pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/lang/python27 python27: fix two security issues



details:   https://anonhg.NetBSD.org/pkgsrc/rev/531631bda70c
branches:  trunk
changeset: 374741:531631bda70c
user:      gutteridge <gutteridge%pkgsrc.org@localhost>
date:      Fri Feb 25 22:41:32 2022 +0000

description:
python27: fix two security issues

Addresses CVE-2021-4189 and CVE-2022-0391. Patches sourced via Fedora.

diffstat:

 lang/python27/Makefile                                 |   4 +-
 lang/python27/distinfo                                 |  10 +-
 lang/python27/patches/patch-Doc_library_urlparse.rst   |  43 ++++++++++-
 lang/python27/patches/patch-Lib_ftplib.py              |  32 +++++++++
 lang/python27/patches/patch-Lib_test_test__ftplib.py   |  56 +++++++++++++++
 lang/python27/patches/patch-Lib_test_test__urlparse.py |  64 +++++++++++++++++-
 lang/python27/patches/patch-Lib_urlparse.py            |  42 ++++++++++-
 7 files changed, 234 insertions(+), 17 deletions(-)

diffs (truncated from 392 to 300 lines):

diff -r d8a9b4d4b2da -r 531631bda70c lang/python27/Makefile
--- a/lang/python27/Makefile    Fri Feb 25 21:42:51 2022 +0000
+++ b/lang/python27/Makefile    Fri Feb 25 22:41:32 2022 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.98 2022/01/20 12:57:13 jperkin Exp $
+# $NetBSD: Makefile,v 1.99 2022/02/25 22:41:32 gutteridge Exp $
 
 .include "dist.mk"
 
 PKGNAME=       python27-${PY_DISTVERSION}
-PKGREVISION=   7
+PKGREVISION=   8
 CATEGORIES=    lang python
 
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost
diff -r d8a9b4d4b2da -r 531631bda70c lang/python27/distinfo
--- a/lang/python27/distinfo    Fri Feb 25 21:42:51 2022 +0000
+++ b/lang/python27/distinfo    Fri Feb 25 22:41:32 2022 +0000
@@ -1,10 +1,10 @@
-$NetBSD: distinfo,v 1.88 2022/01/12 08:49:01 wiz Exp $
+$NetBSD: distinfo,v 1.89 2022/02/25 22:41:32 gutteridge Exp $
 
