1 files changed, 161 insertions, 0 deletions
diff --git a/recipes-devtools/python/python/CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch b/recipes-devtools/python/python/CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch
new file mode 100644
index 0000000..6239503
--- /dev/null
+++ b/recipes-devtools/python/python/CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch
@@ -0,0 +1,161 @@
+From fbfdc20005366facc079675ee7e217a0993ef2f9 Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 13:44:16 +0200
+Subject: [PATCH] [2.7] bpo-32981: Fix catastrophic backtracking vulns
+ (GH-5955)
+* Prevent low-grade poplib REDOS (CVE-2018-1060)
+The regex to test a mail server's timestamp is susceptible to
+catastrophic backtracking on long evil responses from the server.
+Happily, the maximum length of malicious inputs is 2K thanks
+to a limit introduced in the fix for CVE-2013-1752.
+A 2KB evil response from the mail server would result in small slowdowns
+(milliseconds vs. microseconds) accumulated over many apop calls.
+This is a potential DOS vector via accumulated slowdowns.
+Replace it with a similar non-vulnerable regex.
+The new regex is RFC compliant.
+The old regex was non-compliant in edge cases.
+* Prevent difflib REDOS (CVE-2018-1061)
+The default regex for IS_LINE_JUNK is susceptible to
+catastrophic backtracking.
+This is a potential DOS vector.
+Replace it with an equivalent non-vulnerable regex.
+Also introduce unit and REDOS tests for difflib.
+CVE: CVE-2018-1060
+CVE: CVE-2018-1061
+Upstream-Status: Backport [https://github.com/python/cpython/commit/937ac1fe069a4dc8471dff205f553d82e724015b]
+Co-authored-by: Tim Peters <tim.peters@gmail.com>
+Co-authored-by: Christian Heimes <christian@python.org>.
+(cherry picked from commit 0e6c8ee2358a2e23117501826c008842acb835ac)
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ Lib/difflib.py                                     |  2 +-
+ Lib/poplib.py                                      |  2 +-
+ Lib/test/test_difflib.py                           | 22 +++++++++++++++++++++-
+ Lib/test/test_poplib.py                            | 10 ++++++++++
+ Misc/ACKS                                          |  1 +
+ .../2018-03-02-10-24-52.bpo-32981.O_qDyj.rst       |  4 ++++
+ 6 files changed, 38 insertions(+), 3 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst
+diff --git a/Lib/difflib.py b/Lib/difflib.py
+index 1c6fbdb..788a92d 100644
+--- a/Lib/difflib.py
+++ b/Lib/difflib.py
+@@ -1103,7 +1103,7 @@ class Differ:
+ 
+ import re
+ 
+-def IS_LINE_JUNK(line, pat=re.compile(r"\s*#?\s*$").match):
+def IS_LINE_JUNK(line, pat=re.compile(r"\s*(?:#\s*)?$").match):
+     r"""
+     Return 1 for ignorable line: iff `line` is blank or contains a single '#'.
