#32 F29: Update to 3.6.9 (cherry-picked)
Merged 2 months ago by churchyard. Opened 2 months ago by churchyard.
rpms/ churchyard/python36 f29-3.6.9  into  f29

@@ -1,5 +1,5 @@ 

  diff --git a/Lib/ssl.py b/Lib/ssl.py

- index 1f3a31a..b54a684 100644

+ index 58d3e93..0114387 100644

  --- a/Lib/ssl.py

  +++ b/Lib/ssl.py

  @@ -116,6 +116,7 @@ except ImportError:

@@ -79,18 +79,18 @@ 

       if cafile or capath or cadata:

           context.load_verify_locations(cafile, capath, cadata)

  diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py

- index 9785a59..34a7ec2 100644

+ index 74adebc..510bb09 100644

  --- a/Lib/test/test_ssl.py

  +++ b/Lib/test/test_ssl.py

- @@ -18,6 +18,7 @@ import asyncore

-  import weakref

+ @@ -19,6 +19,7 @@ import weakref

   import platform

+  import re

   import functools

  +import sysconfig

   try:

       import ctypes

   except ImportError:

- @@ -36,7 +37,7 @@ PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)

+ @@ -37,7 +38,7 @@ PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)

   HOST = support.HOST

   IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL')

   IS_OPENSSL_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0)

@@ -99,7 +99,7 @@ 

   

   def data_file(*name):

       return os.path.join(os.path.dirname(__file__), *name)

- @@ -889,6 +890,19 @@ class ContextTests(unittest.TestCase):

+ @@ -952,6 +953,19 @@ class ContextTests(unittest.TestCase):

           with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):

               ctx.set_ciphers("^$:,;?*'dorothyx")

   

@@ -120,10 +120,10 @@ 

       def test_get_ciphers(self):

           ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

  diff --git a/Modules/_ssl.c b/Modules/_ssl.c

- index 5e007da..130f006 100644

+ index 7365630..ec366f0 100644

  --- a/Modules/_ssl.c

  +++ b/Modules/_ssl.c

- @@ -237,6 +237,31 @@ SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s)

+ @@ -238,6 +238,31 @@ SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s)

   

   #endif /* OpenSSL < 1.1.0 or LibreSSL < 2.7.0 */

   

@@ -155,7 +155,7 @@ 

   

   enum py_ssl_error {

       /* these mirror ssl.h */

- @@ -2803,7 +2828,12 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)

+ @@ -2861,7 +2886,12 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)

       /* A bare minimum cipher list without completely broken cipher suites.

        * It's far from perfect but gives users a better head start. */

       if (proto_version != PY_SSL_VERSION_SSL2) {

@@ -169,7 +169,7 @@ 

       } else {

           /* SSLv2 needs MD5 */

           result = SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL");

- @@ -5343,6 +5373,9 @@ PyInit__ssl(void)

+ @@ -5457,6 +5487,9 @@ PyInit__ssl(void)

                                (PyObject *)&PySSLSession_Type) != 0)

           return NULL;

   

@@ -180,10 +180,10 @@ 

                               PY_SSL_ERROR_ZERO_RETURN);

       PyModule_AddIntConstant(m, "SSL_ERROR_WANT_READ",

  diff --git a/configure.ac b/configure.ac

- index 3703701..2eff514 100644

+ index f986875..c071ec3 100644

  --- a/configure.ac

  +++ b/configure.ac

- @@ -5598,6 +5598,42 @@ if test "$have_getrandom" = yes; then

+ @@ -5663,6 +5663,42 @@ if test "$have_getrandom" = yes; then

                 [Define to 1 if the getrandom() function is available])

   fi

   

file removed
-111

@@ -1,111 +0,0 @@ 

- From c660debb97f4f422255a82fef2d77804552c043a Mon Sep 17 00:00:00 2001

- From: Christian Heimes <christian@python.org>

- Date: Tue, 15 Jan 2019 18:16:30 +0100

- Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser

- 

- CVE-2019-5010, Fix a NULL pointer deref in ssl module. The cert parser did

- not handle CRL distribution points with empty DP or URI correctly. A

- malicious or buggy certificate can result into segfault.

- 

- Signed-off-by: Christian Heimes <christian@python.org>

- ---

-  Lib/test/talos-2019-0758.pem                  | 22 +++++++++++++++++++

-  Lib/test/test_ssl.py                          | 22 +++++++++++++++++++

-  .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst  |  3 +++

-  Modules/_ssl.c                                |  4 ++++

-  4 files changed, 51 insertions(+)

