python: CVE-2019-16056

(From OE-Core rev: 49ff6c7ef1d366007c49083f4e5faaf5a9eb086f) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 27be9cf71a6fe906a23e81b56f1cc18a6fc9ef97) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Chen Qi <Qi.Chen@windriver.com> 2019-10-29 10:47:26 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-10-30 13:47:54 +0000
commit: 0e55cd3815cd47d5f3d7de51dfccc14cbeb1250d (patch)
tree: 3911a6db796112812e0af8089c87ede608e0ec95
parent: cd8a048b620b04dcaa7969d70684bcad243ccc58 (diff)
download: poky-0e55cd3815cd47d5f3d7de51dfccc14cbeb1250d.tar.gz
2 files changed, 91 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch b/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch
new file mode 100644
index 0000000000..5415472a35
--- /dev/null
+++ b/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch
@@ -0,0 +1,90 @@
+From 532ed09c5454bb789a301bb6f1339a0818255610 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?= <roberto@connexer.com>
+Date: Sat, 14 Sep 2019 13:26:38 -0400
+Subject: [PATCH] [2.7] bpo-34155: Dont parse domains containing @ (GH-13079)
+ (GH-16006)
+This change skips parsing of email addresses where domains include a "@" character, which can be maliciously used since the local part is returned as a complete address.
+(cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9)
+Excludes changes to Lib/email/_header_value_parser.py, which did not
+exist in 2.7.
+Co-authored-by: jpic <jpic@users.noreply.github.com>
+https://bugs.python.org/issue34155
+Upstream-Status: Backport [https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9]
+CVE: CVE-2019-16056
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ Lib/email/_parseaddr.py                            | 11 ++++++++++-
+ Lib/email/test/test_email.py                       | 14 ++++++++++++++
+ .../2019-05-04-13-33-37.bpo-34155.MJll68.rst       |  1 +
+ 3 files changed, 25 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
+diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py
+index 690db2c22d..dc49d2e45a 100644
+--- a/Lib/email/_parseaddr.py
+++ b/Lib/email/_parseaddr.py
+@@ -336,7 +336,12 @@ class AddrlistClass:
+         aslist.append('@')
+         self.pos += 1
+         self.gotonext()
+-        return EMPTYSTRING.join(aslist) + self.getdomain()
+        domain = self.getdomain()
+        if not domain:
+            # Invalid domain, return an empty address instead of returning a
+            # local part to denote failed parsing.
+            return EMPTYSTRING
+        return EMPTYSTRING.join(aslist) + domain
+ 
+     def getdomain(self):
+         """Get the complete domain name from an address."""
+@@ -351,6 +356,10 @@ class AddrlistClass:
+             elif self.field[self.pos] == '.':
+                 self.pos += 1
+                 sdlist.append('.')
+            elif self.field[self.pos] == '@':
+                # bpo-34155: Don't parse domains with two `@` like
+                # `a@malicious.org@important.com`.
+                return EMPTYSTRING
+             elif self.field[self.pos] in self.atomends:
+                 break
+             else:
+diff --git a/Lib/email/test/test_email.py b/Lib/email/test/test_email.py
+index 4b4dee3d34..2efe44ac5a 100644
+--- a/Lib/email/test/test_email.py
+++ b/Lib/email/test/test_email.py
+@@ -2306,6 +2306,20 @@ class TestMiscellaneous(TestEmailBase):
+         self.assertEqual(Utils.parseaddr('<>'), ('', ''))
+         self.assertEqual(Utils.formataddr(Utils.parseaddr('<>')), '')
+ 
+    def test_parseaddr_multiple_domains(self):
+        self.assertEqual(
+            Utils.parseaddr('a@b@c'),
+            ('', '')
+        )
+        self.assertEqual(
+            Utils.parseaddr('a@b.c@c'),
+            ('', '')
+        )
+        self.assertEqual(
+            Utils.parseaddr('a@172.17.0.1@c'),
+            ('', '')
+        )
+
+     def test_noquote_dump(self):
+         self.assertEqual(
+             Utils.formataddr(('A Silly Person', 'person@dom.ain')),
+diff --git a/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
+new file mode 100644
+index 0000000000..50292e29ed
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
+@@ -0,0 +1 @@
+Fix parsing of invalid email addresses with more than one ``@`` (e.g. a@b@c.com.) to not return the part before 2nd ``@`` as valid email address. Patch by maxking & jpic.
diff --git a/meta/recipes-devtools/python/python_2.7.16.bb b/meta/recipes-devtools/python/python_2.7.16.bb
index ec724c3918..b263e7214c 100644
--- a/meta/recipes-devtools/python/python_2.7.16.bb
+++ b/meta/recipes-devtools/python/python_2.7.16.bb
@@ -30,6 +30,7 @@ SRC_URI += " \
           file://support_SOURCE_DATE_EPOCH_in_py_compile_2.7.patch \
           file://float-endian.patch \
           file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \
+           file://0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \
 "
 S = "${WORKDIR}/Python-${PV}"
author	Chen Qi <Qi.Chen@windriver.com>	2019-10-29 10:47:26 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-30 13:47:54 +0000
commit	0e55cd3815cd47d5f3d7de51dfccc14cbeb1250d (patch)
tree	3911a6db796112812e0af8089c87ede608e0ec95
parent	cd8a048b620b04dcaa7969d70684bcad243ccc58 (diff)
download	poky-0e55cd3815cd47d5f3d7de51dfccc14cbeb1250d.tar.gz

