import python38-3.8.8-3.module+el8.5.0+12031+10ce4870
parent
74ba38d01a
commit
261e33b983
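--- /dev/null
+++ b/SOURCES/00365-CVE-2021-29921.patch
@@ -0,0 +1,62 @@
+diff --git a/Doc/library/ipaddress.rst b/Doc/library/ipaddress.rst
+index 2cdfddb..d464d2a 100644
+--- a/Doc/library/ipaddress.rst
++++ b/Doc/library/ipaddress.rst
+@@ -104,8 +104,7 @@ write code that handles both IP versions correctly. Address objects are
+1. A string in decimal-dot notation, consisting of four decimal integers in
+the inclusive range 0--255, separated by dots (e.g. ``192.168.0.1``). Each
+integer represents an octet (byte) in the address. Leading zeroes are
+- tolerated only for values less than 8 (as there is no ambiguity
+- between the decimal and octal interpretations of such strings).
++ not tolerated to prevent confusion with octal notation.
+2. An integer that fits into 32 bits.
+3. An integer packed into a :class:`bytes` object of length 4 (most
+significant octet first).
+diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
+index 28b7b61..d351f07 100644
+--- a/Lib/ipaddress.py
++++ b/Lib/ipaddress.py
+@@ -1173,6 +1173,11 @@ class _BaseV4:
+if len(octet_str) > 3:
+msg = "At most 3 characters permitted in %r"
+raise ValueError(msg % octet_str)
++ # Handle leading zeros as strict as glibc's inet_pton()
++ # See security bug bpo-36384
++ if octet_str != '0' and octet_str[0] == '0':
++ msg = "Leading zeros are not permitted in %r"
++ raise ValueError(msg % octet_str)
+# Convert to integer (we know digits are legal)
+octet_int = int(octet_str, 10)
+if octet_int > 255:
+diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
+index 2f1c5b6..1297b83 100644
+--- a/Lib/test/test_ipaddress.py
++++ b/Lib/test/test_ipaddress.py
+@@ -97,10 +97,23 @@ class CommonTestMixin:
+class CommonTestMixin_v4(CommonTestMixin):
+
+def test_leading_zeros(self):
+- self.assertInstancesEqual("000.000.000.000", "0.0.0.0")
+- self.assertInstancesEqual("192.168.000.001", "192.168.0.1")
+- self.assertInstancesEqual("016.016.016.016", "16.16.16.16")
+- self.assertInstancesEqual("001.000.008.016", "1.0.8.16")
++ # bpo-36384: no leading zeros to avoid ambiguity with octal notation
++ msg = "Leading zeros are not permitted in '\d+'"
++ addresses = [
++ "000.000.000.000",
++ "192.168.000.001",
++ "016.016.016.016",
++ "192.168.000.001",
++ "001.000.008.016",
++ "01.2.3.40",
++ "1.02.3.40",
++ "1.2.03.40",
++ "1.2.3.040",
++ ]
++ for address in addresses:
++ with self.subTest(address=address):
++ with self.assertAddressError(msg):
++ self.factory(address)
+
+def test_int(self):
+self.assertInstancesEqual(0, "0.0.0.0")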
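Review bot: The new guard `if octet_str != '0' and octet_str[0] == '0':` in the Lib/ipaddress.py hunk indexes `octet_str[0]`, which is only safe if an empty-octet rejection runs earlier in `_parse_octet`; that earlier check is not visible here (the enclosing method starts before the hunk's first context line), so the backport should be confirmed against the targeted 3.8 sources to make sure the ordering is preserved and an empty octet cannot reach this line. In the test_ipaddress.py hunk, `"192.168.000.001"` appears twice in `addresses`, so the second entry adds no coverage, and `msg` spells `\d` inside a non-raw string, which is an invalid escape sequence that warns under `-W error`; `msg = r"Leading zeros are not permitted in '\d+'"` avoids that. Both test issues are presumably carried over verbatim from the upstream fix, so deviating from it should be weighed against keeping the backport byte-identical to upstream.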
@ -17,7 +17,7 @@ URL: https://www.python.org/
|
|||||||
#global prerel ...
|
#global prerel ...
|
||||||
%global upstream_version %{general_version}%{?prerel}
|
%global upstream_version %{general_version}%{?prerel}
|
||||||
Version: %{general_version}%{?prerel:~%{prerel}}
|
Version: %{general_version}%{?prerel:~%{prerel}}
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
License: Python
|
License: Python
|
||||||
|
|
||||||
# Exclude i686 arch. Due to a modularity issue it's being added to the
|
# Exclude i686 arch. Due to a modularity issue it's being added to the
|
||||||
@ -363,6 +363,12 @@ Patch359: 00359-CVE-2021-23336.patch
|
|||||||
# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1935913
|
# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1935913
|
||||||
Patch360: 00360-CVE-2021-3426.patch
|
Patch360: 00360-CVE-2021-3426.patch
|
||||||
|
|
||||||
|
# 00365 #
|
||||||
|
# CVE-2021-29921: Improper input validation of octal strings in the ipaddress module
|
||||||
|
# Upstream: https://bugs.python.org/issue36384
|
||||||
|
# Main bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1957458
|
||||||
|
Patch365: 00365-CVE-2021-29921.patch
|
||||||
|
|
||||||
# (New patches go here ^^^)
|
# (New patches go here ^^^)
|
||||||
#
|
#
|
||||||
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
||||||
@ -712,6 +718,7 @@ rm Lib/ensurepip/_bundled/*.whl
|
|||||||
%patch353 -p1
|
%patch353 -p1
|
||||||
%patch359 -p1
|
%patch359 -p1
|
||||||
%patch360 -p1
|
%patch360 -p1
|
||||||
|
%patch365 -p1
|
||||||
|
|
||||||
# Remove files that should be generated by the build
|
# Remove files that should be generated by the build
|
||||||
# (This is after patching, so that we can use patches directly from upstream)
|
# (This is after patching, so that we can use patches directly from upstream)
|
||||||
@ -1800,6 +1807,10 @@ fi
|
|||||||
# ======================================================
|
# ======================================================
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jul 27 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.8.8-3
|
||||||
|
- Security fix for CVE-2021-29921: Leading zeros in IPv4 addresses are no longer tolerated
|
||||||
|
Resolves: rhbz#1957458
|
||||||
|
|
||||||
* Fri Apr 30 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.8.8-2
|
* Fri Apr 30 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.8.8-2
|
||||||
- Security fix for CVE-2021-3426: information disclosure via pydoc
|
- Security fix for CVE-2021-3426: information disclosure via pydoc
|
||||||
Resolves: rhbz#1935913
|
Resolves: rhbz#1935913
|
||||||
|