import python3-3.6.8-39.el8_4

SOURCES/00366-CVE-2021-3733.patch

@@ -0,0 +1,40 @@
+From 29c669440dddba61d18e1b7fdd57180cae9e4ae3 Mon Sep 17 00:00:00 2001
+From: Yeting Li <liyt@ios.ac.cn>
+Date: Wed, 7 Apr 2021 19:27:41 +0800
+Subject: [PATCH] bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler
+ (GH-24391)
+
+Fix Regular Expression Denial of Service (ReDoS) vulnerability in
+urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
+has quadratic worst-case complexity and it allows cause a denial of
+service when identifying crafted invalid RFCs. This ReDoS issue is on
+the client side and needs remote attackers to control the HTTP server.
+(cherry picked from commit 7215d1ae25525c92b026166f9d5cac85fb1defe1)
+
+Co-authored-by: Yeting Li <liyt@ios.ac.cn>
+---
+ Lib/urllib/request.py                                           | 2 +-
+ .../next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst      | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+
+diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
+index 6624e04317ba2..56565405a7097 100644
+--- a/Lib/urllib/request.py
++++ b/Lib/urllib/request.py
+@@ -947,7 +947,7 @@ class AbstractBasicAuthHandler:
+     # (single quotes are a violation of the RFC, but appear in the wild)
+     rx = re.compile('(?:^|,)'   # start of the string or ','
+                     '[ \t]*'    # optional whitespaces
+-                    '([^ \t]+)' # scheme like "Basic"
++                    '([^ \t,]+)' # scheme like "Basic"
+                     '[ \t]+'    # mandatory whitespaces
+                     # realm=xxx
+                     # realm='xxx'
+diff --git a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+new file mode 100644
+index 0000000000000..1c9f727e965fb
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst
+@@ -0,0 +1 @@
++Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`.  The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

SPECS/python3.spec

@@ -14,7 +14,7 @@ URL: https://www.python.org/
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
 Version: %{pybasever}.8
-Release: 38%{?dist}
+Release: 39%{?dist}
 License: Python
 
 
@@ -598,6 +598,12 @@ Patch359: 00359-CVE-2021-23336.patch
 # Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1990860
 Patch362: 00362-threading-enumerate-rlock.patch
 
+# 00366 #
+# CVE-2021-3733: Denial of service when identifying crafted invalid RFCs
+# Upstream: https://bugs.python.org/issue43075
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1995234
+Patch366: 00366-CVE-2021-3733.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -926,6 +932,7 @@ git apply %{PATCH351}
 %patch357 -p1
 %patch359 -p1
 %patch362 -p1
+%patch366 -p1
 
 # Remove files that should be generated by the build
 # (This is after patching, so that we can use patches directly from upstream)
@@ -1851,6 +1858,10 @@ fi
 # ======================================================
 
 %changelog
+* Thu Sep 09 2021 Lumír Balhar <lbalhar@redhat.com> - 3.6.8-39
+- Security fix for CVE-2021-3733: Denial of service when identifying crafted invalid RFCs
+Resolves: rhbz#1995234
+
 * Wed Aug 11 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-38
 - Fix reentrant call to threading.enumerate()
 Resolves: rhbz#1990860