diff --git a/.gitignore b/.gitignore index 2576193..075b3f2 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/Python-2.7.17-noexe.tar.xz +SOURCES/Python-2.7.18-noexe.tar.xz diff --git a/.python2.metadata b/.python2.metadata index dd6dfd3..5e6f432 100644 --- a/.python2.metadata +++ b/.python2.metadata @@ -1 +1 @@ -e63124a9a86b4b52c09384915a0842adf00b9d45 SOURCES/Python-2.7.17-noexe.tar.xz +ce5e27d588d635469bdec487c4b1def2ffa84ba2 SOURCES/Python-2.7.18-noexe.tar.xz diff --git a/SOURCES/00354-cve-2020-26116-http-request-method-crlf-injection-in-httplib.patch b/SOURCES/00354-cve-2020-26116-http-request-method-crlf-injection-in-httplib.patch new file mode 100644 index 0000000..239c9cb --- /dev/null +++ b/SOURCES/00354-cve-2020-26116-http-request-method-crlf-injection-in-httplib.patch @@ -0,0 +1,88 @@ +diff --git a/Lib/httplib.py b/Lib/httplib.py +index fcc4152..a636774 100644 +--- a/Lib/httplib.py ++++ b/Lib/httplib.py +@@ -257,6 +257,10 @@ _contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f-\xff]') + # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$") + # We are more lenient for assumed real world compatibility purposes. + ++# These characters are not allowed within HTTP method names ++# to prevent http header injection. ++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]') ++ + # We always set the Content-Length header for these methods because some + # servers will otherwise respond with a 411 + _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} +@@ -935,6 +939,8 @@ class HTTPConnection: + else: + raise CannotSendRequest() + ++ self._validate_method(method) ++ + # Save the method for use later in the response phase + self._method = method + +@@ -1020,6 +1026,16 @@ class HTTPConnection: + # On Python 2, request is already encoded (default) + return request + ++ def _validate_method(self, method): ++ """Validate a method name for putrequest.""" ++ # prevent http header injection ++ match = _contains_disallowed_method_pchar_re.search(method) ++ if match: ++ raise ValueError( ++ "method can't contain control characters. %r " ++ "(found at least %r)" ++ % (method, match.group())) ++ + def _validate_path(self, url): + """Validate a url for putrequest.""" + # Prevent CVE-2019-9740. +diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py +index d8a57f7..96a61dd 100644 +--- a/Lib/test/test_httplib.py ++++ b/Lib/test/test_httplib.py +@@ -385,6 +385,29 @@ class HeaderTests(TestCase): + conn.putheader(name, value) + + ++class HttpMethodTests(TestCase): ++ def test_invalid_method_names(self): ++ methods = ( ++ 'GET\r', ++ 'POST\n', ++ 'PUT\n\r', ++ 'POST\nValue', ++ 'POST\nHOST:abc', ++ 'GET\nrHost:abc\n', ++ 'POST\rRemainder:\r', ++ 'GET\rHOST:\n', ++ '\nPUT' ++ ) ++ ++ for method in methods: ++ with self.assertRaisesRegexp( ++ ValueError, "method can't contain control characters"): ++ conn = httplib.HTTPConnection('example.com') ++ conn.sock = FakeSocket(None) ++ conn.request(method=method, url="/") ++ ++ ++ + class BasicTest(TestCase): + def test_status_lines(self): + # Test HTTP status lines +@@ -1009,9 +1032,9 @@ class TunnelTests(TestCase): + + @test_support.reap_threads + def