import python3-3.6.8-45.el8
This commit is contained in:
parent
57d92fbb47
commit
0d99696247
|
@ -0,0 +1,80 @@
|
||||||
|
diff --git a/Lib/ftplib.py b/Lib/ftplib.py
|
||||||
|
index 2ff251a..385e432 100644
|
||||||
|
--- a/Lib/ftplib.py
|
||||||
|
+++ b/Lib/ftplib.py
|
||||||
|
@@ -104,6 +104,8 @@ class FTP:
|
||||||
|
welcome = None
|
||||||
|
passiveserver = 1
|
||||||
|
encoding = "latin-1"
|
||||||
|
+ # Disables https://bugs.python.org/issue43285 security if set to True.
|
||||||
|
+ trust_server_pasv_ipv4_address = False
|
||||||
|
|
||||||
|
# Initialization method (called by class instantiation).
|
||||||
|
# Initialize host to localhost, port to standard ftp port
|
||||||
|
@@ -333,8 +335,13 @@ class FTP:
|
||||||
|
return sock
|
||||||
|
|
||||||
|
def makepasv(self):
|
||||||
|
+ """Internal: Does the PASV or EPSV handshake -> (address, port)"""
|
||||||
|
if self.af == socket.AF_INET:
|
||||||
|
- host, port = parse227(self.sendcmd('PASV'))
|
||||||
|
+ untrusted_host, port = parse227(self.sendcmd('PASV'))
|
||||||
|
+ if self.trust_server_pasv_ipv4_address:
|
||||||
|
+ host = untrusted_host
|
||||||
|
+ else:
|
||||||
|
+ host = self.sock.getpeername()[0]
|
||||||
|
else:
|
||||||
|
host, port = parse229(self.sendcmd('EPSV'), self.sock.getpeername())
|
||||||
|
return host, port
|
||||||
|
diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py
|
||||||
|
index 4ff2f71..3ca7cc1 100644
|
||||||
|
--- a/Lib/test/test_ftplib.py
|
||||||
|
+++ b/Lib/test/test_ftplib.py
|
||||||
|
@@ -94,6 +94,10 @@ class DummyFTPHandler(asynchat.async_chat):
|
||||||
|
self.rest = None
|
||||||
|
self.next_retr_data = RETR_DATA
|
||||||
|
self.push('220 welcome')
|
||||||
|
+ # We use this as the string IPv4 address to direct the client
|
||||||
|
+ # to in response to a PASV command. To test security behavior.
|
||||||
|
+ # https://bugs.python.org/issue43285/.
|
||||||
|
+ self.fake_pasv_server_ip = '252.253.254.255'
|
||||||
|
|
||||||
|
def collect_incoming_data(self, data):
|
||||||
|
self.in_buffer.append(data)
|
||||||
|
@@ -136,7 +140,8 @@ class DummyFTPHandler(asynchat.async_chat):
|
||||||
|
sock.bind((self.socket.getsockname()[0], 0))
|
||||||
|
sock.listen()
|
||||||
|
sock.settimeout(TIMEOUT)
|
||||||
|
- ip, port = sock.getsockname()[:2]
|
||||||
|
+ port = sock.getsockname()[1]
|
||||||
|
+ ip = self.fake_pasv_server_ip
|
||||||
|
ip = ip.replace('.', ','); p1 = port / 256; p2 = port % 256
|
||||||
|
self.push('227 entering passive mode (%s,%d,%d)' %(ip, p1, p2))
|
||||||
|
conn, addr = sock.accept()
|
||||||
|
@@ -694,6 +699,26 @@ class TestFTPClass(TestCase):
|
||||||
|
# IPv4 is in use, just make sure send_epsv has not been used
|
||||||
|
self.assertEqual(self.server.handler_instance.last_received_cmd, 'pasv')
|
||||||
|
|
||||||
|
+ def test_makepasv_issue43285_security_disabled(self):
|
||||||
|
+ """Test the opt-in to the old vulnerable behavior."""
