import python3-3.6.8-38.el8
This commit is contained in:
parent
b265504ed4
commit
f5e9ddec4b
|
@ -0,0 +1,101 @@
|
||||||
|
From 5b1e50256b6532667b6d31debc350f6c7d3f30aa Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Miss Islington (bot)"
|
||||||
|
<31488909+miss-islington@users.noreply.github.com>
|
||||||
|
Date: Mon, 29 Mar 2021 08:40:53 -0700
|
||||||
|
Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015)
|
||||||
|
(GH-25067)
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
|
||||||
|
could be abused to read arbitrary files on the disk (directory
|
||||||
|
traversal vulnerability). Moreover, even source code of Python
|
||||||
|
modules can contain sensitive data like passwords. Vulnerability
|
||||||
|
reported by David Schwörer.
|
||||||
|
(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
|
||||||
|
|
||||||
|
Co-authored-by: Victor Stinner <vstinner@python.org>
|
||||||
|
---
|
||||||
|
Lib/pydoc.py | 18 ------------------
|
||||||
|
Lib/test/test_pydoc.py | 6 ------
|
||||||
|
.../2021-03-24-14-16-56.bpo-42988.P2aNco.rst | 4 ++++
|
||||||
|
3 files changed, 4 insertions(+), 24 deletions(-)
|
||||||
|
create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
|
||||||
|
|
||||||
|
diff --git a/Lib/pydoc.py b/Lib/pydoc.py
|
||||||
|
index b521a5504728c4..5247ef9ea27aa1 100644
|
||||||
|
--- a/Lib/pydoc.py
|
||||||
|
+++ b/Lib/pydoc.py
|
||||||
|
@@ -2312,9 +2312,6 @@ def page(self, title, contents):
|
||||||
|
%s</head><body bgcolor="#f0f0f8">%s<div style="clear:both;padding-top:.5em;">%s</div>
|
||||||
|
</body></html>''' % (title, css_link, html_navbar(), contents)
|
||||||
|
|
||||||
|
- def filelink(self, url, path):
|
||||||
|
- return '<a href="getfile?key=%s">%s</a>' % (url, path)
|
||||||
|
-
|
||||||
|
|
||||||
|
html = _HTMLDoc()
|
||||||
|
|
||||||
|
@@ -2400,19 +2397,6 @@ def bltinlink(name):
|
||||||
|
'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results))
|
||||||
|
return 'Search Results', contents
|
||||||
|
|
||||||
|
- def html_getfile(path):
|
||||||
|
- """Get and display a source file listing safely."""
|
||||||
|
- path = urllib.parse.unquote(path)
|
||||||
|
- with tokenize.open(path) as fp:
|
||||||
|
- lines = html.escape(fp.read())
|
||||||
|
- body = '<pre>%s</pre>' % lines
|
||||||
|
- heading = html.heading(
|
||||||
|
- '<big><big><strong>File Listing</strong></big></big>',
|
||||||
|
- '#ffffff', '#7799ee')
|
||||||
|
- contents = heading + html.bigsection(
|
||||||
|
- 'File: %s' % path, '#ffffff', '#ee77aa', body)
|
||||||
|
- return 'getfile %s' % path, contents
|
||||||
|
-
|
||||||
|
def html_topics():
|
||||||
|
"""Index of topic texts available."""
|
||||||
|
|
||||||
|
@@ -2504,8 +2488,6 @@ def get_html_page(url):
|
||||||
|
op, _, url = url.partition('=')
|
||||||
|
if op == "search?key":
|
||||||
|
title, content = html_search(url)
|
||||||
|
- elif op == "getfile?key":
|
||||||
|
- title, content = html_getfile(url)
|
||||||
|
elif op == "topic?key":
