pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/pkgsrc-2021Q4]: pkgsrc/lang/python27 Pullup ticket #6595 - requested ...
details: https://anonhg.NetBSD.org/pkgsrc/rev/f7b8181da04d
branches: pkgsrc-2021Q4
changeset: 374942:f7b8181da04d
user: bsiegert <bsiegert%pkgsrc.org@localhost>
date: Thu Mar 03 19:33:58 2022 +0000
description:
Pullup ticket #6595 - requested by gutteridge
lang/python27: security fix (CVE-2021-4189, CVE-2022-0391)
Revisions pulled up:
- lang/python27/Makefile 1.99
- lang/python27/distinfo 1.89
- lang/python27/patches/patch-Doc_library_urlparse.rst 1.2
- lang/python27/patches/patch-Lib_ftplib.py 1.1
- lang/python27/patches/patch-Lib_test_test__ftplib.py 1.1
- lang/python27/patches/patch-Lib_test_test__urlparse.py 1.2
- lang/python27/patches/patch-Lib_urlparse.py 1.3
---
Module Name: pkgsrc
Committed By: gutteridge
Date: Fri Feb 25 22:41:32 UTC 2022
Modified Files:
pkgsrc/lang/python27: Makefile distinfo
pkgsrc/lang/python27/patches: patch-Doc_library_urlparse.rst
patch-Lib_test_test__urlparse.py patch-Lib_urlparse.py
Added Files:
pkgsrc/lang/python27/patches: patch-Lib_ftplib.py
patch-Lib_test_test__ftplib.py
Log Message:
python27: fix two security issues
Addresses CVE-2021-4189 and CVE-2022-0391. Patches sourced via Fedora.
diffstat:
lang/python27/Makefile | 5 +-
lang/python27/distinfo | 10 +-
lang/python27/patches/patch-Doc_library_urlparse.rst | 43 ++++++++++-
lang/python27/patches/patch-Lib_ftplib.py | 32 +++++++++
lang/python27/patches/patch-Lib_test_test__ftplib.py | 56 +++++++++++++++
lang/python27/patches/patch-Lib_test_test__urlparse.py | 64 +++++++++++++++++-
lang/python27/patches/patch-Lib_urlparse.py | 42 ++++++++++-
7 files changed, 235 insertions(+), 17 deletions(-)
diffs (truncated from 393 to 300 lines):
diff -r 0fb03c345a50 -r f7b8181da04d lang/python27/Makefile
--- a/lang/python27/Makefile Thu Mar 03 19:32:33 2022 +0000
+++ b/lang/python27/Makefile Thu Mar 03 19:33:58 2022 +0000
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile,v 1.96 2021/12/08 16:05:22 adam Exp $
+# $NetBSD: Makefile,v 1.96.2.1 2022/03/03 19:33:58 bsiegert Exp $
.include "dist.mk"
PKGNAME= python27-${PY_DISTVERSION}
-PKGREVISION= 6
+# NOTE: The nb7 update was not pulled up.
