From 13fbcf0a6d6eb0797913fc88a8655b476b688ed4 Mon Sep 17 00:00:00 2001 From: Carl George Date: Oct 04 2019 00:37:06 +0000 Subject: [PATCH 1/3] Obsolete IUS python34u packages The IUS repository previously maintained a python34u package. Python 3.4 is EOL upstream, meaning IUS pacakges will be retired soon. As a coordinated effort, obsolete it here to transition users to the EPEL package. https://github.com/iusrepo/packaging/issues/7 --- diff --git a/python34.spec b/python34.spec index cf4c5f9..103b503 100644 --- a/python34.spec +++ b/python34.spec @@ -153,7 +153,7 @@ Summary: Version 3 of the Python programming language aka Python 3000 Name: python%{pyshortver} Version: %{pybasever}.10 -Release: 2%{?dist} +Release: 4%{?dist} License: Python @@ -545,6 +545,16 @@ Provides: bundled(python%{pyshortver}-pip) = 9.0.1 Provides: bundled(python%{pyshortver}-setuptools) = 28.8.0 %endif +# The IUS repository previously maintained a python34u package. Python 3.4 is +# EOL upstream, meaning IUS pacakges will be retired soon. As a coordinated +# effort, obsolete it here to transition users to the EPEL package. See this +# issue for more details: +# https://github.com/iusrepo/packaging/issues/7 +Provides: python34u = %{version}-%{release} +Provides: python34u%{?_isa} = %{version}-%{release} +Obsoletes: python34u < 3.4.8-2 + + %description Python 3 is a new version of the language that is incompatible with the 2.x line of releases. The language is mostly the same, but many details, especially @@ -566,6 +576,12 @@ Requires: expat >= 2.0.1-11.el6_2 Requires: expat >= 2.1.0 %endif +# Obsolete IUS package +Provides: python34u-libs = %{version}-%{release} +Provides: python34u-libs%{?_isa} = %{version}-%{release} +Obsoletes: python34u-libs < 3.4.8-2 + + %description libs This package contains files used to embed Python 3 into applications. @@ -581,6 +597,12 @@ Requires: python3-other-rpm-macros %endif Conflicts: %{name} < %{version}-%{release} +# Obsolete IUS package +Provides: python34u-devel = %{version}-%{release} +Provides: python34u-devel%{?_isa} = %{version}-%{release} +Obsoletes: python34u-devel < 3.4.8-2 + + %description devel This package contains libraries and header files used to build applications with and native libraries for Python 3 @@ -590,6 +612,12 @@ Summary: A collection of tools included with Python 3 Requires: %{name} = %{version}-%{release} Requires: %{name}-tkinter = %{version}-%{release} +# Obsolete IUS package +Provides: python34u-tools = %{version}-%{release} +Provides: python34u-tools%{?_isa} = %{version}-%{release} +Obsoletes: python34u-tools < 3.4.8-2 + + %description tools This package contains several tools included with Python 3 @@ -597,6 +625,12 @@ This package contains several tools included with Python 3 Summary: A GUI toolkit for Python 3 Requires: %{name} = %{version}-%{release} +# Obsolete IUS package +Provides: python34u-tkinter = %{version}-%{release} +Provides: python34u-tkinter%{?_isa} = %{version}-%{release} +Obsoletes: python34u-tkinter < 3.4.8-2 + + %description tkinter The Tkinter (Tk interface) program is an graphical user interface for the Python scripting language. @@ -606,6 +640,12 @@ Summary: The test modules from the main python 3 package Requires: %{name} = %{version}-%{release} Requires: %{name}-tools = %{version}-%{release} +# Obsolete IUS package +Provides: python34u-test = %{version}-%{release} +Provides: python34u-test%{?_isa} = %{version}-%{release} +Obsoletes: python34u-test < 3.4.8-2 + + %description test The test modules from the main %{name} package. These are in a separate package to save space, as they are almost never used @@ -628,6 +668,12 @@ Requires: %{name}-test%{?_isa} = %{version}-%{release} Requires: %{name}-tkinter%{?_isa} = %{version}-%{release} Requires: %{name}-tools%{?_isa} = %{version}-%{release} +# Obsolete IUS package +Provides: python34u-debug = %{version}-%{release} +Provides: python34u-debug%{?