test_main(verbose=None): +- test_support.run_unittest(HeaderTests, OfflineTest, BasicTest, TimeoutTest, +- HTTPTest, HTTPSTest, SourceAddressTest, +- TunnelTests) ++ test_support.run_unittest(HeaderTests, OfflineTest, HttpMethodTests, ++ BasicTest, TimeoutTest, HTTPTest, HTTPSTest, ++ SourceAddressTest, TunnelTests) + + if __name__ == '__main__': + test_main() diff --git a/SOURCES/00357-CVE-2021-3177.patch b/SOURCES/00357-CVE-2021-3177.patch new file mode 100644 index 0000000..c4e2b9a --- /dev/null +++ b/SOURCES/00357-CVE-2021-3177.patch @@ -0,0 +1,181 @@ +commit 30e41798f40c684be57d7ccfebf5c6ad94c0ff97 +Author: Petr Viktorin +Date: Wed Jan 20 15:21:43 2021 +0100 + + CVE-2021-3177: Replace snprintf with Python unicode formatting in ctypes param reprs + + Backport of Python3 commit 916610ef90a0d0761f08747f7b0905541f0977c7: + https://bugs.python.org/issue42938 + https://github.com/python/cpython/pull/24239 + +diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py +index 23c1b6e2259..77300d71ae1 100644 +--- a/Lib/ctypes/test/test_parameters.py ++++ b/Lib/ctypes/test/test_parameters.py +@@ -206,6 +206,49 @@ class SimpleTypesTestCase(unittest.TestCase): + with self.assertRaises(ZeroDivisionError): + WorseStruct().__setstate__({}, b'foo') + ++ def test_parameter_repr(self): ++ from ctypes import ( ++ c_bool, ++ c_char, ++ c_wchar, ++ c_byte, ++ c_ubyte, ++ c_short, ++ c_ushort, ++ c_int, ++ c_uint, ++ c_long, ++ c_ulong, ++ c_longlong, ++ c_ulonglong, ++ c_float, ++ c_double, ++ c_longdouble, ++ c_char_p, ++ c_wchar_p, ++ c_void_p, ++ ) ++ self.assertRegexpMatches(repr(c_bool.from_param(True)), r"^$") ++ self.assertEqual(repr(c_char.from_param('a')), "") ++ self.assertRegexpMatches(repr(c_wchar.from_param('a')), r"^$") ++ self.assertEqual(repr(c_byte.from_param(98)), "") ++ self.assertEqual(repr(c_ubyte.from_param(98)), "") ++ self.assertEqual(repr(c_short.from_param(511)), "") ++ self.assertEqual(repr(c_ushort.from_param(511)), "") ++ self.assertRegexpMatches(repr(c_int.from_param(20000)), r"^$") ++ self.assertRegexpMatches(repr(c_uint.from_param(20000)), r"^$") ++ self.assertRegexpMatches(repr(c_long.from_param(20000)), r"^$") ++ self.assertRegexpMatches(repr(c_ulong.from_param(20000)), r"^$") ++ self.assertRegexpMatches(repr(c_longlong.from_param(20000)), r"^$") ++ self.assertRegexpMatches(repr(c_ulonglong.from_param(20000)), r"^$") ++ self.assertEqual(repr(c_float.from_param(1.5)), "") ++ self.assertEqual(repr(c_double.from_param(1.5)), "") ++ self.assertEqual(repr(c_double.from_param(1e300)), "") ++ self.assertRegexpMatches(repr(c_longdouble.from_param(1.5)), r"^$") ++ self.assertRegexpMatches(repr(c_char_p.from_param(b'hihi')), "^$") ++ self.assertRegexpMatches(repr(c_wchar_p.from_param('hihi')), "^$") ++ self.assertRegexpMatches(repr(c_void_p.from_param(0x12)), r"^$") ++ + ################################################################ + + if __name__ == '__main__': +diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +new file mode 100644 +index 00000000000..7df65a156fe +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +@@ -0,0 +1,2 @@ ++Avoid static buffers when computing the repr of :class:`ctypes.c_double` and ++:class:`ctypes.c_longdouble` values. +diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c +index 066fefc0cca..5cc3c4cf685 