+PKGREVISION= 8
CATEGORIES= lang python
MAINTAINER= pkgsrc-users%NetBSD.org@localhost
diff -r 0fb03c345a50 -r f7b8181da04d lang/python27/distinfo
--- a/lang/python27/distinfo Thu Mar 03 19:32:33 2022 +0000
+++ b/lang/python27/distinfo Thu Mar 03 19:33:58 2022 +0000
@@ -1,10 +1,10 @@
-$NetBSD: distinfo,v 1.87 2021/10/27 23:58:55 gutteridge Exp $
+$NetBSD: distinfo,v 1.87.2.1 2022/03/03 19:33:58 bsiegert Exp $
BLAKE2s (Python-2.7.18.tar.xz) = 1b673ec8c9362a178e044691392bc4f67ad13457d7fddd84a88de346f23f9812
SHA512 (Python-2.7.18.tar.xz) = a7bb62b51f48ff0b6df0b18f5b0312a523e3110f49c3237936bfe56ed0e26838c0274ff5401bda6fc21bf24337477ccac49e8026c5d651e4b4cafb5eb5086f6c
Size (Python-2.7.18.tar.xz) = 12854736 bytes
SHA1 (patch-Doc_library_cgi.rst) = ed9ac101b0857dc573e9a648694d1ee5fabe61fb
-SHA1 (patch-Doc_library_urlparse.rst) = f9714b945a2bacb4ec5360c151a42192e00f08ad
+SHA1 (patch-Doc_library_urlparse.rst) = ceaea3a4577ba7d3055ffb3b3c8ffbbdda7e1d32
SHA1 (patch-Include_pyerrors.h) = 0d2cd52d18cc719b895fa32ed7e11c6cb15bae54
SHA1 (patch-Include_pyport.h) = f3e4ddbc954425a65301465410911222ca471320
SHA1 (patch-Lib___osx__support.py) = 4389472565616b3875c699f6e3e74850d5fde712
@@ -20,6 +20,7 @@
SHA1 (patch-Lib_distutils_tests_test__build__ext.py) = 6b3c8c8d1d351836b239c049d34d132953bd4786
SHA1 (patch-Lib_distutils_unixccompiler.py) = db16c9aca2f29730945f28247b88b18828739bbb
SHA1 (patch-Lib_distutils_util.py) = 5bcfad96f8e490351160f1a7c1f4ece7706a33fa
+SHA1 (patch-Lib_ftplib.py) = 6679c4ea109dcb5d56d86a55343954e0368b9138
SHA1 (patch-Lib_httplib.py) = b8eeaa203e2a86ece94148d192b2a7e0c078602a
SHA1 (patch-Lib_lib2to3_pgen2_driver.py) = 5d6dab14197f27363394ff1aeee22a8ced8026d2
SHA1 (patch-Lib_multiprocessing_process.py) = 15699bd8ec822bf54a0631102e00e0a34f882803
@@ -28,13 +29,14 @@
SHA1 (patch-Lib_tarfile.py) = df00aa1941367c42dcbbed4b6658b724a22ddcde
SHA1 (patch-Lib_test_multibytecodec__support.py) = a18c40e8009f1a8f63e15196d3e751d7dccf8367
SHA1 (patch-Lib_test_test__cgi.py) = 724355e8d2195f8a4b76d7ea61133e9b14fa3a68
+SHA1 (patch-Lib_test_test__ftplib.py) = 4b22c8a963ccf6f60ca49be003bf026e1b0b632d
SHA1 (patch-Lib_test_test__httplib.py) = f7cfa5501a63eaca539bfa53d38cf931f3a6c3ac
SHA1 (patch-Lib_test_test__platform.py) = 3a3b8c05f9bf9adf4862b1022ce864127d36b8b0
SHA1 (patch-Lib_test_test__unicode.py) = 1bd182bdbd880d0a847f9d8b69277a607f9f0526
SHA1 (patch-Lib_test_test__urllib2.py) = 89baa57daf2f3282e4fc5009915dbc4910b96ef1
-SHA1 (patch-Lib_test_test__urlparse.py) = 257cb3bf7a0e9b5e0dcb204f675959b10953ba7b
+SHA1 (patch-Lib_test_test__urlparse.py) = d98df667a34eebb994fe1d54a1decb8359df897e
SHA1 (patch-Lib_urllib2.py) = 0cc0dc811bb9544496962e08b040b5c96fb9073c
-SHA1 (patch-Lib_urlparse.py) = 69db5325a19474113e72c1feeb895a25534412c4
+SHA1 (patch-Lib_urlparse.py) = 1f102bb85acd99a8be976f9d5b0fdb1a7abf5725
SHA1 (patch-Mac_Tools_pythonw.c) = 2b9a60d4b349c240471fd305be69c28e0f654cdc
SHA1 (patch-Makefile.pre.in) = ceaf34237588b527478ce1f9163c9168382fa201
SHA1 (patch-Modules___ctypes_callbacks.c) = 8c335edfc9d2ef47988c5bdf1c3dd8473757637b
diff -r 0fb03c345a50 -r f7b8181da04d lang/python27/patches/patch-Doc_library_urlparse.rst
--- a/lang/python27/patches/patch-Doc_library_urlparse.rst Thu Mar 03 19:32:33 2022 +0000
+++ b/lang/python27/patches/patch-Doc_library_urlparse.rst Thu Mar 03 19:33:58 2022 +0000
@@ -1,12 +1,26 @@
-$NetBSD: patch-Doc_library_urlparse.rst,v 1.1 2021/10/10 03:00:59 gutteridge Exp $
+$NetBSD: patch-Doc_library_urlparse.rst,v 1.1.4.1 2022/03/03 19:33:58 bsiegert Exp $
Fix CVE-2021-23336: Add `separator` argument to parse_qs; warn with default
Via Fedora:
https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336.patch
+Fix CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00377-CVE-2022-0391.patch
+
--- Doc/library/urlparse.rst.orig 2020-04-19 21:13:39.000000000 +0000
+++ Doc/library/urlparse.rst
-@@ -136,7 +136,7 @@ The :mod:`urlparse` module defines the f
+@@ -125,6 +125,9 @@ The :mod:`urlparse` module defines the f
+ decomposed before parsing, or is not a Unicode string, no error will be
+ raised.