-  create mode 100644 Lib/test/talos-2019-0758.pem

-  create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst

- 

- diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem

- new file mode 100644

- index 000000000000..13b95a77fd8a

- --- /dev/null

- +++ b/Lib/test/talos-2019-0758.pem

- @@ -0,0 +1,22 @@

- +-----BEGIN CERTIFICATE-----

- +MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO

- +BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7

- +MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh

- +bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB

- +J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES

- +V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD

- +5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C

- +1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP

- +WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF

- +j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp

- +HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io

- +UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7

- +2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu

- +bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG

- +SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p

- +t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr

- +t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit

- +p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV

- +Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+

- +10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA==

- +-----END CERTIFICATE-----

- diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py

- index 7f6b93148f45..1fc657f4d867 100644

- --- a/Lib/test/test_ssl.py

- +++ b/Lib/test/test_ssl.py

- @@ -115,6 +115,7 @@ def data_file(*name):

-  BADKEY = data_file("badkey.pem")

-  NOKIACERT = data_file("nokia.pem")

-  NULLBYTECERT = data_file("nullbytecert.pem")

- +TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")

-  

-  DHFILE = data_file("ffdh3072.pem")

-  BYTES_DHFILE = os.fsencode(DHFILE)

- @@ -348,6 +349,27 @@ def test_parse_cert(self):

-          self.assertEqual(p['crlDistributionPoints'],

-                           ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))

-  

- +    def test_parse_cert_CVE_2019_5010(self):

- +        p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)

- +        if support.verbose:

- +            sys.stdout.write("\n" + pprint.pformat(p) + "\n")

- +        self.assertEqual(

- +            p,

- +            {

- +                'issuer': (

- +                    (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),

- +                'notAfter': 'Jun 14 18:00:58 2028 GMT',

- +                'notBefore': 'Jun 18 18:00:58 2018 GMT',

- +                'serialNumber': '02',

- +                'subject': ((('countryName', 'UK'),),

- +                            (('commonName',

- +                              'codenomicon-vm-2.test.lal.cisco.com'),)),

- +                'subjectAltName': (

- +                    ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),

- +                'version': 3

- +            }

- +        )

- +

-      def test_parse_cert_CVE_2013_4238(self):

-          p = ssl._ssl._test_decode_cert(NULLBYTECERT)

-          if support.verbose:

- diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst

- new file mode 100644

- index 000000000000..dffe347eec84

- --- /dev/null

- +++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst

- @@ -0,0 +1,3 @@

- +[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did

- +not handle CRL distribution points with empty DP or URI correctly. A

- +malicious or buggy certificate can result into segfault.

- diff --git a/Modules/_ssl.c b/Modules/_ssl.c

- index 4e3352d9e661..0e720e268d93 100644

- --- a/Modules/_ssl.c

- +++ b/Modules/_ssl.c

- @@ -1515,6 +1515,10 @@ _get_crl_dp(X509 *certificate) {

-          STACK_OF(GENERAL_NAME) *gns;

-  

-          dp = sk_DIST_POINT_value(dps, i);

- +        if (dp->distpoint == NULL) {

- +            /* Ignore empty DP value, CVE-2019-5010 */

- +            continue;

- +        }

-          gns = dp->distpoint->name.fullname;

-  

-          for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {

file modified
+5 -8

@@ -13,8 +13,8 @@ 

  

  #  WARNING  When rebasing to a new Python version,

  #           remember to update the python3-docs package as well

- Version: %{pybasever}.8

- Release: 3%{?dist}

+ Version: %{pybasever}.9

+ Release: 1%{?dist}

  License: Python

  

  

@@ -351,11 +351,6 @@ 

  # See also: https://bugzilla.redhat.com/show_bug.cgi?id=1489816

  Patch294: 00294-define-TLS-cipher-suite-on-build-time.patch

  

- # 00317 #

- # Security fix for CVE-2019-5010: Fix segfault in ssl's cert parser

- # Fixed upstream https://bugs.python.org/issue35746

- Patch317: 00317-CVE-2019-5010.patch

- 

  # (New patches go here ^^^)

  #

  # When adding new patches to "python" and "python3" in Fedora, EL, etc.,

@@ -681,7 +676,6 @@ 

  %patch274 -p1

  %patch292 -p1

  %patch294 -p1

- %patch317 -p1

  

  

  # Remove files that should be generated by the build

@@ -1563,6 +1557,9 @@ 

  # ======================================================

  

  %changelog

+ * Wed Jul 03 2019 Miro Hrončok <mhroncok@redhat.com> - 3.6.9-1

+ - Update to 3.6.9

+ 

  * Wed Jan 23 2019 Patrik Kopkan <pkopkan@redhat.com> - 3.6.8-3

  - fix for CVE-2019-5010 (#1666519, #1666520)

  

file modified
+1 -1

@@ -1,1 +1,1 @@ 

- SHA512 (Python-3.6.8.tar.xz) = b17867e451ebe662f50df83ed112d3656c089e7d750651ea640052b01b713b58e66aac9e082f71fd16f5b5510bc9b797f5ccd30f5399581e9aa406197f02938a

+ SHA512 (Python-3.6.9.tar.xz) = 05de9c6f44d96a52bfce10ede4312de892573edaf8bece65926d19973a3a800d65eed7a857af945f69efcfb25efa3788e7a54016b03d80b611eb51c3ea074819