100644 +--- a/Modules/_ctypes/callproc.c ++++ b/Modules/_ctypes/callproc.c +@@ -460,50 +460,62 @@ PyCArg_dealloc(PyCArgObject *self) + static PyObject * + PyCArg_repr(PyCArgObject *self) + { +- char buffer[256]; + switch(self->tag) { + case 'b': + case 'B': +- sprintf(buffer, "", ++ return PyString_FromFormat("", + self->tag, self->value.b); +- break; + case 'h': + case 'H': +- sprintf(buffer, "", ++ return PyString_FromFormat("", + self->tag, self->value.h); +- break; + case 'i': + case 'I': +- sprintf(buffer, "", ++ return PyString_FromFormat("", + self->tag, self->value.i); +- break; + case 'l': + case 'L': +- sprintf(buffer, "", ++ return PyString_FromFormat("", + self->tag, self->value.l); +- break; + + #ifdef HAVE_LONG_LONG + case 'q': + case 'Q': +- sprintf(buffer, +- "", ++ return PyString_FromFormat("", + self->tag, self->value.q); +- break; + #endif + case 'd': +- sprintf(buffer, "", +- self->tag, self->value.d); +- break; +- case 'f': +- sprintf(buffer, "", +- self->tag, self->value.f); +- break; +- ++ case 'f': { ++ PyObject *s = PyString_FromFormat("tag); ++ if (s == NULL) { ++ return NULL; ++ } ++ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d); ++ if (f == NULL) { ++ Py_DECREF(s); ++ return NULL; ++ } ++ PyObject *r = PyObject_Repr(f); ++ Py_DECREF(f); ++ if (r == NULL) { ++ Py_DECREF(s); ++ return NULL; ++ } ++ PyString_ConcatAndDel(&s, r); ++ if (s == NULL) { ++ return NULL; ++ } ++ r = PyString_FromString(")>"); ++ if (r == NULL) { ++ Py_DECREF(s); ++ return NULL; ++ } ++ PyString_ConcatAndDel(&s, r); ++ return s; ++ } + case 'c': +- sprintf(buffer, "", ++ return PyString_FromFormat("", + self->tag, self->value.c); +- break; + + /* Hm, are these 'z' and 'Z' codes useful at all? + Shouldn't they be replaced by the functionality of c_string +@@ -512,16 +524,13 @@ PyCArg_repr(PyCArgObject *self) + case 'z': + case 'Z': + case 'P': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.p); +- break; + + default: +- sprintf(buffer, "", +- self->tag, self); +- break; ++ return PyString_FromFormat("", ++ (unsigned char)self->tag, (void *)self); + } +- return PyString_FromString(buffer); + } + + static PyMemberDef PyCArgType_members[] = { diff --git a/SPECS/python2.spec b/SPECS/python2.spec index 3a81aac..72b2dd3 100644 --- a/SPECS/python2.spec +++ b/SPECS/python2.spec @@ -103,8 +103,8 @@ Summary: An interpreted, interactive, object-oriented programming language Name: %{python} # Remember to also rebase python2-docs when changing this: -Version: 2.7.17 -Release: 2%{?dist} +Version: 2.7.18 +Release: 4%{?dist} License: Python Group: Development/Languages Requires: %{python}-libs%{?_isa} = %{version}-%{release} @@ -173,9 +173,9 @@ BuildRequires: python2-pip-wheel %endif # Runtime require alternatives -Requires: %{_sbindir}/alternatives -Requires(post): %{_sbindir}/alternatives -Requires(postun): %{_sbindir}/alternatives +Requires: /usr/sbin/alternatives +Requires(post): /usr/sbin/alternatives +Requires(postun): /usr/sbin/alternatives # Previously, this was required for our rewheel patch to work. # This is technically no longer needed, but we keep it recommended @@ -702,6 +702,20 @@ Patch289: 00289-disable-nis-detection.patch # See: https://bugs.python.org/issue39017 