+
++ Following the `WHATWG spec`_ that updates RFC 3986, ASCII newline
++ ``\n``, ``\r`` and tab ``\t`` characters are stripped from the URL.
++
+ .. versionchanged:: 2.5
+ Added attributes to return value.
+
+@@ -136,7 +139,7 @@ The :mod:`urlparse` module defines the f
now raise :exc:`ValueError`.
@@ -15,7 +29,7 @@
Parse a query string given as a string argument (data of type
:mimetype:`application/x-www-form-urlencoded`). Data are returned as a
-@@ -157,6 +157,15 @@ The :mod:`urlparse` module defines the f
+@@ -157,6 +160,15 @@ The :mod:`urlparse` module defines the f
read. If set, then throws a :exc:`ValueError` if there are more than
*max_num_fields* fields read.
@@ -31,7 +45,7 @@
Use the :func:`urllib.urlencode` function to convert such dictionaries into
query strings.
-@@ -186,6 +195,9 @@ The :mod:`urlparse` module defines the f
+@@ -186,6 +198,9 @@ The :mod:`urlparse` module defines the f
read. If set, then throws a :exc:`ValueError` if there are more than
*max_num_fields* fields read.
@@ -41,7 +55,7 @@
Use the :func:`urllib.urlencode` function to convert such lists of pairs into
query strings.
-@@ -195,6 +207,7 @@ The :mod:`urlparse` module defines the f
+@@ -195,6 +210,7 @@ The :mod:`urlparse` module defines the f
.. versionchanged:: 2.7.16
Added *max_num_fields* parameter.
@@ -49,3 +63,22 @@
.. function:: urlunparse(parts)
Construct a URL from a tuple as returned by ``urlparse()``. The *parts* argument
+@@ -308,6 +324,10 @@ The :mod:`urlparse` module defines the f
+
+ .. seealso::
+
++ `WHATWG`_ - URL Living standard
++ Working Group for the URL Standard that defines URLs, domains, IP addresses, the
++ application/x-www-form-urlencoded format, and their API.
++
+ :rfc:`3986` - Uniform Resource Identifiers
+ This is the current standard (STD66). Any changes to urlparse module
+ should conform to this. Certain deviations could be observed, which are
+@@ -332,6 +352,7 @@ The :mod:`urlparse` module defines the f
+ :rfc:`1738` - Uniform Resource Locators (URL)
+ This specifies the formal syntax and semantics of absolute URLs.
+
++.. _WHATWG: https://url.spec.whatwg.org/
+
+ .. _urlparse-result-object:
+
diff -r 0fb03c345a50 -r f7b8181da04d lang/python27/patches/patch-Lib_ftplib.py
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python27/patches/patch-Lib_ftplib.py Thu Mar 03 19:33:58 2022 +0000
@@ -0,0 +1,32 @@
+$NetBSD: patch-Lib_ftplib.py,v 1.1.2.2 2022/03/03 19:33:58 bsiegert Exp $
+
+Fix CVE-2021-4189: ftplib should not use the host from the PASV response
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00372-CVE-2021-4189.patch
+
+--- Lib/ftplib.py.orig 2020-04-19 21:13:39.000000000 +0000
++++ Lib/ftplib.py
+@@ -108,6 +108,8 @@ class FTP:
+ file = None
+ welcome = None
+ passiveserver = 1
++ # Disables security if set to True. https://bugs.python.org/issue43285
++ trust_server_pasv_ipv4_address = False
+
+ # Initialization method (called by class instantiation).
