diff options
-rw-r--r-- | meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch | 248 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch | 8 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch | 2 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch | 2 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python3_3.8.3.bb (renamed from meta/recipes-devtools/python/python3_3.8.2.bb) | 5 |
5 files changed, 7 insertions, 258 deletions
diff --git a/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch b/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch deleted file mode 100644 index e16b99bcb9..0000000000 --- a/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch +++ /dev/null | |||
@@ -1,248 +0,0 @@ | |||
1 | From 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Victor Stinner <vstinner@python.org> | ||
3 | Date: Thu, 2 Apr 2020 02:52:20 +0200 | ||
4 | Subject: [PATCH] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler | ||
5 | (GH-18284) | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | (https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4) | ||
9 | |||
10 | CVE: CVE-2020-8492 | ||
11 | |||
12 | The AbstractBasicAuthHandler class of the urllib.request module uses | ||
13 | an inefficient regular expression which can be exploited by an | ||
14 | attacker to cause a denial of service. Fix the regex to prevent the | ||
15 | catastrophic backtracking. Vulnerability reported by Ben Caller | ||
16 | and Matt Schwager. | ||
17 | |||
18 | AbstractBasicAuthHandler of urllib.request now parses all | ||
19 | WWW-Authenticate HTTP headers and accepts multiple challenges per | ||
20 | header: use the realm of the first Basic challenge. | ||
21 | |||
22 | Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com> | ||
23 | Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> | ||
24 | --- | ||
25 | Lib/test/test_urllib2.py | 90 ++++++++++++------- | ||
26 | Lib/urllib/request.py | 69 ++++++++++---- | ||
27 | .../2020-03-25-16-02-16.bpo-39503.YmMbYn.rst | 3 + | ||
28 | .../2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 5 ++ | ||
29 | 4 files changed, 115 insertions(+), 52 deletions(-) | ||
30 | create mode 100644 Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst | ||
31 | create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | ||
32 | |||
33 | diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py | ||
34 | index 8abedaac98..e69ac3e213 100644 | ||
35 | --- a/Lib/test/test_urllib2.py | ||
36 | +++ b/Lib/test/test_urllib2.py | ||
37 | @@ -1446,40 +1446,64 @@ class HandlerTests(unittest.TestCase): | ||
38 | bypass = {'exclude_simple': True, 'exceptions': []} | ||
39 | self.assertTrue(_proxy_bypass_macosx_sysconf('test', bypass)) | ||
40 | |||
41 | - def test_basic_auth(self, quote_char='"'): | ||
42 | - opener = OpenerDirector() | ||
43 | - password_manager = MockPasswordManager() | ||
44 | - auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager) | ||
45 | - realm = "ACME Widget Store" | ||
46 | - http_handler = MockHTTPHandler( | ||
47 | - 401, 'WWW-Authenticate: Basic realm=%s%s%s\r\n\r\n' % | ||
48 | - (quote_char, realm, quote_char)) | ||
49 | - opener.add_handler(auth_handler) | ||
50 | - opener.add_handler(http_handler) | ||
51 | - self._test_basic_auth(opener, auth_handler, "Authorization", | ||
52 | - realm, http_handler, password_manager, | ||
53 | - "http://acme.example.com/protected", | ||
54 | - "http://acme.example.com/protected", | ||
55 | - ) | ||
56 | - | ||
57 | - def test_basic_auth_with_single_quoted_realm(self): | ||
58 | - self.test_basic_auth(quote_char="'") | ||
59 | - | ||
60 | - def test_basic_auth_with_unquoted_realm(self): | ||
61 | - opener = OpenerDirector() | ||
62 | - password_manager = MockPasswordManager() | ||
63 | - auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager) | ||
64 | - realm = "ACME Widget Store" | ||
65 | - http_handler = MockHTTPHandler( | ||
66 | - 401, 'WWW-Authenticate: Basic realm=%s\r\n\r\n' % realm) | ||
67 | - opener.add_handler(auth_handler) | ||
68 | - opener.add_handler(http_handler) | ||
69 | - with self.assertWarns(UserWarning): | ||
70 | + def check_basic_auth(self, headers, realm): | ||
71 | + with self.subTest(realm=realm, headers=headers): | ||
72 | + opener = OpenerDirector() | ||
