Fix for CVE-2022-48565

Resolves: RHEL-7088
2023-10-06 12:54:52 +02:00 · 2023-10-06 12:54:52 +02:00 · cec2df2191
commit cec2df2191
parent 68ad882ccc
2 changed files with 111 additions and 1 deletions
--- a/00406-cve-2022-48565.patch
+++ b/00406-cve-2022-48565.patch
@ -0,0 +1,98 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ned Deily <nad@python.org>
+Date: Fri, 6 Oct 2023 12:23:43 +0200
+Subject: [PATCH] 00406-cve-2022-48565.patch
+
+Reject XML entity declarations in plist files
+CVE-2022-48565: XML External Entity in XML processing plistlib module
+Backported from https://github.com/python/cpython/commit/a158fb9c5138
+Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-48565
+
+Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
+Co-authored-by: Lumir Balhar <lbalhar@redhat.com>
+---
+ Lib/plistlib.py                                | 12 ++++++++++++
+ Lib/test/test_plistlib.py                      | 18 ++++++++++++++++++
+ .../2020-10-19-10-56-27.bpo-42051.EU_B7u.rst   |  3 +++
+ 3 files changed, 33 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst
+
+diff --git a/Lib/plistlib.py b/Lib/plistlib.py
+index 42897b8da8b..73fca1d4714 100644
+--- a/Lib/plistlib.py
+++ b/Lib/plistlib.py
+@@ -390,6 +390,11 @@ class Data:
+         return "%s(%s)" % (self.__class__.__name__, repr(self.data))
+ 
+ 
+class InvalidFileException (ValueError):
+    def __init__(self, message="Invalid file"):
+        ValueError.__init__(self, message)
+
+
+ class PlistParser:
+ 
+     def __init__(self):
+@@ -403,9 +408,16 @@ class PlistParser:
+         parser.StartElementHandler = self.handleBeginElement
+         parser.EndElementHandler = self.handleEndElement
+         parser.CharacterDataHandler = self.handleData
+        parser.EntityDeclHandler = self.handle_entity_decl
+         parser.ParseFile(fileobj)
+         return self.root
+ 
+    def handle_entity_decl(self, entity_name, is_parameter_entity, value, base, system_id, public_id, notation_name):
+        # Reject plist files with entity declarations to avoid XML vulnerabilies in expat.
+        # Regular plist files don't contain those declerations, and Apple's plutil tool does not
+        # accept them either.
+        raise InvalidFileException("XML entity declarations are not supported in plist files")
+
+     def handleBeginElement(self, element, attrs):
+         self.data = []
+         handler = getattr(self, "begin_" + element, None)
+diff --git a/Lib/test/test_plistlib.py b/Lib/test/test_plistlib.py
+index 7859ad05723..bcdae924d91 100644
+--- a/Lib/test/test_plistlib.py
+++ b/Lib/test/test_plistlib.py
+@@ -86,6 +86,19 @@ TESTDATA = """<?xml version="1.0" encoding="UTF-8"?>
+ </plist>
+ """.replace(" " * 8, "\t")  # Apple as well as plistlib.py output hard tabs
+ 
+XML_PLIST_WITH_ENTITY=b'''\
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" [
+   <!ENTITY entity "replacement text">
+  ]>
+<plist version="1.0">
+  <dict>
+    <key>A</key>
+    <string>&entity;</string>
+  </dict>
+</plist>
+'''
+
+ 
+ class TestPlistlib(unittest.TestCase):
+ 
+@@ -195,6 +208,11 @@ class TestPlistlib(unittest.TestCase):
+         self.assertEqual(test1, result1)
+         self.assertEqual(test2, result2)
+ 
+    def test_xml_plist_with_entity_decl(self):
+        with self.assertRaisesRegexp(plistlib.InvalidFileException,
+                                     "XML entity declarations are not supported"):
+            plistlib.readPlistFromString(XML_PLIST_WITH_ENTITY)
+
+ 
+ def test_main():
+     test_support.run_unittest(TestPlistlib)
+diff --git a/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst b/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst
+new file mode 100644
+index 00000000000..31b44b229f6
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst
+@@ -0,0 +1,3 @@
+The :mod:`plistlib` module no longer accepts entity declarations in XML
+plist files to avoid XML vulnerabilities. This should not affect users as
+entity declarations are not used in regular plist files.
+\ No newline at end of file
--- a/python2.spec
+++ b/python2.spec
@ -104,7 +104,7 @@ Summary: An interpreted, interactive, object-oriented programming language
 Name: %{python}
 # Remember to also rebase python2-docs when changing this:
 Version: 2.7.18
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: Python
 Group: Development/Languages
 Requires: %{python}-libs%{?_isa} = %{version}-%{release}
@ -838,6 +838,13 @@ Patch399: 00399-cve-2023-24329.patch
 # Backported from Python 3.8
 Patch404: 00404-cve-2023-40217.patch

+# 00406 # 33d46d8ceb68210f6234f26f3465c8556c0b6ccb
+# Reject XML entity declarations in plist files
+# CVE-2022-48565: XML External Entity in XML processing plistlib module
+# Backported from https://github.com/python/cpython/commit/a158fb9c5138
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-48565
+Patch406: 00406-cve-2022-48565.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python2" and "python3" in Fedora, EL, etc.,
@ -1176,6 +1183,7 @@ git apply %{PATCH351}
 %patch394 -p1
 %patch399 -p1
 %patch404 -p1
+%patch406 -p1


 # This shouldn't be necesarry, but is right now (2.2a3)
@ -2115,6 +2123,10 @@ fi
 # ======================================================

 %changelog
+* Thu Oct 12 2023 Lumír Balhar <lbalhar@redhat.com> - 2.7.18-16
+- Fix for CVE-2022-48565
+Resolves: RHEL-7088
+
 * Wed Sep 27 2023 Charalampos Stratakis <cstratak@redhat.com> - 2.7.18-15
 - Security fix for CVE-2023-40217
 Resolves: RHEL-9621