

[pkgsrc/trunk]: pkgsrc/lang/python27 python27: add backported security fix fo...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/bc6447b4e7df
branches:  trunk
changeset: 391323:bc6447b4e7df
user:      gutteridge <gutteridge%pkgsrc.org@localhost>
date:      Sun Jan 08 00:54:29 2023 +0000

description:
python27: add backported security fix for CVE-2022-45061

diffstat:

 lang/python27/Makefile                               |   4 +-
 lang/python27/distinfo                               |   4 +-
 lang/python27/patches/patch-Lib_encodings_idna.py    |  47 ++++++++++++++++++++
 lang/python27/patches/patch-Lib_test_test__codecs.py |  21 ++++++++
 4 files changed, 73 insertions(+), 3 deletions(-)

diffs (116 lines):

diff -r 355a2718dec2 -r bc6447b4e7df lang/python27/Makefile
--- a/lang/python27/Makefile    Sun Jan 08 00:46:20 2023 +0000
+++ b/lang/python27/Makefile    Sun Jan 08 00:54:29 2023 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.104 2022/08/11 01:32:50 gutteridge Exp $
+# $NetBSD: Makefile,v 1.105 2023/01/08 00:54:29 gutteridge Exp $
 
 .include "dist.mk"
 
 PKGNAME=       python27-${PY_DISTVERSION}
-PKGREVISION=   9
+PKGREVISION=   10
 CATEGORIES=    lang python
 
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost
diff -r 355a2718dec2 -r bc6447b4e7df lang/python27/distinfo
--- a/lang/python27/distinfo    Sun Jan 08 00:46:20 2023 +0000
+++ b/lang/python27/distinfo    Sun Jan 08 00:54:29 2023 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.91 2022/08/11 01:32:50 gutteridge Exp $
+$NetBSD: distinfo,v 1.92 2023/01/08 00:54:29 gutteridge Exp $
 
 BLAKE2s (Python-2.7.18.tar.xz) = 1b673ec8c9362a178e044691392bc4f67ad13457d7fddd84a88de346f23f9812
 SHA512 (Python-2.7.18.tar.xz) = a7bb62b51f48ff0b6df0b18f5b0312a523e3110f49c3237936bfe56ed0e26838c0274ff5401bda6fc21bf24337477ccac49e8026c5d651e4b4cafb5eb5086f6c
@@ -20,6 +20,7 @@
 SHA1 (patch-Lib_distutils_tests_test__build__ext.py) = 6b3c8c8d1d351836b239c049d34d132953bd4786
 SHA1 (patch-Lib_distutils_unixccompiler.py) = 4e2425ae15d9f0383f83779e77d8b6ebce374967
 SHA1 (patch-Lib_distutils_util.py) = 5bcfad96f8e490351160f1a7c1f4ece7706a33fa
+SHA1 (patch-Lib_encodings_idna.py) = 47436d4c45599556f4861d062ce398702fc63325
 SHA1 (patch-Lib_ftplib.py) = 6679c4ea109dcb5d56d86a55343954e0368b9138
 SHA1 (patch-Lib_httplib.py) = b8eeaa203e2a86ece94148d192b2a7e0c078602a
 SHA1 (patch-Lib_lib2to3_pgen2_driver.py) = 5d6dab14197f27363394ff1aeee22a8ced8026d2
@@ -31,6 +32,7 @@
 SHA1 (patch-Lib_test_mailcap.txt) = 80923517cb616f7de97df11ee8632465cce8d10c
 SHA1 (patch-Lib_test_multibytecodec__support.py) = a18c40e8009f1a8f63e15196d3e751d7dccf8367
 SHA1 (patch-Lib_test_test__cgi.py) = 724355e8d2195f8a4b76d7ea61133e9b14fa3a68
+SHA1 (patch-Lib_test_test__codecs.py) = 825b5e5d57ffcb97542fc6eef149ac74c950f711
 SHA1 (patch-Lib_test_test__ftplib.py) = 4b22c8a963ccf6f60ca49be003bf026e1b0b632d
 SHA1 (patch-Lib_test_test__httplib.py) = f7cfa5501a63eaca539bfa53d38cf931f3a6c3ac
 SHA1 (patch-Lib_test_test__mailcap.py) = 6b869c9e9d9ef097d6fc4aef967e7b7bca3bd41c
diff -r 355a2718dec2 -r bc6447b4e7df lang/python27/patches/patch-Lib_encodings_idna.py
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python27/patches/patch-Lib_encodings_idna.py Sun Jan 08 00:54:29 2023 +0000
@@ -0,0 +1,47 @@
+$NetBSD: patch-Lib_encodings_idna.py,v 1.1 2023/01/08 00:54:29 gutteridge Exp $
+
+Security fix for CVE-2022-45061: CPU denial of service via inefficient IDNA decoder
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/64f3700b7679f9f8a385d99e3862a758b14e1d28/f/00394-cve-2022-45061-cpu-denial-of-service-via-inefficient-idna-decoder.patch
+
+--- Lib/encodings/idna.py.orig 2020-04-19 21:13:39.000000000 +0000
++++ Lib/encodings/idna.py
+@@ -39,23 +39,21 @@ def nameprep(label):
+ 
+     # Check bidi
+     RandAL = map(stringprep.in_table_d1, label)
+-    for c in RandAL:
+-        if c:
+-            # There is a RandAL char in the string. Must perform further
+-            # tests:
+-            # 1) The characters in section 5.8 MUST be prohibited.
+-            # This is table C.8, which was already checked
+-            # 2) If a string contains any RandALCat character, the string
+-            # MUST NOT contain any LCat character.
+-            if filter(stringprep.in_table_d2, label):
+-                raise UnicodeError("Violation of BIDI requirement 2")
+-
+-            # 3) If a string contains any RandALCat character, a
+-            # RandALCat character MUST be the first character of the
+-            # string, and a RandALCat character MUST be the last
+-            # character of the string.
+-            if not RandAL[0] or not RandAL[-1]:
+-                raise UnicodeError("Violation of BIDI requirement 3")
++    if any(RandAL):
++        # There is a RandAL char in the string. Must perform further
++        # tests:
++        # 1) The characters in section 5.8 MUST be prohibited.
++        # This is table C.8, which was already checked
++        # 2) If a string contains any RandALCat character, the string
++        # MUST NOT contain any LCat character.
++        if any(stringprep.in_table_d2(x) for x in label):
++            raise UnicodeError("Violation of BIDI requirement 2")
++        # 3) If a string contains any RandALCat character, a
++        # RandALCat character MUST be the first character of the
++        # string, and a RandALCat character MUST be the last
++        # character of the string.
++        if not RandAL[0] or not RandAL[-1]:
++            raise UnicodeError("Violation of BIDI requirement 3")
+ 
+     return label
+ 
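Review bot: The patch file as shown carries no hunk for `ToUnicode`, where upstream's fix for CVE-2022-45061 appears to have also placed a hard cap before any decoding, `if len(label) > 1024: raise UnicodeError("label way too long")`, as defense in depth; this hunk only replaces the quadratic re-scan in nameprep's bidi check (the old loop re-ran `filter(stringprep.in_table_d2, label)` once per RandAL character). If the referenced Fedora patch includes that cap it was dropped in this backport; if it does not, it is still cheap to add, since with this change alone an over-long ACE label is presumably rejected only by ToASCII's existing 63-character check after the full punycode decode and nameprep have run. `any(RandAL)` and `RandAL[0]` are fine here because 2.7's `map` returns a list. ToUnicode is outside this hunk, and nameprep itself begins above it.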
diff -r 355a2718dec2 -r bc6447b4e7df lang/python27/patches/patch-Lib_test_test__codecs.py
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python27/patches/patch-Lib_test_test__codecs.py      Sun Jan 08 00:54:29 2023 +0000
@@ -0,0 +1,21 @@
+$NetBSD: patch-Lib_test_test__codecs.py,v 1.1 2023/01/08 00:54:29 gutteridge Exp $
+
+Security fix for CVE-2022-45061: CPU denial of service via inefficient IDNA decoder
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/64f3700b7679f9f8a385d99e3862a758b14e1d28/f/00394-cve-2022-45061-cpu-denial-of-service-via-inefficient-idna-decoder.patch
+
+--- Lib/test/test_codecs.py.orig       2020-04-19 21:13:39.000000000 +0000
++++ Lib/test/test_codecs.py
+@@ -1318,6 +1318,12 @@ class IDNACodecTest(unittest.TestCase):
+         self.assertEqual(u"pyth\xf6n.org".encode("idna"), "xn--pythn-mua.org")
+         self.assertEqual(u"pyth\xf6n.org.".encode("idna"), "xn--pythn-mua.org.")
+ 
++    def test_builtin_decode_length_limit(self):
++        with self.assertRaisesRegexp(UnicodeError, "too long"):
++            (b"xn--016c"+b"a"*1100).decode("idna")
++        with self.assertRaisesRegexp(UnicodeError, "too long"):
++            (b"xn--016c"+b"a"*70).decode("idna")
++
+     def test_stream(self):
+         import StringIO
+         r = codecs.getreader("idna")(StringIO.StringIO("abc"))
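Review bot: The two assertions only pin that a UnicodeError whose message contains "too long" is raised; if 2.7's ToASCII still ends with its length check, its `label empty or too long` message matches the same regex, so the test presumably also passes on the unpatched decoder, just slowly, and therefore documents the expected outcome rather than proving the quadratic path is gone. That matches upstream's test and a timing assertion would be flaky, but the intent should be stated, e.g. a docstring `"""Over-long ACE labels are rejected; guards the CVE-2022-45061 quadratic IDNA path."""`. `assertRaisesRegexp` is the correct 2.7 spelling. The enclosing IDNACodecTest class starts above the hunk.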