_isa} = %{version}-%{release} +Obsoletes: python34u-debug < 3.4.8-2 + + %description debug python%{pyshortver}-debug provides a version of the Python 3 runtime with numerous debugging features enabled, aimed at advanced Python users, such as developers of Python @@ -1688,6 +1734,9 @@ CheckPython optimized # ====================================================== %changelog +* Thu Oct 03 2019 Carl George - 3.4.10-4 +- Obsolete IUS python34u packages + * Tue Apr 30 2019 Miro Hrončok - 3.4.10-2 - Require python3-other-rpm-macros instead of python3-rpm-macros From 608809bc9014692a5998078acf8b197cb49e4e1c Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Oct 04 2019 00:37:16 +0000 Subject: [PATCH 2/3] Fix CVE-2019-10160 (rhbz#1718867) --- diff --git a/00320-CVE-2019-10160.patch b/00320-CVE-2019-10160.patch new file mode 100644 index 0000000..cf7d5db --- /dev/null +++ b/00320-CVE-2019-10160.patch @@ -0,0 +1,42 @@ +diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py +index 77c2007..c6c54b0 100644 +--- a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -885,6 +885,12 @@ class UrlParseTestCase(unittest.TestCase): + self.assertIn('\u2100', denorm_chars) + self.assertIn('\uFF03', denorm_chars) + ++ # bpo-36742: Verify port separators are ignored when they ++ # existed prior to decomposition ++ urllib.parse.urlsplit('http://\u30d5\u309a:80') ++ with self.assertRaises(ValueError): ++ urllib.parse.urlsplit('http://\u30d5\u309a\ufe1380') ++ + for scheme in ["http", "https", "ftp"]: + for c in denorm_chars: + url = "{}://netloc{}false.netloc/path".format(scheme, c) +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py +index 243f470..da3a40c 100644 +--- a/Lib/urllib/parse.py ++++ b/Lib/urllib/parse.py +@@ -322,13 +322,16 @@ def _checknetloc(netloc): + # looking for characters like \u2100 that expand to 'a/c' + # IDNA uses NFKC equivalence, so normalize for this check + import unicodedata +- netloc2 = unicodedata.normalize('NFKC', netloc) +- if netloc == netloc2: ++ n = netloc.rpartition('@')[2] # ignore anything to the left of '@' ++ n = n.replace(':', '') # ignore characters already included ++ n = n.replace('#', '') # but not the surrounding text ++ n = n.replace('?', '') ++ netloc2 = unicodedata.normalize('NFKC', n) ++ if n == netloc2: + return +- _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay + for c in '/?#@:': + if c in netloc2: +- raise ValueError("netloc '" + netloc2 + "' contains invalid " + ++ raise ValueError("netloc '" + netloc + "' contains invalid " + + "characters under NFKC normalization") + + def urlsplit(url, scheme='', allow_fragments=True): diff --git a/python34.spec b/python34.spec index 103b503..e460f17 100644 --- a/python34.spec +++ b/python34.spec @@ -509,6 +509,12 @@ Patch203: 00203-disable-threading-test-koji.patch # but the LIBPL variable defined there doesn't respect libdir macro Patch205: 00205-make-libpl-respect-lib64.patch +# 00320 # +# Security fix for CVE-2019-10160: Information Disclosure due to urlsplit improper NFKC normalization +# Fixed upstream for later branches: https://bugs.python.org/issue36742 +# Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1718867 +Patch320: 00320-CVE-2019-10160.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -799,6 +805,7 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en %patch196 -p1 %patch203 -p1 %patch205 -p1 +%patch320 -p1 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there # are many differences between 2.6 and the Python 3 library. @@ -1736,6 +1743,7 @@ CheckPython optimized %changelog * Thu Oct 03 2019 Carl George - 3.4.10-4 - Obsolete IUS python34u packages +- Fix CVE-2019-10160 (rhbz#1718867) * Tue Apr 30 2019 Miro Hrončok - 3.4.10-2 - Require python3-other-rpm-macros instead of python3-rpm-macros From e226b559602b18339a2ab8206b06444309519a13 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Oct 04 2019 00:37:16 +0000 Subject: [PATCH 3/3] Fix CVE-2019-16056 (rhbz#1750457) --- diff --git a/00332-CVE-2019-16056.patch b/00332-CVE-2019-16056.patch new file mode 100644 index 0000000..4e3cd12 --- /dev/null +++ b/00332-CVE-2019-16056.patch @@ -0,0 +1,95 @@ +diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py +index 37a9fbcbb67d..facc208fde12 100644 +--- a/Lib/email/_header_value_parser.py ++++ b/Lib/email/_header_value_parser.py +@@ -1964,6 +1964,8 @@ def get_domain(value): + token, value = get_dot_atom(value) + except errors.HeaderParseError: + token, value = get_atom(value) ++ if value and value[0] == '@': ++ raise errors.HeaderParseError('Invalid Domain') + if leader is not None: + token[:0] = [leader] + domain.append(token) +diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py +index cdfa3729adc7..41ff6f8c000d 100644 +--- a/Lib/email/_parseaddr.py ++++ b/Lib/email/_parseaddr.py +@@ -379,7 +379,12 @@ def getaddrspec(self): + aslist.append('@') + self.pos += 1 + self.gotonext() +- return EMPTYSTRING.join(aslist) + self.getdomain() ++ domain = self.getdomain() ++ if not domain: ++ # Invalid domain, return an empty address instead of returning a ++ # local part to denote failed parsing. ++ return EMPTYSTRING ++ return EMPTYSTRING.join(aslist) + domain + + def getdomain(self): + """Get the complete domain name from an address.""" +@@ -394,6 +399,10 @@ def getdomain(self): + elif self.field[self.pos] == '.': + self.pos += 1 + sdlist.append('.') ++ elif self.field[self.pos] == '@': ++ # bpo-34155: Don't parse domains with two `@` like ++ # `a@malicious.org@important.com`. ++ return EMPTYSTRING + elif self.field[self.pos] in self.atomends: + break + else: +diff --git a/Lib/test/test_email/test__header_value_parser.py b/Lib/test/test_email/test__header_value_parser.py +index b1e7dff2405d..8ae617a6bd58 100644 +--- a/Lib/test/test_email/test__header_value_parser.py ++++ b/Lib/test/test_email/test__header_value_parser.py +@@ -1418,6 +1418,16 @@ def test_get_addr_spec_dot_atom(self): + self.assertEqual(addr_spec.domain, 'example.com') + self.assertEqual(addr_spec.addr_spec, 'star.a.star@example.com') + ++ def test_get_addr_spec_multiple_domains(self): ++ with self.assertRaises(errors.HeaderParseError): ++ parser.get_addr_spec('star@a.star@example.com') ++ ++ with self.assertRaises(errors.HeaderParseError): ++ parser.get_addr_spec('star@a@example.com') ++ ++ with self.assertRaises(errors.HeaderParseError): ++ parser.get_addr_spec('star@172.17.0.1@example.com') ++ + # get_obs_route + + def test_get_obs_route_simple(self): +diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py +index 9b86a2aee9ac..d4c3447e63d0 100644 +--- a/Lib/test/test_email/test_email.py ++++ b/Lib/test/test_email/test_email.py +@@ -3015,6 +3015,20 @@ def test_parseaddr_empty(self): + self.assertEqual(utils.parseaddr('<>'), ('', '')) + self.assertEqual(utils.formataddr(utils.parseaddr('<>')), '') + ++ def test_parseaddr_multiple_domains(self): ++ self.assertEqual( ++ utils.parseaddr('a@b@c'), ++ ('', '') ++ ) ++ self.assertEqual( ++ utils.parseaddr('a@b.c@c'), ++ ('', '') ++ ) ++ self.assertEqual( ++ utils.parseaddr('a@172.17.0.1@c'), ++ ('', '') ++ ) ++ + def test_noquote_dump(self): + self.assertEqual( + utils.formataddr(('A Silly Person', 'person@dom.ain')), +diff --git a/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst +new file mode 100644 +index 000000000000..50292e29ed1d +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst +@@ -0,0 +1 @@ ++Fix parsing of invalid email addresses with more than one ``@`` (e.g. a@b@c.com.) to not return the part before 2nd ``@`` as valid email address. Patch by maxking & jpic. diff --git a/python34.spec b/python34.spec index e460f17..41c935d 100644 --- a/python34.spec +++ b/python34.spec @@ -515,6 +515,14 @@ Patch205: 00205-make-libpl-respect-lib64.patch # Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1718867 Patch320: 00320-CVE-2019-10160.patch +# 00332 # +# Fix CVE-2019-16056: Don't parse email addresses containing +# multiple '@' characters. +# Fixed upstream and backported from the 3.5 branch: +# https://bugs.python.org/issue34155 +# Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1750457 +Patch332: 00332-CVE-2019-16056.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -806,6 +814,7 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en %patch203 -p1 %patch205 -p1 %patch320 -p1 +%patch332 -p1 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there # are many differences between 2.6 and the Python 3 library. @@ -1744,6 +1753,7 @@ CheckPython optimized * Thu Oct 03 2019 Carl George - 3.4.10-4 - Obsolete IUS python34u packages - Fix CVE-2019-10160 (rhbz#1718867) +- Fix CVE-2019-16056 (rhbz#1750457) * Tue Apr 30 2019 Miro Hrončok - 3.4.10-2 - Require python3-other-rpm-macros instead of python3-rpm-macros