 BLAKE2s (Python-2.7.18.tar.xz) = 1b673ec8c9362a178e044691392bc4f67ad13457d7fddd84a88de346f23f9812
 SHA512 (Python-2.7.18.tar.xz) = a7bb62b51f48ff0b6df0b18f5b0312a523e3110f49c3237936bfe56ed0e26838c0274ff5401bda6fc21bf24337477ccac49e8026c5d651e4b4cafb5eb5086f6c
 Size (Python-2.7.18.tar.xz) = 12854736 bytes
 SHA1 (patch-Doc_library_cgi.rst) = ed9ac101b0857dc573e9a648694d1ee5fabe61fb
-SHA1 (patch-Doc_library_urlparse.rst) = f9714b945a2bacb4ec5360c151a42192e00f08ad
+SHA1 (patch-Doc_library_urlparse.rst) = ceaea3a4577ba7d3055ffb3b3c8ffbbdda7e1d32
 SHA1 (patch-Include_pyerrors.h) = 0d2cd52d18cc719b895fa32ed7e11c6cb15bae54
 SHA1 (patch-Include_pyport.h) = f3e4ddbc954425a65301465410911222ca471320
 SHA1 (patch-Lib___osx__support.py) = 4389472565616b3875c699f6e3e74850d5fde712
@@ -19,6 +19,7 @@
 SHA1 (patch-Lib_distutils_tests_test__build__ext.py) = 6b3c8c8d1d351836b239c049d34d132953bd4786
 SHA1 (patch-Lib_distutils_unixccompiler.py) = db16c9aca2f29730945f28247b88b18828739bbb
 SHA1 (patch-Lib_distutils_util.py) = 5bcfad96f8e490351160f1a7c1f4ece7706a33fa
+SHA1 (patch-Lib_ftplib.py) = 6679c4ea109dcb5d56d86a55343954e0368b9138
 SHA1 (patch-Lib_httplib.py) = b8eeaa203e2a86ece94148d192b2a7e0c078602a
 SHA1 (patch-Lib_lib2to3_pgen2_driver.py) = 5d6dab14197f27363394ff1aeee22a8ced8026d2
 SHA1 (patch-Lib_multiprocessing_process.py) = 15699bd8ec822bf54a0631102e00e0a34f882803
@@ -27,13 +28,14 @@
 SHA1 (patch-Lib_tarfile.py) = df00aa1941367c42dcbbed4b6658b724a22ddcde
 SHA1 (patch-Lib_test_multibytecodec__support.py) = a18c40e8009f1a8f63e15196d3e751d7dccf8367
 SHA1 (patch-Lib_test_test__cgi.py) = 724355e8d2195f8a4b76d7ea61133e9b14fa3a68
+SHA1 (patch-Lib_test_test__ftplib.py) = 4b22c8a963ccf6f60ca49be003bf026e1b0b632d
 SHA1 (patch-Lib_test_test__httplib.py) = f7cfa5501a63eaca539bfa53d38cf931f3a6c3ac
 SHA1 (patch-Lib_test_test__platform.py) = 3a3b8c05f9bf9adf4862b1022ce864127d36b8b0
 SHA1 (patch-Lib_test_test__unicode.py) = 1bd182bdbd880d0a847f9d8b69277a607f9f0526
 SHA1 (patch-Lib_test_test__urllib2.py) = 89baa57daf2f3282e4fc5009915dbc4910b96ef1
-SHA1 (patch-Lib_test_test__urlparse.py) = 257cb3bf7a0e9b5e0dcb204f675959b10953ba7b
+SHA1 (patch-Lib_test_test__urlparse.py) = d98df667a34eebb994fe1d54a1decb8359df897e
 SHA1 (patch-Lib_urllib2.py) = 0cc0dc811bb9544496962e08b040b5c96fb9073c
-SHA1 (patch-Lib_urlparse.py) = 69db5325a19474113e72c1feeb895a25534412c4
+SHA1 (patch-Lib_urlparse.py) = 1f102bb85acd99a8be976f9d5b0fdb1a7abf5725
 SHA1 (patch-Mac_Tools_pythonw.c) = 2b9a60d4b349c240471fd305be69c28e0f654cdc
 SHA1 (patch-Makefile.pre.in) = ceaf34237588b527478ce1f9163c9168382fa201
 SHA1 (patch-Modules___ctypes_callbacks.c) = 8c335edfc9d2ef47988c5bdf1c3dd8473757637b
diff -r d8a9b4d4b2da -r 531631bda70c lang/python27/patches/patch-Doc_library_urlparse.rst
--- a/lang/python27/patches/patch-Doc_library_urlparse.rst      Fri Feb 25 21:42:51 2022 +0000
+++ b/lang/python27/patches/patch-Doc_library_urlparse.rst      Fri Feb 25 22:41:32 2022 +0000
@@ -1,12 +1,26 @@
-$NetBSD: patch-Doc_library_urlparse.rst,v 1.1 2021/10/10 03:00:59 gutteridge Exp $
+$NetBSD: patch-Doc_library_urlparse.rst,v 1.2 2022/02/25 22:41:32 gutteridge Exp $
 
 Fix CVE-2021-23336: Add `separator` argument to parse_qs; warn with default
 Via Fedora:
 https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336.patch
 
+Fix CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00377-CVE-2022-0391.patch
+
 --- Doc/library/urlparse.rst.orig      2020-04-19 21:13:39.000000000 +0000
 +++ Doc/library/urlparse.rst
-@@ -136,7 +136,7 @@ The :mod:`urlparse` module defines the f
+@@ -125,6 +125,9 @@ The :mod:`urlparse` module defines the f
+    decomposed before parsing, or is not a Unicode string, no error will be
+    raised.
+ 
++   Following the `WHATWG spec`_ that updates RFC 3986, ASCII newline
++   ``\n``, ``\r`` and tab ``\t`` characters are stripped from the URL.
++
+    .. versionchanged:: 2.5
+       Added attributes to return value.
+ 
+@@ -136,7 +139,7 @@ The :mod:`urlparse` module defines the f
        now raise :exc:`ValueError`.
  
  
@@ -15,7 +29,7 @@
  
     Parse a query string given as a string argument (data of type
     :mimetype:`application/x-www-form-urlencoded`).  Data are returned as a
-@@ -157,6 +157,15 @@ The :mod:`urlparse` module defines the f
+@@ -157,6 +160,15 @@ The :mod:`urlparse` module defines the f
     read. If set, then throws a :exc:`ValueError` if there are more than
     *max_num_fields* fields read.
  
@@ -31,7 +45,7 @@
     Use the :func:`urllib.urlencode` function to convert such dictionaries into
     query strings.
  
-@@ -186,6 +195,9 @@ The :mod:`urlparse` module defines the f
+@@ -186,6 +198,9 @@ The :mod:`urlparse` module defines the f
     read. If set, then throws a :exc:`ValueError` if there are more than
     *max_num_fields* fields read.
  
@@ -41,7 +55,7 @@
     Use the :func:`urllib.urlencode` function to convert such lists of pairs into
     query strings.
  