diff --git a/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch b/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch new file mode 100644 index 0000000000..5415472a35 --- /dev/null +++ b/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch
@@ -0,0 +1,90 @@
		1	From 532ed09c5454bb789a301bb6f1339a0818255610 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?= <roberto@connexer.com>
		3	Date: Sat, 14 Sep 2019 13:26:38 -0400
		4	Subject: [PATCH] [2.7] bpo-34155: Dont parse domains containing @ (GH-13079)
		5	(GH-16006)
		6
		7	This change skips parsing of email addresses where domains include a "@" character, which can be maliciously used since the local part is returned as a complete address.
		8
		9	(cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9)
		10
		11	Excludes changes to Lib/email/_header_value_parser.py, which did not
		12	exist in 2.7.
		13
		14	Co-authored-by: jpic <jpic@users.noreply.github.com>
		15
		16	https://bugs.python.org/issue34155
		17
		18	Upstream-Status: Backport [https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9]
		19
		20	CVE: CVE-2019-16056
		21
		22	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
		23	---
		24	Lib/email/_parseaddr.py \| 11 ++++++++++-
		25	Lib/email/test/test_email.py \| 14 ++++++++++++++
		26	.../2019-05-04-13-33-37.bpo-34155.MJll68.rst \| 1 +
		27	3 files changed, 25 insertions(+), 1 deletion(-)
		28	create mode 100644 Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
		29
		30	diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py
		31	index 690db2c22d..dc49d2e45a 100644
		32	--- a/Lib/email/_parseaddr.py
		33	+++ b/Lib/email/_parseaddr.py
		34	@@ -336,7 +336,12 @@ class AddrlistClass:
		35	aslist.append('@')
		36	self.pos += 1
		37	self.gotonext()
		38	- return EMPTYSTRING.join(aslist) + self.getdomain()
		39	+ domain = self.getdomain()
		40	+ if not domain:
		41	+ # Invalid domain, return an empty address instead of returning a
		42	+ # local part to denote failed parsing.
		43	+ return EMPTYSTRING
		44	+ return EMPTYSTRING.join(aslist) + domain
		45
		46	def getdomain(self):
		47	"""Get the complete domain name from an address."""
		48	@@ -351,6 +356,10 @@ class AddrlistClass:
		49	elif self.field[self.pos] == '.':
		50	self.pos += 1
		51	sdlist.append('.')
		52	+ elif self.field[self.pos] == '@':
		53	+ # bpo-34155: Don't parse domains with two `@` like
		54	+ # `a@malicious.org@important.com`.
		55	+ return EMPTYSTRING
		56	elif self.field[self.pos] in self.atomends:
		57	break
		58	else:
		59	diff --git a/Lib/email/test/test_email.py b/Lib/email/test/test_email.py
		60	index 4b4dee3d34..2efe44ac5a 100644
		61	--- a/Lib/email/test/test_email.py
		62	+++ b/Lib/email/test/test_email.py
		63	@@ -2306,6 +2306,20 @@ class TestMiscellaneous(TestEmailBase):
		64	self.assertEqual(Utils.parseaddr('<>'), ('', ''))
		65	self.assertEqual(Utils.formataddr(Utils.parseaddr('<>')), '')
		66
		67	+ def test_parseaddr_multiple_domains(self):
		68	+ self.assertEqual(
		69	+ Utils.parseaddr('a@b@c'),
		70	+ ('', '')
		71	+ )
		72	+ self.assertEqual(
		73	+ Utils.parseaddr('a@b.c@c'),
		74	+ ('', '')
		75	+ )
		76	+ self.assertEqual(
		77	+ Utils.parseaddr('a@172.17.0.1@c'),
		78	+ ('', '')
		79	+ )
		80	+
		81	def test_noquote_dump(self):
		82	self.assertEqual(
		83	Utils.formataddr(('A Silly Person', 'person@dom.ain')),
		84	diff --git a/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
		85	new file mode 100644
		86	index 0000000000..50292e29ed
		87	--- /dev/null
		88	+++ b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
		89	@@ -0,0 +1 @@
		90	+Fix parsing of invalid email addresses with more than one ``@`` (e.g. a@b@c.com.) to not return the part before 2nd ``@`` as valid email address. Patch by maxking & jpic.


diff --git a/meta/recipes-devtools/python/python_2.7.16.bb b/meta/recipes-devtools/python/python_2.7.16.bb index ec724c3918..b263e7214c 100644 --- a/meta/recipes-devtools/python/python_2.7.16.bb +++ b/meta/recipes-devtools/python/python_2.7.16.bb
@@ -30,6 +30,7 @@ SRC_URI += " \
30	file://support_SOURCE_DATE_EPOCH_in_py_compile_2.7.patch \	30	file://support_SOURCE_DATE_EPOCH_in_py_compile_2.7.patch \
31	file://float-endian.patch \	31	file://float-endian.patch \
32	file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \	32	file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \
		33	file://0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \
33	"	34	"
34		35
35	S = "${WORKDIR}/Python-${PV}"	36	S = "${WORKDIR}/Python-${PV}"