73 | + password_manager = MockPasswordManager() | ||
74 | + auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager) | ||
75 | + body = '\r\n'.join(headers) + '\r\n\r\n' | ||
76 | + http_handler = MockHTTPHandler(401, body) | ||
77 | + opener.add_handler(auth_handler) | ||
78 | + opener.add_handler(http_handler) | ||
79 | self._test_basic_auth(opener, auth_handler, "Authorization", | ||
80 | - realm, http_handler, password_manager, | ||
81 | - "http://acme.example.com/protected", | ||
82 | - "http://acme.example.com/protected", | ||
83 | - ) | ||
84 | + realm, http_handler, password_manager, | ||
85 | + "http://acme.example.com/protected", | ||
86 | + "http://acme.example.com/protected") | ||
87 | + | ||
88 | + def test_basic_auth(self): | ||
89 | + realm = "realm2@example.com" | ||
90 | + realm2 = "realm2@example.com" | ||
91 | + basic = f'Basic realm="{realm}"' | ||
92 | + basic2 = f'Basic realm="{realm2}"' | ||
93 | + other_no_realm = 'Otherscheme xxx' | ||
94 | + digest = (f'Digest realm="{realm2}", ' | ||
95 | + f'qop="auth, auth-int", ' | ||
96 | + f'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", ' | ||
97 | + f'opaque="5ccc069c403ebaf9f0171e9517f40e41"') | ||
98 | + for realm_str in ( | ||
99 | + # test "quote" and 'quote' | ||
100 | + f'Basic realm="{realm}"', | ||
101 | + f"Basic realm='{realm}'", | ||
102 | + | ||
103 | + # charset is ignored | ||
104 | + f'Basic realm="{realm}", charset="UTF-8"', | ||
105 | + | ||
106 | + # Multiple challenges per header | ||
107 | + f'{basic}, {basic2}', | ||
108 | + f'{basic}, {other_no_realm}', | ||
109 | + f'{other_no_realm}, {basic}', | ||
110 | + f'{basic}, {digest}', | ||
111 | + f'{digest}, {basic}', | ||
112 | + ): | ||
113 | + headers = [f'WWW-Authenticate: {realm_str}'] | ||
114 | + self.check_basic_auth(headers, realm) | ||
115 | + | ||
116 | + # no quote: expect a warning | ||
117 | + with support.check_warnings(("Basic Auth Realm was unquoted", | ||
118 | + UserWarning)): | ||
119 | + headers = [f'WWW-Authenticate: Basic realm={realm}'] | ||
120 | + self.check_basic_auth(headers, realm) | ||
121 | + | ||
122 | + # Multiple headers: one challenge per header. | ||
123 | + # Use the first Basic realm. | ||
124 | + for challenges in ( | ||
125 | + [basic, basic2], | ||
126 | + [basic, digest], | ||
127 | + [digest, basic], | ||
128 | + ): | ||
129 | + headers = [f'WWW-Authenticate: {challenge}' | ||
130 | + for challenge in challenges] | ||
131 | + self.check_basic_auth(headers, realm) | ||
132 | |||
133 | def test_proxy_basic_auth(self): | ||
134 | opener = OpenerDirector() | ||
135 | diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py | ||
136 | index 7fe50535da..2a3d71554f 100644 | ||
137 | --- a/Lib/urllib/request.py | ||
138 | +++ b/Lib/urllib/request.py | ||
139 | @@ -937,8 +937,15 @@ class AbstractBasicAuthHandler: | ||
140 | |||
141 | # allow for double- and single-quoted realm values | ||
142 | # (single quotes are a violation of the RFC, but appear in the wild) | ||
143 | - rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+' | ||
144 | - 'realm=(["\']?)([^"\']*)\\2', re.I) | ||
145 | + rx = re.compile('(?:^|,)' # start of the string or ',' | ||
146 | + '[ \t]*' # optional whitespaces | ||
147 | + '([^ \t]+)' # scheme like "Basic" | ||
148 | + '[ \t]+' # mandatory whitespaces | ||
149 | + # realm=xxx | ||
150 | + # realm='xxx' | ||
151 | + # realm="xxx" | ||
152 | + 'realm=(["\']?)([^"\']*)\\2', | ||
153 | + re.I) | ||
154 | |||
155 | # XXX could pre-emptively send auth info already accepted (RFC 2617, | ||
156 | # end of section 2, and section 1.2 immediately after "credentials" | ||
157 | @@ -950,27 +957,51 @@ class AbstractBasicAuthHandler: | ||
158 | self.passwd = password_mgr | ||
159 | self.add_password = self.passwd.add_password | ||
160 | |||
161 | + def _parse_realm(self, header): | ||
162 | + # parse WWW-Authenticate header: accept multiple challenges per header | ||
163 | + found_challenge = False | ||
164 | + for mo in AbstractBasicAuthHandler.rx.finditer(header): | ||
165 | + scheme, quote, realm = mo.groups() | ||
166 | + if quote not in ['"', "'"]: | ||
167 | + warnings.warn("Basic Auth Realm was unquoted", | ||
168 | + UserWarning, 3) | ||
169 | + | ||
170 | + yield (scheme, realm) | ||
171 | + | ||
172 | + found_challenge = True | ||
