python3: Fix CVE-2022-37460

Apply patch created after the release of 3.11.0. (From OE-Core rev: 1a8836ed324f3f9abb2eabe357ffe2e05124857e) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Joe Slater <joe.slater@windriver.com> 2022-11-18 09:35:26 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-11-22 12:26:45 +0000
commit: 2f92cccb74bdb1dff46195c0a7ddf5cd67934395 (patch)
tree: 4de7643cc622c837ab119b8c067489f216365f0b /meta/recipes-devtools
parent: 1be02b42d939d77fae460667088277660a77188a (diff)
download: poky-2f92cccb74bdb1dff46195c0a7ddf5cd67934395.tar.gz
2 files changed, 96 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3/cve-2022-37460.patch b/meta/recipes-devtools/python/python3/cve-2022-37460.patch
new file mode 100644
index 0000000000..12177684fd
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/cve-2022-37460.patch
@@ -0,0 +1,95 @@
+From 94582bb643f98bc58b1ff206d1d2a56f97c3a7e5 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Wed, 28 Sep 2022 16:46:11 -0700
+Subject: [PATCH] gh-97612: Fix shell injection in get-remote-certificate.py
+ (GH-97613)
+Fix a shell code injection vulnerability in the
+get-remote-certificate.py example script. The script no longer uses a
+shell to run "openssl" commands. Issue reported and initial fix by
+Caleb Shortt.
+Remove the Windows code path to send "quit" on stdin to the "openssl
+s_client" command: use DEVNULL on all platforms instead.
+Co-authored-by: Caleb Shortt <caleb@rgauge.com>
+(cherry picked from commit 83a0f44ffd8b398673ae56c310cf5768d359c341)
+Co-authored-by: Victor Stinner <vstinner@python.org>
+---
+CVE: CVE-2022-37460
+Upstream-Status: Backport [https://github.com/python/cpython.git]
+                          [commit 94582bb643... unmodified]
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+ ...2-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst |  3 +++
+ Tools/scripts/get-remote-certificate.py       | 25 ++++++-------------
+ 2 files changed, 10 insertions(+), 18 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst
+diff --git a/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst b/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst
+new file mode 100644
+index 0000000000..2f113492d4
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst
+@@ -0,0 +1,3 @@
+Fix a shell code injection vulnerability in the ``get-remote-certificate.py``
+example script. The script no longer uses a shell to run ``openssl`` commands.
+Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.
+diff --git a/Tools/scripts/get-remote-certificate.py b/Tools/scripts/get-remote-certificate.py
+index 38901286e1..68272fca83 100755
+--- a/Tools/scripts/get-remote-certificate.py
+++ b/Tools/scripts/get-remote-certificate.py
+@@ -15,8 +15,8 @@
+ def fetch_server_certificate (host, port):
+ 
+     def subproc(cmd):
+-        from subprocess import Popen, PIPE, STDOUT
+-        proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, shell=True)
+        from subprocess import Popen, PIPE, STDOUT, DEVNULL
+        proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, stdin=DEVNULL)
+         status = proc.wait()
+         output = proc.stdout.read()
+         return status, output
+@@ -33,8 +33,8 @@ def strip_to_x509_cert(certfile_contents, outfile=None):
+                 fp.write(m.group(1) + b"\n")
+             try:
+                 tn2 = (outfile or tempfile.mktemp())
+-                status, output = subproc(r'openssl x509 -in "%s" -out "%s"' %
+-                                         (tn, tn2))
+                cmd = ['openssl', 'x509', '-in', tn, '-out', tn2]
+                status, output = subproc(cmd)
+                 if status != 0:
+                     raise RuntimeError('OpenSSL x509 failed with status %s and '
+                                        'output: %r' % (status, output))
+@@ -45,20 +45,9 @@ def strip_to_x509_cert(certfile_contents, outfile=None):
+             finally:
+                 os.unlink(tn)
+ 
+-    if sys.platform.startswith("win"):
+-        tfile = tempfile.mktemp()
+-        with open(tfile, "w") as fp:
+-            fp.write("quit\n")
+-        try:
+-            status, output = subproc(
+-                'openssl s_client -connect "%s:%s" -showcerts < "%s"' %
+-                (host, port, tfile))
+-        finally:
+-            os.unlink(tfile)
+-    else:
+-        status, output = subproc(
+-            'openssl s_client -connect "%s:%s" -showcerts < /dev/null' %
+-            (host, port))
+    cmd = ['openssl', 's_client', '-connect', '%s:%s' % (host, port), '-showcerts']
+    status, output = subproc(cmd)
+
+     if status != 0:
+         raise RuntimeError('OpenSSL connect failed with status %s and '
+                            'output: %r' % (status, output))
+-- 
+2.38.1
diff --git a/meta/recipes-devtools/python/python3_3.11.0.bb b/meta/recipes-devtools/python/python3_3.11.0.bb
index 92a1f69320..93628c76ff 100644
--- a/meta/recipes-devtools/python/python3_3.11.0.bb
+++ b/meta/recipes-devtools/python/python3_3.11.0.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
           file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \
           file://deterministic_imports.patch \
           file://0001-Avoid-shebang-overflow-on-python-config.py.patch \
+           file://cve-2022-37460.patch \
           "
 SRC_URI:append:class-native = " \
author	Joe Slater <joe.slater@windriver.com>	2022-11-18 09:35:26 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-11-22 12:26:45 +0000
commit	2f92cccb74bdb1dff46195c0a7ddf5cd67934395 (patch)
tree	4de7643cc622c837ab119b8c067489f216365f0b /meta/recipes-devtools
parent	1be02b42d939d77fae460667088277660a77188a (diff)
download	poky-2f92cccb74bdb1dff46195c0a7ddf5cd67934395.tar.gz

