PR#41: Fix CVE-2019-10160 (rhbz#1718867) - rpms/python34

rpms / python34

#41 Fix CVE-2019-10160 (rhbz#1718867)

Merged 4 years ago by cstratak. Opened 4 years ago by cstratak.

rpms/ cstratak/python34 f31 into f31

Fix CVE-2019-10160 (rhbz#1718867)

Charalampos Stratakis • 4 years ago

090c8ed

00320-CVE-2019-10160.patch

file added

+42

		`@@ -0,0 +1,42 @@`
		`+ diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py`
		`+ index 77c2007..c6c54b0 100644`
		`+ --- a/Lib/test/test_urlparse.py`
		`+ +++ b/Lib/test/test_urlparse.py`
		`+ @@ -885,6 +885,12 @@ class UrlParseTestCase(unittest.TestCase):`
		`+ self.assertIn('\u2100', denorm_chars)`
		`+ self.assertIn('\uFF03', denorm_chars)`
		`+`
		`+ + # bpo-36742: Verify port separators are ignored when they`
		`+ + # existed prior to decomposition`
		`+ + urllib.parse.urlsplit('http://\u30d5\u309a:80')`
		`+ + with self.assertRaises(ValueError):`
		`+ + urllib.parse.urlsplit('http://\u30d5\u309a\ufe1380')`
		`+ +`
		`+ for scheme in ["http", "https", "ftp"]:`
		`+ for c in denorm_chars:`
		`+ url = "{}://netloc{}false.netloc/path".format(scheme, c)`
		`+ diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py`
		`+ index 243f470..da3a40c 100644`
		`+ --- a/Lib/urllib/parse.py`
		`+ +++ b/Lib/urllib/parse.py`
		`+ @@ -322,13 +322,16 @@ def _checknetloc(netloc):`
		`+ # looking for characters like \u2100 that expand to 'a/c'`
		`+ # IDNA uses NFKC equivalence, so normalize for this check`
		`+ import unicodedata`
		`+ - netloc2 = unicodedata.normalize('NFKC', netloc)`
		`+ - if netloc == netloc2:`
		`+ + n = netloc.rpartition('@')[2] # ignore anything to the left of '@'`
		`+ + n = n.replace(':', '') # ignore characters already included`
		`+ + n = n.replace('#', '') # but not the surrounding text`
		`+ + n = n.replace('?', '')`
		`+ + netloc2 = unicodedata.normalize('NFKC', n)`
		`+ + if n == netloc2:`
		`+ return`
		`+ - _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay`
		`+ for c in '/?#@:':`
		`+ if c in netloc2:`
		`+ - raise ValueError("netloc '" + netloc2 + "' contains invalid " +`
		`+ + raise ValueError("netloc '" + netloc + "' contains invalid " +`
		`+ "characters under NFKC normalization")`
		`+`
		`+ def urlsplit(url, scheme='', allow_fragments=True):`

python34.spec

file modified

+11 -1

		`@@ -113,7 +113,7 @@`
		`#global prerel ...`
		`%global upstream_version %{general_version}%{?prerel}`
		`Version: %{general_version}%{?prerel:~%{prerel}}`
		`- Release: 4%{?dist}`
		`+ Release: 5%{?dist}`
		`License: Python`

		`# Whether to use RPM build wheels from the python-{pip,setuptools}-wheel package`
		`@@ -510,6 +510,12 @@`
		`# https://bugzilla.redhat.com/show_bug.cgi?id=1652843`
		`Patch315: 00315-test_email-mktime.patch`

		`+ # 00320 #`
		`+ # Security fix for CVE-2019-10160: Information Disclosure due to urlsplit improper NFKC normalization`
		`+ # Fixed upstream for later branches: https://bugs.python.org/issue36742`
		`+ # Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1718867`
		`+ Patch320: 00320-CVE-2019-10160.patch`
		`+`
		`# 00321 #`
		`# OpenSSL 1.1.1 support for Python 3.4`
		`# https://bugzilla.redhat.com/show_bug.cgi?id=1685612`
		`@@ -686,6 +692,7 @@`
		`%patch273 -p1`
		`%patch290 -p1`
		`%patch315 -p1`
		`+ %patch320 -p1`
		`%patch321 -p1`
		`%patch322 -p1`

		`@@ -1225,6 +1232,9 @@`
		`# ======================================================`

		`%changelog`
		`+ * Thu Sep 05 2019 Charalampos Stratakis <cstratak@redhat.com> - 3.4.10-5`
		`+ - Fix CVE-2019-10160 (rhbz#1718867)`
		`+`
		`* Sat Aug 10 2019 Miro Hrončok <mhroncok@redhat.com> - 3.4.10-4`
		`- Build against OpenSSL 1.1.x, not 1.0.x`