diff --git a/SOURCES/00366-CVE-2021-3733.patch b/SOURCES/00366-CVE-2021-3733.patch new file mode 100644 index 0000000..7e5b670 --- /dev/null +++ b/SOURCES/00366-CVE-2021-3733.patch @@ -0,0 +1,40 @@ +From 29c669440dddba61d18e1b7fdd57180cae9e4ae3 Mon Sep 17 00:00:00 2001 +From: Yeting Li +Date: Wed, 7 Apr 2021 19:27:41 +0800 +Subject: [PATCH] bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler + (GH-24391) + +Fix Regular Expression Denial of Service (ReDoS) vulnerability in +urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex +has quadratic worst-case complexity and it allows cause a denial of +service when identifying crafted invalid RFCs. This ReDoS issue is on +the client side and needs remote attackers to control the HTTP server. +(cherry picked from commit 7215d1ae25525c92b026166f9d5cac85fb1defe1) + +Co-authored-by: Yeting Li +--- + Lib/urllib/request.py | 2 +- + .../next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst + +diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py +index 6624e04317ba2..56565405a7097 100644 +--- a/Lib/urllib/request.py ++++ b/Lib/urllib/request.py +@@ -947,7 +947,7 @@ class AbstractBasicAuthHandler: + # (single quotes are a violation of the RFC, but appear in the wild) + rx = re.compile('(?:^|,)' # start of the string or ',' + '[ \t]*' # optional whitespaces +- '([^ \t]+)' # scheme like "Basic" ++ '([^ \t,]+)' # scheme like "Basic" + '[ \t]+' # mandatory whitespaces + # realm=xxx + # realm='xxx' +diff --git a/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst +new file mode 100644 +index 0000000000000..1c9f727e965fb +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2021-01-31-05-28-14.bpo-43075.DoAXqO.rst +@@ -0,0 +1 @@ ++Fix Regular Expression Denial of Service (ReDoS) vulnerability in :class:`urllib.request.AbstractBasicAuthHandler`. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server. diff --git a/SPECS/python3.spec b/SPECS/python3.spec index f18cb37..235b069 100644 --- a/SPECS/python3.spec +++ b/SPECS/python3.spec @@ -14,7 +14,7 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well Version: %{pybasever}.8 -Release: 38%{?dist} +Release: 39%{?dist} License: Python @@ -598,6 +598,12 @@ Patch359: 00359-CVE-2021-23336.patch # Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1990860 Patch362: 00362-threading-enumerate-rlock.patch +# 00366 # +# CVE-2021-3733: Denial of service when identifying crafted invalid RFCs +# Upstream: https://bugs.python.org/issue43075 +# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1995234 +Patch366: 00366-CVE-2021-3733.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -926,6 +932,7 @@ git apply %{PATCH351} %patch357 -p1 %patch359 -p1 %patch362 -p1 +%patch366 -p1 # Remove files that should be generated by the build # (This is after patching, so that we can use patches directly from upstream) @@ -1851,6 +1858,10 @@ fi # ====================================================== %changelog +* Thu Sep 09 2021 Lumír Balhar - 3.6.8-39 +- Security fix for CVE-2021-3733: Denial of service when identifying crafted invalid RFCs +Resolves: rhbz#1995234 + * Wed Aug 11 2021 Charalampos Stratakis - 3.6.8-38 - Fix reentrant call to threading.enumerate() Resolves: rhbz#1990860