PR#16: Security fix for CVE-2015-20107 - rpms/pypy3.9

rpms / pypy3.9

#16 Security fix for CVE-2015-20107

Merged 2 years ago by cstratak. Opened 2 years ago by cstratak.

rpms/ cstratak/pypy3.9 CVE-2015-20107 into rawhide

Security fix for CVE-2015-20107

Charalampos Stratakis • 2 years ago

5ff98c3

382-cve-2015-20107.patch

file added

+117

		`@@ -0,0 +1,117 @@`
		`+ From c3caa02fe5e48e02a2ff2c0f409317022b05d34f Mon Sep 17 00:00:00 2001`
		`+ From: Petr Viktorin <encukou@gmail.com>`
		`+ Date: Fri, 3 Jun 2022 11:43:35 +0200`
		`+ Subject: [PATCH] 00382: CVE-2015-20107`
		`+`
		`+ Make mailcap refuse to match unsafe filenames/types/params (GH-91993)`
		`+`
		`+ Upstream: https://github.com/python/cpython/issues/68966`
		`+`
		`+ Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390`
		`+ ---`
		`+ lib-python/3/mailcap.py \| 26 ++++++++++++++++++++++++--`
		`+ lib-python/3/test/test_mailcap.py \| 8 ++++++--`
		`+ 2 files changed, 30 insertions(+), 4 deletions(-)`
		`+`
		`+ diff --git a/lib-python/3/mailcap.py b/lib-python/3/mailcap.py`
		`+ index ae416a8..444c640 100644`
		`+ --- a/lib-python/3/mailcap.py`
		`+ +++ b/lib-python/3/mailcap.py`
		`+ @@ -2,6 +2,7 @@`
		`+`
		`+ import os`
		`+ import warnings`
		`+ +import re`
		`+`
		`+ __all__ = ["getcaps","findmatch"]`
		`+`
		`+ @@ -13,6 +14,11 @@ def lineno_sort_key(entry):`
		`+ else:`
		`+ return 1, 0`
		`+`
		`+ +_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search`
		`+ +`
		`+ +class UnsafeMailcapInput(Warning):`
		`+ + """Warning raised when refusing unsafe input"""`
		`+ +`
		`+`
		`+ # Part 1: top-level interface.`
		`+`
		`+ @@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):`
		`+ entry to use.`
		`+`
		`+ """`
		`+ + if _find_unsafe(filename):`
		`+ + msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)`
		`+ + warnings.warn(msg, UnsafeMailcapInput)`
		`+ + return None, None`
		`+ entries = lookup(caps, MIMEtype, key)`
		`+ # XXX This code should somehow check for the needsterminal flag.`
		`+ for e in entries:`
		`+ if 'test' in e:`
		`+ test = subst(e['test'], filename, plist)`
		`+ + if test is None:`
		`+ + continue`
		`+ if test and os.system(test) != 0:`
		`+ continue`
		`+ command = subst(e[key], MIMEtype, filename, plist)`
		`+ - return command, e`
		`+ + if command is not None:`
		`+ + return command, e`
		`+ return None, None`
		`+`
		`+ def lookup(caps, MIMEtype, key=None):`
		`+ @@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, plist=[]):`
		`+ elif c == 's':`
		`+ res = res + filename`
		`+ elif c == 't':`
		`+ + if _find_unsafe(MIMEtype):`
		`+ + msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)`
		`+ + warnings.warn(msg, UnsafeMailcapInput)`
		`+ + return None`
		`+ res = res + MIMEtype`
		`+ elif c == '{':`
		`+ start = i`
		`+ @@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, plist=[]):`
		`+ i = i+1`
		`+ name = field[start:i]`
		`+ i = i+1`
		`+ - res = res + findparam(name, plist)`
		`+ + param = findparam(name, plist)`
		`+ + if _find_unsafe(param):`
		`+ + msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)`
		`+ + warnings.warn(msg, UnsafeMailcapInput)`
		`+ + return None`
		`+ + res = res + param`
		`+ # XXX To do:`
		`+ # %n == number of parts if type is multipart/*`
		`+ # %F == list of alternating type and filename for parts`
		`+ diff --git a/lib-python/3/test/test_mailcap.py b/lib-python/3/test/test_mailcap.py`
		`+ index c08423c..920283d 100644`
		`+ --- a/lib-python/3/test/test_mailcap.py`
		`+ +++ b/lib-python/3/test/test_mailcap.py`
		`+ @@ -121,7 +121,8 @@ class HelperFunctionTest(unittest.TestCase):`
		`+ (["", "audio/*", "foo.txt"], ""),`
		`+ (["echo foo", "audio/*", "foo.txt"], "echo foo"),`
		`+ (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),`
		`+ - (["echo %t", "audio/", "foo.txt"], "echo audio/"),`
		`+ + (["echo %t", "audio/*", "foo.txt"], None),`
		`+ + (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),`
		`+ (["echo \\%t", "audio/*", "foo.txt"], "echo %t"),`
		`+ (["echo foo", "audio/*", "foo.txt", plist], "echo foo"),`
		`+ (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")`
		`+ @@ -205,7 +206,10 @@ class FindmatchTest(unittest.TestCase):`
		`+ ('"An audio fragment"', audio_basic_entry)),`
		`+ ([c, "audio/*"],`
		`+ {"filename": fname},`
		`+ - ("/usr/local/bin/showaudio audio/*", audio_entry)),`
		`+ + (None, None)),`
		`+ + ([c, "audio/wav"],`
		`+ + {"filename": fname},`
		`+ + ("/usr/local/bin/showaudio audio/wav", audio_entry)),`
		`+ ([c, "message/external-body"],`
		`+ {"plist": plist},`
		`+ ("showexternal /dev/null default john python.org /tmp foo bar", message_entry))`
		`+ --`
		`+ 2.35.3`
		`+`

pypy3.9.spec

file modified

+15 -1

		`@@ -10,7 +10,7 @@`
		`# by Python version as well.`
		`# This potentially allows tags like Obsoletes: pypy3 < %%{version}-%%{release}.`
		`# https://bugzilla.redhat.com/2053880`
		`- %global baserelease 1`
		`+ %global baserelease 2`
		`Release: %{baserelease}.%{pyversion}%{?dist}`
		`Summary: Python %{pyversion} implementation with a Just-In-Time compiler`

		`@@ -120,6 +120,16 @@`
		`# We conditionally apply this, but we use autosetup, so we use Source here`
		`Source189: 189-use-rpm-wheels.patch`

		`+ # 00382 #`
		`+ # CVE-2015-20107`
		`+ #`
		`+ # Make mailcap refuse to match unsafe filenames/types/params (GH-91993)`
		`+ #`
		`+ # Upstream: https://github.com/python/cpython/issues/68966`
		`+ #`
		`+ # Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390`
		`+ Patch382: 382-cve-2015-20107.patch`
		`+`
		`# Build-time requirements:`

		`# pypy's can be rebuilt using pypy2, rather than with CPython 2; doing so`
		`@@ -826,6 +836,10 @@`


		`%changelog`
		`+ * Tue Jun 28 2022 Charalampos Stratakis <cstratak@redhat.com> - 7.3.9-2.3.9`
		`+ - Security fix for CVE-2015-20107`
		`+ - Fixes: rhbz#2075390`
		`+`
		`* Wed Mar 30 2022 Miro Hrončok <mhroncok@redhat.com> - 7.3.9-1.3.9`
		`- Update to 7.3.9`
		`- Fixes: rhbz#2069873`