Almalinux changes

SOURCES/00360-CVE-2021-3426.patch

@@ -0,0 +1,101 @@
+From 5b1e50256b6532667b6d31debc350f6c7d3f30aa Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 29 Mar 2021 08:40:53 -0700
+Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015)
+ (GH-25067)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
+could be abused to read arbitrary files on the disk (directory
+traversal vulnerability). Moreover, even source code of Python
+modules can contain sensitive data like passwords. Vulnerability
+reported by David Schwörer.
+(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
+
+Co-authored-by: Victor Stinner <vstinner@python.org>
+---
+ Lib/pydoc.py                                   | 18 ------------------
+ Lib/test/test_pydoc.py                         |  6 ------
+ .../2021-03-24-14-16-56.bpo-42988.P2aNco.rst   |  4 ++++
+ 3 files changed, 4 insertions(+), 24 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+
+diff --git a/Lib/pydoc.py b/Lib/pydoc.py
+index b521a5504728c4..5247ef9ea27aa1 100644
+--- a/Lib/pydoc.py
++++ b/Lib/pydoc.py
+@@ -2312,9 +2312,6 @@ def page(self, title, contents):
+ %s</head><body bgcolor="#f0f0f8">%s<div style="clear:both;padding-top:.5em;">%s</div>
+ </body></html>''' % (title, css_link, html_navbar(), contents)
+ 
+-        def filelink(self, url, path):
+-            return '<a href="getfile?key=%s">%s</a>' % (url, path)
+-
+ 
+     html = _HTMLDoc()
+ 
+@@ -2400,19 +2397,6 @@ def bltinlink(name):
+             'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results))
+         return 'Search Results', contents
+ 
+-    def html_getfile(path):
+-        """Get and display a source file listing safely."""
+-        path = urllib.parse.unquote(path)
+-        with tokenize.open(path) as fp:
+-            lines = html.escape(fp.read())
+-        body = '<pre>%s</pre>' % lines
+-        heading = html.heading(
+-            '<big><big><strong>File Listing</strong></big></big>',
+-            '#ffffff', '#7799ee')
+-        contents = heading + html.bigsection(
+-            'File: %s' % path, '#ffffff', '#ee77aa', body)
+-        return 'getfile %s' % path, contents
+-
+     def html_topics():
+         """Index of topic texts available."""
+ 
+@@ -2504,8 +2488,6 @@ def get_html_page(url):
+                 op, _, url = url.partition('=')
+                 if op == "search?key":
+                     title, content = html_search(url)
+-                elif op == "getfile?key":
+-                    title, content = html_getfile(url)
+                 elif op == "topic?key":
+                     # try topics first, then objects.
+                     try:
+diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py
+index 00803d3305cb53..49bc3eb164b19c 100644
+--- a/Lib/test/test_pydoc.py
++++ b/Lib/test/test_pydoc.py
+@@ -1052,18 +1052,12 @@ def test_url_requests(self):
+             ("topic?key=def", "Pydoc: KEYWORD def"),
+             ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
+             ("foobar", "Pydoc: Error - foobar"),
+-            ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
+             ]
+ 
+         with self.restrict_walk_packages():
+             for url, title in requests:
+                 self.call_url_handler(url, title)
+ 
+-            path = string.__file__
+-            title = "Pydoc: getfile " + path
+-            url = "getfile?key=" + path
+-            self.call_url_handler(url, title)
+-
+ 
+ class TestHelper(unittest.TestCase):
+     def test_keywords(self):
+diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+new file mode 100644
+index 00000000000000..4b42dd05305a83
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+@@ -0,0 +1,4 @@
++CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
++could be abused to read arbitrary files on the disk (directory traversal
++vulnerability). Moreover, even source code of Python modules can contain
++sensitive data like passwords. Vulnerability reported by David Schwörer.

SOURCES/00362-threading-enumerate-rlock.patch

@@ -0,0 +1,36 @@
+bpo-44422: Fix threading.enumerate() reentrant call (GH-26727)
+
+The threading.enumerate() function now uses a reentrant lock to
+prevent a hang on reentrant call.
+
+https://github.com/python/cpython/commit/243fd01047ddce1a7eb0f99a49732d123e942c63
+
+Resolves: rhbz#1959459
+
+diff --git a/Lib/threading.py b/Lib/threading.py
+index 0ab1e46..7ab9ad8 100644
+--- a/Lib/threading.py
++++ b/Lib/threading.py
+@@ -727,8 +727,11 @@ _counter() # Consume 0 so first non-main thread has id 1.
+ def _newname(template="Thread-%d"):
+     return template % _counter()
+ 
+-# Active thread administration
+-_active_limbo_lock = _allocate_lock()
++# Active thread administration.
++#
++# bpo-44422: Use a reentrant lock to allow reentrant calls to functions like
++# threading.enumerate().
++_active_limbo_lock = RLock()
+ _active = {}    # maps thread id to Thread object
+ _limbo = {}
+ _dangling = WeakSet()
+@@ -1325,7 +1328,7 @@ def _after_fork():
+     # Reset _active_limbo_lock, in case we forked while the lock was held
+     # by another (non-forked) thread.  http://bugs.python.org/issue874900
+     global _active_limbo_lock, _main_thread
+-    _active_limbo_lock = _allocate_lock()
++    _active_limbo_lock = RLock()
+ 
+     # fork() only copied the current thread; clear references to others.
+     new_active = {}

