From be2100ec318de201701fcaba16b7663363ee17e9 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Wed, 13 Nov 2024 13:28:34 +0100 Subject: [PATCH] Security fix for CVE-2024-11168 Resolves: RHEL-67252 --- 00444-security-fix-for-cve-2024-11168.patch | 110 ++++++++++++++++++++ python3.spec | 15 ++- 2 files changed, 124 insertions(+), 1 deletion(-) create mode 100644 00444-security-fix-for-cve-2024-11168.patch diff --git a/00444-security-fix-for-cve-2024-11168.patch b/00444-security-fix-for-cve-2024-11168.patch new file mode 100644 index 0000000..d447c86 --- /dev/null +++ b/00444-security-fix-for-cve-2024-11168.patch @@ -0,0 +1,110 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Tue, 9 May 2023 23:35:24 -0700 +Subject: [PATCH] 00444: Security fix for CVE-2024-11168 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +gh-103848: Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format (GH-103849) + +Tests are adjusted because Python <3.9 don't support scoped IPv6 addresses. + +(cherry picked from commit 29f348e232e82938ba2165843c448c2b291504c5) + +Co-authored-by: JohnJamesUtley <81572567+JohnJamesUtley@users.noreply.github.com> +Co-authored-by: Gregory P. Smith +Co-authored-by: Lumír Balhar +--- + Lib/test/test_urlparse.py | 26 +++++++++++++++++++ + Lib/urllib/parse.py | 15 +++++++++++ + ...-04-26-09-54-25.gh-issue-103848.aDSnpR.rst | 2 ++ + 3 files changed, 43 insertions(+) + create mode 100644 Misc/NEWS.d/next/Library/2023-04-26-09-54-25.gh-issue-103848.aDSnpR.rst + +diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py +index 7fd61ffea9..090d2f17bf 100644 +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -1076,6 +1076,32 @@ class UrlParseTestCase(unittest.TestCase): + self.assertEqual(p2.scheme, 'tel') + self.assertEqual(p2.path, '+31641044153') + ++ def test_invalid_bracketed_hosts(self): ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[192.0.2.146]/Path?Query') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[important.com:8000]/Path?Query') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v123r.IP]/Path?Query') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v12ae]/Path?Query') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v.IP]/Path?Query') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v123.]/Path?Query') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[v]/Path?Query') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af::2309::fae7:1234]/Path?Query') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af:2309::fae7:1234:2342:438e:192.0.2.146]/Path?Query') ++ self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@]v6a.ip[/Path') ++ ++ def test_splitting_bracketed_hosts(self): ++ p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]/path?query') ++ self.assertEqual(p1.hostname, 'v6a.ip') ++ self.assertEqual(p1.username, 'user') ++ self.assertEqual(p1.path, '/path') ++ p2 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7]/path?query') ++ self.assertEqual(p2.hostname, '0439:23af:2309::fae7') ++ self.assertEqual(p2.username, 'user') ++ self.assertEqual(p2.path, '/path') ++ p3 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7:1234:192.0.2.146]/path?query') ++ self.assertEqual(p3.hostname, '0439:23af:2309::fae7:1234:192.0.2.146') ++ self.assertEqual(p3.username, 'user') ++ self.assertEqual(p3.path, '/path') ++ + def test_telurl_params(self): + p1 = urllib.parse.urlparse('tel:123-4;phone-context=+1-650-516') + self.assertEqual(p1.scheme, 'tel') +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py +index 717e990997..bf186b7984 100644 +--- a/Lib/urllib/parse.py ++++ b/Lib/urllib/parse.py +@@ -34,6 +34,7 @@ It serves as a useful guide when making changes. + import os + import sys + import collections ++import ipaddress + + __all__ = ["urlparse", "urlunparse", "urljoin", "urldefrag", + "urlsplit", "urlunsplit", "urlencode", "parse_qs", +@@ -425,6 +426,17 @@ def _remove_unsafe_bytes_from_url(url): + url = url.replace(b, "") + return url + ++# Valid bracketed hosts are defined in ++# https://www.rfc-editor.org/rfc/rfc3986#page-49 and https://url.spec.whatwg.org/ ++def _check_bracketed_host(hostname): ++ if hostname.startswith('v'): ++ if not re.match(r"\Av[a-fA-F0-9]+\..+\Z", hostname): ++ raise ValueError(f"IPvFuture address is invalid") ++ else: ++ ip = ipaddress.ip_address(hostname) # Throws Value Error if not IPv6 or IPv4 ++ if isinstance(ip, ipaddress.IPv4Address): ++ raise ValueError(f"An IPv4 address cannot be in brackets") ++ + def urlsplit(url, scheme='', allow_fragments=True): + """Parse a URL into 5 components: + :///?# +@@ -480,6 +492,9 @@ def urlsplit(url, scheme='', allow_fragments=True): + if (('[' in netloc and ']' not in netloc) or + (']' in netloc and '[' not in netloc)): + raise ValueError("Invalid IPv6 URL") ++ if '[' in netloc and ']' in netloc: ++ bracketed_host = netloc.partition('[')[2].partition(']')[0] ++ _check_bracketed_host(bracketed_host) + if allow_fragments and '#' in url: + url, fragment = url.split('#', 1) + if '?' in url: +diff --git a/Misc/NEWS.d/next/Library/2023-04-26-09-54-25.gh-issue-103848.aDSnpR.rst b/Misc/NEWS.d/next/Library/2023-04-26-09-54-25.gh-issue-103848.aDSnpR.rst +new file mode 100644 +index 0000000000..81e5904aa6 +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2023-04-26-09-54-25.gh-issue-103848.aDSnpR.rst +@@ -0,0 +1,2 @@ ++Add checks to ensure that ``[`` bracketed ``]`` hosts found by ++:func:`urllib.parse.urlsplit` are of IPv6 or IPvFuture format. diff --git a/python3.spec b/python3.spec index 2fb8c93..81f994e 100644 --- a/python3.spec +++ b/python3.spec @@ -14,7 +14,7 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well Version: %{pybasever}.8 -Release: 68%{?dist} +Release: 69%{?dist} License: Python @@ -910,6 +910,14 @@ Patch437: 00437-cve-2024-6232.patch # (cherry picked from 3.9) Patch443: 00443-gh-124651-quote-template-strings-in-venv-activation-scripts.patch +# 00444 # fed0071c8c86599091f93967a5fa2cce42ceb840 +# Security fix for CVE-2024-11168 +# +# gh-103848: Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format (GH-103849) +# +# Tests are adjusted because Python <3.9 don't support scoped IPv6 addresses. +Patch444: 00444-security-fix-for-cve-2024-11168.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -1278,6 +1286,7 @@ git apply %{PATCH351} %patch435 -p1 %patch437 -p1 %patch443 -p1 +%patch444 -p1 # Remove files that should be generated by the build # (This is after patching, so that we can use patches directly from upstream) @@ -2209,6 +2218,10 @@ fi # ====================================================== %changelog +* Thu Nov 14 2024 Lumír Balhar - 3.6.8-69 +- Security fix for CVE-2024-11168 +Resolves: RHEL-67252 + * Tue Nov 05 2024 Lumír Balhar - 3.6.8-68 - Security fix for CVE-2024-9287 Resolves: RHEL-64878