- bundled urllib3: fix CVE-2023-45803

- bundled pycryptodome: fix CVE-2023-52323

  Resolves: RHEL-22431, RHEL-20916

python3-syntax-fixes.patch

@@ -590,116 +590,3 @@ diff -uNr a/bundled/aliyun/colorama/demos/demo07.py b/bundled/aliyun/colorama/de
  
  
  if __name__ == '__main__':
-diff -uNr a/bundled/aliyun/pycryptodome/Doc/conf.py b/bundled/aliyun/pycryptodome/Doc/conf.py
---- a/bundled/aliyun/pycryptodome/Doc/conf.py	2018-07-10 21:32:46.000000000 +0200
-+++ b/bundled/aliyun/pycryptodome/Doc/conf.py	2018-10-08 12:08:11.122188094 +0200
-@@ -15,7 +15,7 @@
- 
- # Modules to document with autodoc are in another directory
- sys.path.insert(0, os.path.abspath('../lib'))
--print sys.path
-+print(sys.path)
- 
- # Mock existance of native modules
- from Crypto.Util import _raw_api
-diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py b/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py
---- a/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py	2018-07-10 21:32:46.000000000 +0200
-+++ b/bundled/aliyun/pycryptodome/lib/Crypto/Math/Primality.py	2018-10-08 12:08:11.123188075 +0200
-@@ -302,7 +302,7 @@
-     randfunc = kwargs.pop("randfunc", None)
-     prime_filter = kwargs.pop("prime_filter", lambda x: True)
-     if kwargs:
--        print "Unknown parameters:", kwargs.keys()
-+        print("Unknown parameters:", kwargs.keys())
- 
-     if exact_bits is None:
-         raise ValueError("Missing exact_bits parameter")
-@@ -341,7 +341,7 @@
-     exact_bits = kwargs.pop("exact_bits", None)
-     randfunc = kwargs.pop("randfunc", None)
-     if kwargs:
--        print "Unknown parameters:", kwargs.keys()
-+        print("Unknown parameters:", kwargs.keys())
- 
-     if randfunc is None:
-         randfunc = Random.new().read
-diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py b/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py
---- a/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py	2018-07-10 21:32:46.000000000 +0200
-+++ b/bundled/aliyun/pycryptodome/lib/Crypto/PublicKey/ECC.py	2018-10-08 12:08:11.124188057 +0200
-@@ -912,4 +912,4 @@
-     count = 30
-     for x in xrange(count):
-         _ = point * d
--    print (time.time() - start) / count * 1000, "ms"
-+    print((time.time() - start) / count * 1000, "ms")
-diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py
---- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py	2018-07-10 21:32:46.000000000 +0200
-+++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_AES.py	2018-10-08 12:08:11.124188057 +0200
-@@ -1276,7 +1276,7 @@
-         tests += make_block_tests(AES, "AESNI", test_data, {'use_aesni': True})
-         tests += [ TestMultipleBlocks(True) ]
-     else:
--        print "Skipping AESNI tests"
-+        print("Skipping AESNI tests")
-     return tests
- 
- if __name__ == '__main__':
-diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py
---- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py	2018-07-10 21:32:46.000000000 +0200
-+++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_GCM.py	2018-10-08 12:08:11.125188038 +0200
-@@ -894,7 +894,7 @@
-         if config.get('slow_tests'):
-             tests += list_test_cases(NISTTestVectorsGCM_no_clmul)
-     else:
--        print "Skipping test of PCLMULDQD in AES GCM"
-+        print("Skipping test of PCLMULDQD in AES GCM")
- 
-     return tests
- 
-diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py
---- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py	2018-07-10 21:32:46.000000000 +0200
-+++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/Cipher/test_pkcs1_15.py	2018-10-08 12:08:11.125188038 +0200
-@@ -39,7 +39,7 @@
-     """Convert a text string with bytes in hex form to a byte string"""
-     clean = b(rws(t))
-     if len(clean)%2 == 1:
--        print clean
-+        print(clean)
-         raise ValueError("Even number of characters expected")
-     return a2b_hex(clean)
- 
-diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py
---- a/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py	2018-07-10 21:32:46.000000000 +0200
-+++ b/bundled/aliyun/pycryptodome/lib/Crypto/SelfTest/__main__.py	2018-10-08 12:08:11.126188020 +0200
-@@ -25,11 +25,11 @@
- 
- slow_tests = not "--skip-slow-tests" in sys.argv
- if not slow_tests:
--    print "Skipping slow tests"
-+    print("Skipping slow tests")
- 
- wycheproof_warnings = "--wycheproof-warnings" in sys.argv
- if wycheproof_warnings:
--    print "Printing Wycheproof warnings"
-+    print("Printing Wycheproof warnings")
- 
- config = {'slow_tests' : slow_tests, 'wycheproof_warnings' : wycheproof_warnings }
- SelfTest.run(stream=sys.stdout, verbosity=1, config=config)
-diff -uNr a/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py b/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py
---- a/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py	2018-07-10 21:32:46.000000000 +0200
-+++ b/bundled/aliyun/pycryptodome/lib/Crypto/Util/RFC1751.py	2018-10-08 12:08:11.126188020 +0200
-@@ -369,13 +369,13 @@
-            ]
- 
-     for key, words in data:
--        print 'Trying key', key
-+        print('Trying key', key)
-         key=binascii.a2b_hex(key)
-         w2=key_to_english(key)
-         if w2!=words:
--            print 'key_to_english fails on key', repr(key), ', producing', str(w2)
-+            print('key_to_english fails on key', repr(key), ', producing', str(w2))
-         k2=english_to_key(words)
-         if k2!=key:
--            print 'english_to_key fails on key', repr(key), ', producing', repr(k2)
-+            print('english_to_key fails on key', repr(key), ', producing', repr(k2))

