From 8032bb001b099d398197c5530ef1a01af04fb1fe Mon Sep 17 00:00:00 2001 From: Slavek Kabrda Date: Nov 03 2014 15:19:58 +0000 Subject: Fix CVE-2014-4650 - CGIHTTPServer URL handling Resolves: rhbz#1113529 Conflicts: python3.spec --- diff --git a/00197-fix-CVE-2014-4650.patch b/00197-fix-CVE-2014-4650.patch new file mode 100644 index 0000000..6ab8137 --- /dev/null +++ b/00197-fix-CVE-2014-4650.patch @@ -0,0 +1,34 @@ +# HG changeset patch +# User Benjamin Peterson +# Date 1402796473 25200 +# Node ID 847e288d6e93dba049c280f40979e16a1378d0f6 +# Parent 6f1f387759913d91cb307d2783b3a40c48fe7424# Parent 5676797f3a3eccaf38e2c500e77ed39c68923cc9 +merge 3.3 (#21766) + +diff --git a/Lib/http/server.py b/Lib/http/server.py +--- a/Lib/http/server.py ++++ b/Lib/http/server.py +@@ -977,7 +977,7 @@ class CGIHTTPRequestHandler(SimpleHTTPRe + (and the next character is a '/' or the end of the string). + + """ +- collapsed_path = _url_collapse_path(self.path) ++ collapsed_path = _url_collapse_path(urllib.parse.unquote(self.path)) + dir_sep = collapsed_path.find('/', 1) + head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:] + if head in self.cgi_directories: +diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py +--- a/Lib/test/test_httpservers.py ++++ b/Lib/test/test_httpservers.py +@@ -485,6 +485,11 @@ class CGIHTTPServerTestCase(BaseTestCase + (res.read(), res.getheader('Content-type'), res.status)) + self.assertEqual(os.environ['SERVER_SOFTWARE'], signature) + ++ def test_urlquote_decoding_in_cgi_check(self): ++ res = self.request('/cgi-bin%2ffile1.py') ++ self.assertEqual((b'Hello World\n', 'text/html', 200), ++ (res.read(), res.getheader('Content-type'), res.status)) ++ + + class SocketlessRequestHandler(SimpleHTTPRequestHandler): + def __init__(self): diff --git a/python3.spec b/python3.spec index 74fc7c0..b726582 100644 --- a/python3.spec +++ b/python3.spec @@ -126,7 +126,7 @@ Summary: Version 3 of the Python programming language aka Python 3000 Name: python3 Version: %{pybasever}.2 -Release: 17%{?dist} +Release: 18%{?dist} License: Python Group: Development/Languages @@ -658,6 +658,14 @@ Patch193: 00193-skip-correct-num-of-pycfile-bytes-in-modulefinder.patch # rhbz#1112293 Patch194: 00194-json-add-boundary-check.patch +# 00197 +# +# The CGIHTTPServer Python module did not properly handle URL-encoded +# path separators in URLs. This may have enabled attackers to disclose a CGI +# script's source code or execute arbitrary scripts in the server's +# document root. +Patch197: 00197-fix-CVE-2014-4650.patch + # (New patches go here ^^^) # @@ -925,6 +933,7 @@ done %patch192 -p1 %patch193 -p1 %patch194 -p1 +%patch197 -p1 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there # are many differences between 2.6 and the Python 3 library. @@ -1780,6 +1789,10 @@ rm -fr %{buildroot} # ====================================================== %changelog +* Mon Nov 03 2014 Slavek Kabrda - 3.3.2-18 +- Fix CVE-2014-4650 - CGIHTTPServer URL handling +Resolves: rhbz#1113529 + * Mon Jun 30 2014 Miro HronĨok - 3.3.2-17 - Rewrite the config wrapper from Bash to Python, so it can be interpreted with Python