#100 Rebase to 3.7.3rc1
Closed 7 months ago by churchyard. Opened 7 months ago by churchyard.
rpms/ churchyard/python3 3.7.3rc1  into  master

file modified
+2 -2

@@ -16,9 +16,9 @@ 

   

  +_WHEEL_DIR = "/usr/share/python-wheels/"

   

- -_SETUPTOOLS_VERSION = "40.6.2"

+ -_SETUPTOOLS_VERSION = "40.8.0"

   

- -_PIP_VERSION = "18.1"

+ -_PIP_VERSION = "19.0.3"

  +def _get_most_recent_wheel_version(pkg):

  +    prefix = os.path.join(_WHEEL_DIR, "{}-".format(pkg))

  +    suffix = "-py2.py3-none-any.whl"

file removed
-111

@@ -1,111 +0,0 @@ 

- From c660debb97f4f422255a82fef2d77804552c043a Mon Sep 17 00:00:00 2001

- From: Christian Heimes <christian@python.org>

- Date: Tue, 15 Jan 2019 18:16:30 +0100

- Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser

- 

- CVE-2019-5010, Fix a NULL pointer deref in ssl module. The cert parser did

- not handle CRL distribution points with empty DP or URI correctly. A

- malicious or buggy certificate can result into segfault.

- 

- Signed-off-by: Christian Heimes <christian@python.org>

- ---

-  Lib/test/talos-2019-0758.pem                  | 22 +++++++++++++++++++

-  Lib/test/test_ssl.py                          | 22 +++++++++++++++++++

-  .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst  |  3 +++

-  Modules/_ssl.c                                |  4 ++++

-  4 files changed, 51 insertions(+)

-  create mode 100644 Lib/test/talos-2019-0758.pem

-  create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst

- 

- diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem

- new file mode 100644

- index 000000000000..13b95a77fd8a

- --- /dev/null

- +++ b/Lib/test/talos-2019-0758.pem

- @@ -0,0 +1,22 @@

- +-----BEGIN CERTIFICATE-----

- +MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO

- +BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7

- +MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh

- +bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB

- +J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES

- +V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD

- +5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C

- +1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP

- +WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF

- +j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp

- +HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io

- +UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7

- +2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu

- +bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG

- +SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p

- +t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr

- +t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit

- +p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV

- +Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+

- +10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA==

- +-----END CERTIFICATE-----

- diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py

- index 7f6b93148f45..1fc657f4d867 100644

- --- a/Lib/test/test_ssl.py

- +++ b/Lib/test/test_ssl.py

- @@ -115,6 +115,7 @@ def data_file(*name):

-  BADKEY = data_file("badkey.pem")

-  NOKIACERT = data_file("nokia.pem")

-  NULLBYTECERT = data_file("nullbytecert.pem")

- +TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")

-  

-  DHFILE = data_file("ffdh3072.pem")

-  BYTES_DHFILE = os.fsencode(DHFILE)

- @@ -348,6 +349,27 @@ def test_parse_cert(self):

-          self.assertEqual(p['crlDistributionPoints'],

-                           ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))

-  

- +    def test_parse_cert_CVE_2019_5010(self):

- +        p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)

- +        if support.verbose:

- +            sys.stdout.write("\n" + pprint.pformat(p) + "\n")

- +        self.assertEqual(

- +            p,

- +            {

- +                'issuer': (

- +                    (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),

- +                'notAfter': 'Jun 14 18:00:58 2028 GMT',

- +                'notBefore': 'Jun 18 18:00:58 2018 GMT',

- +                'serialNumber': '02',

- +                'subject': ((('countryName', 'UK'),),

- +                            (('commonName',

- +                              'codenomicon-vm-2.test.lal.cisco.com'),)),

- +                'subjectAltName': (

- +                    ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),

- +                'version': 3

- +            }

- +        )

- +

-      def test_parse_cert_CVE_2013_4238(self):

-          p = ssl._ssl._test_decode_cert(NULLBYTECERT)

-          if support.verbose:

- diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst

- new file mode 100644

- index 000000000000..dffe347eec84

- --- /dev/null

- +++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst

- @@ -0,0 +1,3 @@

- +[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did

- +not handle CRL distribution points with empty DP or URI correctly. A

- +malicious or buggy certificate can result into segfault.