+ 
+diff --git a/Lib/poplib.py b/Lib/poplib.py
+index b91e5f7..a238510 100644
+--- a/Lib/poplib.py
+++ b/Lib/poplib.py
+@@ -274,7 +274,7 @@ class POP3:
+         return self._shortcmd('RPOP %s' % user)
+ 
+ 
+-    timestamp = re.compile(r'\+OK.*(<[^>]+>)')
+    timestamp = re.compile(br'\+OK.[^<]*(<.*>)')
+ 
+     def apop(self, user, secret):
+         """Authorisation
+diff --git a/Lib/test/test_difflib.py b/Lib/test/test_difflib.py
+index 35f2c36..d8277b7 100644
+--- a/Lib/test/test_difflib.py
+++ b/Lib/test/test_difflib.py
+@@ -269,13 +269,33 @@ class TestOutputFormat(unittest.TestCase):
+         self.assertEqual(fmt(3,6), '4,6')
+         self.assertEqual(fmt(0,0), '0')
+ 
+class TestJunkAPIs(unittest.TestCase):
+    def test_is_line_junk_true(self):
+        for line in ['#', '  ', ' #', '# ', ' # ', '']:
+            self.assertTrue(difflib.IS_LINE_JUNK(line), repr(line))
+
+    def test_is_line_junk_false(self):
+        for line in ['##', ' ##', '## ', 'abc ', 'abc #', 'Mr. Moose is up!']:
+            self.assertFalse(difflib.IS_LINE_JUNK(line), repr(line))
+
+    def test_is_line_junk_REDOS(self):
+        evil_input = ('\t' * 1000000) + '##'
+        self.assertFalse(difflib.IS_LINE_JUNK(evil_input))
+
+    def test_is_character_junk_true(self):
+        for char in [' ', '\t']:
+            self.assertTrue(difflib.IS_CHARACTER_JUNK(char), repr(char))
+
+    def test_is_character_junk_false(self):
+        for char in ['a', '#', '\n', '\f', '\r', '\v']:
+            self.assertFalse(difflib.IS_CHARACTER_JUNK(char), repr(char))
+ 
+ def test_main():
+     difflib.HtmlDiff._default_prefix = 0
+     Doctests = doctest.DocTestSuite(difflib)
+     run_unittest(
+         TestWithAscii, TestAutojunk, TestSFpatches, TestSFbugs,
+-        TestOutputFormat, Doctests)
+        TestOutputFormat, TestJunkAPIs)
+ 
+ if __name__ == '__main__':
+     test_main()
+diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
+index 23d6887..d214375 100644
+--- a/Lib/test/test_poplib.py
+++ b/Lib/test/test_poplib.py
+@@ -211,6 +211,16 @@ class TestPOP3Class(TestCase):
+     def test_rpop(self):
+         self.assertOK(self.client.rpop('foo'))
+ 
+    def test_apop_REDOS(self):
+        # Replace welcome with very long evil welcome.
+        # NB The upper bound on welcome length is currently 2048.
+        # At this length, evil input makes each apop call take
+        # on the order of milliseconds instead of microseconds.
+        evil_welcome = b'+OK' + (b'<' * 1000000)
+        with test_support.swap_attr(self.client, 'welcome', evil_welcome):
+            # The evil welcome is invalid, so apop should throw.
+            self.assertRaises(poplib.error_proto, self.client.apop, 'a', 'kb')
+
+     def test_top(self):
+         expected =  ('+OK 116 bytes',
+                      ['From: postmaster@python.org', 'Content-Type: text/plain',
+diff --git a/Misc/ACKS b/Misc/ACKS
+index 9cbc230..952d6dd 100644
+--- a/Misc/ACKS
+++ b/Misc/ACKS
+@@ -314,6 +314,7 @@ Kushal Das
+ Jonathan Dasteel
+ Pierre-Yves David
+ A. Jesse Jiryu Davis
+Jamie (James C.) Davis
+ Merlijn van Deen
+ John DeGood
+ Ned Deily
+diff --git a/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst b/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst
+new file mode 100644
+index 0000000..9ebabb4
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst
+@@ -0,0 +1,4 @@
+Regexes in difflib and poplib were vulnerable to catastrophic backtracking.
+These regexes formed potential DOS vectors (REDOS). They have been
+refactored. This resolves CVE-2018-1060 and CVE-2018-1061.
+Patch by Jamie Davis.

diff --git a/recipes-devtools/python/python/CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch b/recipes-devtools/python/python/CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch new file mode 100644 index 0000000..6239503 --- /dev/null +++ b/recipes-devtools/python/python/CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch
@@ -0,0 +1,161 @@
	1	From fbfdc20005366facc079675ee7e217a0993ef2f9 Mon Sep 17 00:00:00 2001
	2	From: Andreas Wellving <andreas.wellving@enea.com>
	3	Date: Mon, 22 Oct 2018 13:44:16 +0200
	4	Subject: [PATCH] [2.7] bpo-32981: Fix catastrophic backtracking vulns
	5	(GH-5955)
	6
	7	* Prevent low-grade poplib REDOS (CVE-2018-1060)
	8
	9	The regex to test a mail server's timestamp is susceptible to
	10	catastrophic backtracking on long evil responses from the server.
