import python39-3.9.16-1.module+el8.8.0+17625+b531f198
This commit is contained in:
parent
3855b0b69c
commit
e214a8c9c3
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/Python-3.9.14.tar.xz
|
||||
SOURCES/Python-3.9.16.tar.xz
|
||||
|
@ -1 +1 @@
|
||||
fa48bd60aee6abf2d41aafb273ebf9fb6b790458 SOURCES/Python-3.9.14.tar.xz
|
||||
19acd6a341e4f2d7ff97c10c2eada258e9898624 SOURCES/Python-3.9.16.tar.xz
|
||||
|
@ -1,150 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Viktorin <encukou@gmail.com>
|
||||
Date: Fri, 3 Jun 2022 11:43:35 +0200
|
||||
Subject: [PATCH] 00382: CVE-2015-20107
|
||||
|
||||
Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
|
||||
|
||||
Upstream: https://github.com/python/cpython/issues/68966
|
||||
|
||||
Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
|
||||
---
|
||||
Doc/library/mailcap.rst | 12 +++++++++
|
||||
Lib/mailcap.py | 26 +++++++++++++++++--
|
||||
Lib/test/test_mailcap.py | 8 ++++--
|
||||
...2-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 +++
|
||||
4 files changed, 46 insertions(+), 4 deletions(-)
|
||||
create mode 100644 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
|
||||
|
||||
diff --git a/Doc/library/mailcap.rst b/Doc/library/mailcap.rst
|
||||
index a22b5b9c9e..7aa3380fec 100644
|
||||
--- a/Doc/library/mailcap.rst
|
||||
+++ b/Doc/library/mailcap.rst
|
||||
@@ -60,6 +60,18 @@ standard. However, mailcap files are supported on most Unix systems.
|
||||
use) to determine whether or not the mailcap line applies. :func:`findmatch`
|
||||
will automatically check such conditions and skip the entry if the check fails.
|
||||
|
||||
+ .. versionchanged:: 3.11
|
||||
+
|
||||
+ To prevent security issues with shell metacharacters (symbols that have
|
||||
+ special effects in a shell command line), ``findmatch`` will refuse
|
||||
+ to inject ASCII characters other than alphanumerics and ``@+=:,./-_``
|
||||
+ into the returned command line.
|
||||
+
|
||||
+ If a disallowed character appears in *filename*, ``findmatch`` will always
|
||||
+ return ``(None, None)`` as if no entry was found.
|
||||
+ If such a character appears elsewhere (a value in *plist* or in *MIMEtype*),
|
||||
+ ``findmatch`` will ignore all mailcap entries which use that value.
|
||||
+ A :mod:`warning <warnings>` will be raised in either case.
|
||||
|
||||
.. function:: getcaps()
|
||||
|
||||
diff --git a/Lib/mailcap.py b/Lib/mailcap.py
|
||||
index ae416a8e9f..444c6408b5 100644
|
||||
--- a/Lib/mailcap.py
|
||||
+++ b/Lib/mailcap.py
|
||||
@@ -2,6 +2,7 @@
|
||||
|
||||
import os
|
||||
import warnings
|
||||
+import re
|
||||
|
||||
__all__ = ["getcaps","findmatch"]
|
||||
|
||||
@@ -13,6 +14,11 @@ def lineno_sort_key(entry):
|
||||
else:
|
||||
return 1, 0
|
||||
|
||||
+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
|
||||
+
|
||||
+class UnsafeMailcapInput(Warning):
|
||||
+ """Warning raised when refusing unsafe input"""
|
||||
+
|
||||
|
||||
# Part 1: top-level interface.
|
||||
|
||||
@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
|
||||
entry to use.
|
||||
|
||||
"""
|
||||
+ if _find_unsafe(filename):
|
||||
+ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
|
||||
+ warnings.warn(msg, UnsafeMailcapInput)
|
||||
+ return None, None
|
||||
entries = lookup(caps, MIMEtype, key)
