author | Martin Jansa <martin.jansa@gmail.com> | 2019-05-17 20:16:17 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-06-07 13:57:48 +0100 |
commit | 511de9dc4788001f62e225c07f6bc859836ddf0f (patch) | |
tree | 16f326325a74324932f2de21a89ef1df237e0feb /meta/recipes-devtools/python | |
parent | 2268bf548a2f7e06da9071b11b4c7a487859778d (diff) | |
download | poky-511de9dc4788001f62e225c07f6bc859836ddf0f.tar.gz |
python: add a fix for CVE-2019-9948 and CVE-2019-9636
(From OE-Core rev: 6c8994a6ae8860c4b27d8ec990344c6b099cc685)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/python')
5 files changed, 254 insertions, 1 deletions
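--- /dev/null
+++ b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch
@@ -0,0 +1,55 @@
+From 179a5f75f1121dab271fe8f90eb35145f9dcbbda Mon Sep 17 00:00:00 2001
+From: Sihoon Lee <push0ebp@gmail.com>
+Date: Fri, 17 May 2019 02:41:06 +0900
+Subject: [PATCH] Update test_urllib.py and urllib.py\nchange assertEqual into
+assertRasies in DummyURLopener test, and simplify mitigation
+
+Upstream-Status: Submitted https://github.com/python/cpython/pull/11842
+
+CVE: CVE-2019-9948
+
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+Lib/test/test_urllib.py | 11 +++--------
+Lib/urllib.py | 4 ++--
+2 files changed, 5 insertions(+), 10 deletions(-)
+
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index e5f210e62a18..1e23dfb0bb16 100644
+--- a/Lib/test/test_urllib.py
++++ b/Lib/test/test_urllib.py
+@@ -1027,14 +1027,9 @@ def test_local_file_open(self):
+class DummyURLopener(urllib.URLopener):
+def open_local_file(self, url):
+return url
+- self.assertEqual(DummyURLopener().open(
+- 'local-file://example'), '//example')
+- self.assertEqual(DummyURLopener().open(
+- 'local_file://example'), '//example')
+- self.assertRaises(IOError, urllib.urlopen,
+- 'local-file://example')
+- self.assertRaises(IOError, urllib.urlopen,
+- 'local_file://example')
++ for url in ('local_file://example', 'local-file://example'):
++ self.assertRaises(IOError, DummyURLopener().open, url)
++ self.assertRaises(IOError, urllib.urlopen, url)
+
+# Just commented them out.
+# Can't really tell why keep failing in windows and sparc.
+diff --git a/Lib/urllib.py b/Lib/urllib.py
+index a24e9a5c68fb..39b834054e9e 100644
+--- a/Lib/urllib.py
++++ b/Lib/urllib.py
+@@ -203,10 +203,10 @@ def open(self, fullurl, data=None):
+name = 'open_' + urltype
+self.type = urltype
+name = name.replace('-', '_')
+-
++
+# bpo-35907: # disallow the file reading with the type not allowed
+if not hasattr(self, name) or \
+- (self == _urlopener and name == 'open_local_file'):
++ getattr(self, name) == self.open_local_file:
+if proxy:
+return self.open_unknown_proxy(proxy, fullurl, data)
+else: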
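Review bot: The rewritten guard `getattr(self, name) == self.open_local_file` in the `Lib/urllib.py` hunk reaches the same decision as a plain string comparison (unless a subclass aliases another `open_*` name to the same function), but it does so through bound-method equality, which is harder to read than what the comment above it describes; `if not hasattr(self, name) or name == 'open_local_file':` states the intent directly and drops the second attribute lookup. The comment line carries a doubled marker and could be trimmed to `# bpo-35907: disallow the file reading with the type not allowed`. Since the header marks this Upstream-Status: Submitted, whatever form the upstream pull request is merged in should replace this file rather than be carried alongside it. The body of `URLopener.open` continues outside the quoted hunk.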
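--- /dev/null
+++ b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch
@@ -0,0 +1,55 @@
+From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001
+From: push0ebp <push0ebp@shl-MacBook-Pro.local>
+Date: Thu, 14 Feb 2019 02:05:46 +0900
+Subject: [PATCH] bpo-35907: Avoid file reading as disallowing the unnecessary
+URL scheme in urllib
+
+Upstream-Status: Submitted https://github.com/python/cpython/pull/11842
+
+CVE: CVE-2019-9948
+
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+Lib/test/test_urllib.py | 12 ++++++++++++
+Lib/urllib.py | 5 ++++-
+2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index 1ce9201c0693..e5f210e62a18 100644
+--- a/Lib/test/test_urllib.py
++++ b/Lib/test/test_urllib.py
+@@ -1023,6 +1023,18 @@ def open_spam(self, url):
+"spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
+"//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
+
++ def test_local_file_open(self):
++ class DummyURLopener(urllib.URLopener):
++ def open_local_file(self, url):
++ return url
++ self.assertEqual(DummyURLopener().open(
++ 'local-file://example'), '//example')
++ self.assertEqual(DummyURLopener().open(
++ 'local_file://example'), '//example')
++ self.assertRaises(IOError, urllib.urlopen,
++ 'local-file://example')
++ self.assertRaises(IOError, urllib.urlopen,
++ 'local_file://example')
+
+# Just commented them out.
+# Can't really tell why keep failing in windows and sparc.
+diff --git a/Lib/urllib.py b/Lib/urllib.py
+index d85504a5cb7e..a24e9a5c68fb 100644
+--- a/Lib/urllib.py
++++ b/Lib/urllib.py
+@@ -203,7 +203,10 @@ def open(self, fullurl, data=None):
+name = 'open_' + urltype
+self.type = urltype
+name = name.replace('-', '_')
+- if not hasattr(self, name):
++
++ # bpo-35907: # disallow the file reading with the type not allowed
++ if not hasattr(self, name) or \
++ (self == _urlopener and name == 'open_local_file'):
+if proxy:
+return self.open_unknown_proxy(proxy, fullurl, data)
+else: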
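Review bot: The guard added in the `Lib/urllib.py` hunk, `(self == _urlopener and name == 'open_local_file')`, closes the `local-file://` / `local_file://` dispatch only for the module-level opener, and the new `test_local_file_open` pins that remaining gap by asserting that `DummyURLopener().open('local-file://example')` still returns `'//example'` for a caller-constructed opener. The companion `bpo-35907-cve-2019-9948-fix.patch` in this same commit then rewrites both the guard and that assertion, so the recipe first applies a check and a test that the next patch reverts. Squashing the two into one patch, or carrying only the final submitted form, would leave a single self-consistent change to review and to refresh once the upstream pull request lands. The body of `URLopener.open` continues outside the quoted hunk.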
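--- /dev/null
+++ b/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636-fix.patch
@@ -0,0 +1,28 @@
+From 06b5ee585d6e76bdbb4002f642d864d860cbbd2b Mon Sep 17 00:00:00 2001
+From: Steve Dower <steve.dower@python.org>
+Date: Tue, 12 Mar 2019 08:23:33 -0700
+Subject: [PATCH] bpo-36216: Only print test messages when verbose
+
+CVE: CVE-2019-9636
+
+Upstream-Status: Backport https://github.com/python/cpython/pull/12291/commits/06b5ee585d6e76bdbb4002f642d864d860cbbd2b
+
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+Lib/test/test_urlparse.py | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 73b0228ea8e3..1830d0b28688 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -644,7 +644,8 @@ def test_urlsplit_normalization(self):
+for scheme in [u"http", u"https", u"ftp"]:
+for c in denorm_chars:
+url = u"{}://netloc{}false.netloc/path".format(scheme, c)
+- print "Checking %r" % url
++ if test_support.verbose:
++ print "Checking %r" % url
+with self.assertRaises(ValueError):
+urlparse.urlsplit(url)
+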
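--- /dev/null
+++ b/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636.patch
@@ -0,0 +1,111 @@
+From 3e3669c9c41a27e1466e2c28b3906e3dd0ce3e7e Mon Sep 17 00:00:00 2001
+From: Steve Dower <steve.dower@python.org>
+Date: Thu, 7 Mar 2019 08:25:22 -0800
+Subject: [PATCH] bpo-36216: Add check for characters in netloc that normalize
+to separators (GH-12201)
+
+CVE: CVE-2019-9636
+
+Upstream-Status: Backport https://github.com/python/cpython/pull/12216/commits/3e3669c9c41a27e1466e2c28b3906e3dd0ce3e7e
+
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+Doc/library/urlparse.rst | 20 ++++++++++++++++
+Lib/test/test_urlparse.py | 24 +++++++++++++++++++
+Lib/urlparse.py | 17 +++++++++++++
+.../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst | 3 +++
+4 files changed, 64 insertions(+)
+create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
+
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 4e1ded73c266..73b0228ea8e3 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -1,4 +1,6 @@
+from test import test_support
++import sys
++import unicodedata
+import unittest
+import urlparse
+
+@@ -624,6 +626,28 @@ def test_portseparator(self):
+self.assertEqual(urlparse.urlparse("http://www.python.org:80"),
+('http','www.python.org:80','','','',''))
+
++ def test_urlsplit_normalization(self):
++ # Certain characters should never occur in the netloc,
++ # including under normalization.
++ # Ensure that ALL of them are detected and cause an error
++ illegal_chars = u'/:#?@'
++ hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}
++ denorm_chars = [
++ c for c in map(unichr, range(128, sys.maxunicode))
++ if (hex_chars & set(unicodedata.decomposition(c).split()))
++ and c not in illegal_chars
++ ]
++ # Sanity check that we found at least one such character
++ self.assertIn(u'\u2100', denorm_chars)
++ self.assertIn(u'\uFF03', denorm_chars)
++
++ for scheme in [u"http", u"https", u"ftp"]:
++ for c in denorm_chars:
++ url = u"{}://netloc{}false.netloc/path".format(scheme, c)
++ print "Checking %r" % url
++ with self.assertRaises(ValueError):
++ urlparse.urlsplit(url)
++
+def test_main():
+test_support.run_unittest(UrlParseTestCase)
+
+diff --git a/Lib/urlparse.py b/Lib/urlparse.py
+index f7c2b032b097..54eda08651ab 100644
+--- a/Lib/urlparse.py
++++ b/Lib/urlparse.py
+@@ -165,6 +165,21 @@ def _splitnetloc(url, start=0):
+delim = min(delim, wdelim) # use earliest delim position
+return url[start:delim], url[delim:] # return (domain, rest)
+
++def _checknetloc(netloc):
++ if not netloc or not isinstance(netloc, unicode):
++ return
++ # looking for characters like \u2100 that expand to 'a/c'
++ # IDNA uses NFKC equivalence, so normalize for this check
++ import unicodedata
++ netloc2 = unicodedata.normalize('NFKC', netloc)
++ if netloc == netloc2:
++ return
++ _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
++ for c in '/?#@:':
++ if c in netloc2:
++ raise ValueError("netloc '" + netloc2 + "' contains invalid " +
++ "characters under NFKC normalization")
++
+def urlsplit(url, scheme='', allow_fragments=True):
+"""Parse a URL into 5 components:
+<scheme>://<netloc>/<path>?<query>#<fragment>
+@@ -193,6 +208,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+url, fragment = url.split('#', 1)
+if '?' in url:
+url, query = url.split('?', 1)
++ _checknetloc(netloc)
+v = SplitResult(scheme, netloc, url, query, fragment)
+_parse_cache[key] = v
+return v
+@@ -216,6 +232,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+url, fragment = url.split('#', 1)
+if '?' in url:
+url, query = url.split('?', 1)
++ _checknetloc(netloc)
+v = SplitResult(scheme, netloc, url, query, fragment)
+_parse_cache[key] = v
+return v
+diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
+new file mode 100644
+index 000000000000..1e1ad92c6feb
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
+@@ -0,0 +1,3 @@
++Changes urlsplit() to raise ValueError when the URL contains characters that
++decompose under IDNA encoding (NFKC-normalization) into characters that
++affect how the URL is parsed.
+\ No newline at end of file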
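Review bot: In the backported `_checknetloc` (the `Lib/urlparse.py` hunk of this patch file), `_, _, netloc = netloc.rpartition('@')` strips the userinfo from `netloc`, but the loop that follows tests `netloc2`, which was normalized from the unstripped string, so the rpartition has no effect and the `# anything to the left of '@' is okay` comment does not describe what runs. The consequence is that any netloc containing an NFKC-unstable character anywhere (a fullwidth letter in a password, say) is rejected because of a `:` or `@` that already sat in the userinfo or port before normalization, rather than only when normalization itself introduces a separator as the NEWS entry describes. A narrower form drops the pre-existing separators before normalizing and then looks for separators that normalization produced; as the header marks this Upstream-Status: Backport, that correction belongs in the upstream follow-up and a refreshed copy of this file rather than a local edit. Separately, the `isinstance(netloc, unicode)` early return leaves byte-string netlocs unchecked, which is consistent with NFKC being defined on text but worth stating in the patch header, and the diffstat lists `Doc/library/urlparse.rst` with 20 insertions although no hunk for it follows, so the stat block is stale relative to the body.
```python
def _checknetloc(netloc):
    if not netloc or not isinstance(netloc, unicode):
        return
    # looking for characters like \u2100 that expand to 'a/c'
    # IDNA uses NFKC equivalence, so normalize for this check
    import unicodedata
    # separators already present before normalization are legitimate
    # (userinfo '@', port ':'); remove them so only characters that
    # *become* separators under NFKC are reported
    stripped = netloc
    for c in '@:#?':
        stripped = stripped.replace(c, '')
    netloc2 = unicodedata.normalize('NFKC', stripped)
    if stripped == netloc2:
        return
    for c in '/?#@:':
        if c in netloc2:
            raise ValueError("netloc '" + netloc + "' contains invalid " +
                             "characters under NFKC normalization")
```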
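--- a/meta/recipes-devtools/python/python_2.7.16.bb
+++ b/meta/recipes-devtools/python/python_2.7.16.bb
@@ -30,7 +30,11 @@ SRC_URI += " \
 file://support_SOURCE_DATE_EPOCH_in_py_compile_2.7.patch \
 file://float-endian.patch \
 file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \
-"
+file://bpo-35907-cve-2019-9948.patch \
+file://bpo-35907-cve-2019-9948-fix.patch \
+file://bpo-36216-cve-2019-9636.patch \
+file://bpo-36216-cve-2019-9636-fix.patch \
+"
 
 S = "${WORKDIR}/Python-${PV}"
 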