	11
	12	Happily, the maximum length of malicious inputs is 2K thanks
	13	to a limit introduced in the fix for CVE-2013-1752.
	14
	15	A 2KB evil response from the mail server would result in small slowdowns
	16	(milliseconds vs. microseconds) accumulated over many apop calls.
	17	This is a potential DOS vector via accumulated slowdowns.
	18
	19	Replace it with a similar non-vulnerable regex.
	20
	21	The new regex is RFC compliant.
	22	The old regex was non-compliant in edge cases.
	23
	24	* Prevent difflib REDOS (CVE-2018-1061)
	25
	26	The default regex for IS_LINE_JUNK is susceptible to
	27	catastrophic backtracking.
	28	This is a potential DOS vector.
	29
	30	Replace it with an equivalent non-vulnerable regex.
	31
	32	Also introduce unit and REDOS tests for difflib.
	33
	34	CVE: CVE-2018-1060
	35	CVE: CVE-2018-1061
	36	Upstream-Status: Backport [https://github.com/python/cpython/commit/937ac1fe069a4dc8471dff205f553d82e724015b]
	37
	38	Co-authored-by: Tim Peters <tim.peters@gmail.com>
	39	Co-authored-by: Christian Heimes <christian@python.org>.
	40	(cherry picked from commit 0e6c8ee2358a2e23117501826c008842acb835ac)
	41	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	42	---
	43	Lib/difflib.py \| 2 +-
	44	Lib/poplib.py \| 2 +-
	45	Lib/test/test_difflib.py \| 22 +++++++++++++++++++++-
	46	Lib/test/test_poplib.py \| 10 ++++++++++
	47	Misc/ACKS \| 1 +
	48	.../2018-03-02-10-24-52.bpo-32981.O_qDyj.rst \| 4 ++++
	49	6 files changed, 38 insertions(+), 3 deletions(-)
	50	create mode 100644 Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst
	51
	52	diff --git a/Lib/difflib.py b/Lib/difflib.py
	53	index 1c6fbdb..788a92d 100644
	54	--- a/Lib/difflib.py
	55	+++ b/Lib/difflib.py
	56	@@ -1103,7 +1103,7 @@ class Differ:
	57
	58	import re
	59
	60	-def IS_LINE_JUNK(line, pat=re.compile(r"\s#?\s$").match):
	61	+def IS_LINE_JUNK(line, pat=re.compile(r"\s(?:#\s)?$").match):
	62	r"""