|
||||
# XXX This code should somehow check for the needsterminal flag.
|
||||
for e in entries:
|
||||
if 'test' in e:
|
||||
test = subst(e['test'], filename, plist)
|
||||
+ if test is None:
|
||||
+ continue
|
||||
if test and os.system(test) != 0:
|
||||
continue
|
||||
command = subst(e[key], MIMEtype, filename, plist)
|
||||
- return command, e
|
||||
+ if command is not None:
|
||||
+ return command, e
|
||||
return None, None
|
||||
|
||||
def lookup(caps, MIMEtype, key=None):
|
||||
@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, plist=[]):
|
||||
elif c == 's':
|
||||
res = res + filename
|
||||
elif c == 't':
|
||||
+ if _find_unsafe(MIMEtype):
|
||||
+ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
|
||||
+ warnings.warn(msg, UnsafeMailcapInput)
|
||||
+ return None
|
||||
res = res + MIMEtype
|
||||
elif c == '{':
|
||||
start = i
|
||||
@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, plist=[]):
|
||||
i = i+1
|
||||
name = field[start:i]
|
||||
i = i+1
|
||||
- res = res + findparam(name, plist)
|
||||
+ param = findparam(name, plist)
|
||||
+ if _find_unsafe(param):
|
||||
+ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
|
||||
+ warnings.warn(msg, UnsafeMailcapInput)
|
||||
+ return None
|
||||
+ res = res + param
|
||||
# XXX To do:
|
||||
# %n == number of parts if type is multipart/*
|
||||
# %F == list of alternating type and filename for parts
|
||||
diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py
|
||||
index c08423c670..920283d9a2 100644
|
||||
--- a/Lib/test/test_mailcap.py
|
||||
+++ b/Lib/test/test_mailcap.py
|
||||
@@ -121,7 +121,8 @@ class HelperFunctionTest(unittest.TestCase):
|
||||
(["", "audio/*", "foo.txt"], ""),
|
||||
(["echo foo", "audio/*", "foo.txt"], "echo foo"),
|
||||
(["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
|
||||
- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
|
||||
+ (["echo %t", "audio/*", "foo.txt"], None),
|
||||
+ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
|
||||
(["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
|
||||
(["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
|
||||
(["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
|
||||
@@ -205,7 +206,10 @@ class FindmatchTest(unittest.TestCase):
|
||||
('"An audio fragment"', audio_basic_entry)),
|
||||
([c, "audio/*"],
|
||||
{"filename": fname},
|
||||
- ("/usr/local/bin/showaudio audio/*", audio_entry)),
|
||||
+ (None, None)),
|
||||
+ ([c, "audio/wav"],
|
||||
+ {"filename": fname},
|
||||
+ ("/usr/local/bin/showaudio audio/wav", audio_entry)),
|
||||
([c, "message/external-body"],
|
||||
{"plist": plist},
|
||||
("showexternal /dev/null default john python.org /tmp foo bar", message_entry))
|
||||
diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
|
||||
new file mode 100644
|
||||
index 0000000000..da81a1f699
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
|
||||
@@ -0,0 +1,4 @@
|
||||
+The deprecated mailcap module now refuses to inject unsafe text (filenames,
|
||||
+MIME types, parameters) into shell commands. Instead of using such text, it
|
||||
+will warn and act as if a match was not found (or for test commands, as if
|
||||
+the test failed).
|
@ -1,64 +0,0 @@
|
||||
From 85178d5849a4d9b5b46e7b91b1ebad7425139b44 Mon Sep 17 00:00:00 2001
|
||||
From: "Gregory P. Smith" <greg@krypto.org>
|
||||
Date: Thu, 20 Oct 2022 15:30:09 -0700
|
||||
Subject: [PATCH] gh-97514: Don't use Linux abstract sockets for
|
||||
multiprocessing (GH-98501)
|
||||
|
||||
Linux abstract sockets are insecure as they lack any form of filesystem
|
||||
permissions so their use allows anyone on the system to inject code into
|
||||
the process.
|
||||
|
||||
This removes the default preference for abstract sockets in
|
||||
multiprocessing introduced in Python 3.9+ via
|
||||
https://github.com/python/cpython/pull/18866 while fixing
|
||||
https://github.com/python/cpython/issues/84031.
|
||||
|
||||
Explicit use of an abstract socket by a user now generates a
|
||||
RuntimeWarning. If we choose to keep this warning, it should be
|
||||
backported to the 3.7 and 3.8 branches.
|
||||
(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)
|
||||
|
||||
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
||||
---
|
||||
Lib/multiprocessing/connection.py | 5 -----
|
||||
.../2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst | 15 +++++++++++++++
|
||||
2 files changed, 15 insertions(+), 5 deletions(-)
|
||||
create mode 100644 Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
|
||||
|
||||
diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
|
||||
index 510e4b5aba44..8e2facf92a94 100644
|
||||
--- a/Lib/multiprocessing/connection.py
|
||||
+++ b/Lib/multiprocessing/connection.py
|
||||
@@ -73,11 +73,6 @@ def arbitrary_address(family):
|
||||
if family == 'AF_INET':
|
||||
return ('localhost', 0)
|
||||
elif family == 'AF_UNIX':
|
||||
- # Prefer abstract sockets if possible to avoid problems with the address
|
||||
- # size. When coding portable applications, some implementations have
|
||||
- # sun_path as short as 92 bytes in the sockaddr_un struct.
