diff --git a/SOURCES/00360-CVE-2021-3426.patch b/SOURCES/00360-CVE-2021-3426.patch
new file mode 100644
index 0000000..f24ef59
--- /dev/null
+++ b/SOURCES/00360-CVE-2021-3426.patch
@@ -0,0 +1,101 @@
+From 5b1e50256b6532667b6d31debc350f6c7d3f30aa Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 29 Mar 2021 08:40:53 -0700
+Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015)
+ (GH-25067)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
+could be abused to read arbitrary files on the disk (directory
+traversal vulnerability). Moreover, even source code of Python
+modules can contain sensitive data like passwords. Vulnerability
+reported by David Schwörer.
+(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
+
+Co-authored-by: Victor Stinner
+---
+ Lib/pydoc.py | 18 ------------------
+ Lib/test/test_pydoc.py | 6 ------
+ .../2021-03-24-14-16-56.bpo-42988.P2aNco.rst | 4 ++++
+ 3 files changed, 4 insertions(+), 24 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+
+diff --git a/Lib/pydoc.py b/Lib/pydoc.py
+index b521a5504728c4..5247ef9ea27aa1 100644
+--- a/Lib/pydoc.py
++++ b/Lib/pydoc.py
+@@ -2312,9 +2312,6 @@ def page(self, title, contents):
+ %s%s
%s
+ ''' % (title, css_link, html_navbar(), contents)
+
+- def filelink(self, url, path):
+- return '%s' % (url, path)
+-
+
+ html = _HTMLDoc()
+
+@@ -2400,19 +2397,6 @@ def bltinlink(name):
+ 'key = %s' % key, '#ffffff', '#ee77aa', '
'.join(results))
+ return 'Search Results', contents
+
+- def html_getfile(path):
+- """Get and display a source file listing safely."""
+- path = urllib.parse.unquote(path)
+- with tokenize.open(path) as fp:
+- lines = html.escape(fp.read())
+- body = '
%s
' % lines
+- heading = html.heading(
+- 'File Listing',
+- '#ffffff', '#7799ee')
+- contents = heading + html.bigsection(
+- 'File: %s' % path, '#ffffff', '#ee77aa', body)
+- return 'getfile %s' % path, contents
+-
+ def html_topics():
+ """Index of topic texts available."""
+
+@@ -2504,8 +2488,6 @@ def get_html_page(url):
+ op, _, url = url.partition('=')
+ if op == "search?key":
+ title, content = html_search(url)
+- elif op == "getfile?key":
+- title, content = html_getfile(url)
+ elif op == "topic?key":
+ # try topics first, then objects.
+ try:
+diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py
+index 00803d3305cb53..49bc3eb164b19c 100644
+--- a/Lib/test/test_pydoc.py
++++ b/Lib/test/test_pydoc.py
+@@ -1052,18 +1052,12 @@ def test_url_requests(self):
+ ("topic?key=def", "Pydoc: KEYWORD def"),
+ ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
+ ("foobar", "Pydoc: Error - foobar"),
+- ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
+ ]
+
+ with self.restrict_walk_packages():
+ for url, title in requests:
+ self.call_url_handler(url, title)
+
+- path = string.__file__
+- title = "Pydoc: getfile " + path
+- url = "getfile?key=" + path
+- self.call_url_handler(url, title)
+-
+
+ class TestHelper(unittest.TestCase):
+ def test_keywords(self):
+diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+new file mode 100644
+index 00000000000000..4b42dd05305a83
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+@@ -0,0 +1,4 @@
++CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
++could be abused to read arbitrary files on the disk (directory traversal
++vulnerability). Moreover, even source code of Python modules can contain
++sensitive data like passwords. Vulnerability reported by David Schwörer.
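Review bot: Removing both the `("getfile?key=foobar", ...)` entry and the `string.__file__` round-trip leaves test_url_requests with no assertion that the closed path stays closed, so a later backport could reintroduce file reads unnoticed; keep one negative case in the `requests` list, e.g. `("getfile?key=" + string.__file__, "Pydoc: Error - getfile?key=" + string.__file__)`. That expected title presumes the unmatched-`op` fallback of get_html_page yields the same `Pydoc: Error - <url>` form the `foobar` case already asserts, which is inferred because that branch lies outside the hunk, as does the start of test_url_requests. The removed `html_getfile` applied no path restriction beyond `urllib.parse.unquote` before `tokenize.open`, which is why deleting the feature rather than filtering paths is the right fix, though any out-of-tree caller of `_HTMLDoc.filelink` will now fail with AttributeError.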
diff --git a/SOURCES/00362-threading-enumerate-rlock.patch b/SOURCES/00362-threading-enumerate-rlock.patch
new file mode 100644
index 0000000..9a8e064
--- /dev/null
+++ b/SOURCES/00362-threading-enumerate-rlock.patch
@@ -0,0 +1,36 @@
+bpo-44422: Fix threading.enumerate() reentrant call (GH-26727)
+
+The threading.enumerate() function now uses a reentrant lock to
+prevent a hang on reentrant call.
+
+https://github.com/python/cpython/commit/243fd01047ddce1a7eb0f99a49732d123e942c63
+
+Resolves: rhbz#1959459
+
+diff --git a/Lib/threading.py b/Lib/threading.py
+index 0ab1e46..7ab9ad8 100644
+--- a/Lib/threading.py
++++ b/Lib/threading.py
+@@ -727,8 +727,11 @@ _counter() # Consume 0 so first non-main thread has id 1.
+ def _newname(template="Thread-%d"):
+ return template % _counter()
+
+-# Active thread administration
+-_active_limbo_lock = _allocate_lock()
++# Active thread administration.
++#
++# bpo-44422: Use a reentrant lock to allow reentrant calls to functions like
++# threading.enumerate().
++_active_limbo_lock = RLock()
+ _active = {} # maps thread id to Thread object
+ _limbo = {}
+ _dangling = WeakSet()
+@@ -1325,7 +1328,7 @@ def _after_fork():
+ # Reset _active_limbo_lock, in case we forked while the lock was held
+ # by another (non-forked) thread. http://bugs.python.org/issue874900
+ global _active_limbo_lock, _main_thread
+- _active_limbo_lock = _allocate_lock()
++ _active_limbo_lock = RLock()
+
+ # fork() only copied the current thread; clear references to others.
+ new_active = {}
diff --git a/SOURCES/00364-thread-exit.patch b/SOURCES/00364-thread-exit.patch
new file mode 100644
index 0000000..b91665b
--- /dev/null
+++ b/SOURCES/00364-thread-exit.patch
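Review bot: The new comment above `_active_limbo_lock = RLock()` records why the lock became reentrant but not what that gives up: a plain lock excluded same-thread re-entry, so code that mutates `_active` or `_limbo` under it (a finalizer or signal handler firing inside `enumerate()`, say) could only block, whereas with an RLock it now proceeds inside the outer critical section and may change the dicts while they are being iterated. Suggest extending the comment: `# NOTE: reentrant, so this lock no longer excludes same-thread re-entry; code iterating _active/_limbo under it must tolerate nested mutation.` The `_after_fork` hunk is consistent with the first one; its body continues outside the hunk.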
@@ -0,0 +1,43 @@
+bpo-44434: Don't call PyThread_exit_thread() explicitly (GH-26758)
+
+_thread.start_new_thread() no longer calls PyThread_exit_thread()
+explicitly at the thread exit, the call was redundant.
+
+On Linux with the glibc, pthread_cancel() loads dynamically the
+libgcc_s.so.1 library. dlopen() can fail if there is no more
+available file descriptor to open the file. In this case, the process
+aborts with the error message:
+
+"libgcc_s.so.1 must be installed for pthread_cancel to work"
+
+pthread_cancel() unwinds back to the thread's wrapping function that
+calls the thread entry point.
+
+The unwind function is dynamically loaded from the libgcc_s library
+since it is tightly coupled to the C compiler (GCC). The unwinder
+depends on DWARF, the compiler generates DWARF, so the unwinder
+belongs to the compiler.
+
+Thanks Florian Weimer and Carlos O'Donell for their help on
+investigating this issue.
+
+https://github.com/python/cpython/commit/45a78f906d2d5fe5381d78466b11763fc56d57ba
+
+Resolves: rhbz#1972293
+
+diff --git a/Modules/_threadmodule.c b/Modules/_threadmodule.c
+index a13b2e0..8cc035b 100644
+--- a/Modules/_threadmodule.c
++++ b/Modules/_threadmodule.c
+@@ -1027,7 +1027,10 @@ t_bootstrap(void *boot_raw)
+ nb_threads--;
+ PyThreadState_Clear(tstate);
+ PyThreadState_DeleteCurrent();
+- PyThread_exit_thread();
++
++ // bpo-44434: Don't call explicitly PyThread_exit_thread(). On Linux with
++ // the glibc, pthread_exit() can abort the whole process if dlopen() fails
++ // to open the libgcc_s.so library (ex: EMFILE error).
+ }
+
+ static PyObject *
diff --git a/SOURCES/00366-CVE-2021-3733.patch b/SOURCES/00366-CVE-2021-3733.patch
new file mode 100644
index 0000000..7e5b670
--- /dev/null
+++ b/SOURCES/00366-CVE-2021-3733.patch
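Review bot: The in-code comment blames `pthread_exit()` while the commit message blames `pthread_cancel()` for the libgcc_s.so.1 dlopen, and a reader of `_threadmodule.c` cannot tell from the comment which glibc path the removed `PyThread_exit_thread()` actually took; the two should agree, or the comment should name the chain explicitly. Suggested wording: `// bpo-44434: PyThread_exit_thread() presumably ends in pthread_exit(), which on glibc dlopen()s libgcc_s.so.1 to unwind and aborts the process if that fails (ex: EMFILE).` It is also worth a line stating that nothing after `PyThreadState_DeleteCurrent()` may touch interpreter state, since the function now falls off the end into the platform thread wrapper; `t_bootstrap`'s start lies outside the hunk.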
@@ -0,0 +1,40 @@
+From 29c669440dddba61d18e1b7fdd57180cae9e4ae3 Mon Sep 17 00:00:00 2001
+From: Yeting Li
+Date: Wed, 7 Apr 2021 19:27:41 +0800
+Subject: [PATCH] bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler
+ (GH-24391)
+
+Fix Regular Expression Denial of Service (ReDoS) vulnerability in
+urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
+has quadratic worst-case complexity and it allows cause a denial of
+service when identifying crafted invalid RFCs. This ReDoS issue is on
+the client side and needs remote attackers to control the HTTP server.
+(cherry picked from commit 7215d1ae25525c92b026166f9d5cac85fb1defe1)
+
+Co-authored-by: Yeting Li
+---
+ Lib/urllib/request.py | 2 +-
+ .../next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+
+diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
+index 6624e04317ba2..56565405a7097 100644
+--- a/Lib/urllib/request.py
++++ b/Lib/urllib/request.py
+@@ -947,7 +947,7 @@ class AbstractBasicAuthHandler:
+ # (single quotes are a violation of the RFC, but appear in the wild)
+ rx = re.compile('(?:^|,)' # start of the string or ','
+ '[ \t]*' # optional whitespaces
+- '([^ \t]+)' # scheme like "Basic"
++ '([^ \t,]+)' # scheme like "Basic"
+ '[ \t]+' # mandatory whitespaces
+ # realm=xxx
+ # realm='xxx'
+diff --git a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+new file mode 100644
+index 0000000000000..1c9f727e965fb
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+@@ -0,0 +1 @@
++Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. 
The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
diff --git a/SPECS/python3.spec b/SPECS/python3.spec
index 39b3e64..561b72f 100644
--- a/SPECS/python3.spec
+++ b/SPECS/python3.spec
@@ -15,7 +15,7 @@ URL: https://www.python.org/
 # WARNING When rebasing to a new Python version,
 # remember to update the python3-docs package as well
 Version: %{pybasever}.8
-Release: 37%{?dist}
+Release: 41%{?dist}
 License: Python
@@ -592,6 +592,31 @@ Patch357: 00357-CVE-2021-3177.patch
 # Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1928904
 Patch359: 00359-CVE-2021-23336.patch
+# 00360 #
+# CVE-2021-3426: information disclosure via pydoc
+# Upstream: https://bugs.python.org/issue42988
+# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1935913
+Patch360: 00360-CVE-2021-3426.patch
+
+# 00362 #
+# The threading.enumerate() function now uses a reentrant lock to
+# prevent a hang on reentrant call.
+# Upstream: https://bugs.python.org/issue44422
+# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1959459
+Patch362: 00362-threading-enumerate-rlock.patch
+
+# 00364 #
+# Don't call PyThread_exit_thread() explicitly.
+# Upstream: https://bugs.python.org/issue44434
+# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1972293
+Patch364: 00364-thread-exit.patch
+
+# 00366 #
+# CVE-2021-3733: Denial of service when identifying crafted invalid RFCs
+# Upstream: https://bugs.python.org/issue43075
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1995234
+Patch366: 00366-CVE-2021-3733.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
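Review bot: The one-character fix is sound — once ',' is excluded from the scheme class, the `(?:^|,)` prefix and the `[^ \t,]+` token can no longer carve the same comma-separated run up in many ways — but the diffstat lists only request.py and the NEWS entry, so nothing pins the behaviour; add a regression test in test_urllib2 that feeds `AbstractBasicAuthHandler.rx.findall` a long header made of many comma-separated fragments with no `realm=` and asserts it returns in well under a second. The inline comment should also record the reason for the exclusion, e.g. `'([^ \t,]+)' # scheme like "Basic"; ',' excluded so backtracking stays linear`. The remainder of the `rx` pattern and the class body lie outside the hunk.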
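Review bot: The Patch366 block labels its Bugzilla link `# Tracking bug:` while Patch360, Patch362, Patch364 and the existing Patch359 context line all use `# Main BZ:`; keep the label uniform so anyone grepping the spec for `Main BZ` finds all four, i.e. `# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1995234`. The Patch364 comment is also thinner than the patch it points at and omits the failure mode that motivated it; suggest `# Don't call PyThread_exit_thread() explicitly: pthread_exit() can abort the process when libgcc_s.so.1 cannot be dlopen()ed (e.g. EMFILE).`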
@@ -639,10 +664,10 @@ Requires: python3-setuptools-wheel
 Requires: python3-pip-wheel
 %endif
-# Runtime require alternatives
-Requires: %{_sbindir}/alternatives
-Requires(post): %{_sbindir}/alternatives
-Requires(postun): %{_sbindir}/alternatives
+# Require alternatives version that implements the --keep-foreign flag
+Requires: alternatives >= 1.19.1-1
+Requires(post): alternatives >= 1.19.1-1
+Requires(postun): alternatives >= 1.19.1-1
 # This prevents ALL subpackages built from this spec to require
 # /usr/bin/python3*. Granularity per subpackage is impossible.
@@ -783,6 +808,9 @@ Provides: %{name}-tools = %{version}-%{release}
 Provides: %{name}-tools%{?_isa} = %{version}-%{release}
 Obsoletes: %{name}-tools < %{version}-%{release}
+
+# Require alternatives version that implements the --keep-foreign flag
+Requires(postun): alternatives >= 1.19.1-1
 # python36 installs the alternatives master symlink to which we attach a slave
 Requires: python36
 Requires(post): python36
@@ -920,6 +948,10 @@ git apply %{PATCH351}
 %patch356 -p1
 %patch357 -p1
 %patch359 -p1
+%patch360 -p1
+%patch362 -p1
+%patch364 -p1
+%patch366 -p1
 %patch1000 -p1
@@ -1389,7 +1421,7 @@ alternatives --install %{_bindir}/unversioned-python \
 %postun -n platform-python
 # Do this only during uninstall process (not during update)
 if [ $1 -eq 0 ]; then
- alternatives --remove python \
+ alternatives --keep-foreign --remove python \
 %{_libexecdir}/no-python
 fi
@@ -1404,7 +1436,7 @@ alternatives --add-slave python3 %{_bindir}/python3.6 \
 %postun -n python3-idle
 # Do this only during uninstall process (not during update)
 if [ $1 -eq 0 ]; then
- alternatives --remove-slave python3 %{_bindir}/python3.6 \
+ alternatives --keep-foreign --remove-slave python3 %{_bindir}/python3.6 \
 idle3
 fi
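Review bot: The `%postun -n platform-python` scriptlet now passes `--keep-foreign`, which only exists in alternatives >= 1.19.1-1, yet the only `Requires(postun)` on that version visible here sit in the -639 hunk (whose `%package` header is outside the hunk) and in the idle subpackage at -783; if the -639 preamble belongs to a package other than platform-python, erasing platform-python on a host with an older alternatives would fail the scriptlet, so confirm which section line 639 is in and, if needed, add `Requires(postun): alternatives >= 1.19.1-1` to platform-python as was done for idle. The idle hunk at -1404 is covered by the -783 addition, so that pairing is consistent.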
@@ -1847,9 +1879,26 @@ fi
 # ======================================================
 %changelog
-* Mon May 24 2021 Andrew Lukoshko - 3.6.8-37.alma
+* Wed Dec 29 2021 Andrew Lukoshko - 3.6.8-41.alma
 - Add AlmaLinux to supported distros
+* Thu Sep 09 2021 Lumír Balhar - 3.6.8-41
+- Security fix for CVE-2021-3733: Denial of service when identifying crafted invalid RFCs
+Resolves: rhbz#1995234
+
+* Thu Jul 29 2021 Tomas Orsava - 3.6.8-40
+- Adjusted the postun scriptlets to enable upgrading to RHEL 9
+- Resolves: rhbz#1933055
+
+* Fri Jul 09 2021 Victor Stinner - 3.6.8-39
+- Fix reentrant call to threading.enumerate() (rhbz#1959459)
+- Don't exit Python with abort() when a thread exit and there is no available
+ file descriptor to load dynamically the libgcc_s.so.1 library (rhbz#1972293)
+
+* Fri Apr 30 2021 Charalampos Stratakis - 3.6.8-38
+- Security fix for CVE-2021-3426: information disclosure via pydoc
+Resolves: rhbz#1935913
+
 * Thu Mar 04 2021 Petr Viktorin - 3.6.8-37
 - Fix for CVE-2021-23336
 Resolves: rhbz#1928904