Replace whole repo with latest content from branch stream-2.7-rhel-8.8.0

Content corresponds with RHEL dist-git commit 55ee5eb
This commit is contained in:
Honza Horak 2023-05-15 20:09:03 +02:00
parent 0c8e7804e0
commit cc1cc6b2d0
5 changed files with 1458 additions and 3 deletions

3
.gitignore vendored
View File

@ -1,2 +1 @@
SOURCES/Python-2.7.18-noexe.tar.xz /*.tar.*
/Python-2.7.18-noexe.tar.xz

View File

@ -0,0 +1,41 @@
diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
--- a/Lib/multiprocessing/connection.py
+++ b/Lib/multiprocessing/connection.py
@@ -41,6 +41,10 @@
# A very generous timeout when it comes to local connections...
CONNECTION_TIMEOUT = 20.
+# The hmac module implicitly defaults to using MD5.
+# Support using a stronger algorithm for the challenge/response code:
+HMAC_DIGEST_NAME='sha256'
+
_mmap_counter = itertools.count()
default_family = 'AF_INET'
@@ -700,12 +704,16 @@
WELCOME = b'#WELCOME#'
FAILURE = b'#FAILURE#'
+def get_digestmod_for_hmac():
+ import hashlib
+ return getattr(hashlib, HMAC_DIGEST_NAME)
+
def deliver_challenge(connection, authkey):
import hmac
assert isinstance(authkey, bytes)
message = os.urandom(MESSAGE_LENGTH)
connection.send_bytes(CHALLENGE + message)
- digest = hmac.new(authkey, message).digest()
+ digest = hmac.new(authkey, message, get_digestmod_for_hmac()).digest()
response = connection.recv_bytes(256) # reject large message
if response == digest:
connection.send_bytes(WELCOME)
@@ -719,7 +727,7 @@
message = connection.recv_bytes(256) # reject large message
assert message[:len(CHALLENGE)] == CHALLENGE, 'message = %r' % message
message = message[len(CHALLENGE):]
- digest = hmac.new(authkey, message).digest()
+ digest = hmac.new(authkey, message, get_digestmod_for_hmac()).digest()
connection.send_bytes(digest)
response = connection.recv_bytes(256) # reject large message
if response != WELCOME:

View File

@ -96,3 +96,23 @@ index 00000000000..5185fac2e29
+length hostname involving bidirectional characters were decoded. Some protocols +length hostname involving bidirectional characters were decoded. Some protocols
+such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker +such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker
+to supply such a name. +to supply such a name.
diff -urNp a/Lib/encodings/idna.py b/Lib/encodings/idna.py
--- a/Lib/encodings/idna.py 2023-02-16 08:58:06.884171667 +0100
+++ b/Lib/encodings/idna.py 2023-02-16 08:59:31.931296399 +0100
@@ -101,6 +101,16 @@ def ToASCII(label):
raise UnicodeError("label empty or too long")
def ToUnicode(label):
+ if len(label) > 1024:
+ # Protection from https://github.com/python/cpython/issues/98433.
+ # https://datatracker.ietf.org/doc/html/rfc5894#section-6
+ # doesn't specify a label size limit prior to NAMEPREP. But having
+ # one makes practical sense.
+ # This leaves ample room for nameprep() to remove Nothing characters
+ # per https://www.rfc-editor.org/rfc/rfc3454#section-3.1 while still
+ # preventing us from wasting time decoding a big thing that'll just
+ # hit the actual <= 63 length limit in Step 6.
+ raise UnicodeError("label way too long")
# Step 1: Check for ASCII
if isinstance(label, str):
pure_ascii = True

1392
python-gdb.py Normal file

File diff suppressed because it is too large Load Diff

View File

@ -104,7 +104,7 @@ Summary: An interpreted, interactive, object-oriented programming language
Name: %{python} Name: %{python}
# Remember to also rebase python2-docs when changing this: # Remember to also rebase python2-docs when changing this:
Version: 2.7.18 Version: 2.7.18
Release: 12%{?dist} Release: 13%{?dist}
License: Python License: Python
Group: Development/Languages Group: Development/Languages
Requires: %{python}-libs%{?_isa} = %{version}-%{release} Requires: %{python}-libs%{?_isa} = %{version}-%{release}
@ -2089,6 +2089,9 @@ fi
# ====================================================== # ======================================================
%changelog %changelog
* Thu Feb 16 2023 Josef Ridky <jridky@redhat.com> - 2.7.18-13
- Add missing part of fix for CVE-2022-45061 (#2145071)
* Wed Dec 21 2022 Charalampos Stratakis <cstratak@redhat.com> - 2.7.18-12 * Wed Dec 21 2022 Charalampos Stratakis <cstratak@redhat.com> - 2.7.18-12
- Security fix for CVE-2022-45061: CPU denial of service via inefficient IDNA decoder - Security fix for CVE-2022-45061: CPU denial of service via inefficient IDNA decoder
Resolves: rhbz#2144072 Resolves: rhbz#2144072