|
||||||
|
# try topics first, then objects.
|
||||||
|
try:
|
||||||
|
diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py
|
||||||
|
index 00803d3305cb53..49bc3eb164b19c 100644
|
||||||
|
--- a/Lib/test/test_pydoc.py
|
||||||
|
+++ b/Lib/test/test_pydoc.py
|
||||||
|
@@ -1052,18 +1052,12 @@ def test_url_requests(self):
|
||||||
|
("topic?key=def", "Pydoc: KEYWORD def"),
|
||||||
|
("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
|
||||||
|
("foobar", "Pydoc: Error - foobar"),
|
||||||
|
- ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
|
||||||
|
]
|
||||||
|
|
||||||
|
with self.restrict_walk_packages():
|
||||||
|
for url, title in requests:
|
||||||
|
self.call_url_handler(url, title)
|
||||||
|
|
||||||
|
- path = string.__file__
|
||||||
|
- title = "Pydoc: getfile " + path
|
||||||
|
- url = "getfile?key=" + path
|
||||||
|
- self.call_url_handler(url, title)
|
||||||
|
-
|
||||||
|
|
||||||
|
class TestHelper(unittest.TestCase):
|
||||||
|
def test_keywords(self):
|
||||||
|
diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000000..4b42dd05305a83
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
|
||||||
|
@@ -0,0 +1,4 @@
|
||||||
|
+CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
|
||||||
|
+could be abused to read arbitrary files on the disk (directory traversal
|
||||||
|
+vulnerability). Moreover, even source code of Python modules can contain
|
||||||
|
+sensitive data like passwords. Vulnerability reported by David Schwörer.
|
|
@ -14,7 +14,7 @@ URL: https://www.python.org/
|
||||||
# WARNING When rebasing to a new Python version,
|
# WARNING When rebasing to a new Python version,
|
||||||
# remember to update the python3-docs package as well
|
# remember to update the python3-docs package as well
|
||||||
Version: %{pybasever}.8
|
Version: %{pybasever}.8
|
||||||
Release: 37%{?dist}
|
Release: 38%{?dist}
|
||||||
License: Python
|
License: Python
|
||||||
|
|
||||||
|
|
||||||
|
@ -591,6 +591,12 @@ Patch357: 00357-CVE-2021-3177.patch
|
||||||
# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1928904
|
# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1928904
|
||||||
Patch359: 00359-CVE-2021-23336.patch
|
Patch359: 00359-CVE-2021-23336.patch
|
||||||
|
|
||||||
|
# 00360 #
|
||||||
|
# CVE-2021-3426: information disclosure via pydoc
|
||||||
|
# Upstream: https://bugs.python.org/issue42988
|
||||||
|
# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1935913
|
||||||
|
Patch360: 00360-CVE-2021-3426.patch
|
||||||
|
|
||||||
# (New patches go here ^^^)
|
# (New patches go here ^^^)
|
||||||
#
|
#
|
||||||
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
||||||
|
@ -918,6 +924,7 @@ git apply %{PATCH351}
|
||||||
%patch356 -p1
|
%patch356 -p1
|
||||||
%patch357 -p1
|
%patch357 -p1
|
||||||
%patch359 -p1
|
%patch359 -p1
|
||||||
|
%patch360 -p1
|
||||||
|
|
||||||
# Remove files that should be generated by the build
|
# Remove files that should be generated by the build
|
||||||
# (This is after patching, so that we can use patches directly from upstream)
|
# (This is after patching, so that we can use patches directly from upstream)
|
||||||
|
@ -1843,6 +1850,10 @@ fi
|
||||||
# ======================================================
|
# ======================================================
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Apr 30 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.6.8-38
|
||||||
|
- Security fix for CVE-2021-3426: information disclosure via pydoc
|
||||||
|
Resolves: rhbz#1935913
|
||||||
|
|
||||||
* Thu Mar 04 2021 Petr Viktorin <pviktori@redhat.com> - 3.6.8-37
|
* Thu Mar 04 2021 Petr Viktorin <pviktori@redhat.com> - 3.6.8-37
|
||||||
- Fix for CVE-2021-23336
|
- Fix for CVE-2021-23336
|
||||||
Resolves: rhbz#1928904
|
Resolves: rhbz#1928904
|
||||||
|
|
Loading…
Reference in New Issue