Update to 3.9.16

2022-12-07 10:00:16 +01:00 · 2022-12-07 10:00:16 +01:00 · 3afb626968
commit 3afb626968
parent 66cc30cc44
4 changed files with 7 additions and 245 deletions
--- a/00382-cve-2015-20107.patch
+++ b/00382-cve-2015-20107.patch
@ -1,150 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
 Date: Fri, 3 Jun 2022 11:43:35 +0200
 Subject: [PATCH] 00382: CVE-2015-20107
 Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
 Upstream: https://github.com/python/cpython/issues/68966
 Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
 ---
 Doc/library/mailcap.rst                       | 12 +++++++++
 Lib/mailcap.py                                | 26 +++++++++++++++++--
 Lib/test/test_mailcap.py                      |  8 ++++--
 ...2-04-27-18-25-30.gh-issue-68966.gjS8zs.rst |  4 +++
 4 files changed, 46 insertions(+), 4 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
 diff --git a/Doc/library/mailcap.rst b/Doc/library/mailcap.rst
 index a22b5b9c9e..7aa3380fec 100644
 --- a/Doc/library/mailcap.rst
 +++ b/Doc/library/mailcap.rst
@@ -60,6 +60,18 @@ standard.  However, mailcap files are supported on most Unix systems.
    use) to determine whether or not the mailcap line applies.  :func:`findmatch`
    will automatically check such conditions and skip the entry if the check fails.
 +   .. versionchanged:: 3.11
 +
 +      To prevent security issues with shell metacharacters (symbols that have
 +      special effects in a shell command line), ``findmatch`` will refuse
 +      to inject ASCII characters other than alphanumerics and ``@+=:,./-_``
 +      into the returned command line.
 +
 +      If a disallowed character appears in *filename*, ``findmatch`` will always
 +      return ``(None, None)`` as if no entry was found.
 +      If such a character appears elsewhere (a value in *plist* or in *MIMEtype*),
 +      ``findmatch`` will ignore all mailcap entries which use that value.
 +      A :mod:`warning <warnings>` will be raised in either case.
 .. function:: getcaps()
 diff --git a/Lib/mailcap.py b/Lib/mailcap.py
 index ae416a8e9f..444c6408b5 100644
 --- a/Lib/mailcap.py
 +++ b/Lib/mailcap.py
@@ -2,6 +2,7 @@
 import os
 import warnings
 +import re
 __all__ = ["getcaps","findmatch"]
@@ -13,6 +14,11 @@ def lineno_sort_key(entry):
     else:
         return 1, 0
 +_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
 +
 +class UnsafeMailcapInput(Warning):
 +    """Warning raised when refusing unsafe input"""
 +
 # Part 1: top-level interface.
@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
     entry to use.
     """
 +    if _find_unsafe(filename):
 +        msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
 +        warnings.warn(msg, UnsafeMailcapInput)
 +        return None, None
     entries = lookup(caps, MIMEtype, key)
