#48 Obsolete python34u and backport Fedora CVE fixes
Merged 4 years ago by carlwgeorge. Opened 4 years ago by carlwgeorge.
rpms/ carlwgeorge/python34 rhbz1750764  into  epel7

@@ -0,0 +1,42 @@ 

+ diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py

+ index 77c2007..c6c54b0 100644

+ --- a/Lib/test/test_urlparse.py

+ +++ b/Lib/test/test_urlparse.py

+ @@ -885,6 +885,12 @@ class UrlParseTestCase(unittest.TestCase):

+          self.assertIn('\u2100', denorm_chars)

+          self.assertIn('\uFF03', denorm_chars)

+  

+ +        # bpo-36742: Verify port separators are ignored when they

+ +        # existed prior to decomposition

+ +        urllib.parse.urlsplit('http://\u30d5\u309a:80')

+ +        with self.assertRaises(ValueError):

+ +            urllib.parse.urlsplit('http://\u30d5\u309a\ufe1380')

+ +

+          for scheme in ["http", "https", "ftp"]:

+              for c in denorm_chars:

+                  url = "{}://netloc{}false.netloc/path".format(scheme, c)

+ diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py

+ index 243f470..da3a40c 100644

+ --- a/Lib/urllib/parse.py

+ +++ b/Lib/urllib/parse.py

+ @@ -322,13 +322,16 @@ def _checknetloc(netloc):

+      # looking for characters like \u2100 that expand to 'a/c'

+      # IDNA uses NFKC equivalence, so normalize for this check

+      import unicodedata

+ -    netloc2 = unicodedata.normalize('NFKC', netloc)

+ -    if netloc == netloc2:

+ +    n = netloc.rpartition('@')[2] # ignore anything to the left of '@'

+ +    n = n.replace(':', '')        # ignore characters already included

+ +    n = n.replace('#', '')        # but not the surrounding text

+ +    n = n.replace('?', '')

+ +    netloc2 = unicodedata.normalize('NFKC', n)

+ +    if n == netloc2:

+          return

+ -    _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay

+      for c in '/?#@:':

+          if c in netloc2:

+ -            raise ValueError("netloc '" + netloc2 + "' contains invalid " +

+ +            raise ValueError("netloc '" + netloc + "' contains invalid " +

+                               "characters under NFKC normalization")

+  

+  def urlsplit(url, scheme='', allow_fragments=True):
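Review bot: The `raise ValueError("netloc '" + netloc + "' contains invalid " +` line on the new side reports the complete original netloc, so any userinfo before the '@' — which the new `n = netloc.rpartition('@')[2]` line deliberately excludes from the check — is echoed into the exception text and from there into whatever tracebacks or logs capture it. The pre-change line had the same property (it reported the NFKC form of the full netloc), and this mirrors the upstream fix, so keeping the backport byte-identical to upstream is a defensible choice; if diverging is acceptable, reporting `n` instead of `netloc` in the message would keep credentials out of it. `_checknetloc` begins outside the hunk, and the test hunk earlier in this file exercises the new behaviour only through `urlsplit`, which is sufficient since that is the only caller shown.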

@@ -0,0 +1,95 @@ 

+ diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py

+ index 37a9fbcbb67d..facc208fde12 100644

+ --- a/Lib/email/_header_value_parser.py

+ +++ b/Lib/email/_header_value_parser.py

+ @@ -1964,6 +1964,8 @@ def get_domain(value):

+          token, value = get_dot_atom(value)

+      except errors.HeaderParseError:

+          token, value = get_atom(value)

+ +    if value and value[0] == '@':

+ +        raise errors.HeaderParseError('Invalid Domain')

+      if leader is not None:

+          token[:0] = [leader]

+      domain.append(token)

+ diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py

+ index cdfa3729adc7..41ff6f8c000d 100644

+ --- a/Lib/email/_parseaddr.py

+ +++ b/Lib/email/_parseaddr.py

+ @@ -379,7 +379,12 @@ def getaddrspec(self):

+          aslist.append('@')

+          self.pos += 1

+          self.gotonext()

+ -        return EMPTYSTRING.join(aslist) + self.getdomain()

+ +        domain = self.getdomain()

+ +        if not domain:

+ +            # Invalid domain, return an empty address instead of returning a

+ +            # local part to denote failed parsing.

+ +            return EMPTYSTRING

+ +        return EMPTYSTRING.join(aslist) + domain

+  

+      def getdomain(self):

+          """Get the complete domain name from an address."""

+ @@ -394,6 +399,10 @@ def getdomain(self):

+              elif self.field[self.pos] == '.':

+                  self.pos += 1

+                  sdlist.append('.')

+ +            elif self.field[self.pos] == '@':

+ +                # bpo-34155: Don't parse domains with two `@` like

+ +                # `a@malicious.org@important.com`.

+ +                return EMPTYSTRING

+              elif self.field[self.pos] in self.atomends:

+                  break

+              else:

+ diff --git a/Lib/test/test_email/test__header_value_parser.py b/Lib/test/test_email/test__header_value_parser.py

+ index b1e7dff2405d..8ae617a6bd58 100644

+ --- a/Lib/test/test_email/test__header_value_parser.py

+ +++ b/Lib/test/test_email/test__header_value_parser.py

+ @@ -1418,6 +1418,16 @@ def test_get_addr_spec_dot_atom(self):

+          self.assertEqual(addr_spec.domain, 'example.com')

+          self.assertEqual(addr_spec.addr_spec, 'star.a.star@example.com')

+  

+ +    def test_get_addr_spec_multiple_domains(self):

+ +        with self.assertRaises(errors.HeaderParseError):

+ +            parser.get_addr_spec('star@a.star@example.com')

+ +

+ +        with self.assertRaises(errors.HeaderParseError):

+ +            parser.get_addr_spec('star@a@example.com')

+ +

+ +        with self.assertRaises(errors.HeaderParseError):

+ +            parser.get_addr_spec('star@172.17.0.1@example.com')

+ +

+      # get_obs_route

+  

+      def test_get_obs_route_simple(self):

+ diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py

+ index 9b86a2aee9ac..d4c3447e63d0 100644

+ --- a/Lib/test/test_email/test_email.py

+ +++ b/Lib/test/test_email/test_email.py

+ @@ -3015,6 +3015,20 @@ def test_parseaddr_empty(self):

+          self.assertEqual(utils.parseaddr('<>'), ('', ''))

+          self.assertEqual(utils.formataddr(utils.parseaddr('<>')), '')

+  

+ +    def test_parseaddr_multiple_domains(self):

+ +        self.assertEqual(

+ +            utils.parseaddr('a@b@c'),

+ +            ('', '')

+ +        )

+ +        self.assertEqual(

+ +            utils.parseaddr('a@b.c@c'),

+ +            ('', '')

+ +        )

+ +        self.assertEqual(

+ +            utils.parseaddr('a@172.17.0.1@c'),

+ +            ('', '')

+ +        )

+ +

+      def test_noquote_dump(self):

+          self.assertEqual(

+              utils.formataddr(('A Silly Person', 'person@dom.ain')),

+ diff --git a/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst

+ new file mode 100644

+ index 000000000000..50292e29ed1d

+ --- /dev/null

+ +++ b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst

+ @@ -0,0 +1 @@

+ +Fix parsing of invalid email addresses with more than one ``@`` (e.g. a@b@c.com.) to not return the part before 2nd ``@`` as valid email address. Patch by maxking & jpic.
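Review bot: The guard `if not domain:` / `return EMPTYSTRING` added to `getaddrspec` discards the local part for every input where `getdomain()` comes back empty, not only for the two-`@` input that the new `elif self.field[self.pos] == '@':` branch returns empty for, so an address with a trailing `@` and no domain at all also changes from yielding its local part to yielding an empty string. The added `test_parseaddr_multiple_domains` and `test_get_addr_spec_multiple_domains` cases pin only the multi-`@` inputs; a case for a bare trailing `@` would document that this wider effect is intended (take the expected tuple from the patched parser rather than guessing it). The loop in `getdomain` that the second `_parseaddr.py` hunk extends starts outside the hunk. The patch also creates `Misc/NEWS.d/next/Security/…bpo-34155….rst`; whether the 3.4 tree this is applied to has a `Misc/NEWS.d` directory is not visible here, and if it does not, that part of the backport is harmless but dead weight.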

file modified
+68 -1
@@ -153,7 +153,7 @@ 

  Summary: Version 3 of the Python programming language aka Python 3000

  Name: python%{pyshortver}

  Version: %{pybasever}.10

- Release: 2%{?dist}

+ Release: 4%{?dist}

  License: Python

  

  
@@ -509,6 +509,20 @@ 

  # but the LIBPL variable defined there doesn't respect libdir macro

  Patch205: 00205-make-libpl-respect-lib64.patch

  

+ # 00320 #

+ # Security fix for CVE-2019-10160: Information Disclosure due to urlsplit improper NFKC normalization

+ # Fixed upstream for later branches: https://bugs.python.org/issue36742

+ # Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1718867

+ Patch320: 00320-CVE-2019-10160.patch

+ 

+ # 00332 #

+ # Fix CVE-2019-16056: Don't parse email addresses containing

+ # multiple '@' characters.

+ # Fixed upstream and backported from the 3.5 branch:

+ # https://bugs.python.org/issue34155

+ # Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1750457

+ Patch332: 00332-CVE-2019-16056.patch

+ 

  # (New patches go here ^^^)

  #

  # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -545,6 +559,16 @@ 

  Provides: bundled(python%{pyshortver}-setuptools) = 28.8.0

  %endif

  

+ # The IUS repository previously maintained a python34u package.  Python 3.4 is

+ # EOL upstream, meaning IUS pacakges will be retired soon.  As a coordinated

+ # effort, obsolete it here to transition users to the EPEL package.  See this

+ # issue for more details:

+ # https://github.com/iusrepo/packaging/issues/7

+ Provides: python34u = %{version}-%{release}

+ Provides: python34u%{?_isa} = %{version}-%{release}

+ Obsoletes: python34u < 3.4.8-2

The latest IUS version is 3.4.10-3. Is this the latest IUS version that was named including the "u"?

+ 

+ 

  %description

  Python 3 is a new version of the language that is incompatible with the 2.x

  line of releases. The language is mostly the same, but many details, especially
@@ -566,6 +590,12 @@ 

  Requires: expat >= 2.1.0

  %endif

  

+ # Obsolete IUS package

+ Provides: python34u-libs = %{version}-%{release}

+ Provides: python34u-libs%{?_isa} = %{version}-%{release}

+ Obsoletes: python34u-libs < 3.4.8-2

+ 

+ 

  %description libs

  This package contains files used to embed Python 3 into applications.

  
@@ -581,6 +611,12 @@ 

  %endif

  Conflicts: %{name} < %{version}-%{release}

  

+ # Obsolete IUS package

+ Provides: python34u-devel = %{version}-%{release}

+ Provides: python34u-devel%{?_isa} = %{version}-%{release}

+ Obsoletes: python34u-devel < 3.4.8-2

+ 

+ 

  %description devel

  This package contains libraries and header files used to build applications

  with and native libraries for Python 3
@@ -590,6 +626,12 @@ 

  Requires: %{name} = %{version}-%{release}

  Requires: %{name}-tkinter = %{version}-%{release}

  

+ # Obsolete IUS package

+ Provides: python34u-tools = %{version}-%{release}

+ Provides: python34u-tools%{?_isa} = %{version}-%{release}

+ Obsoletes: python34u-tools < 3.4.8-2

+ 

+ 

  %description tools

  This package contains several tools included with Python 3

  
@@ -597,6 +639,12 @@ 

  Summary: A GUI toolkit for Python 3

  Requires: %{name} = %{version}-%{release}

  

+ # Obsolete IUS package

+ Provides: python34u-tkinter = %{version}-%{release}

+ Provides: python34u-tkinter%{?_isa} = %{version}-%{release}

+ Obsoletes: python34u-tkinter < 3.4.8-2

+ 

+ 

  %description tkinter

  The Tkinter (Tk interface) program is an graphical user interface for

  the Python scripting language.
@@ -606,6 +654,12 @@ 

  Requires: %{name} = %{version}-%{release}

  Requires: %{name}-tools = %{version}-%{release}

  

+ # Obsolete IUS package

+ Provides: python34u-test = %{version}-%{release}

+ Provides: python34u-test%{?_isa} = %{version}-%{release}

+ Obsoletes: python34u-test < 3.4.8-2

+ 

+ 

  %description test

  The test modules from the main %{name} package.

  These are in a separate package to save space, as they are almost never used
@@ -628,6 +682,12 @@ 

  Requires: %{name}-tkinter%{?_isa} = %{version}-%{release}

  Requires: %{name}-tools%{?_isa} = %{version}-%{release}

  

+ # Obsolete IUS package

+ Provides: python34u-debug = %{version}-%{release}

+ Provides: python34u-debug%{?_isa} = %{version}-%{release}

+ Obsoletes: python34u-debug < 3.4.8-2

+ 

+ 

  %description debug

  python%{pyshortver}-debug provides a version of the Python 3 runtime with numerous debugging

  features enabled, aimed at advanced Python users, such as developers of Python
@@ -753,6 +813,8 @@ 

  %patch196 -p1

  %patch203 -p1

  %patch205 -p1

+ %patch320 -p1

+ %patch332 -p1

  

  # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there

  # are many differences between 2.6 and the Python 3 library.
@@ -1688,6 +1750,11 @@ 

  # ======================================================

  

  %changelog

+ * Thu Oct 03 2019 Carl George <carl@george.computer> - 3.4.10-4

+ - Obsolete IUS python34u packages

+ - Fix CVE-2019-10160 (rhbz#1718867)

+ - Fix CVE-2019-16056 (rhbz#1750457)

+ 

  * Tue Apr 30 2019 Miro Hrončok <mhroncok@redhat.com> - 3.4.10-2

  - Require python3-other-rpm-macros instead of python3-rpm-macros

  
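Review bot: The comment block for Patch320 (`# Fixed upstream for later branches: https://bugs.python.org/issue36742`) does not record which upstream branch or commit the backported 00320 patch was taken from, whereas the Patch332 block does (`# Fixed upstream and backported from the 3.5 branch:`); recording the origin for 00320 the same way lets the next rebase or CVE audit verify the patch against upstream without a manual diff. The `# Obsolete IUS package` Provides/Obsoletes triple is repeated verbatim for seven subpackages with the same literal bound; defining that bound once as a macro near the top (for example a constructed `%global python34u_obsolete_ver 3.4.8-2`) and referencing it in each `Obsoletes:` line would keep it in a single place if it ever has to change. In the python34u comment, the line `# EOL upstream, meaning IUS pacakges will be retired soon.  As a coordinated` has a typo: `pacakges` should read `packages`.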

Also resolves rhbz#1750764.

The latest IUS version is 3.4.10-3. Is this the latest IUS version that was named including the "u"?

Looks good! Ship at will.

Thanks for the PR. Looks good to me as well.

Pull-Request has been merged by carlwgeorge

4 years ago