rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
 +    rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t,]+)[ \t]+'
                     'realm=(["\']?)([^"\']*)\\2', re.I)
     # XXX could pre-emptively send auth info already accepted (RFC 2617,
--- a/SOURCES/00368-CVE-2021-3737.patch
+++ b/SOURCES/00368-CVE-2021-3737.patch
@ -0,0 +1,89 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Fri, 17 Sep 2021 07:56:50 +0200
 Subject: [PATCH] 00368-CVE-2021-3737.patch
 00368 #
 CVE-2021-3737: http client infinite line reading (DoS) after a HTTP 100 Continue
 Fixes http.client potential denial of service where it could get stuck reading
 lines from a malicious server after a 100 Continue response.
 Backported from Python 3.
 Co-authored-by: Gregory P. Smith <greg@krypto.org>
 Co-authored-by: Gen Xu <xgbarry@gmail.com>
 ---
 Lib/httplib.py           | 32 +++++++++++++++++++++++---------
 Lib/test/test_httplib.py |  8 ++++++++
 2 files changed, 31 insertions(+), 9 deletions(-)
 diff --git a/Lib/httplib.py b/Lib/httplib.py
 index a63677477d5..f9a27619e62 100644
 --- a/Lib/httplib.py
 +++ b/Lib/httplib.py
@@ -365,6 +365,25 @@ class HTTPMessage(mimetools.Message):
                 # It's not a header line; skip it and try the next line.
                 self.status = 'Non-header line where header expected'
 +
 +def _read_headers(fp):
 +    """Reads potential header lines into a list from a file pointer.
 +    Length of line is limited by _MAXLINE, and number of
 +    headers is limited by _MAXHEADERS.
 +    """
 +    headers = []
 +    while True:
 +        line = fp.readline(_MAXLINE + 1)
 +        if len(line) > _MAXLINE:
 +            raise LineTooLong("header line")
 +        headers.append(line)
 +        if len(headers) > _MAXHEADERS:
 +            raise HTTPException("got more than %d headers" % _MAXHEADERS)
 +        if line in (b'\r\n', b'\n', b''):
 +            break
 +    return headers
 +
 +
 class HTTPResponse:
     # strict: If true, raise BadStatusLine if the status line can't be
@@ -453,15 +472,10 @@ class HTTPResponse:
             if status != CONTINUE:
                 break
             # skip the header from the 100 response
 -            while True:
 -                skip = self.fp.readline(_MAXLINE + 1)
 -                if len(skip) > _MAXLINE:
 -                    raise LineTooLong("header line")
 -                skip = skip.strip()
 -                if not skip:
 -                    break
 -                if self.debuglevel > 0:
 -                    print "header:", skip
 +            skipped_headers = _read_headers(self.fp)
 +            if self.debuglevel > 0:
 +                print("headers:", skipped_headers)
 +            del skipped_headers
         self.status = status
         self.reason = reason.strip()
 diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
 index b5fec9aa1ec..d05c0fc28d2 100644
 --- a/Lib/test/test_httplib.py
 +++ b/Lib/test/test_httplib.py
@@ -700,6 +700,14 @@ class BasicTest(TestCase):
         resp = httplib.HTTPResponse(FakeSocket(body))
         self.assertRaises(httplib.LineTooLong, resp.begin)
 +    def test_overflowing_header_limit_after_100(self):
 +        body = (
 +            'HTTP/1.1 100 OK\r\n'
 +            'r\n' * 32768
 +        )
 +        resp = httplib.HTTPResponse(FakeSocket(body))
 +        self.assertRaises(httplib.HTTPException, resp.begin)
 +
     def test_overflowing_chunked_line(self):
         body = (
             'HTTP/1.1 200 OK\r\n'
--- a/SPECS/python2.spec
+++ b/SPECS/python2.spec
@ -104,7 +104,7 @@ Summary: An interpreted, interactive, object-oriented programming language
 Name: %{python}
 # Remember to also rebase python2-docs when changing this:
 Version: 2.7.18
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: Python
 Group: Development/Languages
 Requires: %{python}-libs%{?_isa} = %{version}-%{release}
@ -729,6 +729,34 @@ Patch357: 00357-CVE-2021-3177.patch
 # Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1928904
 Patch359: 00359-CVE-2021-23336.patch
 # 00366 # e76b05ea3313854adf80e290c07d5b38fef606bb
 # CVE-2021-3733: Fix ReDoS in urllib AbstractBasicAuthHandler
 #
 # Fix Regular Expression Denial of Service (ReDoS) vulnerability in
 # urllib2.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
 # has quadratic worst-case complexity and it allows cause a denial of
 # service when identifying crafted invalid RFCs. This ReDoS issue is on
 # the client side and needs remote attackers to control the HTTP server.
 #
 # Backported from Python 3 together with another backward-compatible
 # improvement of the regex from fix for CVE-2020-8492.
 #
 # Upstream: https://bugs.python.org/issue43075
 # Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1995234
 Patch366: 00366-CVE-2021-3733.patch
 # 00368 # 10dcf6732fb101ce89ad506a89365c6b1ff8c4e4
 # CVE-2021-3737: http client infinite line reading (DoS) after a HTTP 100 Continue
 #
 # Fixes http.client potential denial of service where it could get stuck reading
 # lines from a malicious server after a 100 Continue response.
 #
 # Backported from Python 3.
 #
 # Upstream: https://bugs.python.org/issue44022
 # Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1995162
 Patch368: 00368-CVE-2021-3737.patch
 # (New patches go here ^^^)
 #
 # When adding new patches to "python2" and "python3" in Fedora, EL, etc.,
@ -1056,6 +1084,8 @@ git apply %{PATCH351}
 %patch355 -p1
 %patch357 -p1
 %patch359 -p1
 %patch366 -p1
 %patch368 -p1
 # This shouldn't be necesarry, but is right now (2.2a3)
 find -name "*~" |xargs rm -f
@ -1994,6 +2024,10 @@ fi
 # ======================================================
 %changelog
 * Tue Sep 21 2021 Lumír Balhar <lbalhar@redhat.com> - 2.7.18-8
 - Security fixes for CVE-2021-3737 and CVE-2021-3733
 Resolves: rhbz#1995162 and rhbz#1995234
 * Thu Aug 05 2021 Tomas Orsava <torsava@redhat.com> - 2.7.18-7
 - Adjusted the postun scriptlets to enable upgrading to RHEL 9
 - Resolves: rhbz#1933055