Patch351: 00351-cve-2019-20907-fix-infinite-loop-in-tarfile.patch +# 00354 # +# Reject control chars in HTTP method in httplib.putrequest to prevent +# HTTP header injection +# +# Backported from Python 3.5-3.10 (and adjusted for py2's single-module httplib): +# - https://bugs.python.org/issue39603 +Patch354: 00354-cve-2020-26116-http-request-method-crlf-injection-in-httplib.patch + +# 00357 # +# Security fix for CVE-2021-3177 +# Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c +# Backported from the upstream python3 branches: https://bugs.python.org/issue42938 +Patch357: 00357-CVE-2021-3177.patch + # (New patches go here ^^^) # # When adding new patches to "python2" and "python3" in Fedora, EL, etc., @@ -800,7 +814,16 @@ Requires: python3-rpm-generators # installed when -devel is required. # See https://bugzilla.redhat.com/show_bug.cgi?id=1623922 # See https://fedoraproject.org/wiki/Packaging:Directory_Replacement +# +# This is not necessary when rebuilding when we're bundling the python2 stack +# into a Flatpak containe with prefix=/app, because we never upgrade packages +# in the Flatpak context. We want to avoid +# python2-setuptools => BuildRequires => python2-devel => Requires python2-setuptools +# since the old python2-setuptools will be the /usr version not the /app version. + +%if !0%{?flatpak} Requires: python2-setuptools +%endif # https://bugzilla.redhat.com/show_bug.cgi?id=1217376 # https://bugzilla.redhat.com/show_bug.cgi?id=1496757 @@ -1016,6 +1039,9 @@ rm Lib/ensurepip/_bundled/*.whl # Patch 351 adds binary file for testing. We need to apply it using Git. git apply %{PATCH351} +%patch354 -p1 +%patch357 -p1 + # This shouldn't be necesarry, but is right now (2.2a3) find -name "*~" |xargs rm -f @@ -1209,7 +1235,7 @@ make install DESTDIR=%{buildroot} # but doing so generated noise when ldconfig was rerun (rhbz:562980) # %if 0%{?with_gdb_hooks} -DirHoldingGdbPy=%{_prefix}/lib/debug/%{_libdir} +DirHoldingGdbPy=%{_usr}/lib/debug/%{_libdir} PathOfGdbPy=$DirHoldingGdbPy/$PyInstSoName-%{version}-%{release}.%{_arch}.debug-gdb.py mkdir -p %{buildroot}$DirHoldingGdbPy @@ -1581,10 +1607,10 @@ fi %{_bindir}/pydoc2* %{_bindir}/%{python} %{_bindir}/python%{pybasever} -%{_mandir}/man1/python2.1.gz -%{_mandir}/man1/python2.7.1.gz +%{_mandir}/man1/python2.1* +%{_mandir}/man1/python2.7.1* %ghost %{_bindir}/unversioned-python -%ghost %{_mandir}/man1/python.1.gz +%ghost %{_mandir}/man1/python.1* %files libs @@ -1953,6 +1979,22 @@ fi # ====================================================== %changelog +* Fri Jan 22 2021 Charalampos Stratakis - 2.7.18-4 +- Security fix for CVE-2021-3177 +Resolves: rhbz#1919163 + +* Wed Jan 13 2021 Charalampos Stratakis - 2.7.18-3 +- Fixes for bundling prefix=/app build in gimp/inkscape containers +Resolves: rhbz#1907592 + +* Fri Oct 09 2020 Charalampos Stratakis - 2.7.18-2 +- Security fix for CVE-2020-26116: Reject control chars in HTTP method in httplib.putrequest +Resolves: rhbz#1883258 + +* Fri Oct 09 2020 Charalampos Stratakis - 2.7.18-1 +- Update to 2.7.18 +Resolves: rhbz#1886754 + * Mon Aug 17 2020 Tomas Orsava - 2.7.17-2 - Avoid infinite loop when reading specially crafted TAR files (CVE-2019-20907) Resolves: rhbz#1856481