python-2.7: Security fix CVE-2016-0772

Affects python < 2.7.12 (From OE-Core rev: dd1a22f4beeb4100388efdc072e7cff2025535a7) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-11-06 10:27:08 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-12-06 22:46:44 +0000
commit: 867babeb6fcad2ac5497b4e36d622ff33c11908c (patch)
tree: d94c691aa273e6506140c756d39f21da813b0fb5
parent: 96c1644d0d474bc451fdf3c4efea70eef49b8e57 (diff)
download: poky-867babeb6fcad2ac5497b4e36d622ff33c11908c.tar.gz
2 files changed, 43 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/CVE-2016-0772.patch b/meta/recipes-devtools/python/python/CVE-2016-0772.patch
new file mode 100644
index 0000000000..0580507954
--- /dev/null
+++ b/meta/recipes-devtools/python/python/CVE-2016-0772.patch
@@ -0,0 +1,42 @@
+# HG changeset patch
+# User Benjamin Peterson <benjamin@python.org>
+# Date 1465676202 25200
+# Node ID b3ce713fb9beebfff9848cefa0acbd59acc68fe9
+# Parent  3017e41b0c99d24e88faf1de447f230e2f64d122
+raise an error when STARTTLS fails
+Upstream-status: Backport
+CVE: CVE-2016-0772
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: Python-2.7.9/Lib/smtplib.py
+===================================================================
+--- Python-2.7.9.orig/Lib/smtplib.py
+++ Python-2.7.9/Lib/smtplib.py
+@@ -656,6 +656,11 @@ class SMTP:
+             self.ehlo_resp = None
+             self.esmtp_features = {}
+             self.does_esmtp = 0
+        else:
+            # RFC 3207:
+            # 501 Syntax error (no parameters allowed)
+            # 454 TLS not available due to temporary reason
+            raise SMTPResponseException(resp, reply)
+         return (resp, reply)
+ 
+     def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
+Index: Python-2.7.9/Misc/NEWS
+===================================================================
+--- Python-2.7.9.orig/Misc/NEWS
+++ Python-2.7.9/Misc/NEWS
+@@ -5136,6 +5136,9 @@ Library
+ 
+ - Issue #8140: Extend compileall to compile single files.  Add -i option.
+ 
+- Fix TLS stripping vulnerability in smptlib, CVE-2016-0772.  Reported by Team
+  Oststrom
+
+ - Issue #7356: ctypes.util: Make parsing of ldconfig output independent of the
+   locale.
+ 
diff --git a/meta/recipes-devtools/python/python_2.7.9.bb b/meta/recipes-devtools/python/python_2.7.9.bb
index f7e2f272f4..53ec99181f 100644
--- a/meta/recipes-devtools/python/python_2.7.9.bb
+++ b/meta/recipes-devtools/python/python_2.7.9.bb
@@ -26,6 +26,7 @@ SRC_URI += "\
  file://parallel-makeinst-create-bindir.patch \
  file://use_sysroot_ncurses_instead_of_host.patch \
  file://avoid_parallel_make_races_on_pgen.patch \
+  file://CVE-2016-0772.patch \
 "
 S = "${WORKDIR}/Python-${PV}"
author	Armin Kuster <akuster@mvista.com>	2016-11-06 10:27:08 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-12-06 22:46:44 +0000
commit	867babeb6fcad2ac5497b4e36d622ff33c11908c (patch)
tree	d94c691aa273e6506140c756d39f21da813b0fb5
parent	96c1644d0d474bc451fdf3c4efea70eef49b8e57 (diff)
download	poky-867babeb6fcad2ac5497b4e36d622ff33c11908c.tar.gz

diff --git a/meta/recipes-devtools/python/python/CVE-2016-0772.patch b/meta/recipes-devtools/python/python/CVE-2016-0772.patch new file mode 100644 index 0000000000..0580507954 --- /dev/null +++ b/meta/recipes-devtools/python/python/CVE-2016-0772.patch
@@ -0,0 +1,42 @@
		1
		2	# HG changeset patch
		3	# User Benjamin Peterson <benjamin@python.org>
		4	# Date 1465676202 25200
		5	# Node ID b3ce713fb9beebfff9848cefa0acbd59acc68fe9
		6	# Parent 3017e41b0c99d24e88faf1de447f230e2f64d122
		7	raise an error when STARTTLS fails
		8
		9	Upstream-status: Backport
		10	CVE: CVE-2016-0772
		11	Signed-off-by: Armin Kuster <akuster@mvista.com>
		12
		13	Index: Python-2.7.9/Lib/smtplib.py
		14	===================================================================
		15	--- Python-2.7.9.orig/Lib/smtplib.py
		16	+++ Python-2.7.9/Lib/smtplib.py
		17	@@ -656,6 +656,11 @@ class SMTP:
		18	self.ehlo_resp = None
		19	self.esmtp_features = {}
		20	self.does_esmtp = 0
		21	+ else:
		22	+ # RFC 3207:
		23	+ # 501 Syntax error (no parameters allowed)
		24	+ # 454 TLS not available due to temporary reason
		25	+ raise SMTPResponseException(resp, reply)
		26	return (resp, reply)
		27
		28	def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
		29	Index: Python-2.7.9/Misc/NEWS
		30	===================================================================
		31	--- Python-2.7.9.orig/Misc/NEWS
		32	+++ Python-2.7.9/Misc/NEWS
		33	@@ -5136,6 +5136,9 @@ Library
		34
		35	- Issue #8140: Extend compileall to compile single files. Add -i option.
		36
		37	+- Fix TLS stripping vulnerability in smptlib, CVE-2016-0772. Reported by Team
		38	+ Oststrom
		39	+
		40	- Issue #7356: ctypes.util: Make parsing of ldconfig output independent of the
		41	locale.
		42


diff --git a/meta/recipes-devtools/python/python_2.7.9.bb b/meta/recipes-devtools/python/python_2.7.9.bb index f7e2f272f4..53ec99181f 100644 --- a/meta/recipes-devtools/python/python_2.7.9.bb +++ b/meta/recipes-devtools/python/python_2.7.9.bb
@@ -26,6 +26,7 @@ SRC_URI += "\
26	file://parallel-makeinst-create-bindir.patch \	26	file://parallel-makeinst-create-bindir.patch \
27	file://use_sysroot_ncurses_instead_of_host.patch \	27	file://use_sysroot_ncurses_instead_of_host.patch \
28	file://avoid_parallel_make_races_on_pgen.patch \	28	file://avoid_parallel_make_races_on_pgen.patch \
		29	file://CVE-2016-0772.patch \
29	"	30	"
30		31
31	S = "${WORKDIR}/Python-${PV}"	32	S = "${WORKDIR}/Python-${PV}"