173 | + | ||
174 | + if not found_challenge: | ||
175 | + if header: | ||
176 | + scheme = header.split()[0] | ||
177 | + else: | ||
178 | + scheme = '' | ||
179 | + yield (scheme, None) | ||
180 | + | ||
181 | def http_error_auth_reqed(self, authreq, host, req, headers): | ||
182 | # host may be an authority (without userinfo) or a URL with an | ||
183 | # authority | ||
184 | - # XXX could be multiple headers | ||
185 | - authreq = headers.get(authreq, None) | ||
186 | + headers = headers.get_all(authreq) | ||
187 | + if not headers: | ||
188 | + # no header found | ||
189 | + return | ||
190 | |||
191 | - if authreq: | ||
192 | - scheme = authreq.split()[0] | ||
193 | - if scheme.lower() != 'basic': | ||
194 | - raise ValueError("AbstractBasicAuthHandler does not" | ||
195 | - " support the following scheme: '%s'" % | ||
196 | - scheme) | ||
197 | - else: | ||
198 | - mo = AbstractBasicAuthHandler.rx.search(authreq) | ||
199 | - if mo: | ||
200 | - scheme, quote, realm = mo.groups() | ||
201 | - if quote not in ['"',"'"]: | ||
202 | - warnings.warn("Basic Auth Realm was unquoted", | ||
203 | - UserWarning, 2) | ||
204 | - if scheme.lower() == 'basic': | ||
205 | - return self.retry_http_basic_auth(host, req, realm) | ||
206 | + unsupported = None | ||
207 | + for header in headers: | ||
208 | + for scheme, realm in self._parse_realm(header): | ||
209 | + if scheme.lower() != 'basic': | ||
210 | + unsupported = scheme | ||
211 | + continue | ||
212 | + | ||
213 | + if realm is not None: | ||
214 | + # Use the first matching Basic challenge. | ||
215 | + # Ignore following challenges even if they use the Basic | ||
216 | + # scheme. | ||
217 | + return self.retry_http_basic_auth(host, req, realm) | ||
218 | + | ||
219 | + if unsupported is not None: | ||
220 | + raise ValueError("AbstractBasicAuthHandler does not " | ||
221 | + "support the following scheme: %r" | ||
222 | + % (scheme,)) | ||
223 | |||
224 | def retry_http_basic_auth(self, host, req, realm): | ||
225 | user, pw = self.passwd.find_user_password(realm, host) | ||
226 | diff --git a/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst | ||
227 | new file mode 100644 | ||
228 | index 0000000000..be80ce79d9 | ||
229 | --- /dev/null | ||
230 | +++ b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst | ||
231 | @@ -0,0 +1,3 @@ | ||
232 | +:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request` | ||
233 | +now parses all WWW-Authenticate HTTP headers and accepts multiple challenges | ||
234 | +per header: use the realm of the first Basic challenge. | ||
235 | diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | ||
236 | new file mode 100644 | ||
237 | index 0000000000..9f2800581c | ||
238 | --- /dev/null | ||
239 | +++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | ||
240 | @@ -0,0 +1,5 @@ | ||
241 | +CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the | ||
242 | +:mod:`urllib.request` module uses an inefficient regular expression which can | ||
243 | +be exploited by an attacker to cause a denial of service. Fix the regex to | ||
244 | +prevent the catastrophic backtracking. Vulnerability reported by Ben Caller | ||
245 | +and Matt Schwager. | ||
246 | -- | ||
247 | 2.24.1 | ||
248 | |||
diff --git a/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch b/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch index acf8e1e9b5..3e471b9a49 100644 --- a/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch +++ b/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch | |||
@@ -1,16 +1,17 @@ | |||
1 | From 85e8f86ad2b7dec0848cd55b8e810a5e2722b20a Mon Sep 17 00:00:00 2001 | 1 | From b880e78bf4a1852e260188e6df3ec6034403d2fc Mon Sep 17 00:00:00 2001 |
2 | From: Jeremy Puhlman <jpuhlman@mvista.com> | 2 | From: Jeremy Puhlman <jpuhlman@mvista.com> |
3 | Date: Wed, 4 Mar 2020 00:06:42 +0000 | 3 | Date: Wed, 4 Mar 2020 00:06:42 +0000 |
4 | Subject: [PATCH] Don't search system for headers/libraries | 4 | Subject: [PATCH] Don't search system for headers/libraries |
5 | 5 | ||
6 | Upstream-Status: Inappropriate [oe-core specific] | 6 | Upstream-Status: Inappropriate [oe-core specific] |
7 | Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com> | 7 | Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com> |
8 | |||
8 | --- | 9 | --- |