     # XXX This code should somehow check for the needsterminal flag.
     for e in entries:
         if 'test' in e:
             test = subst(e['test'], filename, plist)
 +            if test is None:
 +                continue
             if test and os.system(test) != 0:
                 continue
         command = subst(e[key], MIMEtype, filename, plist)
 -        return command, e
 +        if command is not None:
 +            return command, e
     return None, None
 def lookup(caps, MIMEtype, key=None):
@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, plist=[]):
             elif c == 's':
                 res = res + filename
             elif c == 't':
 +                if _find_unsafe(MIMEtype):
 +                    msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
 +                    warnings.warn(msg, UnsafeMailcapInput)
 +                    return None
                 res = res + MIMEtype
             elif c == '{':
                 start = i
@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, plist=[]):
                     i = i+1
                 name = field[start:i]
                 i = i+1
 -                res = res + findparam(name, plist)
 +                param = findparam(name, plist)
 +                if _find_unsafe(param):
 +                    msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
 +                    warnings.warn(msg, UnsafeMailcapInput)
 +                    return None
 +                res = res + param
             # XXX To do:
             # %n == number of parts if type is multipart/*
             # %F == list of alternating type and filename for parts
 diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py
 index c08423c670..920283d9a2 100644
 --- a/Lib/test/test_mailcap.py
 +++ b/Lib/test/test_mailcap.py
@@ -121,7 +121,8 @@ class HelperFunctionTest(unittest.TestCase):
             (["", "audio/*", "foo.txt"], ""),
             (["echo foo", "audio/*", "foo.txt"], "echo foo"),
             (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
 -            (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
 +            (["echo %t", "audio/*", "foo.txt"], None),
 +            (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
             (["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
             (["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
             (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
@@ -205,7 +206,10 @@ class FindmatchTest(unittest.TestCase):
              ('"An audio fragment"', audio_basic_entry)),
             ([c, "audio/*"],
              {"filename": fname},
 -             ("/usr/local/bin/showaudio audio/*", audio_entry)),
 +             (None, None)),
 +            ([c, "audio/wav"],
 +             {"filename": fname},
 +             ("/usr/local/bin/showaudio audio/wav", audio_entry)),
             ([c, "message/external-body"],
              {"plist": plist},
              ("showexternal /dev/null default john python.org     /tmp foo bar", message_entry))
 diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
 new file mode 100644
 index 0000000000..da81a1f699
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
@@ -0,0 +1,4 @@
 +The deprecated mailcap module now refuses to inject unsafe text (filenames,
 +MIME types, parameters) into shell commands. Instead of using such text, it
 +will warn and act as if a match was not found (or for test commands, as if
 +the test failed).
--- a/00391-don-t-use-linux-abstract-sockets-for-multiprocessing.patch
+++ b/00391-don-t-use-linux-abstract-sockets-for-multiprocessing.patch
@ -1,64 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: "Miss Islington (bot)"
 <31488909+miss-islington@users.noreply.github.com>
 Date: Fri, 28 Oct 2022 03:08:30 -0700
 Subject: [PATCH] 00391: Don't use Linux abstract sockets for multiprocessing
 Linux abstract sockets are insecure as they lack any form of filesystem
 permissions so their use allows anyone on the system to inject code into
 the process.
 This removes the default preference for abstract sockets in
 multiprocessing introduced in Python 3.9+ via
 https://github.com/python/cpython/pull/18866 while fixing
 https://github.com/python/cpython/issues/84031.
 Explicit use of an abstract socket by a user now generates a
 RuntimeWarning.  If we choose to keep this warning, it should be
 backported to the 3.7 and 3.8 branches.
 (cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)
 Co-authored-by: Gregory P. Smith <greg@krypto.org>
 ---
 Lib/multiprocessing/connection.py                 |  5 -----
 .../2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst | 15 +++++++++++++++
 2 files changed, 15 insertions(+), 5 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
 diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
 index 510e4b5aba..8e2facf92a 100644
 --- a/Lib/multiprocessing/connection.py
 +++ b/Lib/multiprocessing/connection.py
@@ -73,11 +73,6 @@ def arbitrary_address(family):
     if family == 'AF_INET':
         return ('localhost', 0)
     elif family == 'AF_UNIX':
 -        # Prefer abstract sockets if possible to avoid problems with the address
 -        # size.  When coding portable applications, some implementations have
 -        # sun_path as short as 92 bytes in the sockaddr_un struct.
 -        if util.abstract_sockets_supported:
 -            return f"\0listener-{os.getpid()}-{next(_mmap_counter)}"
         return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())
     elif family == 'AF_PIPE':
         return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' %
 diff --git a/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
 new file mode 100644
 index 0000000000..02d95b5705
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
@@ -0,0 +1,15 @@
 +On Linux the :mod:`multiprocessing` module returns to using filesystem backed
 +unix domain sockets for communication with the *forkserver* process instead of
 +the Linux abstract socket namespace.  Only code that chooses to use the
 +:ref:`"forkserver" start method <multiprocessing-start-methods>` is affected.
 +
 +Abstract sockets have no permissions and could allow any user on the system in
 +the same `network namespace
 +<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often the
 +whole system) to inject code into the multiprocessing *forkserver* process.
 +This was a potential privilege escalation. Filesystem based socket permissions
 +restrict this to the *forkserver* process user as was the default in Python 3.8
 +and earlier.
