rpms/python3.11
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI python3.11-3.11.9-7.el9_5.3

Browse Source
This commit is contained in:
eabdullin 2025-04-07 14:40:36 +00:00
parent 36fadf47e9
commit 3402056e7f
2 changed files with 143 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

133
SOURCES/00453-CVE-2024-7592.patch Normal file
View File

@ -0,0 +1,133 @@
From d4ac921a4b081f7f996a5d2b101684b67ba0ed7f Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-islington@users.noreply.github.com>
Date: Wed, 4 Sep 2024 17:50:00 +0200
Subject: [PATCH] [3.11] gh-123067: Fix quadratic complexity in parsing
"-quoted cookie values with backslashes (GH-123075) (#123105)
This fixes CVE-2024-7592.
(cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
---
Lib/http/cookies.py | 34 ++++-------------
Lib/test/test_http_cookies.py | 38 +++++++++++++++++++
...-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | 1 +
3 files changed, 47 insertions(+), 26 deletions(-)
create mode 100644 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
index 35ac2dc6ae280c..2c1f021d0abede 100644
--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
@@ -184,8 +184,13 @@ def _quote(str):
return '"' + str.translate(_Translator) + '"'
-_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
-_QuotePatt = re.compile(r"[\\].")
+_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub
+
+def _unquote_replace(m):
+ if m[1]:
+ return chr(int(m[1], 8))
+ else:
+ return m[2]
def _unquote(str):
# If there aren't any doublequotes,
@@ -205,30 +210,7 @@ def _unquote(str):
# \012 --> \n
# \" --> "
#
- i = 0
- n = len(str)
- res = []
- while 0 <= i < n:
- o_match = _OctalPatt.search(str, i)
- q_match = _QuotePatt.search(str, i)
- if not o_match and not q_match: # Neither matched
- res.append(str[i:])
- break
- # else:
- j = k = -1
- if o_match:
- j = o_match.start(0)
- if q_match:
- k = q_match.start(0)
- if q_match and (not o_match or k < j): # QuotePatt matched
- res.append(str[i:k])
- res.append(str[k+1])
- i = k + 2
- else: # OctalPatt matched
- res.append(str[i:j])
- res.append(chr(int(str[j+1:j+4], 8)))
- i = j + 4
- return _nulljoin(res)
+ return _unquote_sub(_unquote_replace, str)
# The _getdate() routine is used to set the expiration time in the cookie's HTTP
# header. By default, _getdate() returns the current time in the appropriate
diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
index 925c8697f60de6..8879902a6e2f41 100644
--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
@@ -5,6 +5,7 @@
import doctest
from http import cookies
import pickle
+from test import support
class CookieTests(unittest.TestCase):
@@ -58,6 +59,43 @@ def test_basic(self):
for k, v in sorted(case['dict'].items()):
self.assertEqual(C[k].value, v)
+ def test_unquote(self):
+ cases = [
+ (r'a="b=\""', 'b="'),
+ (r'a="b=\\"', 'b=\\'),
+ (r'a="b=\="', 'b=='),
+ (r'a="b=\n"', 'b=n'),
+ (r'a="b=\042"', 'b="'),
+ (r'a="b=\134"', 'b=\\'),
+ (r'a="b=\377"', 'b=\xff'),
+ (r'a="b=\400"', 'b=400'),
+ (r'a="b=\42"', 'b=42'),
+ (r'a="b=\\042"', 'b=\\042'),
+ (r'a="b=\\134"', 'b=\\134'),
+ (r'a="b=\\\""', 'b=\\"'),
+ (r'a="b=\\\042"', 'b=\\"'),
+ (r'a="b=\134\""', 'b=\\"'),
+ (r'a="b=\134\042"', 'b=\\"'),
+ ]
+ for encoded, decoded in cases:
+ with self.subTest(encoded):
+ C = cookies.SimpleCookie()
+ C.load(encoded)
+ self.assertEqual(C['a'].value, decoded)
+
+ @support.requires_resource('cpu')
+ def test_unquote_large(self):
+ n = 10**6
+ for encoded in r'\\', r'\134':
+ with self.subTest(encoded):
+ data = 'a="b=' + encoded*n + ';"'
+ C = cookies.SimpleCookie()
+ C.load(data)
+ value = C['a'].value
+ self.assertEqual(value[:3], 'b=\\')
+ self.assertEqual(value[-2:], '\\;')
+ self.assertEqual(len(value), n + 3)
+
def test_load(self):
C = cookies.SimpleCookie()
C.load('Customer="WILE_E_COYOTE"; Version=1; Path=/acme')
diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
new file mode 100644
index 00000000000000..6a234561fe31a3
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
@@ -0,0 +1 @@
+Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`.

11
SPECS/python3.11.spec
View File

@ -20,7 +20,7 @@ URL: https://www.python.org/
#global prerel ... #global prerel ...
%global upstream_version %{general_version}%{?prerel} %global upstream_version %{general_version}%{?prerel}
Version: %{general_version}%{?prerel:~%{prerel}} Version: %{general_version}%{?prerel:~%{prerel}}
Release: 7%{?dist}.2 Release: 7%{?dist}.3
License: Python License: Python
@ -408,6 +408,11 @@ Patch437: 00437-CVE-2024-6232.patch
# Resolved upstream: https://github.com/python/cpython/issues/124651 # Resolved upstream: https://github.com/python/cpython/issues/124651
Patch443: 00443-CVE-2024-9287.patch Patch443: 00443-CVE-2024-9287.patch
# 00453 #
# CVE-2024-7592: Denial of Service Vulnerability in http.cookies._unquote()
# Resolved upstream: https://github.com/python/cpython/issues/123067
Patch453: 00453-CVE-2024-7592.patch
# (New patches go here ^^^) # (New patches go here ^^^)
# #
# When adding new patches to "python" and "python3" in Fedora, EL, etc., # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1686,6 +1691,10 @@ CheckPython optimized
# ====================================================== # ======================================================
%changelog %changelog
* Wed Apr 02 2025 Lumír Balhar <lbalhar@redhat.com> - 3.11.9-7.3
- Security fix for CVE-2024-7592
Resolves: RHEL-85299
* Mon Dec 09 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.11.9-7.2 * Mon Dec 09 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.11.9-7.2
- Security fix for CVE-2024-9287 - Security fix for CVE-2024-9287
Resolves: RHEL-64882 Resolves: RHEL-64882