diff --git a/00189-use-rpm-wheels.patch b/00189-use-rpm-wheels.patch index 1afdab1..ffb80af 100644 --- a/00189-use-rpm-wheels.patch +++ b/00189-use-rpm-wheels.patch @@ -16,9 +16,9 @@ index 4748ba4..fc02255 100644 +_WHEEL_DIR = "/usr/share/python-wheels/" --_SETUPTOOLS_VERSION = "40.6.2" +-_SETUPTOOLS_VERSION = "40.8.0" --_PIP_VERSION = "18.1" +-_PIP_VERSION = "19.0.3" +def _get_most_recent_wheel_version(pkg): + prefix = os.path.join(_WHEEL_DIR, "{}-".format(pkg)) + suffix = "-py2.py3-none-any.whl" diff --git a/00317-CVE-2019-5010.patch b/00317-CVE-2019-5010.patch deleted file mode 100644 index 62e931e..0000000 --- a/00317-CVE-2019-5010.patch +++ /dev/null @@ -1,111 +0,0 @@ -From c660debb97f4f422255a82fef2d77804552c043a Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Tue, 15 Jan 2019 18:16:30 +0100 -Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser - -CVE-2019-5010, Fix a NULL pointer deref in ssl module. The cert parser did -not handle CRL distribution points with empty DP or URI correctly. A -malicious or buggy certificate can result into segfault. - -Signed-off-by: Christian Heimes ---- - Lib/test/talos-2019-0758.pem | 22 +++++++++++++++++++ - Lib/test/test_ssl.py | 22 +++++++++++++++++++ - .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++ - Modules/_ssl.c | 4 ++++ - 4 files changed, 51 insertions(+) - create mode 100644 Lib/test/talos-2019-0758.pem - create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst - -diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem -new file mode 100644 -index 000000000000..13b95a77fd8a ---- /dev/null -+++ b/Lib/test/talos-2019-0758.pem -@@ -0,0 +1,22 @@ -+-----BEGIN CERTIFICATE----- -+MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO -+BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7 -+MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh -+bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB -+J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES -+V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD -+5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C -+1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP -+WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF -+j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp -+HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io -+UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7 -+2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu -+bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG -+SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p -+t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr -+t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit -+p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV -+Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+ -+10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA== -+-----END CERTIFICATE----- -diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py -index 7f6b93148f45..1fc657f4d867 100644 ---- a/Lib/test/test_ssl.py -+++ b/Lib/test/test_ssl.py -@@ -115,6 +115,7 @@ def data_file(*name): - BADKEY = data_file("badkey.pem") - NOKIACERT = data_file("nokia.pem") - NULLBYTECERT = data_file("nullbytecert.pem") -+TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem") - - DHFILE = data_file("ffdh3072.pem") - BYTES_DHFILE = os.fsencode(DHFILE) -@@ -348,6 +349,27 @@ def test_parse_cert(self): - self.assertEqual(p['crlDistributionPoints'], - ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',)) - -+ def test_parse_cert_CVE_2019_5010(self): -+ p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP) -+ if support.verbose: -+ sys.stdout.write("\n" + pprint.pformat(p) + "\n") -+ self.assertEqual( -+ p, -+ { -+ 'issuer': ( -+ (('countryName', 'UK'),), (('commonName', 'cody-ca'),)), -+ 'notAfter': 'Jun 14 18:00:58 2028 GMT', -+ 'notBefore': 'Jun 18 18:00:58 2018 GMT', -+ 'serialNumber': '02', -+ 'subject': ((('countryName', 'UK'),), -+ (('commonName', -+ 'codenomicon-vm-2.test.lal.cisco.com'),)), -+ 'subjectAltName': ( -+ ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),), -+ 'version': 3 -+ } -+ ) -+ - def test_parse_cert_CVE_2013_4238(self): - p = ssl._ssl._test_decode_cert(NULLBYTECERT) - if support.verbose: -diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst -new file mode 100644 -index 000000000000..dffe347eec84 ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst -@@ -0,0 +1,3 @@ -+[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did -+not handle CRL distribution points with empty DP or URI correctly. A -+malicious or buggy certificate can result into segfault. -diff --git a/Modules/_ssl.c b/Modules/_ssl.c -index 4e3352d9e661..0e720e268d93 100644 ---- a/Modules/_ssl.c -+++ b/Modules/_ssl.c -@@ -1515,6 +1515,10 @@ _get_crl_dp(X509 *certificate) { - STACK_OF(GENERAL_NAME) *gns; - - dp = sk_DIST_POINT_value(dps, i); -+ if (dp->distpoint == NULL) { -+ /* Ignore empty DP value, CVE-2019-5010 */ -+ continue; -+ } - gns = dp->distpoint->name.fullname; - - for (j=0; j < sk_GENERAL_NAME_num(gns); j++) { diff --git a/00320-CVE-2019-9636.patch b/00320-CVE-2019-9636.patch deleted file mode 100644 index 49967d5..0000000 --- a/00320-CVE-2019-9636.patch +++ /dev/null @@ -1,150 +0,0 @@ -From daad2c482c91de32d8305abbccc76a5de8b3a8be Mon Sep 17 00:00:00 2001 -From: Steve Dower -Date: Thu, 7 Mar 2019 09:08:18 -0800 -Subject: [PATCH] bpo-36216: Add check for characters in netloc that normalize - to separators (GH-12201) - ---- - Doc/library/urllib.parse.rst | 18 +++++++++++++++ - Lib/test/test_urlparse.py | 23 +++++++++++++++++++ - Lib/urllib/parse.py | 17 ++++++++++++++ - .../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst | 3 +++ - 4 files changed, 61 insertions(+) - create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst - -diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst -index 0c8f0f607314..b565e1edd321 100644 ---- a/Doc/library/urllib.parse.rst -+++ b/Doc/library/urllib.parse.rst -@@ -124,6 +124,11 @@ or on combining URL components into a URL string. - Unmatched square brackets in the :attr:`netloc` attribute will raise a - :exc:`ValueError`. - -+ Characters in the :attr:`netloc` attribute that decompose under NFKC -+ normalization (as used by the IDNA encoding) into any of ``/``, ``?``, -+ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is -+ decomposed before parsing, no error will be raised. -+ - .. versionchanged:: 3.2 - Added IPv6 URL parsing capabilities. - -@@ -136,6 +141,10 @@ or on combining URL components into a URL string. - Out-of-range port numbers now raise :exc:`ValueError`, instead of - returning :const:`None`. - -+ .. versionchanged:: 3.7.3 -+ Characters that affect netloc parsing under NFKC normalization will -+ now raise :exc:`ValueError`. -+ - - .. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None) - -@@ -257,10 +266,19 @@ or on combining URL components into a URL string. - Unmatched square brackets in the :attr:`netloc` attribute will raise a - :exc:`ValueError`. - -+ Characters in the :attr:`netloc` attribute that decompose under NFKC -+ normalization (as used by the IDNA encoding) into any of ``/``, ``?``, -+ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is -+ decomposed before parsing, no error will be raised. -+ - .. versionchanged:: 3.6 - Out-of-range port numbers now raise :exc:`ValueError`, instead of - returning :const:`None`. - -+ .. versionchanged:: 3.7.3 -+ Characters that affect netloc parsing under NFKC normalization will -+ now raise :exc:`ValueError`. -+ - - .. function:: urlunsplit(parts) - -diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py -index be50b47603aa..e6638aee2244 100644 ---- a/Lib/test/test_urlparse.py -+++ b/Lib/test/test_urlparse.py -@@ -1,3 +1,5 @@ -+import sys -+import unicodedata - import unittest - import urllib.parse - -@@ -984,6 +986,27 @@ def test_all(self): - expected.append(name) - self.assertCountEqual(urllib.parse.__all__, expected) - -+ def test_urlsplit_normalization(self): -+ # Certain characters should never occur in the netloc, -+ # including under normalization. -+ # Ensure that ALL of them are detected and cause an error -+ illegal_chars = '/:#?@' -+ hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars} -+ denorm_chars = [ -+ c for c in map(chr, range(128, sys.maxunicode)) -+ if (hex_chars & set(unicodedata.decomposition(c).split())) -+ and c not in illegal_chars -+ ] -+ # Sanity check that we found at least one such character -+ self.assertIn('\u2100', denorm_chars) -+ self.assertIn('\uFF03', denorm_chars) -+ -+ for scheme in ["http", "https", "ftp"]: -+ for c in denorm_chars: -+ url = "{}://netloc{}false.netloc/path".format(scheme, c) -+ with self.subTest(url=url, char='{:04X}'.format(ord(c))): -+ with self.assertRaises(ValueError): -+ urllib.parse.urlsplit(url) - - class Utility_Tests(unittest.TestCase): - """Testcase to test the various utility functions in the urllib.""" -diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py -index f691ab74f87f..39c5d6a80824 100644 ---- a/Lib/urllib/parse.py -+++ b/Lib/urllib/parse.py -@@ -391,6 +391,21 @@ def _splitnetloc(url, start=0): - delim = min(delim, wdelim) # use earliest delim position - return url[start:delim], url[delim:] # return (domain, rest) - -+def _checknetloc(netloc): -+ if not netloc or netloc.isascii(): -+ return -+ # looking for characters like \u2100 that expand to 'a/c' -+ # IDNA uses NFKC equivalence, so normalize for this check -+ import unicodedata -+ netloc2 = unicodedata.normalize('NFKC', netloc) -+ if netloc == netloc2: -+ return -+ _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay -+ for c in '/?