import python38-3.8.8-2.module+el8.5.0+10859+59137bee

SOURCES/00360-CVE-2021-3426.patch

@@ -0,0 +1,100 @@
+From 7e38d3309e0a5a7b9e23ef933aef0079c6e317f7 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 29 Mar 2021 06:02:40 -0700
+Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
+could be abused to read arbitrary files on the disk (directory
+traversal vulnerability). Moreover, even source code of Python
+modules can contain sensitive data like passwords. Vulnerability
+reported by David Schwörer.
+(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
+
+Co-authored-by: Victor Stinner <vstinner@python.org>
+---
+ Lib/pydoc.py                                   | 18 ------------------
+ Lib/test/test_pydoc.py                         |  6 ------
+ .../2021-03-24-14-16-56.bpo-42988.P2aNco.rst   |  4 ++++
+ 3 files changed, 4 insertions(+), 24 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+
+diff --git a/Lib/pydoc.py b/Lib/pydoc.py
+index dc3377d68f8caa..afec613dd85a06 100644
+--- a/Lib/pydoc.py
++++ b/Lib/pydoc.py
+@@ -2364,9 +2364,6 @@ def page(self, title, contents):
+ %s</head><body bgcolor="#f0f0f8">%s<div style="clear:both;padding-top:.5em;">%s</div>
+ </body></html>''' % (title, css_link, html_navbar(), contents)
+ 
+-        def filelink(self, url, path):
+-            return '<a href="getfile?key=%s">%s</a>' % (url, path)
+-
+ 
+     html = _HTMLDoc()
+ 
+@@ -2452,19 +2449,6 @@ def bltinlink(name):
+             'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results))
+         return 'Search Results', contents
+ 
+-    def html_getfile(path):
+-        """Get and display a source file listing safely."""
+-        path = urllib.parse.unquote(path)
+-        with tokenize.open(path) as fp:
+-            lines = html.escape(fp.read())
+-        body = '<pre>%s</pre>' % lines
+-        heading = html.heading(
+-            '<big><big><strong>File Listing</strong></big></big>',
+-            '#ffffff', '#7799ee')
+-        contents = heading + html.bigsection(
+-            'File: %s' % path, '#ffffff', '#ee77aa', body)
+-        return 'getfile %s' % path, contents
+-
+     def html_topics():
+         """Index of topic texts available."""
+ 
+@@ -2556,8 +2540,6 @@ def get_html_page(url):
+                 op, _, url = url.partition('=')
+                 if op == "search?key":
+                     title, content = html_search(url)
+-                elif op == "getfile?key":
+-                    title, content = html_getfile(url)
+                 elif op == "topic?key":
+                     # try topics first, then objects.
+                     try:
+diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py
+index c80477c50f0980..72ed8a93b712b0 100644
+--- a/Lib/test/test_pydoc.py
++++ b/Lib/test/test_pydoc.py
+@@ -1360,18 +1360,12 @@ def test_url_requests(self):
+             ("topic?key=def", "Pydoc: KEYWORD def"),
+             ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
+             ("foobar", "Pydoc: Error - foobar"),
+-            ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
+             ]
+ 
+         with self.restrict_walk_packages():
+             for url, title in requests:
+                 self.call_url_handler(url, title)
+ 
+-            path = string.__file__
+-            title = "Pydoc: getfile " + path
+-            url = "getfile?key=" + path
+-            self.call_url_handler(url, title)
+-
+ 
+ class TestHelper(unittest.TestCase):
+     def test_keywords(self):
+diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+new file mode 100644
+index 00000000000000..4b42dd05305a83
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+@@ -0,0 +1,4 @@
++CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
++could be abused to read arbitrary files on the disk (directory traversal
++vulnerability). Moreover, even source code of Python modules can contain
++sensitive data like passwords. Vulnerability reported by David Schwörer.

SPECS/python38.spec

@@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Python
 
 # Exclude i686 arch. Due to a modularity issue it's being added to the
@@ -357,6 +357,12 @@ Patch353: 00353-architecture-names-upstream-downstream.patch
 # Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1928904
 Patch359: 00359-CVE-2021-23336.patch
 
+# 00360 #
+# CVE-2021-3426: information disclosure via pydoc
+# Upstream: https://bugs.python.org/issue42988
+# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1935913
+Patch360: 00360-CVE-2021-3426.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -705,6 +711,7 @@ rm Lib/ensurepip/_bundled/*.whl
 %patch329 -p1
 %patch353 -p1
 %patch359 -p1
+%patch360 -p1
 
 # Remove files that should be generated by the build
 # (This is after patching, so that we can use patches directly from upstream)
@@ -1793,6 +1800,10 @@ fi
 # ======================================================
 
 %changelog
+* Fri Apr 30 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.8.8-2
+- Security fix for CVE-2021-3426: information disclosure via pydoc
+Resolves: rhbz#1935913
+
 * Mon Mar 15 2021 Lumír Balhar <lbalhar@redhat.com> - 3.8.8-1
 - Update to 3.8.8 and fix CVE-2021-23336
 Resolves: rhbz#1928904