resource-agents.spec

@@ -43,7 +43,7 @@
 %global colorama_dir		%{bundled_lib_dir}/aliyun/%{colorama}
 # python-pycryptodome bundle
 %global pycryptodome		pycryptodome
-%global pycryptodome_version	3.6.4
+%global pycryptodome_version	3.20.0
 %global pycryptodome_dir	%{bundled_lib_dir}/aliyun/%{pycryptodome}
 # python-aliyun-sdk-core bundle
 %global aliyunsdkcore		aliyun-python-sdk-core
@@ -61,6 +61,10 @@
 %global aliyuncli		aliyun-cli
 %global aliyuncli_version	2.1.10
 %global aliyuncli_dir		%{bundled_lib_dir}/aliyun/%{aliyuncli}
+## fix CVEs
+# urllib3 bundle
+%global urllib3 		urllib3
+%global urllib3_version 	1.26.18
 
 # determine the ras-set to process based on configure invokation
 %bcond_with rgmanager
@@ -69,7 +73,7 @@
 Name:		resource-agents
 Summary:	Open Source HA Reusable Cluster Resource Scripts
 Version:	4.9.0
-Release:	52%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
+Release:	53%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
 License:	GPLv2+ and LGPLv2+
 URL:		https://github.com/ClusterLabs/resource-agents
 %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@@ -88,6 +92,7 @@ Source7:	%{aliyunsdkcore}-%{aliyunsdkcore_version}.tar.gz
 Source8:	%{aliyunsdkecs}-%{aliyunsdkecs_version}.tar.gz
 Source9:	%{aliyunsdkvpc}-%{aliyunsdkvpc_version}.tar.gz
 Source10:	%{aliyuncli}-%{aliyuncli_version}.tar.gz
+Source11:	%{urllib3}-%{urllib3_version}.tar.gz
 Patch0: 	nova-compute-wait-NovaEvacuate.patch
 Patch1: 	bz1872754-pgsqlms-new-ra.patch
 Patch2: 	bz1995178-storage-mon-fix-typo.patch
@@ -260,6 +265,8 @@ Provides:	bundled(python-aliyun-sdk-ecs) = %{aliyunsdkecs_version}
 Provides:	bundled(python-aliyun-sdk-vpc) = %{aliyunsdkvpc_version}
 # aliyuncli bundle
 Provides:	bundled(aliyuncli) = %{aliyuncli_version}
+# urllib3 bundle
+Provides:	bundled(python-urllib3) = %{urllib3_version}
 
