import python3-3.6.8-38.el8

2021-05-08 08:12:55 +00:00 · 2021-05-08 08:12:55 +00:00 · f5e9ddec4b
parent b265504ed4
commit f5e9ddec4b
2 changed files with 113 additions and 1 deletions
--- a/SOURCES/00360-CVE-2021-3426.patch
+++ b/SOURCES/00360-CVE-2021-3426.patch
@ -0,0 +1,101 @@
+From 5b1e50256b6532667b6d31debc350f6c7d3f30aa Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 29 Mar 2021 08:40:53 -0700
+Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015)
+ (GH-25067)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
+could be abused to read arbitrary files on the disk (directory
+traversal vulnerability). Moreover, even source code of Python
+modules can contain sensitive data like passwords. Vulnerability
+reported by David Schwörer.
+(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
+
+Co-authored-by: Victor Stinner <vstinner@python.org>
+---
+ Lib/pydoc.py                                   | 18 ------------------
+ Lib/test/test_pydoc.py                         |  6 ------
+ .../2021-03-24-14-16-56.bpo-42988.P2aNco.rst   |  4 ++++
+ 3 files changed, 4 insertions(+), 24 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+
+diff --git a/Lib/pydoc.py b/Lib/pydoc.py
+index b521a5504728c4..5247ef9ea27aa1 100644
+--- a/Lib/pydoc.py
+++ b/Lib/pydoc.py
+@@ -2312,9 +2312,6 @@ def page(self, title, contents):
+ %s</head><body bgcolor="#f0f0f8">%s<div style="clear:both;padding-top:.5em;">%s</div>
+ </body></html>''' % (title, css_link, html_navbar(), contents)
+ 
+-        def filelink(self, url, path):
+-            return '<a href="getfile?key=%s">%s</a>' % (url, path)
+-
+ 
+     html = _HTMLDoc()
+ 
+@@ -2400,19 +2397,6 @@ def bltinlink(name):
+             'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results))
+         return 'Search Results', contents
+ 
+-    def html_getfile(path):
+-        """Get and display a source file listing safely."""
+-        path = urllib.parse.unquote(path)
+-        with tokenize.open(path) as fp:
+-            lines = html.escape(fp.read())
+-        body = '<pre>%s</pre>' % lines
+-        heading = html.heading(
+-            '<big><big><strong>File Listing</strong></big></big>',
+-            '#ffffff', '#7799ee')
+-        contents = heading + html.bigsection(
+-            'File: %s' % path, '#ffffff', '#ee77aa', body)
+-        return 'getfile %s' % path, contents
+-
+     def html_topics():
+         """Index of topic texts available."""
+ 
+@@ -2504,8 +2488,6 @@ def get_html_page(url):
+                 op, _, url = url.partition('=')
+                 if op == "search?key":
+                     title, content = html_search(url)
+-                elif op == "getfile?key":
+-                    title, content = html_getfile(url)
+                 elif op == "topic?key":
+                     # try topics first, then objects.
+                     try:
+diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py
+index 00803d3305cb53..49bc3eb164b19c 100644
+--- a/Lib/test/test_pydoc.py
+++ b/Lib/test/test_pydoc.py
+@@ -1052,18 +1052,12 @@ def test_url_requests(self):
+             ("topic?key=def", "Pydoc: KEYWORD def"),
+             ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
+             ("foobar", "Pydoc: Error - foobar"),
+-            ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
+             ]
+ 
+         with self.restrict_walk_packages():
+             for url, title in requests:
+                 self.call_url_handler(url, title)
+ 
+-            path = string.__file__
+-            title = "Pydoc: getfile " + path
+-            url = "getfile?key=" + path
+-            self.call_url_handler(url, title)
+-
+ 
+ class TestHelper(unittest.TestCase):
+     def test_keywords(self):
+diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+new file mode 100644
+index 00000000000000..4b42dd05305a83
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+@@ -0,0 +1,4 @@
+CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
+could be abused to read arbitrary files on the disk (directory traversal
+vulnerability). Moreover, even source code of Python modules can contain
+sensitive data like passwords. Vulnerability reported by David Schwörer.
--- a/SPECS/python3.spec
+++ b/SPECS/python3.spec
@ -14,7 +14,7 @@ URL: https://www.python.org/
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
 Version: %{pybasever}.8
-Release: 37%{?dist}
+Release: 38%{?dist}
 License: Python


@ -591,6 +591,12 @@ Patch357: 00357-CVE-2021-3177.patch
 # Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1928904
 Patch359: 00359-CVE-2021-23336.patch

+# 00360 #
+# CVE-2021-3426: information disclosure via pydoc
+# Upstream: https://bugs.python.org/issue42988
+# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1935913
+Patch360: 00360-CVE-2021-3426.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -918,6 +924,7 @@ git apply %{PATCH351}
 %patch356 -p1
 %patch357 -p1
 %patch359 -p1
+%patch360 -p1

 # Remove files that should be generated by the build
 # (This is after patching, so that we can use patches directly from upstream)
@ -1843,6 +1850,10 @@ fi
 # ======================================================

 %changelog
+* Fri Apr 30 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-38
+- Security fix for CVE-2021-3426: information disclosure via pydoc
+Resolves: rhbz#1935913
+
 * Thu Mar 04 2021 Petr Viktorin <pviktori@redhat.com> - 3.6.8-37
 - Fix for CVE-2021-23336
 Resolves: rhbz#1928904