SOURCES/00364-thread-exit.patch

@@ -0,0 +1,43 @@
+bpo-44434: Don't call PyThread_exit_thread() explicitly (GH-26758)
+
+_thread.start_new_thread() no longer calls PyThread_exit_thread()
+explicitly at the thread exit, the call was redundant.
+
+On Linux with the glibc, pthread_cancel() loads dynamically the
+libgcc_s.so.1 library. dlopen() can fail if there is no more
+available file descriptor to open the file. In this case, the process
+aborts with the error message:
+
+"libgcc_s.so.1 must be installed for pthread_cancel to work"
+
+pthread_cancel() unwinds back to the thread's wrapping function that
+calls the thread entry point.
+
+The unwind function is dynamically loaded from the libgcc_s library
+since it is tightly coupled to the C compiler (GCC). The unwinder
+depends on DWARF, the compiler generates DWARF, so the unwinder
+belongs to the compiler.
+
+Thanks Florian Weimer and Carlos O'Donell for their help on
+investigating this issue.
+
+https://github.com/python/cpython/commit/45a78f906d2d5fe5381d78466b11763fc56d57ba
+
+Resolves: rhbz#1972293
+
+diff --git a/Modules/_threadmodule.c b/Modules/_threadmodule.c
+index a13b2e0..8cc035b 100644
+--- a/Modules/_threadmodule.c
++++ b/Modules/_threadmodule.c
+@@ -1027,7 +1027,10 @@ t_bootstrap(void *boot_raw)
+     nb_threads--;
+     PyThreadState_Clear(tstate);
+     PyThreadState_DeleteCurrent();
+-    PyThread_exit_thread();
++
++    // bpo-44434: Don't call explicitly PyThread_exit_thread(). On Linux with
++    // the glibc, pthread_exit() can abort the whole process if dlopen() fails
++    // to open the libgcc_s.so library (ex: EMFILE error).
+ }
+ 
+ static PyObject *

SOURCES/00366-CVE-2021-3733.patch

@@ -0,0 +1,40 @@
+From 29c669440dddba61d18e1b7fdd57180cae9e4ae3 Mon Sep 17 00:00:00 2001
+From: Yeting Li <liyt@ios.ac.cn>
+Date: Wed, 7 Apr 2021 19:27:41 +0800
+Subject: [PATCH] bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler
+ (GH-24391)
+
+Fix Regular Expression Denial of Service (ReDoS) vulnerability in
+urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
+has quadratic worst-case complexity and it allows cause a denial of
+service when identifying crafted invalid RFCs. This ReDoS issue is on
+the client side and needs remote attackers to control the HTTP server.
+(cherry picked from commit 7215d1ae25525c92b026166f9d5cac85fb1defe1)
+
+Co-authored-by: Yeting Li <liyt@ios.ac.cn>
+---
+ Lib/urllib/request.py                                           | 2 +-
+ .../next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst      | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+
+diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
+index 6624e04317ba2..56565405a7097 100644
+--- a/Lib/urllib/request.py
++++ b/Lib/urllib/request.py
+@@ -947,7 +947,7 @@ class AbstractBasicAuthHandler:
+     # (single quotes are a violation of the RFC, but appear in the wild)
+     rx = re.compile('(?:^|,)'   # start of the string or ','
+                     '[ \t]*'    # optional whitespaces
+-                    '([^ \t]+)' # scheme like "Basic"
++                    '([^ \t,]+)' # scheme like "Basic"
+                     '[ \t]+'    # mandatory whitespaces
+                     # realm=xxx
+                     # realm='xxx'
+diff --git a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+new file mode 100644
+index 0000000000000..1c9f727e965fb
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+@@ -0,0 +1 @@
++Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`.  The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

SPECS/python3.spec

@@ -15,7 +15,7 @@ URL: https://www.python.org/
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
 Version: %{pybasever}.8
-Release: 37%{?dist}
+Release: 41%{?dist}
 License: Python
 
 
@@ -592,6 +592,31 @@ Patch357: 00357-CVE-2021-3177.patch
 # Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1928904
 Patch359: 00359-CVE-2021-23336.patch
 
