From af519ff8e30836fe162756d013a3e8a78c691482 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mon, 20 Sep 2021 22:04:28 +0000 Subject: [PATCH] import python38-3.8.12-1.module+el8.6.0+12642+c3710b74 --- .gitignore | 2 +- .python38.metadata | 2 +- SOURCES/00189-use-rpm-wheels.patch | 21 ++- SOURCES/00329-fips.patch | 261 +++++++++++++++-------------- SOURCES/00359-CVE-2021-23336.patch | 47 +++--- SOURCES/00360-CVE-2021-3426.patch | 100 ----------- SOURCES/00365-CVE-2021-29921.patch | 62 ------- SPECS/python38.spec | 31 ++-- 8 files changed, 178 insertions(+), 348 deletions(-) delete mode 100644 SOURCES/00360-CVE-2021-3426.patch delete mode 100644 SOURCES/00365-CVE-2021-29921.patch diff --git a/.gitignore b/.gitignore index 9cecbd0..54e205c 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/Python-3.8.8-noexe.tar.xz +SOURCES/Python-3.8.12-noexe.tar.xz diff --git a/.python38.metadata b/.python38.metadata index f8bee15..81f65aa 100644 --- a/.python38.metadata +++ b/.python38.metadata @@ -1 +1 @@ -e3e4bc64d5e353b8db5882570d6eaec8e4d42f71 SOURCES/Python-3.8.8-noexe.tar.xz +d6a093ce67cb3c7b43a75c1925b8823e571a8311 SOURCES/Python-3.8.12-noexe.tar.xz diff --git a/SOURCES/00189-use-rpm-wheels.patch b/SOURCES/00189-use-rpm-wheels.patch index 5243305..c4132aa 100644 --- a/SOURCES/00189-use-rpm-wheels.patch +++ b/SOURCES/00189-use-rpm-wheels.patch @@ -1,4 +1,4 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From 7558ea14881f9afdf622375b5140b209c0c2f84d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Wed, 15 Aug 2018 15:36:29 +0200 Subject: [PATCH] 00189: Instead of bundled wheels, use our RPM packaged wheels 
@@ -8,11 +8,11 @@ We keep them in /usr/share/python-wheels Downstream only: upstream bundles We might eventually pursuit upstream support, but it's low prio --- - Lib/ensurepip/__init__.py | 32 ++++++++++++++++++++++---------- - 1 file changed, 22 insertions(+), 10 deletions(-) + Lib/ensurepip/__init__.py | 33 +++++++++++++++++++++++---------- + 1 file changed, 23 insertions(+), 10 deletions(-) diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py -index 38bb42104b..413c1b300e 100644 +index 597a1ef..3c2287f 100644 --- a/Lib/ensurepip/__init__.py +++ b/Lib/ensurepip/__init__.py @@ -1,6 +1,7 @@ @@ -24,16 +24,16 @@ index 38bb42104b..413c1b300e 100644 import sys import runpy import tempfile -@@ -9,10 +10,24 @@ import subprocess +@@ -9,9 +10,24 @@ import subprocess __all__ = ["version", "bootstrap"] +-_SETUPTOOLS_VERSION = "56.0.0" +_WHEEL_DIR = "/usr/share/python38-wheels/" --_SETUPTOOLS_VERSION = "49.2.1" +-_PIP_VERSION = "21.1.1" +_wheels = {} - --_PIP_VERSION = "20.2.3" ++ +def _get_most_recent_wheel_version(pkg): + prefix = os.path.join(_WHEEL_DIR, "{}-".format(pkg)) + _wheels[pkg] = {} @@ -51,7 +51,7 @@ index 38bb42104b..413c1b300e 100644 _PROJECTS = [ ("setuptools", _SETUPTOOLS_VERSION, "py3"), -@@ -102,13 +117,10 @@ def _bootstrap(*, root=None, upgrade=False, user=False, +@@ -101,13 +117,10 @@ def _bootstrap(*, root=None, upgrade=False, user=False, # additional paths that need added to sys.path additional_paths = [] for project, version, py_tag in _PROJECTS: @@ -69,3 +69,6 @@ index 38bb42104b..413c1b300e 100644 additional_paths.append(os.path.join(tmpdir, wheel_name)) +-- +2.31.1 + diff --git a/SOURCES/00329-fips.patch b/SOURCES/00329-fips.patch index 1c12d5d..d955f73 100644 --- a/SOURCES/00329-fips.patch +++ b/SOURCES/00329-fips.patch @@ -1,4 +1,4 @@ -From 7b70e87ecc1a75f005bdffd644ceca6c9e9679fa Mon Sep 17 00:00:00 2001 +From 9e1da6c093529d7b314f3703158a213824c3521e Mon Sep 17 00:00:00 2001 
From: Petr Viktorin Date: Thu, 25 Jul 2019 16:19:52 +0200 Subject: [PATCH 01/36] Expose OpenSSL FIPS_mode() as hashlib.get_fips_mode() @@ -26,12 +26,12 @@ index 56873b7..63ae836 100644 for __func_name in __always_supported: # try them all, some may not work due to the OpenSSL diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index edadbcb..9874b06 100644 +index 93bf25f..2409522 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c -@@ -26,6 +26,9 @@ +@@ -33,6 +33,9 @@ #include - #include "openssl/err.h" + #include +/* Expose FIPS_mode */ +#include @@ -39,7 +39,7 @@ index edadbcb..9874b06 100644 #ifndef OPENSSL_THREADS # error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL" #endif -@@ -1072,12 +1075,46 @@ generate_hash_name_list(void) +@@ -1079,12 +1082,46 @@ generate_hash_name_list(void) return state.set; } @@ -123,10 +123,10 @@ index 9aaea47..30fd8a9 100644 -/*[clinic end generated code: output=38c2637f67e9bb79 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=5467006d93e7479e input=a9049054013a1b77]*/ -- -2.25.4 +2.31.1 -From 4e1fa0339c257987984caa278516d46c35463385 Mon Sep 17 00:00:00 2001 +From 5a8faeb61d7acd6c7036efe24efe269c683dc1a0 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Thu, 25 Jul 2019 17:04:06 +0200 Subject: [PATCH 02/36] Use python's fall backs for the crypto it implements @@ -422,10 +422,10 @@ index 8b53d23..e9abcbb 100644 self._test_pbkdf2_hmac(py_hashlib.pbkdf2_hmac) -- -2.25.4 +2.31.1 -From 91b5c97d586a98cb95e215ecd2c02b18c8783e7a Mon Sep 17 00:00:00 2001 +From d21c5a098dda889de21985e57f12852ce9fbbcf1 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 25 Jul 2019 17:19:06 +0200 Subject: [PATCH 03/36] Disable Python's hash implementations in FIPS mode, 
@@ -438,8 +438,8 @@ Subject: [PATCH 03/36] Disable Python's hash implementations in FIPS mode, Modules/_blake2/blake2s_impl.c | 5 +++ Modules/_hashopenssl.c | 37 +------------------ Modules/_sha3/sha3module.c | 5 +++ - setup.py | 47 ++++++++++++------------ - 7 files changed, 110 insertions(+), 58 deletions(-) + setup.py | 48 +++++++++++++------------ + 7 files changed, 111 insertions(+), 58 deletions(-) create mode 100644 Include/_hashopenssl.h diff --git a/Include/_hashopenssl.h b/Include/_hashopenssl.h @@ -596,10 +596,10 @@ index ef2f7e1..389711a 100644 if (self->lock == NULL && buf.len >= HASHLIB_GIL_MINSIZE) diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index 9874b06..d733a39 100644 +index 2409522..a51c502 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c -@@ -17,6 +17,7 @@ +@@ -24,6 +24,7 @@ #include "structmember.h" #include "hashlib.h" #include "pystrhex.h" @@ -607,18 +607,18 @@ index 9874b06..d733a39 100644 /* EVP is the preferred interface to hashing in OpenSSL */ -@@ -24,10 +25,6 @@ +@@ -31,10 +32,6 @@ #include /* We use the object interface to discover what hashes OpenSSL supports. */ #include --#include "openssl/err.h" +-#include - -/* Expose FIPS_mode */ -#include #ifndef OPENSSL_THREADS # error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL" -@@ -69,38 +66,6 @@ class _hashlib.HASH "EVPobject *" "&EVPtype" +@@ -76,38 +73,6 @@ class _hashlib.HASH "EVPobject *" "&EVPtype" [clinic start generated code]*/ /*[clinic end generated code: output=da39a3ee5e6b4b0d input=a881a5092eecad28]*/ @@ -695,10 +695,10 @@ index c1fb618..34d09b4 100644 return NULL; } diff --git a/setup.py b/setup.py -index 84f7300..06d1ce6 100644 +index c28c096..a11bbda 100644 --- a/setup.py +++ b/setup.py -@@ -1688,7 +1688,6 @@ class PyBuildExt(build_ext): +@@ -1673,7 +1673,6 @@ class PyBuildExt(build_ext): def detect_modules(self): self.configure_compiler() self.init_inc_lib_dirs() 
@@ -706,7 +706,7 @@ index 84f7300..06d1ce6 100644 self.detect_simple_extensions() if TEST_EXTENSIONS: self.detect_test_extensions() -@@ -2187,7 +2186,7 @@ class PyBuildExt(build_ext): +@@ -2161,7 +2160,7 @@ class PyBuildExt(build_ext): sources=sources, depends=depends)) @@ -715,7 +715,7 @@ index 84f7300..06d1ce6 100644 # Detect SSL support for the socket module (via _ssl) config_vars = sysconfig.get_config_vars() -@@ -2208,7 +2207,7 @@ class PyBuildExt(build_ext): +@@ -2182,7 +2181,7 @@ class PyBuildExt(build_ext): if not openssl_libs: # libssl and libcrypto not found self.missing.extend(['_ssl', '_hashlib']) @@ -724,7 +724,7 @@ index 84f7300..06d1ce6 100644 # Find OpenSSL includes ssl_incs = find_file( -@@ -2216,7 +2215,7 @@ class PyBuildExt(build_ext): +@@ -2190,7 +2189,7 @@ class PyBuildExt(build_ext): ) if ssl_incs is None: self.missing.extend(['_ssl', '_hashlib']) @@ -733,7 +733,7 @@ index 84f7300..06d1ce6 100644 # OpenSSL 1.0.2 uses Kerberos for KRB5 ciphers krb5_h = find_file( -@@ -2226,12 +2225,23 @@ class PyBuildExt(build_ext): +@@ -2200,12 +2199,24 @@ class PyBuildExt(build_ext): if krb5_h: ssl_incs.extend(krb5_h) @@ -749,6 +749,7 @@ index 84f7300..06d1ce6 100644 + def detect_openssl_hashlib(self): + + config_vars = sysconfig.get_config_vars() ++ + if config_vars.get("HAVE_X509_VERIFY_PARAM_SET1_HOST"): self.add(Extension( @@ -757,10 +758,10 @@ index 84f7300..06d1ce6 100644 - library_dirs=openssl_libdirs, - libraries=openssl_libs, + **self.detect_openssl_args(), - depends=['socketmodule.h', '_ssl/debughelpers.c']) - ) - else: -@@ -2239,22 +2249,12 @@ class PyBuildExt(build_ext): + depends=[ + 'socketmodule.h', + '_ssl/debughelpers.c', +@@ -2218,22 +2229,12 @@ class PyBuildExt(build_ext): self.add(Extension('_hashlib', ['_hashopenssl.c'], depends=['hashlib.h'], 
@@ -787,7 +788,7 @@ index 84f7300..06d1ce6 100644 blake2_deps = glob(os.path.join(escape(self.srcdir), 'Modules/_blake2/impl/*')) -@@ -2264,6 +2264,7 @@ class PyBuildExt(build_ext): +@@ -2243,6 +2244,7 @@ class PyBuildExt(build_ext): ['_blake2/blake2module.c', '_blake2/blake2b_impl.c', '_blake2/blake2s_impl.c'], @@ -795,7 +796,7 @@ index 84f7300..06d1ce6 100644 depends=blake2_deps)) sha3_deps = glob(os.path.join(escape(self.srcdir), -@@ -2271,7 +2272,9 @@ class PyBuildExt(build_ext): +@@ -2250,7 +2252,9 @@ class PyBuildExt(build_ext): sha3_deps.append('hashlib.h') self.add(Extension('_sha3', ['_sha3/sha3module.c'], @@ -807,10 +808,10 @@ index 84f7300..06d1ce6 100644 def detect_nis(self): if MS_WINDOWS or CYGWIN or HOST_PLATFORM == 'qnx6': -- -2.25.4 +2.31.1 -From d9b8f21a1b5feb177ece4c595ce8b639f02548c8 Mon Sep 17 00:00:00 2001 +From 668177d86702b10da881f76cf17bda44d8823be9 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Thu, 12 Dec 2019 16:58:31 +0100 Subject: [PATCH 04/36] Expose all hashes available to OpenSSL @@ -821,10 +822,10 @@ Subject: [PATCH 04/36] Expose all hashes available to OpenSSL 2 files changed, 447 insertions(+), 1 deletion(-) diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index d733a39..6982268 100644 +index a51c502..713e15a 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c -@@ -194,6 +194,12 @@ py_digest_by_name(const char *name) +@@ -201,6 +201,12 @@ py_digest_by_name(const char *name) else if (!strcmp(name, "blake2b512")) { digest = EVP_blake2b512(); } @@ -837,7 +838,7 @@ index d733a39..6982268 100644 #endif } -@@ -712,6 +718,142 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj) +@@ -719,6 +725,142 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj) return EVP_fast_new(module, data_obj, EVP_sha512()); } 
@@ -980,7 +981,7 @@ index d733a39..6982268 100644 /*[clinic input] _hashlib.pbkdf2_hmac as pbkdf2_hmac -@@ -1087,6 +1229,14 @@ static struct PyMethodDef EVP_functions[] = { +@@ -1094,6 +1236,14 @@ static struct PyMethodDef EVP_functions[] = { _HASHLIB_OPENSSL_SHA256_METHODDEF _HASHLIB_OPENSSL_SHA384_METHODDEF _HASHLIB_OPENSSL_SHA512_METHODDEF @@ -1309,10 +1310,10 @@ index 30fd8a9..e96a752 100644 -/*[clinic end generated code: output=5467006d93e7479e input=a9049054013a1b77]*/ +/*[clinic end generated code: output=be8e21a10dff71e7 input=a9049054013a1b77]*/ -- -2.25.4 +2.31.1 -From d4c78750ffb431fe34a18aab7cdf84d3a68d7fc1 Mon Sep 17 00:00:00 2001 +From 7137c003853b8672eed4d28fe8703756b75ab790 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 25 Jul 2019 18:13:45 +0200 Subject: [PATCH 05/36] Fix tests @@ -1441,10 +1442,10 @@ index e9abcbb..2a55fd4 100644 @requires_sha3 def test_extra_sha3(self): -- -2.25.4 +2.31.1 -From 4ec7034d73e681041758fc80f75e061c0e506449 Mon Sep 17 00:00:00 2001 +From 94f13c68d2a4845e58d4c7b7adf01e64f993c4f5 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Fri, 26 Jul 2019 11:27:57 +0200 Subject: [PATCH 06/36] Change FIPS exceptions from _blake2, _sha3 module init @@ -1583,10 +1584,10 @@ index 34d09b4..3079e1e 100644 if ((m = PyModule_Create(&_SHA3module)) == NULL) { return NULL; -- -2.25.4 +2.31.1 -From ed6f93218c2190d34ee0b0f4c7599d306708449f Mon Sep 17 00:00:00 2001 +From 805af2c3dcbe1855a9fb8eb534b985aed338c2ba Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Fri, 26 Jul 2019 11:24:09 +0200 Subject: [PATCH 07/36] Make hashlib importable under FIPS mode @@ -1618,10 +1619,10 @@ index 1bcfdf9..898e6dc 100644 -- -2.25.4 +2.31.1 -From 66c5862bb09586168caac4d6ba6142ed3198fe1d Mon Sep 17 00:00:00 2001 +From bc3f033f0a832e6b7ddf50e1059de8fc5df08d3f Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Fri, 26 Jul 2019 15:41:10 +0200 Subject: [PATCH 08/36] Implement hmac.new using new built-in module, 
@@ -2249,10 +2250,10 @@ index 0000000..b472a6e +} +/*[clinic end generated code: output=10b6e8cac6d7a2c9 input=a9049054013a1b77]*/ diff --git a/setup.py b/setup.py -index 06d1ce6..ca8bc2b 100644 +index a11bbda..ca30105 100644 --- a/setup.py +++ b/setup.py -@@ -2251,6 +2251,10 @@ class PyBuildExt(build_ext): +@@ -2231,6 +2231,10 @@ class PyBuildExt(build_ext): depends=['hashlib.h'], **self.detect_openssl_args()) ) @@ -2264,10 +2265,10 @@ index 06d1ce6..ca8bc2b 100644 # RHEL: Always force OpenSSL for md5, sha1, sha256, sha512; # don't build Python's implementations. -- -2.25.4 +2.31.1 -From 6ec3a1afd87a3aa411a19727e212ebf81fee49cc Mon Sep 17 00:00:00 2001 +From da75615e1f3e6b8f44a16e5113a4a6fd55e48629 Mon Sep 17 00:00:00 2001 From: Marcel Plch Date: Mon, 29 Jul 2019 12:45:11 +0200 Subject: [PATCH 09/36] FIPS review @@ -2479,10 +2480,10 @@ index ca95d72..216ed04 100644 + return PyModuleDef_Init(&_hmacopenssl_def); } -- -2.25.4 +2.31.1 -From 8645a4cf6ee2ad10fac3d081da78eabb06099a9c Mon Sep 17 00:00:00 2001 +From f48fab4946308008e989d845ce0dbc2cff6ce9ff Mon Sep 17 00:00:00 2001 From: Marcel Plch Date: Mon, 29 Jul 2019 13:05:04 +0200 Subject: [PATCH 10/36] revert cosmetic nitpick and remove trailing whitespace @@ -2528,10 +2529,10 @@ index 216ed04..221714c 100644 .m_methods = hmacopenssl_functions, .m_slots = hmacopenssl_slots, -- -2.25.4 +2.31.1 -From d80ae6ac0abf1e0ca5a32ff80343e927587cf5a6 Mon Sep 17 00:00:00 2001 +From dc55436077250ba791ee67692fdc8704a900987b Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Wed, 31 Jul 2019 15:43:43 +0200 Subject: [PATCH 11/36] Add initial tests for various hashes under FIPS mode @@ -2612,10 +2613,10 @@ index 0000000..bee911e +if __name__ == "__main__": + unittest.main() -- -2.25.4 +2.31.1 -From 414c04713ad89bdeeb7a074f953c0085d541eae6 Mon Sep 17 00:00:00 2001 +From 446c6a790ef878bda6137ebfc570f36dee01c380 Mon Sep 17 00:00:00 2001 
From: Marcel Plch Date: Thu, 1 Aug 2019 16:39:37 +0200 Subject: [PATCH 12/36] Initialize HMAC type. @@ -2681,10 +2682,10 @@ index 221714c..239445a 100644 fail: -- -2.25.4 +2.31.1 -From 0157b52ac7f15610526497f9188eb84ed3846993 Mon Sep 17 00:00:00 2001 +From 357007a6034cc3409ad2e2fe9fc77974ea6de626 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 1 Aug 2019 17:57:05 +0200 Subject: [PATCH 13/36] Use a stronger hash in multiprocessing handshake @@ -2729,10 +2730,10 @@ index 8e2facf..bb4acb6 100644 response = connection.recv_bytes(256) # reject large message if response != WELCOME: -- -2.25.4 +2.31.1 -From 3730b4186cf708bb8ea528c22734d4c1176fc9ad Mon Sep 17 00:00:00 2001 +From fddd82fedc5ea8b49ceab49296c7bddb9f3f1204 Mon Sep 17 00:00:00 2001 From: Marcel Plch Date: Fri, 2 Aug 2019 17:36:01 +0200 Subject: [PATCH 14/36] Fix refcounting @@ -2803,10 +2804,10 @@ index 239445a..9c28828 100644 -- -2.25.4 +2.31.1 -From 1873bfe385a1b952ba11c2b2f15755353f2411df Mon Sep 17 00:00:00 2001 +From 42f7d2fbefe161607ad146f44d2abd19fe804810 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 13:37:05 +0200 Subject: [PATCH 15/36] hmac: Don't default to md5 in FIPS mode @@ -2829,10 +2830,10 @@ index daabc8c..0302364 100644 result = _hmacopenssl.new(key, digestmod=name) if msg: -- -2.25.4 +2.31.1 -From f77c854b9c5aab3e2bb517b6d0c08197a116efb1 Mon Sep 17 00:00:00 2001 +From e285342c3b17de9b13ccbf2dbdb68cce5b4df86c Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 14:20:58 +0200 Subject: [PATCH 16/36] Make _hmacopenssl.HMAC subclassable; subclass it as @@ -3120,10 +3121,10 @@ index b472a6e..861acc1 100644 -/*[clinic end generated code: output=10b6e8cac6d7a2c9 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=d93ad460795d49b5 input=a9049054013a1b77]*/ -- -2.25.4 +2.31.1 -From b357a1f823b7b231d1a8bc149b5a950246350d3c Mon Sep 17 00:00:00 2001 +From 5dab92e1f96fc0940a2d5d365708329e8c282587 Mon Sep 17 00:00:00 2001 
From: Petr Viktorin Date: Mon, 5 Aug 2019 16:10:36 +0200 Subject: [PATCH 17/36] Fix _hmacopenssl.HMAC.block_size @@ -3146,10 +3147,10 @@ index 7d3d973..a24c8ba 100644 static PyMethodDef Hmac_methods[] = { -- -2.25.4 +2.31.1 -From ee03c8ff14206070a7e4e4d13c4b067bcf25193d Mon Sep 17 00:00:00 2001 +From d39cc2e44d6debffce096b82d30909e2662379ab Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 15:02:08 +0200 Subject: [PATCH 18/36] distutils upload: Skip md5 checksum in FIPS mode @@ -3228,10 +3229,10 @@ index c17d8e7..b4b64e9 100644 def test_upload_fails(self): -- -2.25.4 +2.31.1 -From fd0fd3310ff7c7dae0ea4377b71928ca3e242a21 Mon Sep 17 00:00:00 2001 +From 124f7e862bdbf6615e64fedfa73a76e199d68644 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 15:32:25 +0200 Subject: [PATCH 19/36] Fix HMAC tests on FIPS mode @@ -3321,10 +3322,10 @@ index 23c108f..0a85981 100644 def test_equality(self): # Testing if the copy has the same digests. -- -2.25.4 +2.31.1 -From e0c4dfcfc3070d0b3b25f77357509b9daa5f9891 Mon Sep 17 00:00:00 2001 +From 6bc6c745da5c2d860de9f76402ccf554e398bbbc Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 16:37:12 +0200 Subject: [PATCH 20/36] test_tools: Skip md5sum tests in FIPS mode @@ -3354,10 +3355,10 @@ index fb565b7..7028a4d 100644 @classmethod def setUpClass(cls): -- -2.25.4 +2.31.1 -From 510915020bb7c7c91d297fb3330ee9be3ee16b6f Mon Sep 17 00:00:00 2001 +From 22f2476f2a19dfc4e4c25e5df2f059bf8e15d397 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 18:23:57 +0200 Subject: [PATCH 21/36] Make hashlib tests pass in FIPS mode @@ -3549,10 +3550,10 @@ index 2a55fd4..9ae5efc 100644 @support.reap_threads def test_threaded_hashing(self): -- -2.25.4 +2.31.1 -From de9997db1f55fe4c70f0a5c4fe5b497e8c6839a2 Mon Sep 17 00:00:00 2001 +From ca8655cc0f8c1bcfb5ae970d33a826c092746203 Mon Sep 17 00:00:00 2001 
From: Lumir Balhar Date: Wed, 14 Aug 2019 14:43:07 +0200 Subject: [PATCH 22/36] distutils upload: only add md5 if available, but @@ -3619,10 +3620,10 @@ index b4b64e9..f720a79 100644 def test_upload_fails(self): -- -2.25.4 +2.31.1 -From 30407ef6fd2fb0fcb950cab57d4bd23121ef9084 Mon Sep 17 00:00:00 2001 +From 12f506902ee04749565485bb60f0b927b2895e71 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Fri, 13 Sep 2019 02:30:00 +0200 Subject: [PATCH 23/36] bpo-9216: Add usedforsecurity to hashlib constructors @@ -3656,7 +3657,7 @@ Contributed and Signed-off-by: Christian Heimes christian@python.org create mode 100644 Misc/NEWS.d/next/Library/2019-09-12-14-54-45.bpo-9216.W7QMpC.rst diff --git a/Doc/library/hashlib.rst b/Doc/library/hashlib.rst -index a16c7cd..6eb3a7b 100644 +index f5da6ec..86b9f65 100644 --- a/Doc/library/hashlib.rst +++ b/Doc/library/hashlib.rst @@ -67,7 +67,7 @@ Constructors for hash algorithms that are always present in this module are @@ -3944,10 +3945,10 @@ index 560bd68..71c5706 100644 -/*[clinic end generated code: output=39af5a74c8805b36 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=c80d8d06ce40a192 input=a9049054013a1b77]*/ diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index 6982268..a1f81eb 100644 +index 713e15a..b4d05ab 100644 --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c -@@ -521,7 +521,7 @@ static PyTypeObject EVPtype = { +@@ -528,7 +528,7 @@ static PyTypeObject EVPtype = { \ static PyObject * EVPnew(const EVP_MD *digest, @@ -3956,7 +3957,7 @@ index 6982268..a1f81eb 100644 { int result = 0; EVPobject *self; -@@ -534,6 +534,12 @@ EVPnew(const EVP_MD *digest, +@@ -541,6 +541,12 @@ EVPnew(const EVP_MD *digest, if ((self = newEVPobject()) == NULL) return NULL; 
@@ -3969,7 +3970,7 @@ index 6982268..a1f81eb 100644 if (!EVP_DigestInit_ex(self->ctx, digest, NULL)) { _setException(PyExc_ValueError); Py_DECREF(self); -@@ -565,6 +571,8 @@ _hashlib.new as EVP_new +@@ -572,6 +578,8 @@ _hashlib.new as EVP_new name as name_obj: object string as data_obj: object(c_default="NULL") = b'' @@ -3978,7 +3979,7 @@ index 6982268..a1f81eb 100644 Return a new hash object using the named algorithm. -@@ -575,8 +583,9 @@ The MD5 and SHA1 algorithms are always supported. +@@ -582,8 +590,9 @@ The MD5 and SHA1 algorithms are always supported. [clinic start generated code]*/ static PyObject * @@ -3990,7 +3991,7 @@ index 6982268..a1f81eb 100644 { Py_buffer view = { 0 }; PyObject *ret_obj; -@@ -593,7 +602,9 @@ EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj) +@@ -600,7 +609,9 @@ EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj) digest = py_digest_by_name(name); @@ -4001,7 +4002,7 @@ index 6982268..a1f81eb 100644 if (data_obj) PyBuffer_Release(&view); -@@ -601,7 +612,8 @@ EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj) +@@ -608,7 +619,8 @@ EVP_new_impl(PyObject *module, PyObject *name_obj, PyObject *data_obj) } static PyObject* @@ -4011,7 +4012,7 @@ index 6982268..a1f81eb 100644 { Py_buffer view = { 0 }; PyObject *ret_obj; -@@ -609,7 +621,8 @@ EVP_fast_new(PyObject *module, PyObject *data_obj, const EVP_MD *digest) +@@ -616,7 +628,8 @@ EVP_fast_new(PyObject *module, PyObject *data_obj, const EVP_MD *digest) if (data_obj) GET_BUFFER_VIEW_OR_ERROUT(data_obj, &view); @@ -4021,7 +4022,7 @@ index 6982268..a1f81eb 100644 if (data_obj) PyBuffer_Release(&view); -@@ -621,16 +634,19 @@ EVP_fast_new(PyObject *module, PyObject *data_obj, const EVP_MD *digest) +@@ -628,16 +641,19 @@ EVP_fast_new(PyObject *module, PyObject *data_obj, const EVP_MD *digest) _hashlib.openssl_md5 string as data_obj: object(py_default="b''") = NULL 
@@ -4044,7 +4045,7 @@ index 6982268..a1f81eb 100644 } -@@ -638,16 +654,19 @@ _hashlib_openssl_md5_impl(PyObject *module, PyObject *data_obj) +@@ -645,16 +661,19 @@ _hashlib_openssl_md5_impl(PyObject *module, PyObject *data_obj) _hashlib.openssl_sha1 string as data_obj: object(py_default="b''") = NULL @@ -4067,7 +4068,7 @@ index 6982268..a1f81eb 100644 } -@@ -655,16 +674,19 @@ _hashlib_openssl_sha1_impl(PyObject *module, PyObject *data_obj) +@@ -662,16 +681,19 @@ _hashlib_openssl_sha1_impl(PyObject *module, PyObject *data_obj) _hashlib.openssl_sha224 string as data_obj: object(py_default="b''") = NULL @@ -4090,7 +4091,7 @@ index 6982268..a1f81eb 100644 } -@@ -672,16 +694,19 @@ _hashlib_openssl_sha224_impl(PyObject *module, PyObject *data_obj) +@@ -679,16 +701,19 @@ _hashlib_openssl_sha224_impl(PyObject *module, PyObject *data_obj) _hashlib.openssl_sha256 string as data_obj: object(py_default="b''") = NULL @@ -4113,7 +4114,7 @@ index 6982268..a1f81eb 100644 } -@@ -689,16 +714,19 @@ _hashlib_openssl_sha256_impl(PyObject *module, PyObject *data_obj) +@@ -696,16 +721,19 @@ _hashlib_openssl_sha256_impl(PyObject *module, PyObject *data_obj) _hashlib.openssl_sha384 string as data_obj: object(py_default="b''") = NULL @@ -4136,7 +4137,7 @@ index 6982268..a1f81eb 100644 } -@@ -706,152 +734,179 @@ _hashlib_openssl_sha384_impl(PyObject *module, PyObject *data_obj) +@@ -713,152 +741,179 @@ _hashlib_openssl_sha384_impl(PyObject *module, PyObject *data_obj) _hashlib.openssl_sha512 string as data_obj: object(py_default="b''") = NULL @@ -5729,7 +5730,7 @@ index 459a934..b8185b6 100644 -/*[clinic end generated code: output=580df4b667084a7e input=a9049054013a1b77]*/ +/*[clinic end generated code: output=bbfa72d8703c82b5 input=a9049054013a1b77]*/ diff --git a/Modules/md5module.c b/Modules/md5module.c -index c2ebaaf..fdc4d7b 100644 +index 64fab80..ee4efe4 100644 --- a/Modules/md5module.c +++ b/Modules/md5module.c @@ -503,13 +503,15 @@ static PyTypeObject MD5type = { 
@@ -5751,7 +5752,7 @@ index c2ebaaf..fdc4d7b 100644 MD5object *new; Py_buffer buf; diff --git a/Modules/sha1module.c b/Modules/sha1module.c -index ce2ad26..4d191c3 100644 +index 4a8dbd8..aec0bad 100644 --- a/Modules/sha1module.c +++ b/Modules/sha1module.c @@ -480,13 +480,15 @@ static PyTypeObject SHA1type = { @@ -5773,7 +5774,7 @@ index ce2ad26..4d191c3 100644 SHA1object *new; Py_buffer buf; diff --git a/Modules/sha256module.c b/Modules/sha256module.c -index b8d6c4c..245f4c0 100644 +index a1c8b1a..8777c59 100644 --- a/Modules/sha256module.c +++ b/Modules/sha256module.c @@ -601,13 +601,15 @@ static PyTypeObject SHA256type = { @@ -5813,7 +5814,7 @@ index b8d6c4c..245f4c0 100644 SHAobject *new; Py_buffer buf; diff --git a/Modules/sha512module.c b/Modules/sha512module.c -index 98b9791..df4f9d2 100644 +index 4167fd3..504d40a 100644 --- a/Modules/sha512module.c +++ b/Modules/sha512module.c @@ -666,13 +666,15 @@ static PyTypeObject SHA512type = { @@ -5853,10 +5854,10 @@ index 98b9791..df4f9d2 100644 SHAobject *new; Py_buffer buf; -- -2.25.4 +2.31.1 -From 095d8ea318b20b5d42ada0367ca770c15e6f6fa2 Mon Sep 17 00:00:00 2001 +From 041f34e22d7c458b611a72e3927deb85f20d1a85 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 26 Aug 2019 19:09:39 +0200 Subject: [PATCH 24/36] Test the usedforsecurity flag @@ -6099,10 +6100,10 @@ index 08bb91f..1368e91 100644 class KDFTests(unittest.TestCase): -- -2.25.4 +2.31.1 -From 59b7e853d919380ca6c11655bbc7041ee395417d Mon Sep 17 00:00:00 2001 +From 6ae69003979add3243d700e1f5154cf83818ea62 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 29 Aug 2019 10:25:28 +0200 Subject: [PATCH 25/36] Skip error checking in _hashlib.get_fips_mode @@ -6113,10 +6114,10 @@ Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1745499 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c -index a1f81eb..eff331b 100644 +index b4d05ab..a48b607 100644 --- a/Modules/_hashopenssl.c 
+++ b/Modules/_hashopenssl.c -@@ -1253,20 +1253,22 @@ _hashlib_get_fips_mode_impl(PyObject *module) +@@ -1260,20 +1260,22 @@ _hashlib_get_fips_mode_impl(PyObject *module) /*[clinic end generated code: output=ad8a7793310d3f98 input=f42a2135df2a5e11]*/ { @@ -6154,10 +6155,10 @@ index a1f81eb..eff331b 100644 -- -2.25.4 +2.31.1 -From 7f5432d72546f60078989b6cadf26cd51de84ebd Mon Sep 17 00:00:00 2001 +From 95b58ae12206c7889e0159a720c1a96fcb2dc050 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 10 Oct 2019 13:04:50 +0200 Subject: [PATCH 26/36] Skip error checking in _Py_hashlib_fips_error @@ -6192,10 +6193,10 @@ index 47ed003..d4cbdef 100644 } PyErr_Format(exc, "%s is not available in FIPS mode", name); -- -2.25.4 +2.31.1 -From 05f7188136bda8eeec06428aa4ddf9ab14a178a0 Mon Sep 17 00:00:00 2001 +From ba0462edf8fb3ae3cb04151460002cf687758605 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 5 Aug 2019 19:12:38 +0200 Subject: [PATCH 27/36] Fixups @@ -6234,10 +6235,10 @@ index 0a85981..0b481ec 100644 h1 = hmac.HMAC(b"key", digestmod="sha1") h2 = h1.copy() -- -2.25.4 +2.31.1 -From 0f707443431d9dc22218be7208d940f4d42f122d Mon Sep 17 00:00:00 2001 +From d2596ea3fab68d2fc586abaae64323599c2a74c8 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 26 Aug 2019 19:39:48 +0200 Subject: [PATCH 28/36] Don't re-export get_fips_mode from hashlib @@ -6550,7 +6551,7 @@ index 0b481ec..cc77928 100644 def test_realcopy(self): # Testing if the copy method created a real copy. diff --git a/Lib/test/test_smtplib.py b/Lib/test/test_smtplib.py -index d0c9862..9a44c0d 100644 +index c9205ae..e4d7fb4 100644 --- a/Lib/test/test_smtplib.py +++ b/Lib/test/test_smtplib.py @@ -17,6 +17,8 @@ import select 
@@ -6562,7 +6563,7 @@ index d0c9862..9a44c0d 100644 import unittest from test import support, mock_socket -@@ -1021,7 +1023,7 @@ class SMTPSimTests(unittest.TestCase): +@@ -1059,7 +1061,7 @@ class SMTPSimTests(unittest.TestCase): def testAUTH_multiple(self): # Test that multiple authentication methods are tried. @@ -6604,10 +6605,10 @@ index 1cb358f..6f5cb7f 100644 from test import support -- -2.25.4 +2.31.1 -From 9515f9be3409fdc59cf9c09dd200917483e1651a Mon Sep 17 00:00:00 2001 +From 7873a4a314732768bc4d11a095ae50f0553bdebd Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 20 Nov 2019 10:59:25 +0100 Subject: [PATCH 29/36] Use FIPS compliant CSPRNG @@ -6624,7 +6625,7 @@ Signed-off-by: Christian Heimes 4 files changed, 89 insertions(+), 1 deletion(-) diff --git a/Lib/test/test_os.py b/Lib/test/test_os.py -index 2a4ae15..5ad5bd6 100644 +index 5302b1c..ed335ad 100644 --- a/Lib/test/test_os.py +++ b/Lib/test/test_os.py @@ -1546,6 +1546,11 @@ class GetRandomTests(unittest.TestCase): @@ -6640,7 +6641,7 @@ index 2a4ae15..5ad5bd6 100644 def test_getrandom_type(self): data = os.getrandom(16) diff --git a/Makefile.pre.in b/Makefile.pre.in -index 917303d..ddfbfd0 100644 +index 381a8ab..e7778f4 100644 --- a/Makefile.pre.in +++ b/Makefile.pre.in @@ -116,7 +116,7 @@ PY_STDMODULE_CFLAGS= $(PY_CFLAGS) $(PY_CFLAGS_NODIST) $(PY_CPPFLAGS) $(CFLAGSFOR @@ -6653,10 +6654,10 @@ index 917303d..ddfbfd0 100644 CFLAGS_ALIASING=@CFLAGS_ALIASING@ diff --git a/Modules/posixmodule.c b/Modules/posixmodule.c -index 726e372..9a1249a 100644 +index d7edabe..f825d5a 100644 --- a/Modules/posixmodule.c +++ b/Modules/posixmodule.c -@@ -388,6 +388,9 @@ extern char *ctermid_r(char *); +@@ -389,6 +389,9 @@ extern char *ctermid_r(char *); #define MODNAME "posix" #endif 
@@ -6666,7 +6667,7 @@ index 726e372..9a1249a 100644 #if defined(__sun) /* Something to implement in autoconf, not present in autoconf 2.69 */ #define HAVE_STRUCT_STAT_ST_FSTYPE 1 -@@ -13558,6 +13561,11 @@ os_getrandom_impl(PyObject *module, Py_ssize_t size, int flags) +@@ -13650,6 +13653,11 @@ os_getrandom_impl(PyObject *module, Py_ssize_t size, int flags) return posix_error(); } @@ -6772,10 +6773,10 @@ index eb2b6d0..cb38cfe 100644 return win32_urandom((unsigned char *)buffer, size, raise); #else -- -2.25.4 +2.31.1 -From ba95383d9b37f252bd153674404dc4055d49bf82 Mon Sep 17 00:00:00 2001 +From 99ee25369116bf17731502e77a81bd0c5ac59b38 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Thu, 28 Nov 2019 17:26:02 +0100 Subject: [PATCH 30/36] Fixups for FIPS compliant CSPRNG @@ -6786,7 +6787,7 @@ Subject: [PATCH 30/36] Fixups for FIPS compliant CSPRNG 2 files changed, 5 insertions(+), 31 deletions(-) diff --git a/Lib/test/test_os.py b/Lib/test/test_os.py -index 5ad5bd6..ae53de9 100644 +index ed335ad..f306316 100644 --- a/Lib/test/test_os.py +++ b/Lib/test/test_os.py @@ -28,6 +28,7 @@ import time @@ -6871,10 +6872,10 @@ index cb38cfe..08fa29a 100644 return 0; } -- -2.25.4 +2.31.1 -From 496a58146aa42b97661c5ea1afeaa223e8fd4ceb Mon Sep 17 00:00:00 2001 +From 3750c8b8b4c09c6bc795721bc353da23b015fe4d Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Thu, 2 Apr 2020 16:50:37 +0200 Subject: [PATCH 31/36] Do not raise a ValueError if digestmod is missing in @@ -6901,10 +6902,10 @@ index 5055027..ee1ad76 100644 return digestmod.lower() elif callable(digestmod): -- -2.25.4 +2.31.1 -From 3f346ea93c2504e169a2df21e2de206031a08600 Mon Sep 17 00:00:00 2001 +From 737af204f04bb39e5f87d53fe07713137639234e Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Thu, 2 Apr 2020 16:55:36 +0200 Subject: [PATCH 32/36] Regenerate the clinic files 
@@ -6988,10 +6989,10 @@ index 861acc1..527be83 100644 -/*[clinic end generated code: output=d93ad460795d49b5 input=a9049054013a1b77]*/ +/*[clinic end generated code: output=9b75c31e1116bf6f input=a9049054013a1b77]*/ -- -2.25.4 +2.31.1 -From f4465980ae75c0e56cd1edecf9a42fa38b9cd12a Mon Sep 17 00:00:00 2001 +From d0e7edf46ceef6ffb6075bb8b8b966f31df018fc Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Tue, 7 Apr 2020 15:16:45 +0200 Subject: [PATCH 33/36] Pass kwargs (like usedforsecurity) through __hash_new @@ -7023,10 +7024,10 @@ index 2fc214e..785858f 100644 try: -- -2.25.4 +2.31.1 -From 6c0ba219c01052f8b079ce67b89a75920b3aa867 Mon Sep 17 00:00:00 2001 +From 0e3f635871d22831cbb5f0bffb9962f2a1ad29eb Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Tue, 7 Apr 2020 15:18:48 +0200 Subject: [PATCH 34/36] Adjust new upstream test for failing hashes with @@ -7069,10 +7070,10 @@ index a4b7840..a858bf4 100644 self.assertRaises(ValueError, hashlib.new, 'spam spam spam spam spam') self.assertRaises(TypeError, hashlib.new, 1) -- -2.25.4 +2.31.1 -From 041105f888785599e58213dfea55115a4e861d77 Mon Sep 17 00:00:00 2001 +From 8145cfd2f71749a9fe844e5abc725f36e9085b22 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Fri, 24 Apr 2020 19:57:16 +0200 Subject: [PATCH 35/36] Skip the test_with_digestmod_no_default under FIPS @@ -7115,10 +7116,10 @@ index cc77928..fd068e0 100644 class ConstructorTestCase(unittest.TestCase): -- -2.25.4 +2.31.1 -From e20750200d560a549cbbf224ded74bb086ef3e66 Mon Sep 17 00:00:00 2001 +From 969498fda9699b2e9d2df4a78a671e37d578daea Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Tue, 31 Mar 2020 18:00:42 +0200 Subject: [PATCH 36/36] Add a sentinel value on the Hmac_members table of the @@ -7141,5 +7142,5 @@ index 9577cad..4bd7c15 100644 PyDoc_STRVAR(hmactype_doc, -- -2.25.4 +2.31.1 diff --git a/SOURCES/00359-CVE-2021-23336.patch b/SOURCES/00359-CVE-2021-23336.patch index f6ed9e6..33e91c2 100644 --- a/SOURCES/00359-CVE-2021-23336.patch 
+++ b/SOURCES/00359-CVE-2021-23336.patch @@ -1,4 +1,4 @@ -From a11d61081c3887c2b4c36e8726597e05f789c2e2 Mon Sep 17 00:00:00 2001 +From 78da9e020385fe78e36c20f99a0910bbc4a0c100 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Thu, 1 Apr 2021 08:18:07 +0200 Subject: [PATCH] CVE-2021-23336: Add `separator` argument to parse_qs; warn @@ -21,15 +21,13 @@ Co-authored-by: Adam Goldschmidt Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com> Co-authored-by: Éric Araujo --- - Doc/library/cgi.rst | 2 +- - Doc/library/urllib.parse.rst | 12 +- - Lib/cgi.py | 4 +- - Lib/test/test_cgi.py | 29 +++ - Lib/test/test_urlparse.py | 232 +++++++++++++++++- - Lib/urllib/parse.py | 77 +++++- - .../2021-02-14-15-59-16.bpo-42967.YApqDS.rst | 1 + - 7 files changed, 340 insertions(+), 17 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst + Doc/library/cgi.rst | 2 +- + Doc/library/urllib.parse.rst | 12 +- + Lib/cgi.py | 4 +- + Lib/test/test_cgi.py | 29 +++++ + Lib/test/test_urlparse.py | 232 ++++++++++++++++++++++++++++++++++- + Lib/urllib/parse.py | 78 +++++++++++- + 6 files changed, 339 insertions(+), 18 deletions(-) diff --git a/Doc/library/cgi.rst b/Doc/library/cgi.rst index 880074b..d8a6dc1 100644 @@ -45,7 +43,7 @@ index 880074b..d8a6dc1 100644 Parse a query in the environment or from a file (the file defaults to ``sys.stdin``). The *keep_blank_values*, *strict_parsing* and *separator* parameters are diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst -index fcad707..9bcef69 100644 +index a6cfc5d..85b2448 100644 --- a/Doc/library/urllib.parse.rst +++ b/Doc/library/urllib.parse.rst @@ -165,7 +165,7 @@ or on combining URL components into a URL string. @@ -144,7 +142,7 @@ index 4e1506a..49b6926 100644 # test dict interface self.assertEqual(len(expect), len(fs)) diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py -index 90c8d69..90349ee 100644 +index 0f99130..4e0d7e5 100644 
--- a/Lib/test/test_urlparse.py +++ b/Lib/test/test_urlparse.py @@ -2,6 +2,11 @@ import sys @@ -294,7 +292,7 @@ index 90c8d69..90349ee 100644 def test_roundtrips(self): str_cases = [ ('file:///tmp/junk.txt', -@@ -871,8 +961,8 @@ class UrlParseTestCase(unittest.TestCase): +@@ -919,8 +1009,8 @@ class UrlParseTestCase(unittest.TestCase): def test_parse_qsl_max_num_fields(self): with self.assertRaises(ValueError): @@ -305,8 +303,8 @@ index 90c8d69..90349ee 100644 def test_parse_qs_separator(self): parse_qs_semicolon_cases = [ -@@ -912,6 +1002,136 @@ class UrlParseTestCase(unittest.TestCase): - self.assertEqual(result, expect, "Error parsing %r" % orig) +@@ -964,6 +1054,136 @@ class UrlParseTestCase(unittest.TestCase): + self.assertEqual(result_bytes, expect, "Error parsing %r" % orig) + @contextlib.contextmanager @@ -443,7 +441,7 @@ index 90c8d69..90349ee 100644 # Other tests incidentally urlencode things; test non-covered cases: # Sequence and object values. diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py -index 0c1c94f..83638bb 100644 +index f0d9d4d..70fc268 100644 --- a/Lib/urllib/parse.py +++ b/Lib/urllib/parse.py @@ -28,6 +28,7 @@ test_urlparse.py provides a good indicator of parsing behavior. @@ -454,7 +452,7 @@ index 0c1c94f..83638bb 100644 import sys import collections import warnings -@@ -650,7 +651,7 @@ def unquote(string, encoding='utf-8', errors='replace'): +@@ -660,7 +661,7 @@ def unquote(string, encoding='utf-8', errors='replace'): def parse_qs(qs, keep_blank_values=False, strict_parsing=False, @@ -463,7 +461,7 @@ index 0c1c94f..83638bb 100644 """Parse a query given as a string argument. Arguments: -@@ -690,9 +691,16 @@ def parse_qs(qs, keep_blank_values=False, strict_parsing=False, +@@ -700,9 +701,16 @@ def parse_qs(qs, keep_blank_values=False, strict_parsing=False, parsed_result[name] = [value] return parsed_result 
@@ -481,9 +479,11 @@ index 0c1c94f..83638bb 100644 """Parse a query given as a string argument. Arguments: -@@ -722,18 +730,77 @@ def parse_qsl(qs, keep_blank_values=False, strict_parsing=False, +@@ -731,20 +739,78 @@ def parse_qsl(qs, keep_blank_values=False, strict_parsing=False, + Returns a list, as G-d intended. """ qs, _coerce_result = _coerce_args(qs) +- separator, _ = _coerce_args(separator) - if not separator or (not isinstance(separator, (str, bytes))): + if isinstance(separator, bytes): @@ -562,13 +562,6 @@ index 0c1c94f..83638bb 100644 r = [] for name_value in pairs: if not name_value and not strict_parsing: -diff --git a/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst b/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst -new file mode 100644 -index 0000000..bc82c96 ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst -@@ -0,0 +1 @@ -+Make it possible to fix web cache poisoning vulnerability by allowing the user to choose a custom separator query args. -- -2.30.2 +2.31.1 diff --git a/SOURCES/00360-CVE-2021-3426.patch b/SOURCES/00360-CVE-2021-3426.patch deleted file mode 100644 index 1856431..0000000 --- a/SOURCES/00360-CVE-2021-3426.patch +++ /dev/null 
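Review bot: The rebased patch now also removes upstream's `separator, _ = _coerce_args(separator)` (the new inner `-` line right after `qs, _coerce_result = _coerce_args(qs)`) along with the `if not separator or (not isinstance(separator, (str, bytes))):` guard, keeping only `if isinstance(separator, bytes):` as the replacement, and the rest of that inner hunk lies outside this outer hunk. It is therefore not visible here whether an empty or non-str/bytes `separator` is still rejected the way upstream's dropped guard rejected it; since parse_qsl is the CVE-2021-23336 fix, the `separator=''` and `separator=None` paths should be confirmed against the full 00359 patch, ideally with a case in the test_urlparse part of the same patch. A one-line remark in the patch description, such as `Drop upstream's separator coercion; the downstream branch below handles str and bytes separators explicitly`, would make the intent of the extra removed line clear at the next rebase.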
@@ -1,100 +0,0 @@ -From 7e38d3309e0a5a7b9e23ef933aef0079c6e317f7 Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Mon, 29 Mar 2021 06:02:40 -0700 -Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -CVE-2021-3426: Remove the "getfile" feature of the pydoc module which -could be abused to read arbitrary files on the disk (directory -traversal vulnerability). Moreover, even source code of Python -modules can contain sensitive data like passwords. Vulnerability -reported by David Schwörer. -(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048) - -Co-authored-by: Victor Stinner ---- - Lib/pydoc.py | 18 ------------------ - Lib/test/test_pydoc.py | 6 ------ - .../2021-03-24-14-16-56.bpo-42988.P2aNco.rst | 4 ++++ - 3 files changed, 4 insertions(+), 24 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst - -diff --git a/Lib/pydoc.py b/Lib/pydoc.py -index dc3377d68f8caa..afec613dd85a06 100644 ---- a/Lib/pydoc.py -+++ b/Lib/pydoc.py -@@ -2364,9 +2364,6 @@ def page(self, title, contents): - %s%s
%s
- ''' % (title, css_link, html_navbar(), contents) - -- def filelink(self, url, path): -- return '%s' % (url, path) -- - - html = _HTMLDoc() - -@@ -2452,19 +2449,6 @@ def bltinlink(name): - 'key = %s' % key, '#ffffff', '#ee77aa', '
'.join(results)) - return 'Search Results', contents - -- def html_getfile(path): -- """Get and display a source file listing safely.""" -- path = urllib.parse.unquote(path) -- with tokenize.open(path) as fp: -- lines = html.escape(fp.read()) -- body = '
%s
' % lines -- heading = html.heading( -- 'File Listing', -- '#ffffff', '#7799ee') -- contents = heading + html.bigsection( -- 'File: %s' % path, '#ffffff', '#ee77aa', body) -- return 'getfile %s' % path, contents -- - def html_topics(): - """Index of topic texts available.""" - -@@ -2556,8 +2540,6 @@ def get_html_page(url): - op, _, url = url.partition('=') - if op == "search?key": - title, content = html_search(url) -- elif op == "getfile?key": -- title, content = html_getfile(url) - elif op == "topic?key": - # try topics first, then objects. - try: -diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py -index c80477c50f0980..72ed8a93b712b0 100644 ---- a/Lib/test/test_pydoc.py -+++ b/Lib/test/test_pydoc.py -@@ -1360,18 +1360,12 @@ def test_url_requests(self): - ("topic?key=def", "Pydoc: KEYWORD def"), - ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"), - ("foobar", "Pydoc: Error - foobar"), -- ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"), - ] - - with self.restrict_walk_packages(): - for url, title in requests: - self.call_url_handler(url, title) - -- path = string.__file__ -- title = "Pydoc: getfile " + path -- url = "getfile?key=" + path -- self.call_url_handler(url, title) -- - - class TestHelper(unittest.TestCase): - def test_keywords(self): -diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst -new file mode 100644 -index 00000000000000..4b42dd05305a83 ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst -@@ -0,0 +1,4 @@ -+CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which -+could be abused to read arbitrary files on the disk (directory traversal -+vulnerability). Moreover, even source code of Python modules can contain -+sensitive data like passwords. Vulnerability reported by David Schwörer. 
diff --git a/SOURCES/00365-CVE-2021-29921.patch b/SOURCES/00365-CVE-2021-29921.patch deleted file mode 100644 index b3f8176..0000000 --- a/SOURCES/00365-CVE-2021-29921.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -diff --git a/Doc/library/ipaddress.rst b/Doc/library/ipaddress.rst -index 2cdfddb..d464d2a 100644 ---- a/Doc/library/ipaddress.rst -+++ b/Doc/library/ipaddress.rst -@@ -104,8 +104,7 @@ write code that handles both IP versions correctly. Address objects are - 1. A string in decimal-dot notation, consisting of four decimal integers in - the inclusive range 0--255, separated by dots (e.g. ``192.168.0.1``). Each - integer represents an octet (byte) in the address. Leading zeroes are -- tolerated only for values less than 8 (as there is no ambiguity -- between the decimal and octal interpretations of such strings). -+ not tolerated to prevent confusion with octal notation. - 2. An integer that fits into 32 bits. - 3. An integer packed into a :class:`bytes` object of length 4 (most - significant octet first). -diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py -index 28b7b61..d351f07 100644 ---- a/Lib/ipaddress.py -+++ b/Lib/ipaddress.py -@@ -1173,6 +1173,11 @@ class _BaseV4: - if len(octet_str) > 3: - msg = "At most 3 characters permitted in %r" - raise ValueError(msg % octet_str) -+ # Handle leading zeros as strict as glibc's inet_pton() -+ # See security bug bpo-36384 -+ if octet_str != '0' and octet_str[0] == '0': -+ msg = "Leading zeros are not permitted in %r" -+ raise ValueError(msg % octet_str) - # Convert to integer (we know digits are legal) - octet_int = int(octet_str, 10) - if octet_int > 255: -diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py -index 2f1c5b6..1297b83 100644 ---- a/Lib/test/test_ipaddress.py -+++ b/Lib/test/test_ipaddress.py -@@ -97,10 +97,23 @@ class CommonTestMixin: - class CommonTestMixin_v4(CommonTestMixin): - - def test_leading_zeros(self): -- self.assertInstancesEqual("000.000.000.000", "0.0.0.0") -- self.assertInstancesEqual("192.168.000.001", "192.168.0.1") -- self.assertInstancesEqual("016.016.016.016", "16.16.16.16") -- self.assertInstancesEqual("001.000.008.016", "1.0.8.16") -+ # bpo-36384: no 
leading zeros to avoid ambiguity with octal notation -+ msg = "Leading zeros are not permitted in '\d+'" -+ addresses = [ -+ "000.000.000.000", -+ "192.168.000.001", -+ "016.016.016.016", -+ "192.168.000.001", -+ "001.000.008.016", -+ "01.2.3.40", -+ "1.02.3.40", -+ "1.2.03.40", -+ "1.2.3.040", -+ ] -+ for address in addresses: -+ with self.subTest(address=address): -+ with self.assertAddressError(msg): -+ self.factory(address) - - def test_int(self): - self.assertInstancesEqual(0, "0.0.0.0") diff --git a/SPECS/python38.spec b/SPECS/python38.spec index 7c9dc69..f91e05e 100644 --- a/SPECS/python38.spec +++ b/SPECS/python38.spec @@ -13,11 +13,11 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well -%global general_version %{pybasever}.8 +%global general_version %{pybasever}.12 #global prerel ... %global upstream_version %{general_version}%{?prerel} Version: %{general_version}%{?prerel:~%{prerel}} -Release: 4%{?dist} +Release: 1%{?dist} License: Python # Exclude i686 arch. Due to a modularity issue it's being added to the @@ -357,18 +357,6 @@ Patch353: 00353-architecture-names-upstream-downstream.patch # Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1928904 Patch359: 00359-CVE-2021-23336.patch -# 00360 # -# CVE-2021-3426: information disclosure via pydoc -# Upstream: https://bugs.python.org/issue42988 -# Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1935913 -Patch360: 00360-CVE-2021-3426.patch - -# 00365 # -# CVE-2021-29921: Improper input validation of octal strings in the ipaddress module -# Upstream: https://bugs.python.org/issue36384 -# Main bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1957458 -Patch365: 00365-CVE-2021-29921.patch - # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., 
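Review bot: Patch360 (CVE-2021-3426) and Patch365 (CVE-2021-29921) are dropped from the spec here, and their `%patch360 -p1` / `%patch365 -p1` lines go in the later `@@ -725,8 +713,6 @@` hunk, but neither the spec nor the new changelog entries in `@@ -1815,6 +1801,15 @@` record why; the changelog names only CVE-2021-3733 and CVE-2021-3737. Presumably both fixes are now carried by the upstream 3.8.12 tarball, but someone auditing which CVEs this package covers cannot tell that from the spec alone. Suggest a changelog line such as `- Drop patches 360 and 365 (CVE-2021-3426, CVE-2021-29921), fixed upstream in 3.8.12`, after confirming the upstream release really contains both fixes.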
@@ -661,8 +649,8 @@ The debug runtime additionally supports debug builds of C-API extensions Requires: python38-setuptools-wheel Requires: python38-pip-wheel %else -Provides: bundled(python38-pip) = 19.2.3 -Provides: bundled(python38-setuptools) = 41.2.0 +Provides: bundled(python38-pip) = 21.1.1 +Provides: bundled(python38-setuptools) = 56.0.0 %endif # The description for the flat package @@ -725,8 +713,6 @@ rm Lib/ensurepip/_bundled/*.whl %patch329 -p1 %patch353 -p1 %patch359 -p1 -%patch360 -p1 -%patch365 -p1 # Remove files that should be generated by the build # (This is after patching, so that we can use patches directly from upstream) @@ -1815,6 +1801,15 @@ fi # ====================================================== %changelog +* Wed Sep 15 2021 Charalampos Stratakis - 3.8.12-1 +- Update to 3.8.12 +Resolves: rhbz#2004587 + +* Tue Sep 07 2021 Charalampos Stratakis - 3.8.11-1 +- Update to 3.8.11 +- Fix for CVE-2021-3733 and CVE-2021-3737 +Resolves: rhbz#1995234, rhbz#1995162 + * Mon Aug 02 2021 Tomas Orsava - 3.8.8-4 - Adjusted the postun scriptlets to enable upgrading to RHEL 9 - Resolves: rhbz#1933055