	63	Return 1 for ignorable line: iff `line` is blank or contains a single '#'.
	64
	65	diff --git a/Lib/poplib.py b/Lib/poplib.py
	66	index b91e5f7..a238510 100644
	67	--- a/Lib/poplib.py
	68	+++ b/Lib/poplib.py
	69	@@ -274,7 +274,7 @@ class POP3:
	70	return self._shortcmd('RPOP %s' % user)
	71
	72
	73	- timestamp = re.compile(r'\+OK.*(<[^>]+>)')
	74	+ timestamp = re.compile(br'\+OK.[^<](<.>)')
	75
	76	def apop(self, user, secret):
	77	"""Authorisation
	78	diff --git a/Lib/test/test_difflib.py b/Lib/test/test_difflib.py
	79	index 35f2c36..d8277b7 100644
	80	--- a/Lib/test/test_difflib.py
	81	+++ b/Lib/test/test_difflib.py
	82	@@ -269,13 +269,33 @@ class TestOutputFormat(unittest.TestCase):
	83	self.assertEqual(fmt(3,6), '4,6')
	84	self.assertEqual(fmt(0,0), '0')
	85
	86	+class TestJunkAPIs(unittest.TestCase):
	87	+ def test_is_line_junk_true(self):
	88	+ for line in ['#', ' ', ' #', '# ', ' # ', '']:
	89	+ self.assertTrue(difflib.IS_LINE_JUNK(line), repr(line))
	90	+
	91	+ def test_is_line_junk_false(self):
	92	+ for line in ['##', ' ##', '## ', 'abc ', 'abc #', 'Mr. Moose is up!']:
	93	+ self.assertFalse(difflib.IS_LINE_JUNK(line), repr(line))
	94	+
	95	+ def test_is_line_junk_REDOS(self):
	96	+ evil_input = ('\t' * 1000000) + '##'
	97	+ self.assertFalse(difflib.IS_LINE_JUNK(evil_input))
	98	+
	99	+ def test_is_character_junk_true(self):
	100	+ for char in [' ', '\t']:
	101	+ self.assertTrue(difflib.IS_CHARACTER_JUNK(char), repr(char))
	102	+
	103	+ def test_is_character_junk_false(self):
	104	+ for char in ['a', '#', '\n', '\f', '\r', '\v']:
	105	+ self.assertFalse(difflib.IS_CHARACTER_JUNK(char), repr(char))
	106
	107	def test_main():
	108	difflib.HtmlDiff._default_prefix = 0
	109	Doctests = doctest.DocTestSuite(difflib)
	110	run_unittest(
	111	TestWithAscii, TestAutojunk, TestSFpatches, TestSFbugs,
	112	- TestOutputFormat, Doctests)
	113	+ TestOutputFormat, TestJunkAPIs)
	114
	115	if __name__ == '__main__':
	116	test_main()
	117	diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
	118	index 23d6887..d214375 100644
	119	--- a/Lib/test/test_poplib.py
	120	+++ b/Lib/test/test_poplib.py
	121	@@ -211,6 +211,16 @@ class TestPOP3Class(TestCase):
	122	def test_rpop(self):
	123	self.assertOK(self.client.rpop('foo'))
	124
	125	+ def test_apop_REDOS(self):
	126	+ # Replace welcome with very long evil welcome.
	127	+ # NB The upper bound on welcome length is currently 2048.
	128	+ # At this length, evil input makes each apop call take
	129	+ # on the order of milliseconds instead of microseconds.
	130	+ evil_welcome = b'+OK' + (b'<' * 1000000)
	131	+ with test_support.swap_attr(self.client, 'welcome', evil_welcome):
	132	+ # The evil welcome is invalid, so apop should throw.
	133	+ self.assertRaises(poplib.error_proto, self.client.apop, 'a', 'kb')
	134	+
	135	def test_top(self):
	136	expected = ('+OK 116 bytes',
	137	['From: postmaster@python.org', 'Content-Type: text/plain',
	138	diff --git a/Misc/ACKS b/Misc/ACKS
	139	index 9cbc230..952d6dd 100644
	140	--- a/Misc/ACKS
	141	+++ b/Misc/ACKS
	142	@@ -314,6 +314,7 @@ Kushal Das
	143	Jonathan Dasteel
	144	Pierre-Yves David
	145	A. Jesse Jiryu Davis
	146	+Jamie (James C.) Davis
	147	Merlijn van Deen
	148	John DeGood
	149	Ned Deily
	150	diff --git a/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst b/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst
	151	new file mode 100644
	152	index 0000000..9ebabb4
	153	--- /dev/null
	154	+++ b/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst
	155	@@ -0,0 +1,4 @@
	156	+Regexes in difflib and poplib were vulnerable to catastrophic backtracking.
	157	+These regexes formed potential DOS vectors (REDOS). They have been
	158	+refactored. This resolves CVE-2018-1060 and CVE-2018-1061.
	159	+Patch by Jamie Davis.
	160
	161