- diff --git a/Modules/_ssl.c b/Modules/_ssl.c

- index 4e3352d9e661..0e720e268d93 100644

- --- a/Modules/_ssl.c

- +++ b/Modules/_ssl.c

- @@ -1515,6 +1515,10 @@ _get_crl_dp(X509 *certificate) {

-          STACK_OF(GENERAL_NAME) *gns;

-  

-          dp = sk_DIST_POINT_value(dps, i);

- +        if (dp->distpoint == NULL) {

- +            /* Ignore empty DP value, CVE-2019-5010 */

- +            continue;

- +        }

-          gns = dp->distpoint->name.fullname;

-  

-          for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {

file removed
-150

@@ -1,150 +0,0 @@ 

- From daad2c482c91de32d8305abbccc76a5de8b3a8be Mon Sep 17 00:00:00 2001

- From: Steve Dower <steve.dower@microsoft.com>

- Date: Thu, 7 Mar 2019 09:08:18 -0800

- Subject: [PATCH] bpo-36216: Add check for characters in netloc that normalize

-  to separators (GH-12201)

- 

- ---

-  Doc/library/urllib.parse.rst                  | 18 +++++++++++++++

-  Lib/test/test_urlparse.py                     | 23 +++++++++++++++++++

-  Lib/urllib/parse.py                           | 17 ++++++++++++++

-  .../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst  |  3 +++

-  4 files changed, 61 insertions(+)

-  create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst

- 

- diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst

- index 0c8f0f607314..b565e1edd321 100644

- --- a/Doc/library/urllib.parse.rst

- +++ b/Doc/library/urllib.parse.rst

- @@ -124,6 +124,11 @@ or on combining URL components into a URL string.

-     Unmatched square brackets in the :attr:`netloc` attribute will raise a

-     :exc:`ValueError`.

-  

- +   Characters in the :attr:`netloc` attribute that decompose under NFKC

- +   normalization (as used by the IDNA encoding) into any of ``/``, ``?``,

- +   ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is

- +   decomposed before parsing, no error will be raised.

- +

-     .. versionchanged:: 3.2

-        Added IPv6 URL parsing capabilities.

-  

- @@ -136,6 +141,10 @@ or on combining URL components into a URL string.

-        Out-of-range port numbers now raise :exc:`ValueError`, instead of

-        returning :const:`None`.

-  

- +   .. versionchanged:: 3.7.3

- +      Characters that affect netloc parsing under NFKC normalization will

- +      now raise :exc:`ValueError`.

- +

-  

-  .. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None)

-  

- @@ -257,10 +266,19 @@ or on combining URL components into a URL string.

-     Unmatched square brackets in the :attr:`netloc` attribute will raise a

-     :exc:`ValueError`.

-  

- +   Characters in the :attr:`netloc` attribute that decompose under NFKC

- +   normalization (as used by the IDNA encoding) into any of ``/``, ``?``,

- +   ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is

- +   decomposed before parsing, no error will be raised.

- +

-     .. versionchanged:: 3.6

-        Out-of-range port numbers now raise :exc:`ValueError`, instead of

-        returning :const:`None`.

-  

- +   .. versionchanged:: 3.7.3

- +      Characters that affect netloc parsing under NFKC normalization will

- +      now raise :exc:`ValueError`.

