
[pkgsrc/trunk]: pkgsrc/lang/python27 python27: fix various security issues



details:   https://anonhg.NetBSD.org/pkgsrc/rev/721149c9ef11
branches:  trunk
changeset: 459612:721149c9ef11
user:      gutteridge <gutteridge%pkgsrc.org@localhost>
date:      Sun Oct 10 03:00:59 2021 +0000

description:
python27: fix various security issues

Addresses CVE-2020-27619, CVE-2021-3177, CVE-2021-3733, CVE-2021-3737
and CVE-2021-23336. Patches mostly sourced via Fedora.

diffstat:

 lang/python27/Makefile                                          |    4 +-
 lang/python27/distinfo                                          |   18 +-
 lang/python27/patches/patch-Doc_library_cgi.rst                 |   29 +
 lang/python27/patches/patch-Doc_library_urlparse.rst            |   51 +
 lang/python27/patches/patch-Lib_cgi.py                          |  128 ++++
 lang/python27/patches/patch-Lib_ctypes_test_test__parameters.py |   58 ++
 lang/python27/patches/patch-Lib_httplib.py                      |   58 ++-
 lang/python27/patches/patch-Lib_test_multibytecodec__support.py |   46 +
 lang/python27/patches/patch-Lib_test_test__cgi.py               |   91 +++
 lang/python27/patches/patch-Lib_test_test__httplib.py           |   23 +-
 lang/python27/patches/patch-Lib_test_test__urlparse.py          |  265 ++++++++++
 lang/python27/patches/patch-Lib_urllib2.py                      |   11 +-
 lang/python27/patches/patch-Lib_urlparse.py                     |  127 ++++
 lang/python27/patches/patch-Modules___ctypes_callproc.c         |  125 ++++-
 14 files changed, 1010 insertions(+), 24 deletions(-)

diffs (truncated from 1225 to 300 lines):

diff -r 6b15b7803d67 -r 721149c9ef11 lang/python27/Makefile
--- a/lang/python27/Makefile    Sun Oct 10 02:48:57 2021 +0000
+++ b/lang/python27/Makefile    Sun Oct 10 03:00:59 2021 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.93 2020/12/07 13:14:38 nia Exp $
+# $NetBSD: Makefile,v 1.94 2021/10/10 03:00:59 gutteridge Exp $
 
 .include "dist.mk"
 
 PKGNAME=       python27-${PY_DISTVERSION}
-PKGREVISION=   3
+PKGREVISION=   4
 CATEGORIES=    lang python
 
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost
diff -r 6b15b7803d67 -r 721149c9ef11 lang/python27/distinfo
--- a/lang/python27/distinfo    Sun Oct 10 02:48:57 2021 +0000
+++ b/lang/python27/distinfo    Sun Oct 10 03:00:59 2021 +0000
@@ -1,14 +1,18 @@
-$NetBSD: distinfo,v 1.84 2021/10/07 14:21:10 nia Exp $
+$NetBSD: distinfo,v 1.85 2021/10/10 03:00:59 gutteridge Exp $
 
 RMD160 (Python-2.7.18.tar.xz) = 40a514bb05c9e631454ea8466e28f5bb229428ad
 SHA512 (Python-2.7.18.tar.xz) = a7bb62b51f48ff0b6df0b18f5b0312a523e3110f49c3237936bfe56ed0e26838c0274ff5401bda6fc21bf24337477ccac49e8026c5d651e4b4cafb5eb5086f6c
 Size (Python-2.7.18.tar.xz) = 12854736 bytes
+SHA1 (patch-Doc_library_cgi.rst) = ed9ac101b0857dc573e9a648694d1ee5fabe61fb
+SHA1 (patch-Doc_library_urlparse.rst) = f9714b945a2bacb4ec5360c151a42192e00f08ad
 SHA1 (patch-Include_pyerrors.h) = 0d2cd52d18cc719b895fa32ed7e11c6cb15bae54
 SHA1 (patch-Include_pyport.h) = f3e4ddbc954425a65301465410911222ca471320
 SHA1 (patch-Lib___osx__support.py) = 4389472565616b3875c699f6e3e74850d5fde712
+SHA1 (patch-Lib_cgi.py) = 9653904acfd2dbe03655a7cfa5688c450556671b
 SHA1 (patch-Lib_ctypes_____init____.py) = 31dd0546bbe29ad1b1d481edc525ba43479c06da
 SHA1 (patch-Lib_ctypes_macholib_dyld.py) = 9b7e972d4c71311742ca8b3501382182a4c9e2fe
 SHA1 (patch-Lib_ctypes_test_test__macholib.py) = 4479d315cd037f4c9138e8f5baa8eb1685932baa
+SHA1 (patch-Lib_ctypes_test_test__parameters.py) = 8f8bb50515bc7e89ab59363b10af4d5391957eb7
 SHA1 (patch-Lib_ctypes_util.py) = 6fa516c7b43f08992427a0afcbe80c17bcc070f1
 SHA1 (patch-Lib_distutils_command_build__ext.py) = ea4feba4e93dbcff07050c82a00d591bb650e934
 SHA1 (patch-Lib_distutils_command_install.py) = e6aef090b444b455fe351308d251e670329b7dc3
@@ -16,21 +20,25 @@
 SHA1 (patch-Lib_distutils_tests_test__build__ext.py) = 6b3c8c8d1d351836b239c049d34d132953bd4786
 SHA1 (patch-Lib_distutils_unixccompiler.py) = db16c9aca2f29730945f28247b88b18828739bbb
 SHA1 (patch-Lib_distutils_util.py) = 5bcfad96f8e490351160f1a7c1f4ece7706a33fa
-SHA1 (patch-Lib_httplib.py) = 375d80eb79209f53046c62db128d8d3f64d9e765
+SHA1 (patch-Lib_httplib.py) = b8eeaa203e2a86ece94148d192b2a7e0c078602a
 SHA1 (patch-Lib_lib2to3_pgen2_driver.py) = 5d6dab14197f27363394ff1aeee22a8ced8026d2
 SHA1 (patch-Lib_multiprocessing_process.py) = 15699bd8ec822bf54a0631102e00e0a34f882803
 SHA1 (patch-Lib_plistlib.py) = 96ae702995d434e2d7ec0ac62e37427a90b61d13
 SHA1 (patch-Lib_sysconfig.py) = 8a7a0e5cbfec279a05945dffafea1b1131a76f0e
 SHA1 (patch-Lib_tarfile.py) = df00aa1941367c42dcbbed4b6658b724a22ddcde
-SHA1 (patch-Lib_test_test__httplib.py) = 9d37263e36110838e0b5f413ff4747deb3966dfe
+SHA1 (patch-Lib_test_multibytecodec__support.py) = a18c40e8009f1a8f63e15196d3e751d7dccf8367
+SHA1 (patch-Lib_test_test__cgi.py) = 724355e8d2195f8a4b76d7ea61133e9b14fa3a68
+SHA1 (patch-Lib_test_test__httplib.py) = f7cfa5501a63eaca539bfa53d38cf931f3a6c3ac
 SHA1 (patch-Lib_test_test__platform.py) = 3a3b8c05f9bf9adf4862b1022ce864127d36b8b0
 SHA1 (patch-Lib_test_test__unicode.py) = 1bd182bdbd880d0a847f9d8b69277a607f9f0526
 SHA1 (patch-Lib_test_test__urllib2.py) = 89baa57daf2f3282e4fc5009915dbc4910b96ef1
-SHA1 (patch-Lib_urllib2.py) = 33a85593da702447fa3ea74b4e3d36d0016f70b5
+SHA1 (patch-Lib_test_test__urlparse.py) = 257cb3bf7a0e9b5e0dcb204f675959b10953ba7b
+SHA1 (patch-Lib_urllib2.py) = 0cc0dc811bb9544496962e08b040b5c96fb9073c
+SHA1 (patch-Lib_urlparse.py) = ec45dd48966eb806a5c0e79af6a7369fb45b9859
 SHA1 (patch-Mac_Tools_pythonw.c) = 2b9a60d4b349c240471fd305be69c28e0f654cdc
 SHA1 (patch-Makefile.pre.in) = ceaf34237588b527478ce1f9163c9168382fa201
 SHA1 (patch-Modules___ctypes_callbacks.c) = 8c335edfc9d2ef47988c5bdf1c3dd8473757637b
-SHA1 (patch-Modules___ctypes_callproc.c) = adac5eb047eb58c14003ea9237d5d34e8b327b2f
+SHA1 (patch-Modules___ctypes_callproc.c) = 7b669f9c081bbc2b7fce2c827703f52b7389d592
 SHA1 (patch-Modules___ctypes_ctypes.h) = 07e9d5ecf8309a3ca4bf8382411d56dda08d7b27
 SHA1 (patch-Modules___ctypes_malloc__closure.c) = 25d470cc66d218446227c7c1bd7ade409c53b8d0
 SHA1 (patch-Modules___multiprocessing_multiprocessing.h) = 7ca8fe22ba4bdcde6d39dd50fe2e86c25994c146
diff -r 6b15b7803d67 -r 721149c9ef11 lang/python27/patches/patch-Doc_library_cgi.rst
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python27/patches/patch-Doc_library_cgi.rst   Sun Oct 10 03:00:59 2021 +0000
@@ -0,0 +1,29 @@
+$NetBSD: patch-Doc_library_cgi.rst,v 1.1 2021/10/10 03:00:59 gutteridge Exp $
+
+Fix CVE-2021-23336: Add `separator` argument to parse_qs; warn with default
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336.patch
+
+--- Doc/library/cgi.rst.orig   2020-04-19 21:13:39.000000000 +0000
++++ Doc/library/cgi.rst
+@@ -285,10 +285,10 @@ These are useful if you want more contro
+ algorithms implemented in this module in other circumstances.
+ 
+ 
+-.. function:: parse(fp[, environ[, keep_blank_values[, strict_parsing]]])
++.. function:: parse(fp[, environ[, keep_blank_values[, strict_parsing[, separator]]]])
+ 
+    Parse a query in the environment or from a file (the file defaults to
+-   ``sys.stdin`` and environment defaults to ``os.environ``).  The *keep_blank_values* and *strict_parsing* parameters are
++   ``sys.stdin`` and environment defaults to ``os.environ``).  The *keep_blank_values*, *strict_parsing* and *separator* parameters are
+    passed to :func:`urlparse.parse_qs` unchanged.
+ 
+ 
+@@ -316,7 +316,6 @@ algorithms implemented in this module in
+    Note that this does not parse nested multipart parts --- use
+    :class:`FieldStorage` for that.
+ 
+-
+ .. function:: parse_header(string)
+ 
+    Parse a MIME header (such as :mailheader:`Content-Type`) into a main value and a
diff -r 6b15b7803d67 -r 721149c9ef11 lang/python27/patches/patch-Doc_library_urlparse.rst
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python27/patches/patch-Doc_library_urlparse.rst      Sun Oct 10 03:00:59 2021 +0000
@@ -0,0 +1,51 @@
+$NetBSD: patch-Doc_library_urlparse.rst,v 1.1 2021/10/10 03:00:59 gutteridge Exp $
+
+Fix CVE-2021-23336: Add `separator` argument to parse_qs; warn with default
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336.patch
+
+--- Doc/library/urlparse.rst.orig      2020-04-19 21:13:39.000000000 +0000
++++ Doc/library/urlparse.rst
+@@ -136,7 +136,7 @@ The :mod:`urlparse` module defines the f
+       now raise :exc:`ValueError`.
+ 
+ 
+-.. function:: parse_qs(qs[, keep_blank_values[, strict_parsing[, max_num_fields]]])
++.. function:: parse_qs(qs[, keep_blank_values[, strict_parsing[, max_num_fields[, separator]]]])
+ 
+    Parse a query string given as a string argument (data of type
+    :mimetype:`application/x-www-form-urlencoded`).  Data are returned as a
+@@ -157,6 +157,15 @@ The :mod:`urlparse` module defines the f
+    read. If set, then throws a :exc:`ValueError` if there are more than
+    *max_num_fields* fields read.
+ 
++   The optional argument *separator* is the symbol to use for separating the
++   query arguments. It is recommended to set it to ``'&'`` or ``';'``.
++   It defaults to ``'&'``; a warning is raised if this default is used.
++   This default may be changed with the following environment variable settings:
++
++   - ``PYTHON_URLLIB_QS_SEPARATOR='&'``: use only ``&`` as separator, without warning (as in Python 3.6.13+ or 3.10)
++   - ``PYTHON_URLLIB_QS_SEPARATOR=';'``: use only ``;`` as separator
++   - ``PYTHON_URLLIB_QS_SEPARATOR=legacy``: use both ``&`` and ``;`` (as in previous versions of Python)
++
+    Use the :func:`urllib.urlencode` function to convert such dictionaries into
+    query strings.
+ 
+@@ -186,6 +195,9 @@ The :mod:`urlparse` module defines the f
+    read. If set, then throws a :exc:`ValueError` if there are more than
+    *max_num_fields* fields read.
+ 
++   The optional argument *separator* is the symbol to use for separating the
++   query arguments. It works as in :py:func:`parse_qs`.
++
+    Use the :func:`urllib.urlencode` function to convert such lists of pairs into
+    query strings.
+ 
+@@ -195,6 +207,7 @@ The :mod:`urlparse` module defines the f
+    .. versionchanged:: 2.7.16
+       Added *max_num_fields* parameter.
+ 
++
+ .. function:: urlunparse(parts)
+ 
+    Construct a URL from a tuple as returned by ``urlparse()``. The *parts* argument
diff -r 6b15b7803d67 -r 721149c9ef11 lang/python27/patches/patch-Lib_cgi.py
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python27/patches/patch-Lib_cgi.py    Sun Oct 10 03:00:59 2021 +0000
@@ -0,0 +1,128 @@
+$NetBSD: patch-Lib_cgi.py,v 1.1 2021/10/10 03:00:59 gutteridge Exp $
+
+Fix CVE-2021-23336: Add `separator` argument to parse_qs; warn with default
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336.patch
+
+--- Lib/cgi.py.orig    2020-04-19 21:13:39.000000000 +0000
++++ Lib/cgi.py
+@@ -121,7 +121,8 @@ log = initlog           # The current lo
+ # 0 ==> unlimited input
+ maxlen = 0
+ 
+-def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0):
++def parse(fp=None, environ=os.environ, keep_blank_values=0,
++          strict_parsing=0, separator=None):
+     """Parse a query in the environment or from a file (default stdin)
+ 
+         Arguments, all optional:
+@@ -140,6 +141,8 @@ def parse(fp=None, environ=os.environ, k
+         strict_parsing: flag indicating what to do with parsing errors.
+             If false (the default), errors are silently ignored.
+             If true, errors raise a ValueError exception.
++
++        separator: str. The symbol to use for separating the query arguments.
+     """
+     if fp is None:
+         fp = sys.stdin
+@@ -171,25 +174,26 @@ def parse(fp=None, environ=os.environ, k
+         else:
+             qs = ""
+         environ['QUERY_STRING'] = qs    # XXX Shouldn't, really
+-    return urlparse.parse_qs(qs, keep_blank_values, strict_parsing)
++    return urlparse.parse_qs(qs, keep_blank_values, strict_parsing, separator=separator)
+ 
+ 
+ # parse query string function called from urlparse,
+ # this is done in order to maintain backward compatibility.
+ 
+-def parse_qs(qs, keep_blank_values=0, strict_parsing=0):
++def parse_qs(qs, keep_blank_values=0, strict_parsing=0, separator=None):
+     """Parse a query given as a string argument."""
+     warn("cgi.parse_qs is deprecated, use urlparse.parse_qs instead",
+          PendingDeprecationWarning, 2)
+-    return urlparse.parse_qs(qs, keep_blank_values, strict_parsing)
++    return urlparse.parse_qs(qs, keep_blank_values, strict_parsing,
++                             separator=separator)
+ 
+ 
+-def parse_qsl(qs, keep_blank_values=0, strict_parsing=0, max_num_fields=None):
++def parse_qsl(qs, keep_blank_values=0, strict_parsing=0, max_num_fields=None, separator=None):
+     """Parse a query given as a string argument."""
+     warn("cgi.parse_qsl is deprecated, use urlparse.parse_qsl instead",
+          PendingDeprecationWarning, 2)
+     return urlparse.parse_qsl(qs, keep_blank_values, strict_parsing,
+-                              max_num_fields)
++                              max_num_fields, separator=separator)
+ 
+ def parse_multipart(fp, pdict):
+     """Parse multipart input.
+@@ -288,7 +292,6 @@ def parse_multipart(fp, pdict):
+ 
+     return partdict
+ 
+-
+ def _parseparam(s):
+     while s[:1] == ';':
+         s = s[1:]
+@@ -395,7 +398,7 @@ class FieldStorage:
+ 
+     def __init__(self, fp=None, headers=None, outerboundary="",
+                  environ=os.environ, keep_blank_values=0, strict_parsing=0,
+-                 max_num_fields=None):
++                 max_num_fields=None, separator=None):
+         """Constructor.  Read multipart/* until last part.
+ 
+         Arguments, all optional:
+@@ -430,6 +433,7 @@ class FieldStorage:
+         self.keep_blank_values = keep_blank_values
+         self.strict_parsing = strict_parsing
+         self.max_num_fields = max_num_fields
++        self.separator = separator
+         if 'REQUEST_METHOD' in environ:
+             method = environ['REQUEST_METHOD'].upper()
+         self.qs_on_post = None
+@@ -613,7 +617,8 @@ class FieldStorage:
+         if self.qs_on_post:
+             qs += '&' + self.qs_on_post
+         query = urlparse.parse_qsl(qs, self.keep_blank_values,
+-                                   self.strict_parsing, self.max_num_fields)
++                                   self.strict_parsing, self.max_num_fields,
++                                   self.separator)
+         self.list = [MiniFieldStorage(key, value) for key, value in query]
+         self.skip_lines()
+ 
+@@ -629,7 +634,8 @@ class FieldStorage:
+             query = urlparse.parse_qsl(self.qs_on_post,
+                                        self.keep_blank_values,
+                                        self.strict_parsing,
+-                                       self.max_num_fields)
++                                       self.max_num_fields,
++                                       self.separator)
+             self.list.extend(MiniFieldStorage(key, value)
+                              for key, value in query)
+             FieldStorageClass = None
+@@ -649,7 +655,8 @@ class FieldStorage:
+             headers = rfc822.Message(self.fp)
+             part = klass(self.fp, headers, ib,
+                          environ, keep_blank_values, strict_parsing,
+-                         max_num_fields)
++                         max_num_fields,
++                         separator=self.separator)
+ 
+             if max_num_fields is not None:
+                 max_num_fields -= 1
+@@ -817,10 +824,11 @@ class FormContentDict(UserDict.UserDict)
+     form.dict == {key: [val, val, ...], ...}
+ 
+     """
+-    def __init__(self, environ=os.environ, keep_blank_values=0, strict_parsing=0):
++    def __init__(self, environ=os.environ, keep_blank_values=0, strict_parsing=0, separator=None):
+         self.dict = self.data = parse(environ=environ,
+                                       keep_blank_values=keep_blank_values,
+-                                      strict_parsing=strict_parsing)
++                                      strict_parsing=strict_parsing,
++                                      separator=separator)
+         self.query_string = environ['QUERY_STRING']
+ 
+ 
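Review bot: In the read_urlencoded hunk (`@@ -613,7 +617,8 @@`) the GET query string and the POST body are still joined with a hard-coded `'&'` (`qs += '&' + self.qs_on_post`) before the combined string is passed to parse_qsl with `self.separator`; with `separator=';'` (or the `PYTHON_URLLIB_QS_SEPARATOR=';'` setting the new urlparse docs describe) that `&` is no longer a separator, so the last GET field and the first POST field would be merged into one value. Upstream's fix appears to keep the same join, so this may be deliberate, but it deserves a comment such as `# NOTE: GET and POST fields are joined with '&' regardless of separator; parse separately if ';' is in use`, or the two strings could be parsed by two parse_qsl calls and the lists concatenated, at the cost of applying max_num_fields per part. Separately, the two FieldStorage call sites pass `self.separator` positionally after max_num_fields while every other new call site uses `separator=separator`; the keyword form is safer should parse_qsl's signature gain another parameter. The enclosing method starts outside the hunk.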
diff -r 6b15b7803d67 -r 721149c9ef11 lang/python27/patches/patch-Lib_ctypes_test_test__parameters.py
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python27/patches/patch-Lib_ctypes_test_test__parameters.py   Sun Oct 10 03:00:59 2021 +0000
@@ -0,0 +1,58 @@
+$NetBSD: patch-Lib_ctypes_test_test__parameters.py,v 1.1 2021/10/10 03:00:59 gutteridge Exp $
+
+Fix CVE-2021-3177: Replace snprintf with Python unicode formatting in ctypes param reprs
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00357-CVE-2021-3177.patch
+
+--- Lib/ctypes/test/test_parameters.py.orig    2020-04-19 21:13:39.000000000 +0000
++++ Lib/ctypes/test/test_parameters.py


