python3-zipp: fix CVE-2024-5569

A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp. References: https://nvd.nist.gov/vuln/detail/CVE-2024-5569 Upstream patches: https://github.com/jaraco/zipp/pull/120/commits/79a309fe54dc6b7934fb72e9f31bcb58f2e9f547 https://github.com/jaraco/zipp/pull/120/commits/564fcc10cdbfdaecdb33688e149827465931c9e0 https://github.com/jaraco/zipp/pull/120/commits/58115d2be968644ce71ce6bcc9b79826c82a1806 https://github.com/jaraco/zipp/pull/120/commits/c18417ed2953e181728a7dac07bff88a2190abf7 (From OE-Core rev: ec77cfe12f0790c7e3cf2d9bf00e47b4c653997c) Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Jiaying Song <jiaying.song.cn@windriver.com> 2024-11-22 17:21:49 +0800
committer: Steve Sakoman <steve@sakoman.com> 2024-12-06 05:50:24 -0800
commit: 6653eb6e900e9a2934b6c934f26555fe28c1a8d9 (patch)
tree: 18f59ba9792213b179f2cde58be6ae63f3dd4b06
parent: 1876097252d066a523ed8a3031322129f8f38498 (diff)
download: poky-6653eb6e900e9a2934b6c934f26555fe28c1a8d9.tar.gz
2 files changed, 139 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-zipp/CVE-2024-5569.patch b/meta/recipes-devtools/python/python3-zipp/CVE-2024-5569.patch
new file mode 100644
index 0000000000..1cc43243bf
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-zipp/CVE-2024-5569.patch
@@ -0,0 +1,138 @@
+From b1804347ec2db16452a7bff2b469d2c66776b904 Mon Sep 17 00:00:00 2001
+From: "Jason R. Coombs" <jaraco@jaraco.com>
+Date: Fri, 31 May 2024 11:20:57 -0400
+Subject: [PATCH] fix CVE-2024-5569
+The patch includes the following changes:
+c18417e Add news fragment.
+58115d2 Employ SanitizedNames in CompleteDirs. Fixes broken test.
+564fcc1 Add SanitizedNames mixin.
+79a309f Add some assertions about malformed paths.
+Upstream-Status: Backport
+[https://github.com/jaraco/zipp/pull/120/commits/79a309fe54dc6b7934fb72e9f31bcb58f2e9f547]
+[https://github.com/jaraco/zipp/pull/120/commits/564fcc10cdbfdaecdb33688e149827465931c9e0]
+[https://github.com/jaraco/zipp/pull/120/commits/58115d2be968644ce71ce6bcc9b79826c82a1806]
+[https://github.com/jaraco/zipp/pull/120/commits/c18417ed2953e181728a7dac07bff88a2190abf7]
+CVE: CVE-2024-5569
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ newsfragments/119.bugfix.rst |  1 +
+ tests/test_path.py           | 17 ++++++++++
+ zipp/__init__.py             | 64 +++++++++++++++++++++++++++++++++++-
+ 3 files changed, 81 insertions(+), 1 deletion(-)
+ create mode 100644 newsfragments/119.bugfix.rst
+diff --git a/newsfragments/119.bugfix.rst b/newsfragments/119.bugfix.rst
+new file mode 100644
+index 0000000..6c72e2d
+--- /dev/null
+++ b/newsfragments/119.bugfix.rst
+@@ -0,0 +1 @@
+Improved handling of malformed zip files.
+\ No newline at end of file
+diff --git a/tests/test_path.py b/tests/test_path.py
+index a77a5de..3752243 100644
+--- a/tests/test_path.py
+++ b/tests/test_path.py
+@@ -575,3 +575,20 @@ class TestPath(unittest.TestCase):
+         zipp.Path(alpharep)
+         with self.assertRaises(KeyError):
+             alpharep.getinfo('does-not-exist')
+    
+    def test_malformed_paths(self):
+        """
+        Path should handle malformed paths.