- +

-  

-  .. function:: urlunsplit(parts)

-  

- diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py

- index be50b47603aa..e6638aee2244 100644

- --- a/Lib/test/test_urlparse.py

- +++ b/Lib/test/test_urlparse.py

- @@ -1,3 +1,5 @@

- +import sys

- +import unicodedata

-  import unittest

-  import urllib.parse

-  

- @@ -984,6 +986,27 @@ def test_all(self):

-                  expected.append(name)

-          self.assertCountEqual(urllib.parse.__all__, expected)

-  

- +    def test_urlsplit_normalization(self):

- +        # Certain characters should never occur in the netloc,

- +        # including under normalization.

- +        # Ensure that ALL of them are detected and cause an error

- +        illegal_chars = '/:#?@'

- +        hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}

- +        denorm_chars = [

- +            c for c in map(chr, range(128, sys.maxunicode))

- +            if (hex_chars & set(unicodedata.decomposition(c).split()))

- +            and c not in illegal_chars

- +        ]

- +        # Sanity check that we found at least one such character

- +        self.assertIn('\u2100', denorm_chars)

- +        self.assertIn('\uFF03', denorm_chars)

- +

- +        for scheme in ["http", "https", "ftp"]:

- +            for c in denorm_chars:

- +                url = "{}://netloc{}false.netloc/path".format(scheme, c)

- +                with self.subTest(url=url, char='{:04X}'.format(ord(c))):

- +                    with self.assertRaises(ValueError):

- +                        urllib.parse.urlsplit(url)

-  

-  class Utility_Tests(unittest.TestCase):

-      """Testcase to test the various utility functions in the urllib."""

- diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py

- index f691ab74f87f..39c5d6a80824 100644

- --- a/Lib/urllib/parse.py

- +++ b/Lib/urllib/parse.py

- @@ -391,6 +391,21 @@ def _splitnetloc(url, start=0):

-              delim = min(delim, wdelim)     # use earliest delim position

-      return url[start:delim], url[delim:]   # return (domain, rest)

-  

- +def _checknetloc(netloc):

- +    if not netloc or netloc.isascii():

- +        return

- +    # looking for characters like \u2100 that expand to 'a/c'

- +    # IDNA uses NFKC equivalence, so normalize for this check

- +    import unicodedata

- +    netloc2 = unicodedata.normalize('NFKC', netloc)

- +    if netloc == netloc2:

- +        return

- +    _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay

- +    for c in '/?#@:':

- +        if c in netloc2:

- +            raise ValueError("netloc '" + netloc2 + "' contains invalid " +

- +                             "characters under NFKC normalization")

- +

-  def urlsplit(url, scheme='', allow_fragments=True):

-      """Parse a URL into 5 components:

-      <scheme>://<netloc>/<path>?<query>#<fragment>

- @@ -419,6 +434,7 @@ def urlsplit(url, scheme='', allow_fragments=True):

-                  url, fragment = url.split('#', 1)

-              if '?' in url:

-                  url, query = url.split('?', 1)

- +            _checknetloc(netloc)

-              v = SplitResult('http', netloc, url, query, fragment)

-              _parse_cache[key] = v

-              return _coerce_result(v)

- @@ -442,6 +458,7 @@ def urlsplit(url, scheme='', allow_fragments=True):

-          url, fragment = url.split('#', 1)

-      if '?' in url:

-          url, query = url.split('?', 1)

- +    _checknetloc(netloc)

-      v = SplitResult(scheme, netloc, url, query, fragment)

-      _parse_cache[key] = v

-      return _coerce_result(v)

- diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst

- new file mode 100644

- index 000000000000..5546394157f9

- --- /dev/null

- +++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst

- @@ -0,0 +1,3 @@

- +Changes urlsplit() to raise ValueError when the URL contains characters that

- +decompose under IDNA encoding (NFKC-normalization) into characters that

- +affect how the URL is parsed.

file modified
+14 -20

@@ -13,8 +13,11 @@ 

  

