Update to 3.9.18
Security fix for CVE-2023-40217 Resolves: RHEL-3043
This commit is contained in:
		
							parent
							
								
									5c7e81a8f7
								
							
						
					
					
						commit
						724b2ab564
					
				| @ -1,113 +1,3 @@ | ||||
| From f36519078bde3cce4328c03fffccb846121fb5bc Mon Sep 17 00:00:00 2001 | ||||
| From: Petr Viktorin <encukou@gmail.com> | ||||
| Date: Wed, 9 Aug 2023 20:23:03 +0200 | ||||
| Subject: [PATCH] Fix symlink handling for tarfile.data_filter | ||||
| 
 | ||||
| ---
 | ||||
|  Doc/library/tarfile.rst  |  5 +++++ | ||||
|  Lib/tarfile.py           |  9 ++++++++- | ||||
|  Lib/test/test_tarfile.py | 26 ++++++++++++++++++++++++-- | ||||
|  3 files changed, 37 insertions(+), 3 deletions(-) | ||||
| 
 | ||||
| diff --git a/Doc/library/tarfile.rst b/Doc/library/tarfile.rst
 | ||||
| index 00f3070324e..e0511bfeb64 100644
 | ||||
| --- a/Doc/library/tarfile.rst
 | ||||
| +++ b/Doc/library/tarfile.rst
 | ||||
| @@ -740,6 +740,11 @@ A ``TarInfo`` object has the following public data attributes:
 | ||||
|     Name of the target file name, which is only present in :class:`TarInfo` objects | ||||
|     of type :const:`LNKTYPE` and :const:`SYMTYPE`. | ||||
|   | ||||
| +   For symbolic links (``SYMTYPE``), the linkname is relative to the directory
 | ||||
| +   that contains the link.
 | ||||
| +   For hard links (``LNKTYPE``), the linkname is relative to the root of
 | ||||
| +   the archive.
 | ||||
| +
 | ||||
|   | ||||
|  .. attribute:: TarInfo.uid | ||||
|     :type: int | ||||
| diff --git a/Lib/tarfile.py b/Lib/tarfile.py
 | ||||
| index df4e41f7a0d..d62323715b4 100755
 | ||||
| --- a/Lib/tarfile.py
 | ||||
| +++ b/Lib/tarfile.py
 | ||||
| @@ -802,7 +802,14 @@ def _get_filtered_attrs(member, dest_path, for_data=True):
 | ||||
|          if member.islnk() or member.issym(): | ||||
|              if os.path.isabs(member.linkname): | ||||
|                  raise AbsoluteLinkError(member) | ||||
| -            target_path = os.path.realpath(os.path.join(dest_path, member.linkname))
 | ||||
| +            if member.issym():
 | ||||
| +                target_path = os.path.join(dest_path,
 | ||||
| +                                           os.path.dirname(name),
 | ||||
| +                                           member.linkname)
 | ||||
| +            else:
 | ||||
| +                target_path = os.path.join(dest_path,
 | ||||
| +                                           member.linkname)
 | ||||
| +            target_path = os.path.realpath(target_path)
 | ||||
|              if os.path.commonpath([target_path, dest_path]) != dest_path: | ||||
|                  raise LinkOutsideDestinationError(member, target_path) | ||||
|      return new_attrs | ||||
| diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
 | ||||
| index 2eda7fc4cea..79fc35c2895 100644
 | ||||
| --- a/Lib/test/test_tarfile.py
 | ||||
| +++ b/Lib/test/test_tarfile.py
 | ||||
| @@ -3337,10 +3337,12 @@ def __exit__(self, *exc):
 | ||||
|          self.bio = None | ||||
|   | ||||
|      def add(self, name, *, type=None, symlink_to=None, hardlink_to=None, | ||||
| -            mode=None, **kwargs):
 | ||||
| +            mode=None, size=None, **kwargs):
 | ||||
|          """Add a member to the test archive. Call within `with`.""" | ||||
|          name = str(name) | ||||
|          tarinfo = tarfile.TarInfo(name).replace(**kwargs) | ||||
| +        if size is not None:
 | ||||
| +            tarinfo.size = size
 | ||||
|          if mode: | ||||
|              tarinfo.mode = _filemode_to_int(mode) | ||||
|          if symlink_to is not None: | ||||
| @@ -3416,7 +3418,8 @@ def check_context(self, tar, filter):
 | ||||
|                  raise self.raised_exception | ||||
|              self.assertEqual(self.expected_paths, set()) | ||||
|   | ||||
| -    def expect_file(self, name, type=None, symlink_to=None, mode=None):
 | ||||
| +    def expect_file(self, name, type=None, symlink_to=None, mode=None,
 | ||||
| +                    size=None):
 | ||||
|          """Check a single file. See check_context.""" | ||||
|          if self.raised_exception: | ||||
|              raise self.raised_exception | ||||
| @@ -3445,6 +3448,8 @@ def expect_file(self, name, type=None, symlink_to=None, mode=None):
 | ||||
|              self.assertTrue(path.is_fifo()) | ||||
|          else: | ||||
|              raise NotImplementedError(type) | ||||
| +        if size is not None:
 | ||||
| +            self.assertEqual(path.stat().st_size, size)
 | ||||
|          for parent in path.parents: | ||||
|              self.expected_paths.discard(parent) | ||||
|   | ||||
| @@ -3649,6 +3654,22 @@ def test_sly_relative2(self):
 | ||||
|                      + """['"].*moo['"], which is outside the """ | ||||
|                      + "destination") | ||||
|   | ||||
| +    def test_deep_symlink(self):
 | ||||
| +        with ArchiveMaker() as arc:
 | ||||
| +            arc.add('targetdir/target', size=3)
 | ||||
| +            arc.add('linkdir/hardlink', hardlink_to='targetdir/target')
 | ||||
| +            arc.add('linkdir/symlink', symlink_to='../targetdir/target')
 | ||||
| +
 | ||||
| +        for filter in 'tar', 'data', 'fully_trusted':
 | ||||
| +            with self.check_context(arc.open(), filter):
 | ||||
| +                self.expect_file('targetdir/target', size=3)
 | ||||
| +                self.expect_file('linkdir/hardlink', size=3)
 | ||||
| +                if support.can_symlink():
 | ||||
| +                    self.expect_file('linkdir/symlink', size=3,
 | ||||
| +                                     symlink_to='../targetdir/target')
 | ||||
| +                else:
 | ||||
| +                    self.expect_file('linkdir/symlink', size=3)
 | ||||
| +
 | ||||
|      def test_modes(self): | ||||
|          # Test how file modes are extracted | ||||
|          # (Note that the modes are ignored on platforms without working chmod) | ||||
| -- 
 | ||||
| 2.41.0 | ||||
| 
 | ||||
| From 8b70605b594b3831331a9340ba764ff751871612 Mon Sep 17 00:00:00 2001 | ||||
| From: Petr Viktorin <encukou@gmail.com> | ||||
| Date: Mon, 6 Mar 2023 17:24:24 +0100 | ||||
|  | ||||
| @ -13,11 +13,11 @@ URL: https://www.python.org/ | ||||
| 
 | ||||
| #  WARNING  When rebasing to a new Python version, | ||||
| #           remember to update the python3-docs package as well | ||||
| %global general_version %{pybasever}.17 | ||||
| %global general_version %{pybasever}.18 | ||||
| #global prerel ... | ||||
| %global upstream_version %{general_version}%{?prerel} | ||||
| Version: %{general_version}%{?prerel:~%{prerel}} | ||||
| Release: 2%{?dist} | ||||
| Release: 1%{?dist} | ||||
| License: Python | ||||
| 
 | ||||
| 
 | ||||
| @ -1810,6 +1810,11 @@ CheckPython optimized | ||||
| # ====================================================== | ||||
| 
 | ||||
| %changelog | ||||
| * Thu Sep 07 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.9.18-1 | ||||
| - Update to 3.9.18 | ||||
| - Security fix for CVE-2023-40217 | ||||
| Resolves: RHEL-3043 | ||||
| 
 | ||||
| * Wed Aug 09 2023 Petr Viktorin <pviktori@redhat.com> - 3.9.17-2 | ||||
| - Fix symlink handling in the fix for CVE-2023-24329 | ||||
| Resolves: rhbz#263261 | ||||
|  | ||||
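--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (Python-3.9.17.tar.xz) = 994d92346e563a4635411808744eac8207c68e6fc9c1db1c2eb4103dad8553aaad4a8116e38c61f28cb17905a12cc46dccdde985e1c45882bf1815081b88b6be
-SHA512 (Python-3.9.17.tar.xz.asc) = 948196f104539b2e05b17fb5ef2387be392c515222213def7ab6f5b0f490d60e472e8df2dc6ec1df1d293a34d8c26a761412c93aabbdefd3390ee8bdef95a5d8
+SHA512 (Python-3.9.18.tar.xz) = aab155aca757d298394eddb91ff9a8f239665bd46feb495c6b6f735bbcb7489c05c858cc4cd08f1575c24f293b33492d763e9a140d92f0b2b0cc81a165a677c7
+SHA512 (Python-3.9.18.tar.xz.asc) = dff9a86df2b0774b68e7c762bacf05e2482dbb218301acfdc9128fc600bbc51c97a3a44f6b7cee87bd4e153bcb4a0af3c98109560d0c7861b7508edc9ae05ea1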