From f1894aa7790980b0561b0c5108012fe1a29ccd32 Mon Sep 17 00:00:00 2001
From: Miro Hrončok
Date: Jun 30 2016 14:51:30 +0000
Subject: Fix for: CVE-2016-0772 python: smtplib StartTLS stripping attack (rhbz#1303647)
Raise an error when STARTTLS fails
- rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
- rhbz#1351679: https://bugzilla.redhat.com/show_bug.cgi?id=1351679
- Fixed upstream: https://hg.python.org/cpython/rev/b3ce713fb9be
---
diff --git a/009-raise-an-error-when-STARTTLS-fails.patch b/009-raise-an-error-when-STARTTLS-fails.patch
new file mode 100644
index 0000000..102b323
--- /dev/null
+++ b/009-raise-an-error-when-STARTTLS-fails.patch
@@ -0,0 +1,35 @@
+From 935f806ae382a45620873dea0eafc536c9e01323 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Miro=20Hron=C4=8Dok?=
+Date: Thu, 30 Jun 2016 14:51:24 +0200
+Subject: [PATCH] Raise an error when STARTTLS fails
+
+CVE-2016-0772 python: smtplib StartTLS stripping attack
+rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
+rhbz#1351679: https://bugzilla.redhat.com/show_bug.cgi?id=1351679
+
+Based on an upstream change by Benjamin Peterson
+- in changeset 101886:b3ce713fb9be 2.7
+- https://hg.python.org/cpython/rev/b3ce713fb9be
+---
+ lib-python/2.7/smtplib.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib-python/2.7/smtplib.py b/lib-python/2.7/smtplib.py
+index 8388b98..e1651c0 100755
+--- a/lib-python/2.7/smtplib.py
++++ b/lib-python/2.7/smtplib.py
+@@ -656,6 +656,11 @@ class SMTP:
+ self.ehlo_resp = None
+ self.esmtp_features = {}
+ self.does_esmtp = 0
++ else:
++ # RFC 3207:
++ # 501 Syntax error (no parameters allowed)
++ # 454 TLS not available due to temporary reason
++ raise SMTPResponseException(resp, reply)
+ return (resp, reply)
+
+ def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
+--
+2.9.0
+
diff --git a/pypy.spec b/pypy.spec
index 1ff2087..d3e41ea 100644
--- a/pypy.spec
+++ b/pypy.spec
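Review bot: The patch ships without a test for the new failure path — its own diffstat lists only `lib-python/2.7/smtplib.py` — so nothing pins that `starttls()` now raises `SMTPResponseException` on a non-220 reply; a test driving a fake server that answers `454 TLS not available due to temporary reason` and asserting the exception would catch a regression back to the silent-plaintext behaviour. The added raise only protects callers that invoke `starttls()` unconditionally: a MITM that strips `STARTTLS` from the EHLO reply still downgrades a client that gates on `has_extn('starttls')` and quietly skips TLS when it is absent, so a one-line note next to the new RFC comment would help, e.g. `# Callers must not fall back to plaintext when STARTTLS is missing from EHLO`. The hunk does not show how the socket is wrapped after the 220 reply; if that path still calls `ssl.wrap_socket` without a verifying context, an active attacker can present any certificate, which is worth confirming while touching this function. The `if resp == 220:` branch this `else:` pairs with, and the rest of `starttls`, lie above the hunk.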
@@ -1,6 +1,6 @@
 Name: pypy
 Version: 5.0.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Python implementation with a Just-In-Time compiler
 Group: Development/Languages
@@ -153,6 +153,13 @@ Patch1: 006-always-log-stdout.patch
 # community that won't make sense outside of it). [Sorry to be a killjoy]
 Patch2: 007-remove-startup-message.patch
+# CVE-2016-0772 python: smtplib StartTLS stripping attack
+# rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
+# rhbz#1351679: https://bugzilla.redhat.com/show_bug.cgi?id=1351679
+# FIXED UPSTREAM: https://hg.python.org/cpython/rev/b3ce713fb9be
+# Raise an error when STARTTLS fails
+Patch3: 009-raise-an-error-when-STARTTLS-fails.patch
+
 # Build-time requirements:
 # pypy's can be rebuilt using itself, rather than with CPython; doing so
@@ -268,6 +275,7 @@ Build of PyPy with support for micro-threads for massive concurrency
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 # Replace /usr/local/bin/python shebangs with /usr/bin/python:
 find -name "*.py" -exec \
 sed \
@@ -710,6 +718,13 @@ CheckPyPy %{name}-c-stackless
 %changelog
+* Thu Jun 30 2016 Miro Hrončok - 5.0.1-3
+- Fix for: CVE-2016-0772 python: smtplib StartTLS stripping attack
+- Raise an error when STARTTLS fails
+- rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
+- rhbz#1351679: https://bugzilla.redhat.com/show_bug.cgi?id=1351679
+- Fixed upstream: https://hg.python.org/cpython/rev/b3ce713fb9be
+
 * Fri May 13 2016 Miro Hrončok - 5.0.1-2
 - Move header files back to %%{pypy_include_dir} (rhbz#1328025)