From a5d6ddad0f10cb0b25ec7c79b8a0dc190990a30c Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Wed, 9 Aug 2023 20:36:11 +0200
Subject: [PATCH] Fix symlink handling in the fix for CVE-2023-24329

Resolves: rhbz#263261
---
 00397-tarfile-filter.patch | 112 ++++++++++++++++++++++++++++++++++++-
 python3.11.spec | 14 ++++-
 2 files changed, 122 insertions(+), 4 deletions(-)

diff --git a/00397-tarfile-filter.patch b/00397-tarfile-filter.patch
index 9297ea5..bd8f98f 100644
--- a/00397-tarfile-filter.patch
+++ b/00397-tarfile-filter.patch
@@ -1,4 +1,114 @@ -From 363474312808642b23840a26b4e812051a551e48 Mon Sep 17 00:00:00 2001 +From f36519078bde3cce4328c03fffccb846121fb5bc Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Wed, 9 Aug 2023 20:23:03 +0200 +Subject: [PATCH] Fix symlink handling for tarfile.data_filter + +--- + Doc/library/tarfile.rst | 5 +++++ + Lib/tarfile.py | 9 ++++++++- + Lib/test/test_tarfile.py | 26 ++++++++++++++++++++++++-- + 3 files changed, 37 insertions(+), 3 deletions(-) + +diff --git a/Doc/library/tarfile.rst b/Doc/library/tarfile.rst +index 00f3070324e..e0511bfeb64 100644 +--- a/Doc/library/tarfile.rst ++++ b/Doc/library/tarfile.rst +@@ -740,6 +740,11 @@ A ``TarInfo`` object has the following public data attributes: + Name of the target file name, which is only present in :class:`TarInfo` objects + of type :const:`LNKTYPE` and :const:`SYMTYPE`. + ++ For symbolic links (``SYMTYPE``), the linkname is relative to the directory ++ that contains the link. ++ For hard links (``LNKTYPE``), the linkname is relative to the root of ++ the archive. ++ + + .. 
attribute:: TarInfo.uid + :type: int +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index df4e41f7a0d..d62323715b4 100755 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -802,7 +802,14 @@ def _get_filtered_attrs(member, dest_path, for_data=True): + if member.islnk() or member.issym(): + if os.path.isabs(member.linkname): + raise AbsoluteLinkError(member) +- target_path = os.path.realpath(os.path.join(dest_path, member.linkname)) ++ if member.issym(): ++ target_path = os.path.join(dest_path, ++ os.path.dirname(name), ++ member.linkname) ++ else: ++ target_path = os.path.join(dest_path, ++ member.linkname) ++ target_path = os.path.realpath(target_path) + if os.path.commonpath([target_path, dest_path]) != dest_path: + raise LinkOutsideDestinationError(member, target_path) + return new_attrs +diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +index 2eda7fc4cea..79fc35c2895 100644 +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -3337,10 +3337,12 @@ def __exit__(self, *exc): + self.bio = None + + def add(self, name, *, type=None, symlink_to=None, hardlink_to=None, +- mode=None, **kwargs): ++ mode=None, size=None, **kwargs): + """Add a member to the test archive. Call within `with`.""" + name = str(name) + tarinfo = tarfile.TarInfo(name).replace(**kwargs) ++ if size is not None: ++ tarinfo.size = size + if mode: + tarinfo.mode = _filemode_to_int(mode) + if symlink_to is not None: +@@ -3416,7 +3418,8 @@ def check_context(self, tar, filter): + raise self.raised_exception + self.assertEqual(self.expected_paths, set()) + +- def expect_file(self, name, type=None, symlink_to=None, mode=None): ++ def expect_file(self, name, type=None, symlink_to=None, mode=None, ++ size=None): + """Check a single file. 
See check_context.""" + if self.raised_exception: + raise self.raised_exception +@@ -3445,6 +3448,8 @@ def expect_file(self, name, type=None, symlink_to=None, mode=None): + self.assertTrue(path.is_fifo()) + else: + raise NotImplementedError(type) ++ if size is not None: ++ self.assertEqual(path.stat().st_size, size) + for parent in path.parents: + self.expected_paths.discard(parent) + +@@ -3649,6 +3654,22 @@ def test_sly_relative2(self): + + """['"].*moo['"], which is outside the """ + + "destination") + ++ def test_deep_symlink(self): ++ with ArchiveMaker() as arc: ++ arc.add('targetdir/target', size=3) ++ arc.add('linkdir/hardlink', hardlink_to='targetdir/target') ++ arc.add('linkdir/symlink', symlink_to='../targetdir/target') ++ ++ for filter in 'tar', 'data', 'fully_trusted': ++ with self.check_context(arc.open(), filter): ++ self.expect_file('targetdir/target', size=3) ++ self.expect_file('linkdir/hardlink', size=3) ++ if os_helper.can_symlink(): ++ self.expect_file('linkdir/symlink', size=3, ++ symlink_to='../targetdir/target') ++ else: ++ self.expect_file('linkdir/symlink', size=3) ++ + def test_modes(self): + # Test how file modes are extracted + # (Note that the modes are ignored on platforms without working chmod) +-- +2.41.0 + +From 8b70605b594b3831331a9340ba764ff751871612 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 6 Mar 2023 17:24:24 +0100 Subject: [PATCH] CVE-2007-4559, PEP-706: Add filters for tarfile extraction diff --git a/python3.11.spec b/python3.11.spec index b759c58..e838321 100644 --- a/python3.11.spec +++ b/python3.11.spec @@ -20,7 +20,7 @@ URL: https://www.python.org/ #global prerel ... %global upstream_version %{general_version}%{?prerel} Version: %{general_version}%{?prerel:~%{prerel}} -Release: 2%{?dist} +Release: 3%{?dist} License: Python 
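Review bot: test_deep_symlink only exercises a symlink whose directory-relative target stays inside the destination, yet the new branch in _get_filtered_attrs changes the base the escape check is computed from (`os.path.dirname(name)` is now joined before `member.linkname`), so a companion negative case such as `arc.add('linkdir/symlink', symlink_to='../../outside')` asserting LinkOutsideDestinationError under the 'data' filter would pin that the relocated check still rejects traversal from a nested directory; the visible test_sly_relative cases do not appear to cover a link below the archive root, as far as this hunk shows. The ArchiveMaker.add docstring was not updated for the new `size` keyword; a line like `size: if given, sets tarinfo.size on the member` would document the fixture change alongside the matching `size` check in expect_file. The body of _get_filtered_attrs, where `name` and `dest_path` are prepared, begins before this hunk, so whether dest_path is already realpath-normalised before the commonpath comparison cannot be confirmed here. Separately, the commit subject and changelog entry cite CVE-2023-24329 while the spec comment for the same patch cites CVE-2007-4559; the two references should agree.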
@@ -333,8 +333,12 @@ Patch329: 00329-fips.patch
 Patch371: 00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch
 
 # 00397 #
-# Add Red Hat configuration for tarfile extraction (CVE-2007-4559, PEP-706)
-# See KB for documentation:
+# Filters for tarfile extraction (CVE-2007-4559, PEP-706)
+# First patch fixes determination of symlink targets, which were treated
+# as relative to the root of the archive,
+# rather than the directory containing the symlink.
+# Not yet upstream as of this writing.
+# The second patch is Red Hat configuration, see KB for documentation:
 # - https://access.redhat.com/articles/7004769
 Patch397: 00397-tarfile-filter.patch
 
@@ -1605,6 +1609,10 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Wed Aug 09 2023 Petr Viktorin - 3.11.4-3
+- Fix symlink handling in the fix for CVE-2023-24329
+Resolves: rhbz#263261
+
 * Fri Jun 30 2023 Charalampos Stratakis - 3.11.4-2
 - Security fix for CVE-2007-4559
 Resolves: rhbz#263261