+ # Initialize host to localhost, port to standard ftp port
+@@ -310,8 +312,13 @@ class FTP:
+ return sock
+
+ def makepasv(self):
++ """Internal: Does the PASV or EPSV handshake -> (address, port)"""
+ if self.af == socket.AF_INET:
+- host, port = parse227(self.sendcmd('PASV'))
++ untrusted_host, port = parse227(self.sendcmd('PASV'))
++ if self.trust_server_pasv_ipv4_address:
++ host = untrusted_host
++ else:
++ host = self.sock.getpeername()[0]
+ else:
+ host, port = parse229(self.sendcmd('EPSV'), self.sock.getpeername())
+ return host, port
diff -r 0fb03c345a50 -r f7b8181da04d lang/python27/patches/patch-Lib_test_test__ftplib.py
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python27/patches/patch-Lib_test_test__ftplib.py Thu Mar 03 19:33:58 2022 +0000
@@ -0,0 +1,56 @@
+$NetBSD: patch-Lib_test_test__ftplib.py,v 1.1.2.2 2022/03/03 19:33:58 bsiegert Exp $
+
+Fix CVE-2021-4189: ftplib should not use the host from the PASV response
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00372-CVE-2021-4189.patch
+
+--- Lib/test/test_ftplib.py.orig 2020-04-19 21:13:39.000000000 +0000
++++ Lib/test/test_ftplib.py
+@@ -67,6 +67,10 @@ class DummyFTPHandler(asynchat.async_cha
+ self.rest = None
+ self.next_retr_data = RETR_DATA
+ self.push('220 welcome')
++ # We use this as the string IPv4 address to direct the client
++ # to in response to a PASV command. To test security behavior.
++ # https://bugs.python.org/issue43285/.
++ self.fake_pasv_server_ip = '252.253.254.255'
+
+ def collect_incoming_data(self, data):
+ self.in_buffer.append(data)
+@@ -109,7 +113,8 @@ class DummyFTPHandler(asynchat.async_cha
+ sock.bind((self.socket.getsockname()[0], 0))
+ sock.listen(5)
+ sock.settimeout(10)
+- ip, port = sock.getsockname()[:2]
++ port = sock.getsockname()[1]
++ ip = self.fake_pasv_server_ip
+ ip = ip.replace('.', ',')
+ p1, p2 = divmod(port, 256)
+ self.push('227 entering passive mode (%s,%d,%d)' %(ip, p1, p2))
+@@ -577,6 +582,26 @@ class TestFTPClass(TestCase):
+ # IPv4 is in use, just make sure send_epsv has not been used
+ self.assertEqual(self.server.handler_instance.last_received_cmd, 'pasv')
+
++ def test_makepasv_issue43285_security_disabled(self):
++ """Test the opt-in to the old vulnerable behavior."""
++ self.client.trust_server_pasv_ipv4_address = True
++ bad_host, port = self.client.makepasv()
++ self.assertEqual(
++ bad_host, self.server.handler_instance.fake_pasv_server_ip)
++ # Opening and closing a connection keeps the dummy server happy
++ # instead of timing out on accept.
++ socket.create_connection((self.client.sock.getpeername()[0], port),
++ timeout=TIMEOUT).close()
++
++ def test_makepasv_issue43285_security_enabled_default(self):
++ self.assertFalse(self.client.trust_server_pasv_ipv4_address)
++ trusted_host, port = self.client.makepasv()
++ self.assertNotEqual(
++ trusted_host, self.server.handler_instance.fake_pasv_server_ip)
++ # Opening and closing a connection keeps the dummy server happy
++ # instead of timing out on accept.