+        """
+        data = io.BytesIO()
+        zf = zipfile.ZipFile(data, "w")
+        zf.writestr("/one-slash.txt", b"content")
+        zf.writestr("//two-slash.txt", b"content")
+        zf.writestr("../parent.txt", b"content")
+        zf.filename = ''
+        root = zipfile.Path(zf)
+        assert list(map(str, root.iterdir())) == [
+            'one-slash.txt',
+            'two-slash.txt',
+            'parent.txt',
+        ]
+diff --git a/zipp/__init__.py b/zipp/__init__.py
+index becd010..e980e9b 100644
+--- a/zipp/__init__.py
+++ b/zipp/__init__.py
+@@ -84,7 +84,69 @@ class InitializedState:
+         super().__init__(*args, **kwargs)
+ 
+ 
+-class CompleteDirs(InitializedState, zipfile.ZipFile):
+class SanitizedNames:
+    """
+    ZipFile mix-in to ensure names are sanitized.
+    """
+
+    def namelist(self):
+        return list(map(self._sanitize, super().namelist()))
+
+    @staticmethod
+    def _sanitize(name):
+        r"""
+        Ensure a relative path with posix separators and no dot names.
+
+        Modeled after
+        https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
+        but provides consistent cross-platform behavior.
+
+        >>> san = SanitizedNames._sanitize
+        >>> san('/foo/bar')
+        'foo/bar'
+        >>> san('//foo.txt')
+        'foo.txt'
+        >>> san('foo/.././bar.txt')
+        'foo/bar.txt'
+        >>> san('foo../.bar.txt')
+        'foo../.bar.txt'
+        >>> san('\\foo\\bar.txt')
+        'foo/bar.txt'
+        >>> san('D:\\foo.txt')
+        'D/foo.txt'
+        >>> san('\\\\server\\share\\file.txt')
+        'server/share/file.txt'
+        >>> san('\\\\?\\GLOBALROOT\\Volume3')
+        '?/GLOBALROOT/Volume3'
+        >>> san('\\\\.\\PhysicalDrive1\\root')
+        'PhysicalDrive1/root'
+
+        Retain any trailing slash.
+        >>> san('abc/')
+        'abc/'
+
+        Raises a ValueError if the result is empty.
+        >>> san('../..')
+        Traceback (most recent call last):
+        ...
+        ValueError: Empty filename
+        """
+
+        def allowed(part):
+            return part and part not in {'..', '.'}
+
+        # Remove the drive letter.
+        # Don't use ntpath.splitdrive, because that also strips UNC paths
+        bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
+        clean = bare.replace('\\', '/')
+        parts = clean.split('/')
+        joined = '/'.join(filter(allowed, parts))
+        if not joined:
+            raise ValueError("Empty filename")
+        return joined + '/' * name.endswith('/')
+
+
+class CompleteDirs(InitializedState, SanitizedNames, zipfile.ZipFile):
+     """
+     A ZipFile subclass that ensures that implied directories
+     are always included in the namelist.
+-- 
+2.25.1
diff --git a/meta/recipes-devtools/python/python3-zipp_3.17.0.bb b/meta/recipes-devtools/python/python3-zipp_3.17.0.bb
index e9e220e315..9f756887b5 100644
--- a/meta/recipes-devtools/python/python3-zipp_3.17.0.bb
+++ b/meta/recipes-devtools/python/python3-zipp_3.17.0.bb
@@ -3,6 +3,7 @@ HOMEPAGE = "https://github.com/jaraco/zipp"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=141643e11c48898150daa83802dbc65f"
+SRC_URI += "file://CVE-2024-5569.patch"
 SRC_URI[sha256sum] = "84e64a1c28cf7e91ed2078bb8cc8c259cb19b76942096c8d7b84947690cabaf0"
 DEPENDS += "python3-setuptools-scm-native"
author	Jiaying Song <jiaying.song.cn@windriver.com>	2024-11-22 17:21:49 +0800
committer	Steve Sakoman <steve@sakoman.com>	2024-12-06 05:50:24 -0800
commit	6653eb6e900e9a2934b6c934f26555fe28c1a8d9 (patch)
tree	18f59ba9792213b179f2cde58be6ae63f3dd4b06
parent	1876097252d066a523ed8a3031322129f8f38498 (diff)
download	poky-6653eb6e900e9a2934b6c934f26555fe28c1a8d9.tar.gz

diff --git a/meta/recipes-devtools/python/python3-zipp/CVE-2024-5569.patch b/meta/recipes-devtools/python/python3-zipp/CVE-2024-5569.patch new file mode 100644 index 0000000000..1cc43243bf --- /dev/null +++ b/meta/recipes-devtools/python/python3-zipp/CVE-2024-5569.patch
@@ -0,0 +1,138 @@
		1	From b1804347ec2db16452a7bff2b469d2c66776b904 Mon Sep 17 00:00:00 2001
		2	From: "Jason R. Coombs" <jaraco@jaraco.com>
		3	Date: Fri, 31 May 2024 11:20:57 -0400
		4	Subject: [PATCH] fix CVE-2024-5569
		5
		6	The patch includes the following changes:
		7	c18417e Add news fragment.