-@@ -195,6 +207,7 @@ The :mod:`urlparse` module defines the f
+@@ -195,6 +210,7 @@ The :mod:`urlparse` module defines the f
     .. versionchanged:: 2.7.16
        Added *max_num_fields* parameter.
  
@@ -49,3 +63,22 @@
  .. function:: urlunparse(parts)
  
     Construct a URL from a tuple as returned by ``urlparse()``. The *parts* argument
+@@ -308,6 +324,10 @@ The :mod:`urlparse` module defines the f
+ 
+ .. seealso::
+ 
++   `WHATWG`_ -  URL Living standard
++      Working Group for the URL Standard that defines URLs, domains, IP addresses, the
++      application/x-www-form-urlencoded format, and their API.
++
+    :rfc:`3986` - Uniform Resource Identifiers
+       This is the current standard (STD66). Any changes to urlparse module
+       should conform to this. Certain deviations could be observed, which are
+@@ -332,6 +352,7 @@ The :mod:`urlparse` module defines the f
+    :rfc:`1738` - Uniform Resource Locators (URL)
+       This specifies the formal syntax and semantics of absolute URLs.
+ 
++.. _WHATWG: https://url.spec.whatwg.org/
+ 
+ .. _urlparse-result-object:
+ 
diff -r d8a9b4d4b2da -r 531631bda70c lang/python27/patches/patch-Lib_ftplib.py
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python27/patches/patch-Lib_ftplib.py Fri Feb 25 22:41:32 2022 +0000
@@ -0,0 +1,32 @@
+$NetBSD: patch-Lib_ftplib.py,v 1.1 2022/02/25 22:41:32 gutteridge Exp $
+
+Fix CVE-2021-4189: ftplib should not use the host from the PASV response
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00372-CVE-2021-4189.patch
+
+--- Lib/ftplib.py.orig 2020-04-19 21:13:39.000000000 +0000
++++ Lib/ftplib.py
+@@ -108,6 +108,8 @@ class FTP:
+     file = None
+     welcome = None
+     passiveserver = 1
++    # Disables security if set to True. https://bugs.python.org/issue43285
++    trust_server_pasv_ipv4_address = False
+ 
+     # Initialization method (called by class instantiation).
+     # Initialize host to localhost, port to standard ftp port
+@@ -310,8 +312,13 @@ class FTP:
+         return sock
+ 
+     def makepasv(self):
++        """Internal: Does the PASV or EPSV handshake -> (address, port)"""
+         if self.af == socket.AF_INET:
+-            host, port = parse227(self.sendcmd('PASV'))
++            untrusted_host, port = parse227(self.sendcmd('PASV'))
++            if self.trust_server_pasv_ipv4_address:
++                host = untrusted_host
++            else:
++                host = self.sock.getpeername()[0]
+         else:
+             host, port = parse229(self.sendcmd('EPSV'), self.sock.getpeername())
+         return host, port
diff -r d8a9b4d4b2da -r 531631bda70c lang/python27/patches/patch-Lib_test_test__ftplib.py
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python27/patches/patch-Lib_test_test__ftplib.py      Fri Feb 25 22:41:32 2022 +0000
@@ -0,0 +1,56 @@
+$NetBSD: patch-Lib_test_test__ftplib.py,v 1.1 2022/02/25 22:41:32 gutteridge Exp $
+
+Fix CVE-2021-4189: ftplib should not use the host from the PASV response
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00372-CVE-2021-4189.patch
+
+--- Lib/test/test_ftplib.py.orig       2020-04-19 21:13:39.000000000 +0000
++++ Lib/test/test_ftplib.py
+@@ -67,6 +67,10 @@ class DummyFTPHandler(asynchat.async_cha
+         self.rest = None
+         self.next_retr_data = RETR_DATA
+         self.push('220 welcome')
++        # We use this as the string IPv4 address to direct the client
++        # to in response to a PASV command.  To test security behavior.
++        # https://bugs.python.org/issue43285/.
++        self.fake_pasv_server_ip = '252.253.254.255'
+ 
+     def collect_incoming_data(self, data):
+         self.in_buffer.append(data)
+@@ -109,7 +113,8 @@ class DummyFTPHandler(asynchat.async_cha
+         sock.bind((self.socket.getsockname()[0], 0))
+         sock.listen(5)
+         sock.settimeout(10)
+-        ip, port = sock.getsockname()[:2]
++        port = sock.getsockname()[1]
++        ip = self.fake_pasv_server_ip
+         ip = ip.replace('.', ',')
+         p1, p2 = divmod(port, 256)
+         self.push('227 entering passive mode (%s,%d,%d)' %(ip, p1, p2))
+@@ -577,6 +582,26 @@ class TestFTPClass(TestCase):
+         # IPv4 is in use, just make sure send_epsv has not been used
+         self.assertEqual(self.server.handler_instance.last_received_cmd, 'pasv')
+ 
++    def test_makepasv_issue43285_security_disabled(self):
++        """Test the opt-in to the old vulnerable behavior."""
++        self.client.trust_server_pasv_ipv4_address = True
++        bad_host, port = self.client.makepasv()
++        self.assertEqual(
++                bad_host, self.server.handler_instance.fake_pasv_server_ip)
++        # Opening and closing a connection keeps the dummy server happy
++        # instead of timing out on accept.
++        socket.create_connection((self.client.sock.getpeername()[0], port),
++                                 timeout=TIMEOUT).close()
++
++    def test_makepasv_issue43285_security_enabled_default(self):
++        self.assertFalse(self.client.trust_server_pasv_ipv4_address)
++        trusted_host, port = self.client.makepasv()
++        self.assertNotEqual(
++                trusted_host, self.server.handler_instance.fake_pasv_server_ip)
++        # Opening and closing a connection keeps the dummy server happy
++        # instead of timing out on accept.
++        socket.create_connection((trusted_host, port), timeout=TIMEOUT).close()
++
+     def test_line_too_long(self):
+         self.assertRaises(ftplib.Error, self.client.sendcmd,
+                           'x' * self.client.maxline * 2)
diff -r d8a9b4d4b2da -r 531631bda70c lang/python27/patches/patch-Lib_test_test__urlparse.py
--- a/lang/python27/patches/patch-Lib_test_test__urlparse.py    Fri Feb 25 21:42:51 2022 +0000
+++ b/lang/python27/patches/patch-Lib_test_test__urlparse.py    Fri Feb 25 22:41:32 2022 +0000
@@ -1,9 +1,13 @@
-$NetBSD: patch-Lib_test_test__urlparse.py,v 1.1 2021/10/10 03:00:59 gutteridge Exp $
+$NetBSD: patch-Lib_test_test__urlparse.py,v 1.2 2022/02/25 22:41:32 gutteridge Exp $
 