  #  WARNING  When rebasing to a new Python version,

  #           remember to update the python3-docs package as well

- Version: %{pybasever}.2

- Release: 8%{?dist}

+ %global general_version %{pybasever}.3

+ %global prerel rc1

+ %global upstream_version %{general_version}%{?prerel}

+ Version: %{general_version}%{?prerel:~%{prerel}}

+ Release: 1%{?dist}

  License: Python

  

  

@@ -198,7 +201,7 @@ 

  # Source code and patches

  # =======================

  

- Source: https://www.python.org/ftp/python/%{version}/Python-%{version}%{?prerel}.tar.xz

+ Source: https://www.python.org/ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz

  

  # A simple script to check timestamps of bytecode files

  # Run in check section with Python that is currently being built

@@ -300,16 +303,6 @@ 

  # So we mark the command as unsupported - and the tests are skipped

  Patch316: 00316-mark-bdist_wininst-unsupported.patch

  

- # 00317 #

- # Security fix for CVE-2019-5010: Fix segfault in ssl's cert parser

- # Fixed upstream https://bugs.python.org/issue35746

- Patch317: 00317-CVE-2019-5010.patch

- 

- # 00320 #

- # Security fix for CVE-2019-9636: Information Disclosure due to urlsplit improper NFKC normalization

- # Fixed upstream https://bugs.python.org/issue36216

- Patch320: 00320-CVE-2019-9636.patch

- 

  # (New patches go here ^^^)

  #

  # When adding new patches to "python" and "python3" in Fedora, EL, etc.,

@@ -397,8 +390,8 @@ 

  Requires: python-setuptools-wheel

  Requires: python-pip-wheel

  %else

- Provides: bundled(python3-pip) = 18.1

- Provides: bundled(python3-setuptools) = 40.6.2

+ Provides: bundled(python3-pip) = 19.0.3

+ Provides: bundled(python3-setuptools) = 40.8.0

  %endif

  

  # There are files in the standard library that have python shebang.

@@ -552,8 +545,8 @@ 

  Requires: python-setuptools-wheel

  Requires: python-pip-wheel

  %else

- Provides: bundled(python3-pip) = 18.1

- Provides: bundled(python3-setuptools) = 40.6.2

+ Provides: bundled(python3-pip) = 19.0.3

+ Provides: bundled(python3-setuptools) = 40.8.0

  %endif

  

  # The description for the flat package

@@ -572,7 +565,7 @@ 

  # ======================================================

  

  %prep

- %setup -q -n Python-%{version}%{?prerel}

+ %setup -q -n Python-%{upstream_version}

  # Remove all exe files to ensure we are not shipping prebuilt binaries

  # note that those are only used to create Microsoft Windows installers

  # and that functionality is broken on Linux anyway

@@ -605,8 +598,6 @@ 

  %patch251 -p1

  %patch274 -p1

  %patch316 -p1

- %patch317 -p1

- %patch320 -p1

  

  

  # Remove files that should be generated by the build

@@ -1527,6 +1518,9 @@ 

  # ======================================================

  

  %changelog

+ * Thu Mar 21 2019 Miro Hrončok <mhroncok@redhat.com> - 3.7.3~rc1-1

+ - Update to 3.7.3rc1

+ 

  * Thu Mar 14 2019 Miro Hrončok <mhroncok@redhat.com> - 3.7.2-8

  - Security fix for CVE-2019-9636 (#1688543, #1688546)

  

file modified
+1 -1

@@ -1,1 +1,1 @@ 

- SHA512 (Python-3.7.2.tar.xz) = 6cd2d6d8455558783b99d55985cd7b22d67b98f41a09b4fdd96f680a630a4e035220d2b903f8c59ed513aa5ffe6730fa947ddb55bb72ce36f0e945ef8af5d971

+ SHA512 (Python-3.7.3rc1.tar.xz) = a0266a414f5a5828587e43e95fad494be2b0ac4563faefc26ef3f36fb19abb8cfe9b845e4ffec7652ac3ce17b7f47d2b89cd2032017d0f607a9fe4a5f08c4da7