|
||||||
|
+ self.client.trust_server_pasv_ipv4_address = True
|
||||||
|
+ bad_host, port = self.client.makepasv()
|
||||||
|
+ self.assertEqual(
|
||||||
|
+ bad_host, self.server.handler_instance.fake_pasv_server_ip)
|
||||||
|
+ # Opening and closing a connection keeps the dummy server happy
|
||||||
|
+ # instead of timing out on accept.
|
||||||
|
+ socket.create_connection((self.client.sock.getpeername()[0], port),
|
||||||
|
+ timeout=TIMEOUT).close()
|
||||||
|
+
|
||||||
|
+ def test_makepasv_issue43285_security_enabled_default(self):
|
||||||
|
+ self.assertFalse(self.client.trust_server_pasv_ipv4_address)
|
||||||
|
+ trusted_host, port = self.client.makepasv()
|
||||||
|
+ self.assertNotEqual(
|
||||||
|
+ trusted_host, self.server.handler_instance.fake_pasv_server_ip)
|
||||||
|
+ # Opening and closing a connection keeps the dummy server happy
|
||||||
|
+ # instead of timing out on accept.
|
||||||
|
+ socket.create_connection((trusted_host, port), timeout=TIMEOUT).close()
|
||||||
|
+
|
||||||
|
def test_with_statement(self):
|
||||||
|
self.client.quit()
|
||||||
|
|
|
@ -14,7 +14,7 @@ URL: https://www.python.org/
|
||||||
# WARNING When rebasing to a new Python version,
|
# WARNING When rebasing to a new Python version,
|
||||||
# remember to update the python3-docs package as well
|
# remember to update the python3-docs package as well
|
||||||
Version: %{pybasever}.8
|
Version: %{pybasever}.8
|
||||||
Release: 44%{?dist}
|
Release: 45%{?dist}
|
||||||
License: Python
|
License: Python
|
||||||
|
|
||||||
|
|
||||||
|
@ -645,6 +645,12 @@ Patch369: 00369-rollover-only-regular-files-in-logging-handlers.patch
|
||||||
# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2003758
|
# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2003758
|
||||||
Patch370: 00370-GIL-monotonic-clock.patch
|
Patch370: 00370-GIL-monotonic-clock.patch
|
||||||
|
|
||||||
|
# 00372 #
|
||||||
|
# CVE-2021-4189: ftplib should not use the host from the PASV response
|
||||||
|
# Upstream: https://bugs.python.org/issue43285
|
||||||
|
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2036020
|
||||||
|
Patch372: 00372-CVE-2021-4189.patch
|
||||||
|
|
||||||
# (New patches go here ^^^)
|
# (New patches go here ^^^)
|
||||||
#
|
#
|
||||||
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
||||||
|
@ -983,6 +989,7 @@ git apply %{PATCH351}
|
||||||
%patch368 -p1
|
%patch368 -p1
|
||||||
%patch369 -p1
|
%patch369 -p1
|
||||||
%patch370 -p1
|
%patch370 -p1
|
||||||
|
%patch372 -p1
|
||||||
|
|
||||||
# Remove files that should be generated by the build
|
# Remove files that should be generated by the build
|
||||||
# (This is after patching, so that we can use patches directly from upstream)
|
# (This is after patching, so that we can use patches directly from upstream)
|
||||||
|
@ -1908,6 +1915,10 @@ fi
|
||||||
# ======================================================
|
# ======================================================
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jan 07 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-45
|
||||||
|
- Security fix for CVE-2021-4189: ftplib should not use the host from the PASV response
|
||||||
|
Resolves: rhbz#2036020
|
||||||
|
|
||||||
* Tue Oct 12 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-44
|
* Tue Oct 12 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-44
|
||||||
- Use the monotonic clock for theading.Condition
|
- Use the monotonic clock for theading.Condition
|
||||||
- Use the monotonic clock for the global interpreter lock
|
- Use the monotonic clock for the global interpreter lock
|
||||||
|
|
Loading…
Reference in New Issue