import python3-3.6.8-45.el8

SOURCES/00372-CVE-2021-4189.patch

@@ -0,0 +1,80 @@
+diff --git a/Lib/ftplib.py b/Lib/ftplib.py
+index 2ff251a..385e432 100644
+--- a/Lib/ftplib.py
++++ b/Lib/ftplib.py
+@@ -104,6 +104,8 @@ class FTP:
+     welcome = None
+     passiveserver = 1
+     encoding = "latin-1"
++    # Disables https://bugs.python.org/issue43285 security if set to True.
++    trust_server_pasv_ipv4_address = False
+ 
+     # Initialization method (called by class instantiation).
+     # Initialize host to localhost, port to standard ftp port
+@@ -333,8 +335,13 @@ class FTP:
+         return sock
+ 
+     def makepasv(self):
++        """Internal: Does the PASV or EPSV handshake -> (address, port)"""
+         if self.af == socket.AF_INET:
+-            host, port = parse227(self.sendcmd('PASV'))
++            untrusted_host, port = parse227(self.sendcmd('PASV'))
++            if self.trust_server_pasv_ipv4_address:
++                host = untrusted_host
++            else:
++                host = self.sock.getpeername()[0]
+         else:
+             host, port = parse229(self.sendcmd('EPSV'), self.sock.getpeername())
+         return host, port
+diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py
+index 4ff2f71..3ca7cc1 100644
+--- a/Lib/test/test_ftplib.py
++++ b/Lib/test/test_ftplib.py
+@@ -94,6 +94,10 @@ class DummyFTPHandler(asynchat.async_chat):
+         self.rest = None
+         self.next_retr_data = RETR_DATA
+         self.push('220 welcome')
++        # We use this as the string IPv4 address to direct the client
++        # to in response to a PASV command.  To test security behavior.
++        # https://bugs.python.org/issue43285/.
++        self.fake_pasv_server_ip = '252.253.254.255'
+ 
+     def collect_incoming_data(self, data):
+         self.in_buffer.append(data)
+@@ -136,7 +140,8 @@ class DummyFTPHandler(asynchat.async_chat):
+             sock.bind((self.socket.getsockname()[0], 0))
+             sock.listen()
+             sock.settimeout(TIMEOUT)
+-            ip, port = sock.getsockname()[:2]
++            port = sock.getsockname()[1]
++            ip = self.fake_pasv_server_ip
+             ip = ip.replace('.', ','); p1 = port / 256; p2 = port % 256
+             self.push('227 entering passive mode (%s,%d,%d)' %(ip, p1, p2))
+             conn, addr = sock.accept()
+@@ -694,6 +699,26 @@ class TestFTPClass(TestCase):
+         # IPv4 is in use, just make sure send_epsv has not been used
+         self.assertEqual(self.server.handler_instance.last_received_cmd, 'pasv')
+ 
++    def test_makepasv_issue43285_security_disabled(self):
++        """Test the opt-in to the old vulnerable behavior."""
++        self.client.trust_server_pasv_ipv4_address = True
++        bad_host, port = self.client.makepasv()
++        self.assertEqual(
++                bad_host, self.server.handler_instance.fake_pasv_server_ip)
++        # Opening and closing a connection keeps the dummy server happy
++        # instead of timing out on accept.
++        socket.create_connection((self.client.sock.getpeername()[0], port),
++                                 timeout=TIMEOUT).close()
++
++    def test_makepasv_issue43285_security_enabled_default(self):
++        self.assertFalse(self.client.trust_server_pasv_ipv4_address)
++        trusted_host, port = self.client.makepasv()
++        self.assertNotEqual(
++                trusted_host, self.server.handler_instance.fake_pasv_server_ip)
++        # Opening and closing a connection keeps the dummy server happy
++        # instead of timing out on accept.
++        socket.create_connection((trusted_host, port), timeout=TIMEOUT).close()
++
+     def test_with_statement(self):
+         self.client.quit()
+ 

SPECS/python3.spec

@@ -14,7 +14,7 @@ URL: https://www.python.org/
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
 Version: %{pybasever}.8
-Release: 44%{?dist}
+Release: 45%{?dist}
 License: Python
 
 
@@ -645,6 +645,12 @@ Patch369: 00369-rollover-only-regular-files-in-logging-handlers.patch
 # Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2003758
 Patch370: 00370-GIL-monotonic-clock.patch
 
+# 00372 #
+# CVE-2021-4189: ftplib should not use the host from the PASV response
+# Upstream: https://bugs.python.org/issue43285
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2036020
+Patch372: 00372-CVE-2021-4189.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -983,6 +989,7 @@ git apply %{PATCH351}
 %patch368 -p1
 %patch369 -p1
 %patch370 -p1
+%patch372 -p1
 
 # Remove files that should be generated by the build
 # (This is after patching, so that we can use patches directly from upstream)
@@ -1908,6 +1915,10 @@ fi
 # ======================================================
 
 %changelog
+* Fri Jan 07 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-45
+- Security fix for CVE-2021-4189: ftplib should not use the host from the PASV response
+Resolves: rhbz#2036020
+
 * Tue Oct 12 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-44
 - Use the monotonic clock for theading.Condition
 - Use the monotonic clock for the global interpreter lock