++ socket.create_connection((trusted_host, port), timeout=TIMEOUT).close()
++
+ def test_line_too_long(self):
+ self.assertRaises(ftplib.Error, self.client.sendcmd,
+ 'x' * self.client.maxline * 2)
diff -r 0fb03c345a50 -r f7b8181da04d lang/python27/patches/patch-Lib_test_test__urlparse.py
--- a/lang/python27/patches/patch-Lib_test_test__urlparse.py Thu Mar 03 19:32:33 2022 +0000
+++ b/lang/python27/patches/patch-Lib_test_test__urlparse.py Thu Mar 03 19:33:58 2022 +0000
@@ -1,9 +1,13 @@
-$NetBSD: patch-Lib_test_test__urlparse.py,v 1.1 2021/10/10 03:00:59 gutteridge Exp $
+$NetBSD: patch-Lib_test_test__urlparse.py,v 1.1.4.1 2022/03/03 19:33:58 bsiegert Exp $
Fix CVE-2021-23336: Add `separator` argument to parse_qs; warn with default
Via Fedora:
https://src.fedoraproject.org/rpms/python2.7/blob/rawhide/f/00359-CVE-2021-23336.patch
+Fix CVE-2022-0391: urlparse does not sanitize URLs containing ASCII newline and tabs
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/40dd05e5d77dbfa81777c9f84b704bc2239bf710/f/00377-CVE-2022-0391.patch
+
--- Lib/test/test_urlparse.py.orig 2020-04-19 21:13:39.000000000 +0000
+++ Lib/test/test_urlparse.py
@@ -3,6 +3,12 @@ import sys
@@ -130,7 +134,63 @@
def test_roundtrips(self):
testcases = [
('file:///tmp/junk.txt',
-@@ -626,6 +700,132 @@ class UrlParseTestCase(unittest.TestCase
+@@ -544,6 +618,55 @@ class UrlParseTestCase(unittest.TestCase
+ self.assertEqual(p1.path, '863-1234')
+ self.assertEqual(p1.params, 'phone-context=+1-914-555')
+
++ def test_urlsplit_remove_unsafe_bytes(self):
++ # Remove ASCII tabs and newlines from input, for http common case scenario.
++ url = "h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++ p = urlparse.urlsplit(url)
++ self.assertEqual(p.scheme, "http")
++ self.assertEqual(p.netloc, "www.python.org")
++ self.assertEqual(p.path, "/javascript:alert('msg')/")
++ self.assertEqual(p.query, "query=something")
++ self.assertEqual(p.fragment, "fragment")
++ self.assertEqual(p.username, None)
++ self.assertEqual(p.password, None)
++ self.assertEqual(p.hostname, "www.python.org")
++ self.assertEqual(p.port, None)
++ self.assertEqual(p.geturl(), "http://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
++ # Remove ASCII tabs and newlines from input as bytes, for http common case scenario.
++ url = b"h\nttp://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++ p = urlparse.urlsplit(url)
++ self.assertEqual(p.scheme, b"http")
++ self.assertEqual(p.netloc, b"www.python.org")
++ self.assertEqual(p.path, b"/javascript:alert('msg')/")
++ self.assertEqual(p.query, b"query=something")
++ self.assertEqual(p.fragment, b"fragment")
++ self.assertEqual(p.username, None)
++ self.assertEqual(p.password, None)
++ self.assertEqual(p.hostname, b"www.python.org")
++ self.assertEqual(p.port, None)
++ self.assertEqual(p.geturl(), b"http://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
++ # any scheme
++ url = "x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++ p = urlparse.urlsplit(url)
++ self.assertEqual(p.geturl(), "x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment")
++
++ # Remove ASCII tabs and newlines from input as bytes, any scheme.
++ url = b"x-new-scheme\t://www.python\n.org\t/java\nscript:\talert('msg\r\n')/?query\n=\tsomething#frag\nment"
++ p = urlparse.urlsplit(url)
++ self.assertEqual(p.geturl(), b"x-new-scheme://www.python.org/javascript:alert('msg')/?query=something#fragment")
Home |
Main Index |
Thread Index |
Old Index