		8	58115d2 Employ SanitizedNames in CompleteDirs. Fixes broken test.
		9	564fcc1 Add SanitizedNames mixin.
		10	79a309f Add some assertions about malformed paths.
		11
		12	Upstream-Status: Backport
		13	[https://github.com/jaraco/zipp/pull/120/commits/79a309fe54dc6b7934fb72e9f31bcb58f2e9f547]
		14	[https://github.com/jaraco/zipp/pull/120/commits/564fcc10cdbfdaecdb33688e149827465931c9e0]
		15	[https://github.com/jaraco/zipp/pull/120/commits/58115d2be968644ce71ce6bcc9b79826c82a1806]
		16	[https://github.com/jaraco/zipp/pull/120/commits/c18417ed2953e181728a7dac07bff88a2190abf7]
		17
		18	CVE: CVE-2024-5569
		19
		20	Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
		21	---
		22	newsfragments/119.bugfix.rst \| 1 +
		23	tests/test_path.py \| 17 ++++++++++
		24	zipp/__init__.py \| 64 +++++++++++++++++++++++++++++++++++-
		25	3 files changed, 81 insertions(+), 1 deletion(-)
		26	create mode 100644 newsfragments/119.bugfix.rst
		27
		28	diff --git a/newsfragments/119.bugfix.rst b/newsfragments/119.bugfix.rst
		29	new file mode 100644
		30	index 0000000..6c72e2d
		31	--- /dev/null
		32	+++ b/newsfragments/119.bugfix.rst
		33	@@ -0,0 +1 @@
		34	+Improved handling of malformed zip files.
		35	\ No newline at end of file
		36	diff --git a/tests/test_path.py b/tests/test_path.py
		37	index a77a5de..3752243 100644
		38	--- a/tests/test_path.py
		39	+++ b/tests/test_path.py
		40	@@ -575,3 +575,20 @@ class TestPath(unittest.TestCase):
		41	zipp.Path(alpharep)
		42	with self.assertRaises(KeyError):
		43	alpharep.getinfo('does-not-exist')
		44	+
		45	+ def test_malformed_paths(self):
		46	+ """
		47	+ Path should handle malformed paths.
		48	+ """
		49	+ data = io.BytesIO()
		50	+ zf = zipfile.ZipFile(data, "w")
		51	+ zf.writestr("/one-slash.txt", b"content")
		52	+ zf.writestr("//two-slash.txt", b"content")
		53	+ zf.writestr("../parent.txt", b"content")
		54	+ zf.filename = ''
		55	+ root = zipfile.Path(zf)
		56	+ assert list(map(str, root.iterdir())) == [
		57	+ 'one-slash.txt',
		58	+ 'two-slash.txt',
		59	+ 'parent.txt',
		60	+ ]
		61	diff --git a/zipp/__init__.py b/zipp/__init__.py
		62	index becd010..e980e9b 100644
		63	--- a/zipp/__init__.py
		64	+++ b/zipp/__init__.py
		65	@@ -84,7 +84,69 @@ class InitializedState:
		66	super().__init__(args, *kwargs)
		67
		68
		69	-class CompleteDirs(InitializedState, zipfile.ZipFile):
		70	+class SanitizedNames:
		71	+ """
		72	+ ZipFile mix-in to ensure names are sanitized.
