python3: advance to version 3.10.8

Fixes CVE-2022-37460. Also add patch to fix CVE-2022-37454. (From OE-Core rev: b446dd69b79783ea232514e1c5212595ec28e553) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Joe Slater <joe.slater@windriver.com> 2022-12-07 14:55:03 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-12-13 15:23:34 +0000
commit: eea9ca003fdc971dc13b545c4b7949f06e1beae8 (patch)
tree: fb2b026d9ae56b18e7bfc8864075c97b8ae61536
parent: d513c3043bb0e71f563f06cbf98ac51e9e835391 (diff)
download: poky-eea9ca003fdc971dc13b545c4b7949f06e1beae8.tar.gz
2 files changed, 110 insertions, 2 deletions
diff --git a/meta/recipes-devtools/python/python3/cve-2022-37454.patch b/meta/recipes-devtools/python/python3/cve-2022-37454.patch
new file mode 100644
index 0000000000..c019151a64
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/cve-2022-37454.patch
@@ -0,0 +1,108 @@
+From 1f66b714c5f2fef80ec5389456ac31756dbfff0e Mon Sep 17 00:00:00 2001
+From: Theo Buehler <botovq@users.noreply.github.com>
+Date: Fri, 21 Oct 2022 21:26:01 +0200
+Subject: [PATCH] gh-98517: Fix buffer overflows in _sha3 module (#98519)
+This is a port of the applicable part of XKCP's fix [1] for
+CVE-2022-37454 and avoids the segmentation fault and the infinite
+loop in the test cases published in [2].
+[1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
+[2]: https://mouha.be/sha-3-buffer-overflow/
+Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
+---
+Patch applied without modification.
+CVE: CVE-2022-37454
+Upstream-Status: Backport [github.com/cpython/cpython.git 0e4e058602d...]
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+ Lib/test/test_hashlib.py                          |  9 +++++++++
+ .../2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst |  1 +
+ Modules/_sha3/kcp/KeccakSponge.inc                | 15 ++++++++-------
+ 3 files changed, 18 insertions(+), 7 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
+diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
+index ea31f8b..65330e1 100644
+--- a/Lib/test/test_hashlib.py
+++ b/Lib/test/test_hashlib.py
+@@ -491,6 +491,15 @@ class HashLibTestCase(unittest.TestCase):
+     def test_case_md5_uintmax(self, size):
+         self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3')
+ 
+    @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems')
+    @bigmemtest(size=_4G - 1, memuse=1, dry_run=False)
+    def test_sha3_update_overflow(self, size):
+        """Regression test for gh-98517 CVE-2022-37454."""
+        h = hashlib.sha3_224()
+        h.update(b'\x01')
+        h.update(b'\x01'*0xffff_ffff)
+        self.assertEqual(h.hexdigest(), '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed')
+
+     # use the three examples from Federal Information Processing Standards
+     # Publication 180-1, Secure Hash Standard,  1995 April 17
+     # http://www.itl.nist.gov/div897/pubs/fip180-1.htm
+diff --git a/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
+new file mode 100644
+index 0000000..2d23a6a
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
+@@ -0,0 +1 @@
+Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454).
+diff --git a/Modules/_sha3/kcp/KeccakSponge.inc b/Modules/_sha3/kcp/KeccakSponge.inc
+index e10739d..cf92e4d 100644
+--- a/Modules/_sha3/kcp/KeccakSponge.inc
+++ b/Modules/_sha3/kcp/KeccakSponge.inc
+@@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat
+     i = 0;
+     curData = data;
+     while(i < dataByteLen) {
+-        if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) {
+        if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) {
+ #ifdef SnP_FastLoop_Absorb
+             /* processing full blocks first */
+ 
+@@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat
+         }
+         else {
+             /* normal lane: using the message queue */
+-
+-            partialBlock = (unsigned int)(dataByteLen - i);
+-            if (partialBlock+instance->byteIOIndex > rateInBytes)
+            if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
+                 partialBlock = rateInBytes-instance->byteIOIndex;
+            else
+                partialBlock = (unsigned int)(dataByteLen - i);
+             #ifdef KeccakReference
+             displayBytes(1, "Block to be absorbed (part)", curData, partialBlock);
+             #endif
+@@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte
+     i = 0;
+     curData = data;
+     while(i < dataByteLen) {