 Fix CVE-2021-23336: Add `separator` argument to parse_qs; warn with default
 Via Fedora:
 https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336.patch
 
+Fix CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00377-CVE-2022-0391.patch
+
 --- Lib/test/test_urlparse.py.orig     2020-04-19 21:13:39.000000000 +0000
 +++ Lib/test/test_urlparse.py
 @@ -3,6 +3,12 @@ import sys
@@ -130,7 +134,63 @@
      def test_roundtrips(self):
          testcases = [
              ('file:///tmp/junk.txt',
-@@ -626,6 +700,132 @@ class UrlParseTestCase(unittest.TestCase
+@@ -544,6 +618,55 @@ class UrlParseTestCase(unittest.TestCase
+         self.assertEqual(p1.path, '863-1234')
+         self.assertEqual(p1.params, 'phone-context=+1-914-555')
+ 
++    def test_urlsplit_remove_unsafe_bytes(self):
++        # Remove ASCII tabs and newlines from input, for http common case scenario.
++        url = "h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++        p = urlparse.urlsplit(url)
++        self.assertEqual(p.scheme, "http")
++        self.assertEqual(p.netloc, "www.python.org")
++        self.assertEqual(p.path, "/javascript:alert('msg')/")
++        self.assertEqual(p.query, "query=something")
++        self.assertEqual(p.fragment, "fragment")
++        self.assertEqual(p.username, None)
++        self.assertEqual(p.password, None)
++        self.assertEqual(p.hostname, "www.python.org")
++        self.assertEqual(p.port, None)
++        self.assertEqual(p.geturl(), "http://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
++        # Remove ASCII tabs and newlines from input as bytes, for http common case scenario.
++        url = b"h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++        p = urlparse.urlsplit(url)
++        self.assertEqual(p.scheme, b"http")
++        self.assertEqual(p.netloc, b"www.python.org")
++        self.assertEqual(p.path, b"/javascript:alert('msg')/")
++        self.assertEqual(p.query, b"query=something")
++        self.assertEqual(p.fragment, b"fragment")
++        self.assertEqual(p.username, None)
++        self.assertEqual(p.password, None)
++        self.assertEqual(p.hostname, b"www.python.org")
++        self.assertEqual(p.port, None)
++        self.assertEqual(p.geturl(), b"http://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
++        # any scheme
++        url = "x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++        p = urlparse.urlsplit(url)
++        self.assertEqual(p.geturl(), "x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
++        # Remove ASCII tabs and newlines from input as bytes, any scheme.
++        url = b"x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++        p = urlparse.urlsplit(url)
++        self.assertEqual(p.geturl(), b"x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment")
++



Home | Main Index | Thread Index | Old Index