9 | setup.py | 4 ++-- | 10 | setup.py | 4 ++-- |
10 | 1 file changed, 2 insertions(+), 2 deletions(-) | 11 | 1 file changed, 2 insertions(+), 2 deletions(-) |
11 | 12 | ||
12 | diff --git a/setup.py b/setup.py | 13 | diff --git a/setup.py b/setup.py |
13 | index 9da1b3a..59782c0 100644 | 14 | index 7208cd0..c0bd0ad 100644 |
14 | --- a/setup.py | 15 | --- a/setup.py |
15 | +++ b/setup.py | 16 | +++ b/setup.py |
16 | @@ -674,8 +674,8 @@ class PyBuildExt(build_ext): | 17 | @@ -674,8 +674,8 @@ class PyBuildExt(build_ext): |
@@ -24,6 +25,3 @@ index 9da1b3a..59782c0 100644 | |||
24 | # lib_dirs and inc_dirs are used to search for files; | 25 | # lib_dirs and inc_dirs are used to search for files; |
25 | # if a file is found in one of those directories, it can | 26 | # if a file is found in one of those directories, it can |
26 | # be assumed that no additional -I,-L directives are needed. | 27 | # be assumed that no additional -I,-L directives are needed. |
27 | -- | ||
28 | 2.24.1 | ||
29 | |||
diff --git a/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch b/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch index e7af3c6f5c..2b68c0acc2 100644 --- a/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch +++ b/meta/recipes-devtools/python/python3/0001-distutils-sysconfig-append-STAGING_LIBDIR-python-sys.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 7ada9c749f6beb51c13a3debc850755e911548a6 Mon Sep 17 00:00:00 2001 | 1 | From bc59d49efff41051034d7fbf5d0c8505e4c3134b Mon Sep 17 00:00:00 2001 |
2 | From: Alexander Kanavin <alex.kanavin@gmail.com> | 2 | From: Alexander Kanavin <alex.kanavin@gmail.com> |
3 | Date: Thu, 31 Jan 2019 16:46:30 +0100 | 3 | Date: Thu, 31 Jan 2019 16:46:30 +0100 |
4 | Subject: [PATCH] distutils/sysconfig: append | 4 | Subject: [PATCH] distutils/sysconfig: append |
diff --git a/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch b/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch index 61ac3e71dc..820fb98ed8 100644 --- a/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch +++ b/meta/recipes-devtools/python/python3/12-distutils-prefix-is-inside-staging-area.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 251347fc970a397a9cd63ed3f87c5e6c52e15187 Mon Sep 17 00:00:00 2001 | 1 | From 064187668fcbefdd39a8cde372bf651124c3e578 Mon Sep 17 00:00:00 2001 |
2 | From: Khem Raj <raj.khem@gmail.com> | 2 | From: Khem Raj <raj.khem@gmail.com> |
3 | Date: Tue, 14 May 2013 15:00:26 -0700 | 3 | Date: Tue, 14 May 2013 15:00:26 -0700 |
4 | Subject: [PATCH] python3: Add target and native recipes | 4 | Subject: [PATCH] python3: Add target and native recipes |
diff --git a/meta/recipes-devtools/python/python3_3.8.2.bb b/meta/recipes-devtools/python/python3_3.8.3.bb index 0474f07214..4367923b55 100644 --- a/meta/recipes-devtools/python/python3_3.8.2.bb +++ b/meta/recipes-devtools/python/python3_3.8.3.bb | |||
@@ -32,7 +32,6 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ | |||
32 | file://0001-configure.ac-fix-LIBPL.patch \ | 32 | file://0001-configure.ac-fix-LIBPL.patch \ |
33 | file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \ | 33 | file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \ |
34 | file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \ | 34 | file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \ |
35 | file://0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch \ | ||
36 | " | 35 | " |
37 | 36 | ||
38 | SRC_URI_append_class-native = " \ | 37 | SRC_URI_append_class-native = " \ |
@@ -41,8 +40,8 @@ SRC_URI_append_class-native = " \ | |||
41 | file://0001-Don-t-search-system-for-headers-libraries.patch \ | 40 | file://0001-Don-t-search-system-for-headers-libraries.patch \ |
42 | " | 41 | " |
43 | 42 | ||
44 | SRC_URI[md5sum] = "e9d6ebc92183a177b8e8a58cad5b8d67" | 43 | SRC_URI[md5sum] = "3000cf50aaa413052aef82fd2122ca78" |
45 | SRC_URI[sha256sum] = "2646e7dc233362f59714c6193017bb2d6f7b38d6ab4a0cb5fbac5c36c4d845df" | 44 | SRC_URI[sha256sum] = "dfab5ec723c218082fe3d5d7ae17ecbdebffa9a1aea4d64aa3a2ecdd2e795864" |
46 | 45 | ||
47 | # exclude pre-releases for both python 2.x and 3.x | 46 | # exclude pre-releases for both python 2.x and 3.x |
48 | UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" | 47 | UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" |