|
||||
- if util.abstract_sockets_supported:
|
||||
- return f"\0listener-{os.getpid()}-{next(_mmap_counter)}"
|
||||
return tempfile.mktemp(prefix='listener-', dir=util.get_temp_dir())
|
||||
elif family == 'AF_PIPE':
|
||||
return tempfile.mktemp(prefix=r'\\.\pipe\pyc-%d-%d-' %
|
||||
diff --git a/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
|
||||
new file mode 100644
|
||||
index 000000000000..02d95b570520
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Security/2022-09-07-10-42-00.gh-issue-97514.Yggdsl.rst
|
||||
@@ -0,0 +1,15 @@
|
||||
+On Linux the :mod:`multiprocessing` module returns to using filesystem backed
|
||||
+unix domain sockets for communication with the *forkserver* process instead of
|
||||
+the Linux abstract socket namespace. Only code that chooses to use the
|
||||
+:ref:`"forkserver" start method <multiprocessing-start-methods>` is affected.
|
||||
+
|
||||
+Abstract sockets have no permissions and could allow any user on the system in
|
||||
+the same `network namespace
|
||||
+<https://man7.org/linux/man-pages/man7/network_namespaces.7.html>`_ (often the
|
||||
+whole system) to inject code into the multiprocessing *forkserver* process.
|
||||
+This was a potential privilege escalation. Filesystem based socket permissions
|
||||
+restrict this to the *forkserver* process user as was the default in Python 3.8
|
||||
+and earlier.
|
||||
+
|
||||
+This prevents Linux `CVE-2022-42919
|
||||
+<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42919>`_.
|
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmMXib8ACgkQsmmV4xAl
|
||||
BWiwtA/+LhNMVhCwNFNtDaxDLv2Pt43oX07ka9kuRau6WU0bicf4zBboQW2Ut9en
|
||||
epdnw06klvOrb2wlxU4jeWdzuq5bNlhW3rVyT2npbRfYeXqsi/i+sY9eV5SFRPAM
|
||||
eZrnCOkuWJxTy/XRQsPFbhE0bG+npoR80RpDtZ9EfjKyL2PSyOsvudKHjepcdHMi
|
||||
tCzcmHwJbakD18g268RiDZsR8q7lSQW0c3OhOPwXfFV2Xh+jS8eEEcdp2QSBq/S9
|
||||
+HIHEAYJWvAEtg9q3KMKDWOi5rd0Q6Cw4zcO8GI0HTCkNsnJmtLUJ4qTTZWOHC5t
|
||||
M8Z0hzuXI9wK23GpxWuThuaMyQCW5HX8tBVuxaHNyWuJ4T6ID0eJJP4ijLNMXv4U
|
||||
Q0MRbLYtIIagB8BsZtBnEIIsQ1k7THdJ5KAsWIjVaPe80yQWLOrmuXulJi+E4F/C
|
||||
bBKcsFXC605xg5C3AQk58QXpyLDoPtLtRVVPtVi1aqpHCLRCikHA8kqwc7JQIf7v
|
||||
p4VsfcNsYga/EF6FArdmVz8fOpQgItvhuHgMRWBZ35p/t9Ckbl7fJQB0PYfVKYWC
|
||||
F+uNahFYvJ+gH96U6MddEzZlB0AHx3gfysBrgWXvgUAqvAZ/Vq6FiOf0jhFWUtb1
|
||||
8b7sp8GSp7QzIP9U3J75sonXEAvNOA31vuKSJ2sKdxsIP9/KgZE=
|
||||
=kQup
|
||||
-----END PGP SIGNATURE-----
|
16
SOURCES/Python-3.9.16.tar.xz.asc
Normal file
16
SOURCES/Python-3.9.16.tar.xz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmOPjAQACgkQsmmV4xAl
|
||||
BWjzjQ//TQ9AtAs3RwRfGfJigHl3TG5lfYYdzAZIwEtt6NUw8tVKriCBMSvsJDjD
|
||||
rlFX64SPWaDlTggnatU88sj1y4AtGpf517GbYKwJ1oLQjcCSIs6WSxD7CZAfb4CL
|
||||
257KMANkT/n46luovTraqhAyLXp8fVWIEoSt3+6RgNYshjv00V6+L0HoE6jkzBRV
|
||||
si6KHDUCyIydOJEtAt79w5Ze/pFxJjIlGZ6WxyRVEy77cyQKh0g4dSdQ15HZAsfr
|
||||
fvv8rOmd8VXwIMi4xaUaHMddQxNrydDldDpKR4L1Lay/nY3OvSLI1AMw0D7n/FVO