 +
 +This prevents Linux `CVE-2022-42919
 +<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_.
--- a/python3.9.spec
+++ b/python3.9.spec
@ -13,11 +13,11 @@ URL: https://www.python.org/
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.15
+%global general_version %{pybasever}.16
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 3%{?dist}
+Release: 1%{?dist}
 License: Python
@ -387,33 +387,6 @@ Patch353: 00353-architecture-names-upstream-downstream.patch
 # https://github.com/GrahamDumpleton/mod_wsgi/issues/730
 Patch371: 00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch
 # 00382 # 9e275dcdf3934b827994ecc3247d583d5bab7985
 # CVE-2015-20107
 #
 # Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
 #
 # Upstream: https://github.com/python/cpython/issues/68966
 #
 # Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
 Patch382: 00382-cve-2015-20107.patch
 # 00391 # e6d12d8fca6afad3a56dc076c220f213b723a28e
 # Don't use Linux abstract sockets for multiprocessing
 #
 # Linux abstract sockets are insecure as they lack any form of filesystem
 # permissions so their use allows anyone on the system to inject code into
 # the process.
 #
 # This removes the default preference for abstract sockets in
 # multiprocessing introduced in Python 3.9+ via
 # https://github.com/python/cpython/pull/18866 while fixing
 # https://github.com/python/cpython/issues/84031.
 #
 # Explicit use of an abstract socket by a user now generates a
 # RuntimeWarning.  If we choose to keep this warning, it should be
 # backported to the 3.7 and 3.8 branches.
 Patch391: 00391-don-t-use-linux-abstract-sockets-for-multiprocessing.patch
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1829,6 +1802,9 @@ CheckPython optimized
 # ======================================================
 %changelog
 * Wed Dec 07 2022 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.16-1
 - Update to 3.9.16
 * Thu Nov 17 2022 Miro Hrončok <mhroncok@redhat.com> - 3.9.15-3
 - Rebuilt for infrastructure problems
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (Python-3.9.15.tar.xz) = 9310d263bc7a7925f73a6f66fd254ae61f377f43011a6bc5c58e57c8b170c2da4f197a646927ab9d05f8912ed8be4369c09576063931a3f93c3b0228ccb33a39
+SHA512 (Python-3.9.16.tar.xz) = b5fd0afe131c82bbce6ddf887c59eef6945910d6a9a2bc87c0927f4e4a096bf9ca4d25bcb729c40f6ebb8a65fbe8bf7b0b97a7c4a8c9e551240eb4f34b878653
-SHA512 (Python-3.9.15.tar.xz.asc) = 722625091731536757b9db447590c31620665133d45076367a3281f2ee3add23a781b10ce5cea582d65caabb18814583c1a347689d2b396214e36a6771182f38
+SHA512 (Python-3.9.16.tar.xz.asc) = 468959c36a3ec6136f57a39475fff4745a25be0cb5d3d58cf3e5faf0b9ce2d2a8b89f1f9fea1479c4c6ad12ac49e97c1cfd4291c978bb3d30df5a582ec315210
`@ -1,2 +1,2 @@`
	`SHA512 (Python-3.9.15.tar.xz) = 9310d263bc7a7925f73a6f66fd254ae61f377f43011a6bc5c58e57c8b170c2da4f197a646927ab9d05f8912ed8be4369c09576063931a3f93c3b0228ccb33a39`	`SHA512 (Python-3.9.16.tar.xz) = b5fd0afe131c82bbce6ddf887c59eef6945910d6a9a2bc87c0927f4e4a096bf9ca4d25bcb729c40f6ebb8a65fbe8bf7b0b97a7c4a8c9e551240eb4f34b878653`
	`SHA512 (Python-3.9.15.tar.xz.asc) = 722625091731536757b9db447590c31620665133d45076367a3281f2ee3add23a781b10ce5cea582d65caabb18814583c1a347689d2b396214e36a6771182f38`	`SHA512 (Python-3.9.16.tar.xz.asc) = 468959c36a3ec6136f57a39475fff4745a25be0cb5d3d58cf3e5faf0b9ce2d2a8b89f1f9fea1479c4c6ad12ac49e97c1cfd4291c978bb3d30df5a582ec315210`