		73	+ """
		74	+
		75	+ def namelist(self):
		76	+ return list(map(self._sanitize, super().namelist()))
		77	+
		78	+ @staticmethod
		79	+ def _sanitize(name):
		80	+ r"""
		81	+ Ensure a relative path with posix separators and no dot names.
		82	+
		83	+ Modeled after
		84	+ https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
		85	+ but provides consistent cross-platform behavior.
		86	+
		87	+ >>> san = SanitizedNames._sanitize
		88	+ >>> san('/foo/bar')
		89	+ 'foo/bar'
		90	+ >>> san('//foo.txt')
		91	+ 'foo.txt'
		92	+ >>> san('foo/.././bar.txt')
		93	+ 'foo/bar.txt'
		94	+ >>> san('foo../.bar.txt')
		95	+ 'foo../.bar.txt'
		96	+ >>> san('\\foo\\bar.txt')
		97	+ 'foo/bar.txt'
		98	+ >>> san('D:\\foo.txt')
		99	+ 'D/foo.txt'
		100	+ >>> san('\\\\server\\share\\file.txt')
		101	+ 'server/share/file.txt'
		102	+ >>> san('\\\\?\\GLOBALROOT\\Volume3')
		103	+ '?/GLOBALROOT/Volume3'
		104	+ >>> san('\\\\.\\PhysicalDrive1\\root')
		105	+ 'PhysicalDrive1/root'
		106	+
		107	+ Retain any trailing slash.
		108	+ >>> san('abc/')
		109	+ 'abc/'
		110	+
		111	+ Raises a ValueError if the result is empty.
		112	+ >>> san('../..')
		113	+ Traceback (most recent call last):
		114	+ ...
		115	+ ValueError: Empty filename
		116	+ """
		117	+
		118	+ def allowed(part):
		119	+ return part and part not in {'..', '.'}
		120	+
		121	+ # Remove the drive letter.
		122	+ # Don't use ntpath.splitdrive, because that also strips UNC paths
		123	+ bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
		124	+ clean = bare.replace('\\', '/')
		125	+ parts = clean.split('/')
		126	+ joined = '/'.join(filter(allowed, parts))
		127	+ if not joined:
		128	+ raise ValueError("Empty filename")
		129	+ return joined + '/' * name.endswith('/')
		130	+
		131	+
		132	+class CompleteDirs(InitializedState, SanitizedNames, zipfile.ZipFile):
		133	"""
		134	A ZipFile subclass that ensures that implied directories
		135	are always included in the namelist.
		136	--
		137	2.25.1
		138


diff --git a/meta/recipes-devtools/python/python3-zipp_3.17.0.bb b/meta/recipes-devtools/python/python3-zipp_3.17.0.bb index e9e220e315..9f756887b5 100644 --- a/meta/recipes-devtools/python/python3-zipp_3.17.0.bb +++ b/meta/recipes-devtools/python/python3-zipp_3.17.0.bb
@@ -3,6 +3,7 @@ HOMEPAGE = "https://github.com/jaraco/zipp"
3	LICENSE = "MIT"	3	LICENSE = "MIT"
4	LIC_FILES_CHKSUM = "file://LICENSE;md5=141643e11c48898150daa83802dbc65f"	4	LIC_FILES_CHKSUM = "file://LICENSE;md5=141643e11c48898150daa83802dbc65f"
5		5
		6	SRC_URI += "file://CVE-2024-5569.patch"
6	SRC_URI[sha256sum] = "84e64a1c28cf7e91ed2078bb8cc8c259cb19b76942096c8d7b84947690cabaf0"	7	SRC_URI[sha256sum] = "84e64a1c28cf7e91ed2078bb8cc8c259cb19b76942096c8d7b84947690cabaf0"
7		8
8	DEPENDS += "python3-setuptools-scm-native"	9	DEPENDS += "python3-setuptools-scm-native"