|
||||
HxgYvxwkRqHPgbDIBLoHe7nsou0621ELS+j6M7cRoqAjsSfEOwpHOBw7k4+zOoa3
|
||||
4FHvru6TmT1p2iT6GSRllp/XspAzSelJeaFWA0Rs57MQ14gtXrw5hQHyZ1NgMzZi
|
||||
TMpnj0tGHufQYn2ZQqGUIySvtH3S5eIZgZGdPETJ5k09mcRVEKcdujTbkrIcOYtC
|
||||
GoPCw+3Qe7feVZLzElnsela9bDZi3uWfZh2kVyhZPAvxXJ0VNVCLvPlCKpr0R7t5
|
||||
JJ7jMpblsA05FT6ZanbqWNFZtCHMjlkK1259oST3BMbBSHTFgY/KGJEHQTkYU3M2
|
||||
U5OSn4za47qFBTVIXQsqkLGEBU/wrxtNmerJel8YW3ZIrkoTv2E=
|
||||
=dXB5
|
||||
-----END PGP SIGNATURE-----
|
@ -13,11 +13,11 @@ URL: https://www.python.org/
|
||||
|
||||
# WARNING When rebasing to a new Python version,
|
||||
# remember to update the python3-docs package as well
|
||||
%global general_version %{pybasever}.14
|
||||
%global general_version %{pybasever}.16
|
||||
#global prerel ...
|
||||
%global upstream_version %{general_version}%{?prerel}
|
||||
Version: %{general_version}%{?prerel:~%{prerel}}
|
||||
Release: 2%{?dist}
|
||||
Release: 1%{?dist}
|
||||
License: Python
|
||||
|
||||
# Exclude i686 arch. Due to a modularity issue it's being added to the
|
||||
@ -415,26 +415,6 @@ Patch353: 00353-architecture-names-upstream-downstream.patch
|
||||
# Upstream: https://bugs.python.org/issue46811
|
||||
Patch378: 00378-support-expat-2-4-5.patch
|
||||
|
||||
# 00382 # 9e275dcdf3934b827994ecc3247d583d5bab7985
|
||||
# CVE-2015-20107
|
||||
#
|
||||
# Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
|
||||
#
|
||||
# Upstream: https://github.com/python/cpython/issues/68966
|
||||
#
|
||||
# Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
|
||||
Patch382: 00382-cve-2015-20107.patch
|
||||
|
||||
# 00391 #
|
||||
# CVE-2022-42919
|
||||
#
|
||||
# Local privilege escalation via the multiprocessing forkserver start method.
|
||||
#
|
||||
# Upstream: https://github.com/python/cpython/issues/97514
|
||||
#
|
||||
# Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2138705
|
||||
Patch391: 00391-cve-2022-42919.patch
|
||||
|
||||
# (New patches go here ^^^)
|
||||
#
|
||||
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
||||
@ -846,8 +826,6 @@ rm Lib/ensurepip/_bundled/*.whl
|
||||
%apply_patch -q %{PATCH329}
|
||||
%apply_patch -q %{PATCH353}
|
||||
%apply_patch -q %{PATCH378}
|
||||
%apply_patch -q %{PATCH382}
|
||||
%apply_patch -q %{PATCH391}
|
||||
|
||||
# Remove all exe files to ensure we are not shipping prebuilt binaries
|
||||
# note that those are only used to create Microsoft Windows installers
|
||||
@ -2014,6 +1992,11 @@ fi
|
||||
# ======================================================
|
||||
|
||||
%changelog
|
||||
* Tue Dec 13 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.9.16-1
|
||||
- Update to 3.9.16
|
||||
- Security fix for CVE-2022-45061
|
||||
Resolves: rhbz#2144072
|
||||
|
||||
* Mon Nov 07 2022 Lumír Balhar <lbalhar@redhat.com> - 3.9.14-2
|
||||
- Fix for CVE-2022-42919
|
||||
Resolves: rhbz#2138705
|
||||
|
Loading…
Reference in New Issue
Block a user