#@:': -+ if c in netloc2: -+ raise ValueError("netloc '" + netloc2 + "' contains invalid " + -+ "characters under NFKC normalization") -+ - def urlsplit(url, scheme='', allow_fragments=True): - """Parse a URL into 5 components: - :///?# -@@ -419,6 +434,7 @@ def urlsplit(url, scheme='', allow_fragments=True): - url, fragment = url.split('#', 1) - if '?' in url: - url, query = url.split('?', 1) -+ _checknetloc(netloc) - v = SplitResult('http', netloc, url, query, fragment) - _parse_cache[key] = v - return _coerce_result(v) -@@ -442,6 +458,7 @@ def urlsplit(url, scheme='', allow_fragments=True): - url, fragment = url.split('#', 1) - if '?' in url: - url, query = url.split('?', 1) -+ _checknetloc(netloc) - v = SplitResult(scheme, netloc, url, query, fragment) - _parse_cache[key] = v - return _coerce_result(v) -diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst -new file mode 100644 -index 000000000000..5546394157f9 ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst -@@ -0,0 +1,3 @@ -+Changes urlsplit() to raise ValueError when the URL contains characters that -+decompose under IDNA encoding (NFKC-normalization) into characters that -+affect how the URL is parsed. diff --git a/python3.spec b/python3.spec index fa16f24..66ed804 100644 --- a/python3.spec +++ b/python3.spec @@ -13,8 +13,11 @@ URL: https://www.python.org/ # WARNING When rebasing to a new Python version, # remember to update the python3-docs package as well -Version: %{pybasever}.2 -Release: 8%{?dist} +%global general_version %{pybasever}.3 +%global prerel rc1 +%global upstream_version %{general_version}%{?prerel} +Version: %{general_version}%{?prerel:~%{prerel}} +Release: 1%{?dist} License: Python @@ -198,7 +201,7 @@ BuildRequires: python-pip-wheel # Source code and patches # ======================= -Source: https://www.python.org/ftp/python/%{version}/Python-%{version}%{?prerel}.tar.xz +Source: https://www.python.org/ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz # A simple script to check timestamps of bytecode files # Run in check section with Python that is currently being built @@ -300,16 +303,6 @@ Patch274: 00274-fix-arch-names.patch # So we mark the command as unsupported - and the tests are skipped Patch316: 00316-mark-bdist_wininst-unsupported.patch -# 00317 # -# Security fix for CVE-2019-5010: Fix segfault in ssl's cert parser -# Fixed upstream https://bugs.python.org/issue35746 -Patch317: 00317-CVE-2019-5010.patch - -# 00320 # -# Security fix for CVE-2019-9636: Information Disclosure due to urlsplit improper NFKC normalization -# Fixed upstream https://bugs.python.org/issue36216 -Patch320: 00320-CVE-2019-9636.patch - # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -397,8 +390,8 @@ Summary: Python runtime libraries Requires: python-setuptools-wheel Requires: python-pip-wheel %else -Provides: bundled(python3-pip) = 18.1 -Provides: bundled(python3-setuptools) = 40.6.2 +Provides: bundled(python3-pip) = 19.0.3 +Provides: bundled(python3-setuptools) = 40.8.0 %endif # There are files in the standard library that have python shebang. @@ -552,8 +545,8 @@ so extensions for both versions can co-exist in the same directory. Requires: python-setuptools-wheel Requires: python-pip-wheel %else -Provides: bundled(python3-pip) = 18.1 -Provides: bundled(python3-setuptools) = 40.6.2 +Provides: bundled(python3-pip) = 19.0.3 +Provides: bundled(python3-setuptools) = 40.8.0 %endif # The description for the flat package @@ -572,7 +565,7 @@ version once Python %{pybasever} is stable. # ====================================================== %prep -%setup -q -n Python-%{version}%{?prerel} +%setup -q -n Python-%{upstream_version} # Remove all exe files to ensure we are not shipping prebuilt binaries # note that those are only used to create Microsoft Windows installers # and that functionality is broken on Linux anyway @@ -605,8 +598,6 @@ rm Lib/ensurepip/_bundled/*.whl %patch251 -p1 %patch274 -p1 %patch316 -p1 -%patch317 -p1 -%patch320 -p1 # Remove files that should be generated by the build @@ -1527,6 +1518,9 @@ CheckPython optimized # ====================================================== %changelog +* Thu Mar 21 2019 Miro Hrončok - 3.7.3~rc1-1 +- Update to 3.7.3rc1 + * Thu Mar 14 2019 Miro Hrončok - 3.7.2-8 - Security fix for CVE-2019-9636 (#1688543, #1688546) diff --git a/sources b/sources index 64dca46..bf35992 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (Python-3.7.2.tar.xz) = 6cd2d6d8455558783b99d55985cd7b22d67b98f41a09b4fdd96f680a630a4e035220d2b903f8c59ed513aa5ffe6730fa947ddb55bb72ce36f0e945ef8af5d971 +SHA512 (Python-3.7.3rc1.tar.xz) = a0266a414f5a5828587e43e95fad494be2b0ac4563faefc26ef3f36fb19abb8cfe9b845e4ffec7652ac3ce17b7f47d2b89cd2032017d0f607a9fe4a5f08c4da7