diff options
author | Tim Orling <timothy.t.orling@intel.com> | 2021-06-15 19:34:38 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-07-02 07:44:59 +0100 |
commit | 8a0459c8bd507e3cf18abcf8c55b473609524e42 (patch) | |
tree | 70952471b2e04f538a009e7fbda4ec41a7e03ed6 /meta/recipes-devtools | |
parent | 2b16173faf6653bf9dadb1896dbef70f154c71bc (diff) | |
download | poky-8a0459c8bd507e3cf18abcf8c55b473609524e42.tar.gz |
python3: upgrade 3.8.4 -> 3.8.5
Release Date: July 20, 2020
Note: The release you're looking at is Python 3.8.5, a bugfix release for the
legacy 3.8 series. Python 3.9 is now the latest feature release series of
Python 3.
Drop patches fixed in 3.8.5:
- CVE-2019-20907
- CVE-2019-26116
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-20907
https://nvd.nist.gov/vuln/detail/CVE-2020-26116
https://www.python.org/downloads/release/python-385/
https://docs.python.org/release/3.8.5/whatsnew/changelog.html#changelog
(From OE-Core rev: c68cc11071cfa49d9d986bf7a9e6e1dfff514a39)
Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/python/python3/CVE-2019-20907.patch | 44 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python3/CVE-2020-26116.patch | 104 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python3_3.8.5.bb (renamed from meta/recipes-devtools/python/python3_3.8.4.bb) | 6 |
3 files changed, 2 insertions, 152 deletions
diff --git a/meta/recipes-devtools/python/python3/CVE-2019-20907.patch b/meta/recipes-devtools/python/python3/CVE-2019-20907.patch deleted file mode 100644 index a2e72372dd..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2019-20907.patch +++ /dev/null | |||
@@ -1,44 +0,0 @@ | |||
1 | From a06a6bf4e67a50561f6d6fb33534df1d3035ea34 Mon Sep 17 00:00:00 2001 | ||
2 | From: Rishi <rishi_devan@mail.com> | ||
3 | Date: Wed, 15 Jul 2020 13:51:00 +0200 | ||
4 | Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module | ||
5 | (GH-21454) | ||
6 | |||
7 | Avoid infinite loop when reading specially crafted TAR files using the tarfile module | ||
8 | (CVE-2019-20907). | ||
9 | (cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4) | ||
10 | |||
11 | Co-authored-by: Rishi <rishi_devan@mail.com> | ||
12 | |||
13 | Removed testing 'recursion.tar' tar file due to binary data | ||
14 | |||
15 | Upstream-Status: Backport [https://github.com/python/cpython/commit/c55479556db015f48fc8bbca17f64d3e65598559] | ||
16 | CVE: CVE-2019-20907 | ||
17 | Signed-off-by: Andrej Valek <andrej.valek@siemens.com> | ||
18 | --- | ||
19 | Lib/tarfile.py | 2 ++ | ||
20 | .../2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | 1 + | ||
21 | 4 files changed, 10 insertions(+) | ||
22 | create mode 100644 Lib/test/recursion.tar | ||
23 | create mode 100644 Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | ||
24 | |||
25 | diff --git a/Lib/tarfile.py b/Lib/tarfile.py | ||
26 | index d31b9cbb51d65..7a69e1b1aa544 100755 | ||
27 | --- a/Lib/tarfile.py | ||
28 | +++ b/Lib/tarfile.py | ||
29 | @@ -1241,6 +1241,8 @@ def _proc_pax(self, tarfile): | ||
30 | |||
31 | length, keyword = match.groups() | ||
32 | length = int(length) | ||
33 | + if length == 0: | ||
34 | + raise InvalidHeaderError("invalid header") | ||
35 | value = buf[match.end(2) + 1:match.start(1) + length - 1] | ||
36 | |||
37 | # Normally, we could just use "utf-8" as the encoding and "strict" | ||
38 | diff --git a/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | ||
39 | new file mode 100644 | ||
40 | index 0000000000000..ad26676f8b856 | ||
41 | --- /dev/null | ||
42 | +++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | ||
43 | @@ -0,0 +1 @@ | ||
44 | +Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907). | ||
diff --git a/meta/recipes-devtools/python/python3/CVE-2020-26116.patch b/meta/recipes-devtools/python/python3/CVE-2020-26116.patch deleted file mode 100644 index c019db2a76..0000000000 --- a/meta/recipes-devtools/python/python3/CVE-2020-26116.patch +++ /dev/null | |||
@@ -1,104 +0,0 @@ | |||
1 | From 668d321476d974c4f51476b33aaca870272523bf Mon Sep 17 00:00:00 2001 | ||
2 | From: "Miss Islington (bot)" | ||
3 | <31488909+miss-islington@users.noreply.github.com> | ||
4 | Date: Sat, 18 Jul 2020 13:39:12 -0700 | ||
5 | Subject: [PATCH] bpo-39603: Prevent header injection in http methods | ||
6 | (GH-18485) | ||
7 | |||
8 | reject control chars in http method in http.client.putrequest to prevent http header injection | ||
9 | (cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e) | ||
10 | |||
11 | Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com> | ||
12 | |||
13 | Upstream-Status: Backport [https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf] | ||
14 | CVE: CVE-2020-26116 | ||
15 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
16 | |||
17 | --- | ||
18 | Lib/http/client.py | 15 +++++++++++++ | ||
19 | Lib/test/test_httplib.py | 22 +++++++++++++++++++ | ||
20 | .../2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst | 2 ++ | ||
21 | 3 files changed, 39 insertions(+) | ||
22 | create mode 100644 Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst | ||
