Fix build with expat with fixed CVE-2023-52425

2024-04-24 12:48:17 +02:00 · 2024-04-24 12:48:17 +02:00 · ec10e021fa
commit ec10e021fa
parent 674a3880c6
2 changed files with 105 additions and 1 deletions
--- a/00422-gh-115133-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
+++ b/00422-gh-115133-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
@ -0,0 +1,90 @@
+From 87acab66e124912549fbc3151f27ca7fae76386c Mon Sep 17 00:00:00 2001
+From: Serhiy Storchaka <storchaka@gmail.com>
+Date: Tue, 23 Apr 2024 19:54:00 +0200
+Subject: [PATCH] gh-115133: Fix tests for XMLPullParser with Expat 2.6.0
+
+Feeding the parser by too small chunks defers parsing to prevent
+CVE-2023-52425. Future versions of Expat may be more reactive.
+
+(cherry picked from commit 4a08e7b3431cd32a0daf22a33421cd3035343dc4)
+---
+ Lib/test/test_xml_etree.py                    | 53 +++++++++++--------
+ ...-02-08-14-21-28.gh-issue-115133.ycl4ko.rst |  2 +
+ 2 files changed, 33 insertions(+), 22 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst
+
+diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
+index acaa519..c01af47 100644
+--- a/Lib/test/test_xml_etree.py
+++ b/Lib/test/test_xml_etree.py
+@@ -1044,28 +1044,37 @@ class XMLPullParserTest(unittest.TestCase):
+         self.assertEqual([(action, elem.tag) for action, elem in events],
+                          expected)
+ 
+-    def test_simple_xml(self):
+-        for chunk_size in (None, 1, 5):
+-            with self.subTest(chunk_size=chunk_size):
+-                parser = ET.XMLPullParser()
+-                self.assert_event_tags(parser, [])
+-                self._feed(parser, "<!-- comment -->\n", chunk_size)
+-                self.assert_event_tags(parser, [])
+-                self._feed(parser,
+-                           "<root>\n  <element key='value'>text</element",
+-                           chunk_size)
+-                self.assert_event_tags(parser, [])
+-                self._feed(parser, ">\n", chunk_size)
+-                self.assert_event_tags(parser, [('end', 'element')])
+-                self._feed(parser, "<element>text</element>tail\n", chunk_size)
+-                self._feed(parser, "<empty-element/>\n", chunk_size)
+-                self.assert_event_tags(parser, [
+-                    ('end', 'element'),
+-                    ('end', 'empty-element'),
+-                    ])
+-                self._feed(parser, "</root>\n", chunk_size)
+-                self.assert_event_tags(parser, [('end', 'root')])
+-                self.assertIsNone(parser.close())
+    def test_simple_xml(self, chunk_size=None):
+        parser = ET.XMLPullParser()
+        self.assert_event_tags(parser, [])
+        self._feed(parser, "<!-- comment -->\n", chunk_size)
+        self.assert_event_tags(parser, [])
+        self._feed(parser,
+                   "<root>\n  <element key='value'>text</element",
+                   chunk_size)
+        self.assert_event_tags(parser, [])
+        self._feed(parser, ">\n", chunk_size)
+        self.assert_event_tags(parser, [('end', 'element')])
+        self._feed(parser, "<element>text</element>tail\n", chunk_size)
+        self._feed(parser, "<empty-element/>\n", chunk_size)
+        self.assert_event_tags(parser, [
+            ('end', 'element'),
+            ('end', 'empty-element'),
+            ])
+        self._feed(parser, "</root>\n", chunk_size)
+        self.assert_event_tags(parser, [('end', 'root')])
+        self.assertIsNone(parser.close())
+
+    @unittest.expectedFailure
+    def test_simple_xml_chunk_1(self):
+        self.test_simple_xml(chunk_size=1)
+
+    @unittest.expectedFailure
+    def test_simple_xml_chunk_5(self):
+        self.test_simple_xml(chunk_size=5)
+
+    def test_simple_xml_chunk_22(self):
+        self.test_simple_xml(chunk_size=22)
+ 
+     def test_feed_while_iterating(self):
+         parser = ET.XMLPullParser()
+diff --git a/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst b/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst
+new file mode 100644
+index 0000000..6f10152
+--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst
+@@ -0,0 +1,2 @@
+Fix tests for :class:`~xml.etree.ElementTree.XMLPullParser` with Expat
+2.6.0.
+-- 
+2.44.0
+
--- a/python3.spec
+++ b/python3.spec
@ -14,7 +14,7 @@ URL: https://www.python.org/
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
 Version: %{pybasever}.8
-Release: 59%{?dist}
+Release: 60%{?dist}
 License: Python


@ -837,6 +837,15 @@ Patch414: 00414-skip_test_zlib_s390x.patch
 # config file or environment variable.
 Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch

+# 00422 #
+# gh-115133: Fix tests for XMLPullParser with Expat 2.6.0
+#
+# Feeding the parser by too small chunks defers parsing to prevent
+# CVE-2023-52425. Future versions of Expat may be more reactive. 
+#
+# Patch rebased because the CVE fix is backported to older expat in RHEL.
+Patch422: 00422-gh-115133-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1190,6 +1199,7 @@ git apply %{PATCH351}
 %patch413 -p1
 %patch414 -p1
 %patch415 -p1
+%patch422 -p1

 # Remove files that should be generated by the build
 # (This is after patching, so that we can use patches directly from upstream)
@ -2121,6 +2131,10 @@ fi
 # ======================================================

 %changelog
+* Wed Apr 24 2024 Lumír Balhar <lbalhar@redhat.com> - 3.6.8-60
+- Fix build with expat with fixed CVE-2023-52425
+Related: RHEL-33671
+
 * Thu Jan 04 2024 Lumír Balhar <lbalhar@redhat.com> - 3.6.8-59
 - Security fix for CVE-2023-27043
 Resolves: RHEL-20610