summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools
diff options
context:
space:
mode:
authorChen Qi <Qi.Chen@windriver.com>2019-10-09 16:36:40 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-10-29 09:08:17 +0000
commit93a2a3c64aa3619506025cacfbaa7279ff233982 (patch)
tree9cebf0a9460bd44748f5f591a7d5c3a258c6cf23 /meta/recipes-devtools
parent6da99970569710bbb38aa63fb961af1549678e8d (diff)
downloadpoky-93a2a3c64aa3619506025cacfbaa7279ff233982.tar.gz
python: CVE-2019-16056
(From OE-Core rev: 27be9cf71a6fe906a23e81b56f1cc18a6fc9ef97) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r--meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch90
-rw-r--r--meta/recipes-devtools/python/python_2.7.16.bb1
2 files changed, 91 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch b/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch
new file mode 100644
index 0000000000..5415472a35
--- /dev/null
+++ b/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch
@@ -0,0 +1,90 @@
1From 532ed09c5454bb789a301bb6f1339a0818255610 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?= <roberto@connexer.com>
3Date: Sat, 14 Sep 2019 13:26:38 -0400
4Subject: [PATCH] [2.7] bpo-34155: Dont parse domains containing @ (GH-13079)
5 (GH-16006)
6
7This change skips parsing of email addresses where domains include a "@" character, which can be maliciously used since the local part is returned as a complete address.
8
9(cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9)
10
11Excludes changes to Lib/email/_header_value_parser.py, which did not
12exist in 2.7.
13
14Co-authored-by: jpic <jpic@users.noreply.github.com>
15
16https://bugs.python.org/issue34155
17
18Upstream-Status: Backport [https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9]
19
20CVE: CVE-2019-16056
21
22Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
23---
24 Lib/email/_parseaddr.py | 11 ++++++++++-
25 Lib/email/test/test_email.py | 14 ++++++++++++++
26 .../2019-05-04-13-33-37.bpo-34155.MJll68.rst | 1 +
27 3 files changed, 25 insertions(+), 1 deletion(-)
28 create mode 100644 Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
29
30diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py
31index 690db2c22d..dc49d2e45a 100644
32--- a/Lib/email/_parseaddr.py
33+++ b/Lib/email/_parseaddr.py
34@@ -336,7 +336,12 @@ class AddrlistClass:
35 aslist.append('@')
36 self.pos += 1
37 self.gotonext()
38- return EMPTYSTRING.join(aslist) + self.getdomain()
39+ domain = self.getdomain()
40+ if not domain:
41+ # Invalid domain, return an empty address instead of returning a
42+ # local part to denote failed parsing.
43+ return EMPTYSTRING
44+ return EMPTYSTRING.join(aslist) + domain
45
46 def getdomain(self):
47 """Get the complete domain name from an address."""
48@@ -351,6 +356,10 @@ class AddrlistClass:
49 elif self.field[self.pos] == '.':
50 self.pos += 1
51 sdlist.append('.')
52+ elif self.field[self.pos] == '@':
53+ # bpo-34155: Don't parse domains with two `@` like
54+ # `a@malicious.org@important.com`.
55+ return EMPTYSTRING
56 elif self.field[self.pos] in self.atomends:
57 break
58 else:
59diff --git a/Lib/email/test/test_email.py b/Lib/email/test/test_email.py
60index 4b4dee3d34..2efe44ac5a 100644
61--- a/Lib/email/test/test_email.py
62+++ b/Lib/email/test/test_email.py
63@@ -2306,6 +2306,20 @@ class TestMiscellaneous(TestEmailBase):
64 self.assertEqual(Utils.parseaddr('<>'), ('', ''))
65 self.assertEqual(Utils.formataddr(Utils.parseaddr('<>')), '')
66
67+ def test_parseaddr_multiple_domains(self):
68+ self.assertEqual(
69+ Utils.parseaddr('a@b@c'),
70+ ('', '')
71+ )
72+ self.assertEqual(
73+ Utils.parseaddr('a@b.c@c'),
74+ ('', '')
75+ )
76+ self.assertEqual(
77+ Utils.parseaddr('a@172.17.0.1@c'),
78+ ('', '')
79+ )
80+
81 def test_noquote_dump(self):
82 self.assertEqual(
83 Utils.formataddr(('A Silly Person', 'person@dom.ain')),
84diff --git a/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
85new file mode 100644
86index 0000000000..50292e29ed
87--- /dev/null
88+++ b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
89@@ -0,0 +1 @@
90+Fix parsing of invalid email addresses with more than one ``@`` (e.g. a@b@c.com.) to not return the part before 2nd ``@`` as valid email address. Patch by maxking & jpic.
diff --git a/meta/recipes-devtools/python/python_2.7.16.bb b/meta/recipes-devtools/python/python_2.7.16.bb
index 5b856a5097..aec877825e 100644
--- a/meta/recipes-devtools/python/python_2.7.16.bb
+++ b/meta/recipes-devtools/python/python_2.7.16.bb
@@ -30,6 +30,7 @@ SRC_URI += " \
30 file://support_SOURCE_DATE_EPOCH_in_py_compile_2.7.patch \ 30 file://support_SOURCE_DATE_EPOCH_in_py_compile_2.7.patch \
31 file://float-endian.patch \ 31 file://float-endian.patch \
32 file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \ 32 file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \
33 file://0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \
33" 34"
34 35
35S = "${WORKDIR}/Python-${PV}" 36S = "${WORKDIR}/Python-${PV}"