+-        if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) {
+        if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) {
+             for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
+                 SnP_Permute(instance->state);
+                 SnP_ExtractBytes(instance->state, curData, 0, rateInBytes);
+@@ -299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte
+                 SnP_Permute(instance->state);
+                 instance->byteIOIndex = 0;
+             }
+-            partialBlock = (unsigned int)(dataByteLen - i);
+-            if (partialBlock+instance->byteIOIndex > rateInBytes)
+            if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
+                 partialBlock = rateInBytes-instance->byteIOIndex;
+            else
+                partialBlock = (unsigned int)(dataByteLen - i);
+             i += partialBlock;
+ 
+             SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);
+-- 
+2.32.0
diff --git a/meta/recipes-devtools/python/python3_3.10.7.bb b/meta/recipes-devtools/python/python3_3.10.8.bb
index 2d230793ef..8963ce6dd2 100644
--- a/meta/recipes-devtools/python/python3_3.10.7.bb
+++ b/meta/recipes-devtools/python/python3_3.10.8.bb
@@ -4,7 +4,7 @@ DESCRIPTION = "Python is a programming language that lets you work more quickly
 LICENSE = "PSF-2.0"
 SECTION = "devel/python"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=4b8801e752a2c70ac41a5f9aa243f766"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=a1822df8d0f068628ca6090aedc5bfc8"
 SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
           file://run-ptest \
@@ -44,7 +44,7 @@ SRC_URI:append:class-native = " \
           file://12-distutils-prefix-is-inside-staging-area.patch \
           file://0001-Don-t-search-system-for-headers-libraries.patch \
           "
-SRC_URI[sha256sum] = "6eed8415b7516fb2f260906db5d48dd4c06acc0cb24a7d6cc15296a604dcdc48"
+SRC_URI[sha256sum] = "6a30ecde59c47048013eb5a658c9b5dec277203d2793667f578df7671f7f03f3"
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
author	Joe Slater <joe.slater@windriver.com>	2022-12-07 14:55:03 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-12-13 15:23:34 +0000
commit	eea9ca003fdc971dc13b545c4b7949f06e1beae8 (patch)
tree	fb2b026d9ae56b18e7bfc8864075c97b8ae61536
parent	d513c3043bb0e71f563f06cbf98ac51e9e835391 (diff)
download	poky-eea9ca003fdc971dc13b545c4b7949f06e1beae8.tar.gz

diff --git a/meta/recipes-devtools/python/python3/cve-2022-37454.patch b/meta/recipes-devtools/python/python3/cve-2022-37454.patch new file mode 100644 index 0000000000..c019151a64 --- /dev/null +++ b/meta/recipes-devtools/python/python3/cve-2022-37454.patch
@@ -0,0 +1,108 @@
		1	From 1f66b714c5f2fef80ec5389456ac31756dbfff0e Mon Sep 17 00:00:00 2001
		2	From: Theo Buehler <botovq@users.noreply.github.com>
		3	Date: Fri, 21 Oct 2022 21:26:01 +0200
		4	Subject: [PATCH] gh-98517: Fix buffer overflows in _sha3 module (#98519)
		5
		6	This is a port of the applicable part of XKCP's fix [1] for
		7	CVE-2022-37454 and avoids the segmentation fault and the infinite
		8	loop in the test cases published in [2].
		9
		10	[1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
		11	[2]: https://mouha.be/sha-3-buffer-overflow/
		12
		13	Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
		14	---
		15
		16	Patch applied without modification.
		17
		18	CVE: CVE-2022-37454
		19
		20	Upstream-Status: Backport [github.com/cpython/cpython.git 0e4e058602d...]
		21
		22	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		23	---
		24	Lib/test/test_hashlib.py \| 9 +++++++++
		25	.../2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst \| 1 +
		26	Modules/_sha3/kcp/KeccakSponge.inc \| 15 ++++++++-------
		27	3 files changed, 18 insertions(+), 7 deletions(-)
		28	create mode 100644 Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
		29
		30	diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
		31	index ea31f8b..65330e1 100644
		32	--- a/Lib/test/test_hashlib.py
		33	+++ b/Lib/test/test_hashlib.py
		34	@@ -491,6 +491,15 @@ class HashLibTestCase(unittest.TestCase):
		35	def test_case_md5_uintmax(self, size):
		36	self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3')
		37
		38	+ @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems')
		39	+ @bigmemtest(size=_4G - 1, memuse=1, dry_run=False)
		40	+ def test_sha3_update_overflow(self, size):
		41	+ """Regression test for gh-98517 CVE-2022-37454."""