diff --git a/meta/recipes-devtools/python/python3/cve-2022-37460.patch b/meta/recipes-devtools/python/python3/cve-2022-37460.patch new file mode 100644 index 0000000000..12177684fd --- /dev/null +++ b/meta/recipes-devtools/python/python3/cve-2022-37460.patch
@@ -0,0 +1,95 @@
		1	From 94582bb643f98bc58b1ff206d1d2a56f97c3a7e5 Mon Sep 17 00:00:00 2001
		2	From: "Miss Islington (bot)"
		3	<31488909+miss-islington@users.noreply.github.com>
		4	Date: Wed, 28 Sep 2022 16:46:11 -0700
		5	Subject: [PATCH] gh-97612: Fix shell injection in get-remote-certificate.py
		6	(GH-97613)
		7
		8	Fix a shell code injection vulnerability in the
		9	get-remote-certificate.py example script. The script no longer uses a
		10	shell to run "openssl" commands. Issue reported and initial fix by
		11	Caleb Shortt.
		12
		13	Remove the Windows code path to send "quit" on stdin to the "openssl
		14	s_client" command: use DEVNULL on all platforms instead.
		15
		16	Co-authored-by: Caleb Shortt <caleb@rgauge.com>
		17	(cherry picked from commit 83a0f44ffd8b398673ae56c310cf5768d359c341)
		18
		19	Co-authored-by: Victor Stinner <vstinner@python.org>
		20	---
		21	CVE: CVE-2022-37460
		22
		23	Upstream-Status: Backport [https://github.com/python/cpython.git]
		24	[commit 94582bb643... unmodified]
		25
		26	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		27
		28	---
		29	...2-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst \| 3 +++
		30	Tools/scripts/get-remote-certificate.py \| 25 ++++++-------------
		31	2 files changed, 10 insertions(+), 18 deletions(-)
		32	create mode 100644 Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst
		33
		34	diff --git a/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst b/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst
		35	new file mode 100644
		36	index 0000000000..2f113492d4
		37	--- /dev/null
		38	+++ b/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst
		39	@@ -0,0 +1,3 @@
		40	+Fix a shell code injection vulnerability in the ``get-remote-certificate.py``
		41	+example script. The script no longer uses a shell to run ``openssl`` commands.
		42	+Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.
		43	diff --git a/Tools/scripts/get-remote-certificate.py b/Tools/scripts/get-remote-certificate.py
		44	index 38901286e1..68272fca83 100755
		45	--- a/Tools/scripts/get-remote-certificate.py
		46	+++ b/Tools/scripts/get-remote-certificate.py
		47	@@ -15,8 +15,8 @@
		48	def fetch_server_certificate (host, port):
		49
		50	def subproc(cmd):
		51	- from subprocess import Popen, PIPE, STDOUT
		52	- proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, shell=True)
		53	+ from subprocess import Popen, PIPE, STDOUT, DEVNULL
		54	+ proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, stdin=DEVNULL)
		55	status = proc.wait()
		56	output = proc.stdout.read()
		57	return status, output
		58	@@ -33,8 +33,8 @@ def strip_to_x509_cert(certfile_contents, outfile=None):
		59	fp.write(m.group(1) + b"\n")
		60	try:
		61	tn2 = (outfile or tempfile.mktemp())
		62	- status, output = subproc(r'openssl x509 -in "%s" -out "%s"' %
		63	- (tn, tn2))
		64	+ cmd = ['openssl', 'x509', '-in', tn, '-out', tn2]
		65	+ status, output = subproc(cmd)
		66	if status != 0:
		67	raise RuntimeError('OpenSSL x509 failed with status %s and '
		68	'output: %r' % (status, output))
		69	@@ -45,20 +45,9 @@ def strip_to_x509_cert(certfile_contents, outfile=None):
		70	finally:
		71	os.unlink(tn)
		72
		73	- if sys.platform.startswith("win"):
		74	- tfile = tempfile.mktemp()
		75	- with open(tfile, "w") as fp:
		76	- fp.write("quit\n")
		77	- try:
		78	- status, output = subproc(
		79	- 'openssl s_client -connect "%s:%s" -showcerts < "%s"' %
		80	- (host, port, tfile))
		81	- finally:
		82	- os.unlink(tfile)
		83	- else:
		84	- status, output = subproc(
		85	- 'openssl s_client -connect "%s:%s" -showcerts < /dev/null' %
		86	- (host, port))
		87	+ cmd = ['openssl', 's_client', '-connect', '%s:%s' % (host, port), '-showcerts']
		88	+ status, output = subproc(cmd)
		89	+
		90	if status != 0:
		91	raise RuntimeError('OpenSSL connect failed with status %s and '
		92	'output: %r' % (status, output))
		93	--
		94	2.38.1
		95


diff --git a/meta/recipes-devtools/python/python3_3.11.0.bb b/meta/recipes-devtools/python/python3_3.11.0.bb index 92a1f69320..93628c76ff 100644 --- a/meta/recipes-devtools/python/python3_3.11.0.bb +++ b/meta/recipes-devtools/python/python3_3.11.0.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
34	file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \	34	file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \
35	file://deterministic_imports.patch \	35	file://deterministic_imports.patch \
36	file://0001-Avoid-shebang-overflow-on-python-config.py.patch \	36	file://0001-Avoid-shebang-overflow-on-python-config.py.patch \
		37	file://cve-2022-37460.patch \
37	"	38	"
38		39
39	SRC_URI:append:class-native = " \	40	SRC_URI:append:class-native = " \