import python39-3.9.2-2.module+el8.5.0+10860+d51d22f2

2021-05-05 21:29:35 +00:00 · 2021-05-05 21:29:35 +00:00 · 6821411dff
commit 6821411dff
parent 2d44d33028
2 changed files with 112 additions and 1 deletions
--- a/SOURCES/00360-CVE-2021-3426.patch
+++ b/SOURCES/00360-CVE-2021-3426.patch
@ -0,0 +1,100 @@
 From ed753d94856213ae9fc028195f670e66a24e2334 Mon Sep 17 00:00:00 2001
 From: "Miss Islington (bot)"
 <31488909+miss-islington@users.noreply.github.com>
 Date: Mon, 29 Mar 2021 06:08:00 -0700
 Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
 could be abused to read arbitrary files on the disk (directory
 traversal vulnerability). Moreover, even source code of Python
 modules can contain sensitive data like passwords. Vulnerability
 reported by David Schwörer.
 (cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
 Co-authored-by: Victor Stinner <vstinner@python.org>
 ---
 Lib/pydoc.py                                   | 18 ------------------
 Lib/test/test_pydoc.py                         |  6 ------
 .../2021-03-24-14-16-56.bpo-42988.P2aNco.rst   |  4 ++++
 3 files changed, 4 insertions(+), 24 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
 diff --git a/Lib/pydoc.py b/Lib/pydoc.py
 index 35ef3ebdc688e6..ffa4b62c1f17b7 100755
 --- a/Lib/pydoc.py
 +++ b/Lib/pydoc.py
@@ -2457,9 +2457,6 @@ def page(self, title, contents):
 %s</head><body bgcolor="#f0f0f8">%s<div style="clear:both;padding-top:.5em;">%s</div>
 </body></html>''' % (title, css_link, html_navbar(), contents)
 -        def filelink(self, url, path):
 -            return '<a href="getfile?key=%s">%s</a>' % (url, path)
 -
     html = _HTMLDoc()
@@ -2545,19 +2542,6 @@ def bltinlink(name):
             'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results))
         return 'Search Results', contents
 -    def html_getfile(path):
 -        """Get and display a source file listing safely."""
 -        path = urllib.parse.unquote(path)
 -        with tokenize.open(path) as fp:
 -            lines = html.escape(fp.read())
 -        body = '<pre>%s</pre>' % lines
 -        heading = html.heading(
 -            '<big><big><strong>File Listing</strong></big></big>',
 -            '#ffffff', '#7799ee')
 -        contents = heading + html.bigsection(
 -            'File: %s' % path, '#ffffff', '#ee77aa', body)
 -        return 'getfile %s' % path, contents
 -
     def html_topics():
         """Index of topic texts available."""
@@ -2649,8 +2633,6 @@ def get_html_page(url):
                 op, _, url = url.partition('=')
                 if op == "search?key":
                     title, content = html_search(url)
 -                elif op == "getfile?key":
 -                    title, content = html_getfile(url)
                 elif op == "topic?key":
                     # try topics first, then objects.
                     try:
 diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py
 index ffabb7f1b94072..0bbdc42c635be4 100644
 --- a/Lib/test/test_pydoc.py
 +++ b/Lib/test/test_pydoc.py
@@ -1374,18 +1374,12 @@ def test_url_requests(self):
             ("topic?key=def", "Pydoc: KEYWORD def"),
             ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
             ("foobar", "Pydoc: Error - foobar"),
 -            ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
             ]
         with self.restrict_walk_packages():
             for url, title in requests:
                 self.call_url_handler(url, title)
 -            path = string.__file__
 -            title = "Pydoc: getfile " + path
 -            url = "getfile?key=" + path
 -            self.call_url_handler(url, title)
 -
 class TestHelper(unittest.TestCase):
     def test_keywords(self):
 diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
 new file mode 100644
 index 00000000000000..4b42dd05305a83
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
@@ -0,0 +1,4 @@
 +CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
 +could be abused to read arbitrary files on the disk (directory traversal
 +vulnerability). Moreover, even source code of Python modules can contain
 +sensitive data like passwords. Vulnerability reported by David Schwörer.
--- a/SPECS/python39.spec
+++ b/SPECS/python39.spec
@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Python
 # Exclude i686 arch. Due to a modularity issue it's being added to the
@ -383,6 +383,12 @@ Patch329: 00329-fips.patch
 # a nightmare because it's basically a binary file.
 Patch353: 00353-architecture-names-upstream-downstream.patch
 # 00360 #
 # CVE-2021-3426: information disclosure via pydoc
 # Upstream: https://bugs.python.org/issue42988
 # Main BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1935913
 Patch360: 00360-CVE-2021-3426.patch
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -771,6 +777,7 @@ rm Lib/ensurepip/_bundled/*.whl
 %apply_patch -q %{PATCH328}
 %apply_patch -q %{PATCH329}
 %apply_patch -q %{PATCH353}
 %apply_patch -q %{PATCH360}
 # Remove all exe files to ensure we are not shipping prebuilt binaries
 # note that those are only used to create Microsoft Windows installers
@ -1934,6 +1941,10 @@ fi
 # ======================================================
 %changelog
 * Fri Apr 30 2021 Charalampos Stratakis <cstratak@redhat.com> - 3.9.2-2
 - Security fix for CVE-2021-3426: information disclosure via pydoc
 Resolves: rhbz#1935913
 * Wed Mar 03 2021 Lumír Balhar <lbalhar@redhat.com> - 3.9.2-1
 - Update to 3.9.2 to fix CVE-2021-23336
 Resolves: rhbz#1928904