		42	+ h = hashlib.sha3_224()
		43	+ h.update(b'\x01')
		44	+ h.update(b'\x01'*0xffff_ffff)
		45	+ self.assertEqual(h.hexdigest(), '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed')
		46	+
		47	# use the three examples from Federal Information Processing Standards
		48	# Publication 180-1, Secure Hash Standard, 1995 April 17
		49	# http://www.itl.nist.gov/div897/pubs/fip180-1.htm
		50	diff --git a/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
		51	new file mode 100644
		52	index 0000000..2d23a6a
		53	--- /dev/null
		54	+++ b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
		55	@@ -0,0 +1 @@
		56	+Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454).
		57	diff --git a/Modules/_sha3/kcp/KeccakSponge.inc b/Modules/_sha3/kcp/KeccakSponge.inc
		58	index e10739d..cf92e4d 100644
		59	--- a/Modules/_sha3/kcp/KeccakSponge.inc
		60	+++ b/Modules/_sha3/kcp/KeccakSponge.inc
		61	@@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance instance, const unsigned char data, size_t dat
		62	i = 0;
		63	curData = data;
		64	while(i < dataByteLen) {
		65	- if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) {
		66	+ if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) {
		67	#ifdef SnP_FastLoop_Absorb
		68	/* processing full blocks first */
		69
		70	@@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance instance, const unsigned char data, size_t dat
		71	}
		72	else {
		73	/* normal lane: using the message queue */
		74	-
		75	- partialBlock = (unsigned int)(dataByteLen - i);
		76	- if (partialBlock+instance->byteIOIndex > rateInBytes)
		77	+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
		78	partialBlock = rateInBytes-instance->byteIOIndex;
		79	+ else
		80	+ partialBlock = (unsigned int)(dataByteLen - i);
		81	#ifdef KeccakReference
		82	displayBytes(1, "Block to be absorbed (part)", curData, partialBlock);
		83	#endif
		84	@@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance instance, unsigned char data, size_t dataByte
		85	i = 0;
		86	curData = data;
		87	while(i < dataByteLen) {
		88	- if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) {
		89	+ if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) {
		90	for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
		91	SnP_Permute(instance->state);
		92	SnP_ExtractBytes(instance->state, curData, 0, rateInBytes);
		93	@@ -299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance instance, unsigned char data, size_t dataByte
		94	SnP_Permute(instance->state);
		95	instance->byteIOIndex = 0;
		96	}
		97	- partialBlock = (unsigned int)(dataByteLen - i);
		98	- if (partialBlock+instance->byteIOIndex > rateInBytes)
		99	+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
		100	partialBlock = rateInBytes-instance->byteIOIndex;
		101	+ else
		102	+ partialBlock = (unsigned int)(dataByteLen - i);
		103	i += partialBlock;
		104
		105	SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);
		106	--
		107	2.32.0
		108


diff --git a/meta/recipes-devtools/python/python3_3.10.7.bb b/meta/recipes-devtools/python/python3_3.10.8.bb index 2d230793ef..8963ce6dd2 100644 --- a/meta/recipes-devtools/python/python3_3.10.7.bb +++ b/meta/recipes-devtools/python/python3_3.10.8.bb
@@ -4,7 +4,7 @@ DESCRIPTION = "Python is a programming language that lets you work more quickly
4	LICENSE = "PSF-2.0"	4	LICENSE = "PSF-2.0"
5	SECTION = "devel/python"	5	SECTION = "devel/python"
6		6
7	LIC_FILES_CHKSUM = "file://LICENSE;md5=4b8801e752a2c70ac41a5f9aa243f766"	7	LIC_FILES_CHKSUM = "file://LICENSE;md5=a1822df8d0f068628ca6090aedc5bfc8"
8		8
9	SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \	9	SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
10	file://run-ptest \	10	file://run-ptest \
@@ -44,7 +44,7 @@ SRC_URI:append:class-native = " \
44	file://12-distutils-prefix-is-inside-staging-area.patch \	44	file://12-distutils-prefix-is-inside-staging-area.patch \
45	file://0001-Don-t-search-system-for-headers-libraries.patch \	45	file://0001-Don-t-search-system-for-headers-libraries.patch \
46	"	46	"
47	SRC_URI[sha256sum] = "6eed8415b7516fb2f260906db5d48dd4c06acc0cb24a7d6cc15296a604dcdc48"	47	SRC_URI[sha256sum] = "6a30ecde59c47048013eb5a658c9b5dec277203d2793667f578df7671f7f03f3"
48		48
49	# exclude pre-releases for both python 2.x and 3.x	49	# exclude pre-releases for both python 2.x and 3.x
50	UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"	50	UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"