23 | |||
24 | diff --git a/Lib/http/client.py b/Lib/http/client.py | ||
25 | index 019380a720318..c2ad0471bfee5 100644 | ||
26 | --- a/Lib/http/client.py | ||
27 | +++ b/Lib/http/client.py | ||
28 | @@ -147,6 +147,10 @@ | ||
29 | # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$") | ||
30 | # We are more lenient for assumed real world compatibility purposes. | ||
31 | |||
32 | +# These characters are not allowed within HTTP method names | ||
33 | +# to prevent http header injection. | ||
34 | +_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]') | ||
35 | + | ||
36 | # We always set the Content-Length header for these methods because some | ||
37 | # servers will otherwise respond with a 411 | ||
38 | _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} | ||
39 | @@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False, | ||
40 | else: | ||
41 | raise CannotSendRequest(self.__state) | ||
42 | |||
43 | + self._validate_method(method) | ||
44 | + | ||
45 | # Save the method for use later in the response phase | ||
46 | self._method = method | ||
47 | |||
48 | @@ -1177,6 +1183,15 @@ def _encode_request(self, request): | ||
49 | # ASCII also helps prevent CVE-2019-9740. | ||
50 | return request.encode('ascii') | ||
51 | |||
52 | + def _validate_method(self, method): | ||
53 | + """Validate a method name for putrequest.""" | ||
54 | + # prevent http header injection | ||
55 | + match = _contains_disallowed_method_pchar_re.search(method) | ||
56 | + if match: | ||
57 | + raise ValueError( | ||
58 | + f"method can't contain control characters. {method!r} " | ||
59 | + f"(found at least {match.group()!r})") | ||
60 | + | ||
61 | def _validate_path(self, url): | ||
62 | """Validate a url for putrequest.""" | ||
63 | # Prevent CVE-2019-9740. | ||
64 | diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py | ||
65 | index 8f0e27a1fb836..5a5fcecbc9c15 100644 | ||
66 | --- a/Lib/test/test_httplib.py | ||
67 | +++ b/Lib/test/test_httplib.py | ||
68 | @@ -364,6 +364,28 @@ def test_headers_debuglevel(self): | ||
69 | self.assertEqual(lines[3], "header: Second: val2") | ||
70 | |||
71 | |||
72 | +class HttpMethodTests(TestCase): | ||
73 | + def test_invalid_method_names(self): | ||
74 | + methods = ( | ||
75 | + 'GET\r', | ||
76 | + 'POST\n', | ||
77 | + 'PUT\n\r', | ||
78 | + 'POST\nValue', | ||
79 | + 'POST\nHOST:abc', | ||
80 | + 'GET\nrHost:abc\n', | ||
81 | + 'POST\rRemainder:\r', | ||
82 | + 'GET\rHOST:\n', | ||
83 | + '\nPUT' | ||
84 | + ) | ||
85 | + | ||
86 | + for method in methods: | ||
87 | + with self.assertRaisesRegex( | ||
88 | + ValueError, "method can't contain control characters"): | ||
89 | + conn = client.HTTPConnection('example.com') | ||
90 | + conn.sock = FakeSocket(None) | ||
91 | + conn.request(method=method, url="/") | ||
92 | + | ||
93 | + | ||
94 | class TransferEncodingTest(TestCase): | ||
95 | expected_body = b"It's just a flesh wound" | ||
96 | |||
97 | diff --git a/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst | ||
98 | new file mode 100644 | ||
99 | index 0000000000000..990affc3edd9d | ||
100 | --- /dev/null | ||
101 | +++ b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst | ||
102 | @@ -0,0 +1,2 @@ | ||
103 | +Prevent http header injection by rejecting control characters in | ||
104 | +http.client.putrequest(...). | ||
diff --git a/meta/recipes-devtools/python/python3_3.8.4.bb b/meta/recipes-devtools/python/python3_3.8.5.bb index 438b3e5504..21b6be58f7 100644 --- a/meta/recipes-devtools/python/python3_3.8.4.bb +++ b/meta/recipes-devtools/python/python3_3.8.5.bb | |||
@@ -33,8 +33,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ | |||
33 | file://0001-configure.ac-fix-LIBPL.patch \ | 33 | file://0001-configure.ac-fix-LIBPL.patch \ |
34 | file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \ | 34 | file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \ |
35 | file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \ | 35 | file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \ |
36 | file://CVE-2019-20907.patch \ | ||
37 | file://CVE-2020-26116.patch \ | ||
38 | file://CVE-2020-27619.patch \ | 36 | file://CVE-2020-27619.patch \ |
39 | file://CVE-2021-3177.patch \ | 37 | file://CVE-2021-3177.patch \ |
40 | " | 38 | " |
@@ -45,8 +43,8 @@ SRC_URI_append_class-native = " \ | |||
45 | file://0001-Don-t-search-system-for-headers-libraries.patch \ | 43 | file://0001-Don-t-search-system-for-headers-libraries.patch \ |
46 | " | 44 | " |
47 | 45 | ||
48 | SRC_URI[md5sum] = "e16df33cd7b58702e57e137f8f5d13e7" | 46 | SRC_URI[md5sum] = "35b5a3d0254c1c59be9736373d429db7" |
49 | SRC_URI[sha256sum] = "5f41968a95afe9bc12192d7e6861aab31e80a46c46fa59d3d837def6a4cd4d37" | 47 | SRC_URI[sha256sum] = "e3003ed57db17e617acb382b0cade29a248c6026b1bd8aad1f976e9af66a83b0" |
50 | 48 | ||
51 | # exclude pre-releases for both python 2.x and 3.x | 49 | # exclude pre-releases for both python 2.x and 3.x |
52 | UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" | 50 | UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" |