import python38-3.8.8-3.module+el8.5.0+12031+10ce4870

2021-07-29 05:21:21 +00:00 · 2021-07-29 05:21:21 +00:00 · 261e33b983
parent 74ba38d01a
commit 261e33b983
2 changed files with 74 additions and 1 deletions
--- a/SOURCES/00365-CVE-2021-29921.patch
+++ b/SOURCES/00365-CVE-2021-29921.patch
@ -0,0 +1,62 @@
+diff --git a/Doc/library/ipaddress.rst b/Doc/library/ipaddress.rst
+index 2cdfddb..d464d2a 100644
+--- a/Doc/library/ipaddress.rst
+++ b/Doc/library/ipaddress.rst
+@@ -104,8 +104,7 @@ write code that handles both IP versions correctly.  Address objects are
+    1. A string in decimal-dot notation, consisting of four decimal integers in
+       the inclusive range 0--255, separated by dots (e.g. ``192.168.0.1``). Each
+       integer represents an octet (byte) in the address. Leading zeroes are
+-      tolerated only for values less than 8 (as there is no ambiguity
+-      between the decimal and octal interpretations of such strings).
+      not tolerated to prevent confusion with octal notation.
+    2. An integer that fits into 32 bits.
+    3. An integer packed into a :class:`bytes` object of length 4 (most
+       significant octet first).
+diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
+index 28b7b61..d351f07 100644
+--- a/Lib/ipaddress.py
+++ b/Lib/ipaddress.py
+@@ -1173,6 +1173,11 @@ class _BaseV4:
+         if len(octet_str) > 3:
+             msg = "At most 3 characters permitted in %r"
+             raise ValueError(msg % octet_str)
+        # Handle leading zeros as strict as glibc's inet_pton()
+        # See security bug bpo-36384
+        if octet_str != '0' and octet_str[0] == '0':
+            msg = "Leading zeros are not permitted in %r"
+            raise ValueError(msg % octet_str)
+         # Convert to integer (we know digits are legal)
+         octet_int = int(octet_str, 10)
+         if octet_int > 255:
+diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
+index 2f1c5b6..1297b83 100644
+--- a/Lib/test/test_ipaddress.py
+++ b/Lib/test/test_ipaddress.py
+@@ -97,10 +97,23 @@ class CommonTestMixin:
+ class CommonTestMixin_v4(CommonTestMixin):
+ 
+     def test_leading_zeros(self):
+-        self.assertInstancesEqual("000.000.000.000", "0.0.0.0")
+-        self.assertInstancesEqual("192.168.000.001", "192.168.0.1")
+-        self.assertInstancesEqual("016.016.016.016", "16.16.16.16")
+-        self.assertInstancesEqual("001.000.008.016", "1.0.8.16")
+        # bpo-36384: no leading zeros to avoid ambiguity with octal notation
+        msg = "Leading zeros are not permitted in '\d+'"
+        addresses = [
+            "000.000.000.000",
+            "192.168.000.001",
+            "016.016.016.016",
+            "192.168.000.001",
+            "001.000.008.016",
+            "01.2.3.40",
+            "1.02.3.40",
+            "1.2.03.40",
+            "1.2.3.040",
+        ]
+        for address in addresses:
+            with self.subTest(address=address):
+                with self.assertAddressError(msg):
+                    self.factory(address)
+ 
+     def test_int(self):
+         self.assertInstancesEqual(0, "0.0.0.0")
--- a/SPECS/python38.spec
+++ b/SPECS/python38.spec
@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: Python

 # Exclude i686 arch. Due to a modularity issue it's being added to the
@ -363,6 +363,12 @@ Patch359: 00359-CVE-2021-23336.patch
 # Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1935913
 Patch360: 00360-CVE-2021-3426.patch

+# 00365 #
+# CVE-2021-29921: Improper input validation of octal strings in the ipaddress module
+# Upstream: https://bugs.python.org/issue36384
+# Main bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1957458
+Patch365: 00365-CVE-2021-29921.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -712,6 +718,7 @@ rm Lib/ensurepip/_bundled/*.whl
 %patch353 -p1
 %patch359 -p1
 %patch360 -p1
+%patch365 -p1

 # Remove files that should be generated by the build
 # (This is after patching, so that we can use patches directly from upstream)
@ -1800,6 +1807,10 @@ fi
 # ======================================================

 %changelog
+* Tue Jul 27 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.8.8-3
+- Security fix for CVE-2021-29921: Leading zeros in IPv4 addresses are no longer tolerated
+Resolves: rhbz#1957458
+
 * Fri Apr 30 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.8.8-2
 - Security fix for CVE-2021-3426: information disclosure via pydoc
 Resolves: rhbz#1935913