 %description aliyun
 Alibaba Cloud (Aliyun) resource agents allows Alibaba Cloud
@@ -299,7 +306,7 @@ Provides:	bundled(python-pyparsing) = 2.1.10
 Provides:	bundled(python-requests) = 2.10.0
 Provides:	bundled(python-six) = 1.11.0
 Provides:	bundled(python-uritemplate) = 3.0.0
-Provides:	bundled(python-urllib3) = 1.15.1
+Provides:	bundled(python-urllib3) = %{urllib3_version}
 Provides:	bundled(python-websocket) = 0.47.0
 Provides:	bundled(python-yaml) = 3.12
 # python-pyroute2 bundle
@@ -633,6 +640,9 @@ make install DESTDIR=%{buildroot}
 # google-cloud-sdk bundle
 %ifarch x86_64
 pushd %{googlecloudsdk_dir}
+# fix urllib3 CVEs
+rm -rf lib/third_party/urllib3
+%{__python3} -m pip install --target lib/third_party --no-index --find-links %{_sourcedir} urllib3
 mkdir -p %{buildroot}/usr/lib/%{name}/%{googlecloudsdk_dir}
 cp -a bin data lib %{buildroot}/usr/lib/%{name}/%{googlecloudsdk_dir}
 mkdir %{buildroot}/%{_bindir}
@@ -661,6 +671,9 @@ popd
 # python-aliyun-sdk-core bundle
 pushd %{aliyunsdkcore_dir}
 %{__python3} setup.py install -O1 --skip-build --root %{buildroot} --install-lib /usr/lib/%{name}/%{bundled_lib_dir}/aliyun
+# fix urllib3 CVEs
+rm -rf %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3
+%{__python3} -m pip install --target %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/aliyun/aliyunsdkcore/vendored/requests/packages --no-index --find-links %{_sourcedir} urllib3
 popd
 
 # python-aliyun-sdk-ecs bundle
@@ -974,6 +987,12 @@ ccs_update_schema > /dev/null 2>&1 ||:
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm
 
 %changelog
+* Wed Jan 24 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-53
+- bundled urllib3: fix CVE-2023-45803
+- bundled pycryptodome: fix CVE-2023-52323
+
+  Resolves: RHEL-22431, RHEL-20916
+
 * Tue Nov 21 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-52
 - findif: also check that netmaskbits != EOS
 

sources

@@ -6,6 +6,7 @@ SHA512 (aliyun-python-sdk-vpc-3.0.2.tar.gz) = e9e4f8224f828a0e0737e4515799e62e4d
 SHA512 (colorama-0.3.3.tar.gz) = 2e960ee25f89ca4bc21fc5ab7dac12bd09c9139c4af04a5131ead31f01bb86af23e749e85dafe0bda814b032cc917ad03c0152b333eb532646603b470adbbb64
 SHA512 (google-cloud-sdk-360.0.0-linux-x86_64.tar.gz) = 0e441359edd981038310c7e66ed3cbdaff1c5b24264bdebdca351ea5cbdef7b54b8d9d56ee45c713f467e65f1bc949c7f5175cd06ed16eae05bd589b187b6260
 SHA512 (httplib2-0.20.4.tar.gz) = 67c553926c1e103800bf622a4bb9ee6c3222fb33526f94fc64afa7e876281551bb6e42c8fce5d956f1f64a1727a25d457d23acb26360b69493dcaa3f8991e0be
-SHA512 (pycryptodome-3.6.4.tar.gz) = b565acf2d4dad80842a677dac2e69719dedb870d93d35948f3ef04da120c89fdf80f5b08864c182e2537ff60bbce8487cec6bfe8bb9acc1833194a667932a5c6
+SHA512 (pycryptodome-3.20.0.tar.gz) = 9fed02190db9ae71b6895af2525d7670858817acf213c494969104da81138dacb11bc00be83b308e070a2c90766cd763e25a611ada402b32f6160a8ac9283f85
 SHA512 (pyparsing-2.4.7-py2.py3-none-any.whl) = acb6b4ff90254d73804621d302926deb69bc99ffde16d7aa16cba7d0af7a53c25b7197d422309d9e82a766704fd7ea4c8b078a48d2e7d8658a8b237266fe24f5
 SHA512 (pyroute2-0.4.13.tar.gz) = 7a86ef38c4892198a29b688b225df9b7fe7761a1685d7bf0430252783d93cfb13a52c82e05ba808f11b82ff3deac178585487eaa3adf77487a4e8402987fe646
+SHA512 (urllib3-1.26.18.tar.gz) = c89e93a032bf6b11375c06ef7c5abc1868f93e7655cfdca09e9bd939ad415d206ea159fe151ecd2e5f725e0e18a831c7a5382ad01dbc32264154fc8af7aec156