+# 00360 #
+# CVE-2021-3426: information disclosure via pydoc
+# Upstream: https://bugs.python.org/issue42988
+# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1935913
+Patch360: 00360-CVE-2021-3426.patch
+
+# 00362 #
+# The threading.enumerate() function now uses a reentrant lock to
+# prevent a hang on reentrant call.
+# Upstream: https://bugs.python.org/issue44422
+# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1959459
+Patch362: 00362-threading-enumerate-rlock.patch
+
+# 00364 #
+# Don't call PyThread_exit_thread() explicitly.
+# Upstream: https://bugs.python.org/issue44434
+# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1972293
+Patch364: 00364-thread-exit.patch
+
+# 00366 #
+# CVE-2021-3733: Denial of service when identifying crafted invalid RFCs
+# Upstream: https://bugs.python.org/issue43075
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1995234
+Patch366: 00366-CVE-2021-3733.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -639,10 +664,10 @@ Requires: python3-setuptools-wheel
 Requires: python3-pip-wheel
 %endif
 
-# Runtime require alternatives
+# Require alternatives version that implements the --keep-foreign flag
-Requires:         %{_sbindir}/alternatives
+Requires:         alternatives >= 1.19.1-1
-Requires(post):   %{_sbindir}/alternatives
+Requires(post):   alternatives >= 1.19.1-1
-Requires(postun): %{_sbindir}/alternatives
+Requires(postun): alternatives >= 1.19.1-1
 
 # This prevents ALL subpackages built from this spec to require
 # /usr/bin/python3*. Granularity per subpackage is impossible.
@@ -783,6 +808,9 @@ Provides: %{name}-tools = %{version}-%{release}
 Provides: %{name}-tools%{?_isa} = %{version}-%{release}
 Obsoletes: %{name}-tools < %{version}-%{release}
 
+
+# Require alternatives version that implements the --keep-foreign flag
+Requires(postun): alternatives >= 1.19.1-1
 # python36 installs the alternatives master symlink to which we attach a slave
 Requires: python36
 Requires(post): python36
@@ -920,6 +948,10 @@ git apply %{PATCH351}
 %patch356 -p1
 %patch357 -p1
 %patch359 -p1
+%patch360 -p1
+%patch362 -p1
+%patch364 -p1
+%patch366 -p1
 
 %patch1000 -p1
 
@@ -1389,7 +1421,7 @@ alternatives --install %{_bindir}/unversioned-python \
 %postun -n platform-python
 # Do this only during uninstall process (not during update)
 if [ $1 -eq 0 ]; then
-    alternatives --remove python \
+    alternatives --keep-foreign --remove python \
                           %{_libexecdir}/no-python
 
 fi
@@ -1404,7 +1436,7 @@ alternatives --add-slave python3 %{_bindir}/python3.6 \
 %postun -n python3-idle
 # Do this only during uninstall process (not during update)
 if [ $1 -eq 0 ]; then
-    alternatives --remove-slave python3 %{_bindir}/python3.6 \
+    alternatives --keep-foreign --remove-slave python3 %{_bindir}/python3.6 \
        idle3
 fi
 
@@ -1847,9 +1879,26 @@ fi
 # ======================================================
 
 %changelog
-* Mon May 24 2021 Andrew Lukoshko <alukoshko@almalinux.org> - 3.6.8-37.alma
+* Wed Dec 29 2021 Andrew Lukoshko <alukoshko@almalinux.org> - 3.6.8-41.alma
 - Add AlmaLinux to supported distros
 
+* Thu Sep 09 2021 Lumír Balhar <lbalhar@redhat.com> - 3.6.8-41
+- Security fix for CVE-2021-3733: Denial of service when identifying crafted invalid RFCs
+Resolves: rhbz#1995234
+
+* Thu Jul 29 2021 Tomas Orsava <torsava@redhat.com> - 3.6.8-40
+- Adjusted the postun scriptlets to enable upgrading to RHEL 9
+- Resolves: rhbz#1933055
+
+* Fri Jul 09 2021 Victor Stinner <vstinner@redhat.com> - 3.6.8-39
+- Fix reentrant call to threading.enumerate() (rhbz#1959459)
+- Don't exit Python with abort() when a thread exit and there is no available
+  file descriptor to load dynamically the libgcc_s.so.1 library (rhbz#1972293)
+
+* Fri Apr 30 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-38
+- Security fix for CVE-2021-3426: information disclosure via pydoc
+Resolves: rhbz#1935913
+
 * Thu Mar 04 2021 Petr Viktorin <pviktori@redhat.com> - 3.6.8-37
 - Fix for CVE-2021-23336
 Resolves: rhbz#1928904