diff options
| author | Hongxu Jia <hongxu.jia@windriver.com> | 2024-11-28 15:46:44 +0800 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2024-12-09 07:54:03 -0800 |
| commit | af06cbf82b44e4944ecfff212686b97d67021171 (patch) | |
| tree | b684129bdacd2bed9faa9df0509356fe740d4179 /meta/recipes-devtools/python/python3-zipp/0003-Removed-SanitizedNames.patch | |
| parent | e8c505f7a4cd4765fba3450e9ac5a90427b19e9e (diff) | |
| download | poky-af06cbf82b44e4944ecfff212686b97d67021171.tar.gz | |
python3-zipp: fix CVE-2024-5569
According to [1] which provided the fix link [2], but upstream author
reworked it later [3][4][5]
Backport and rebase all the patches for tracing
[1] https://nvd.nist.gov/vuln/detail/CVE-2024-5569
[2] https://github.com/jaraco/zipp/commit/fd604bd34f0343472521a36da1fbd22e793e14fd
[3] https://github.com/jaraco/zipp/commit/3cb5609002263eb19f7b5efda82d96f1f57fe876
[4] https://github.com/jaraco/zipp/commit/f89b93f0370dd85d23d243e25dfc1f99f4d8de48
[5] https://github.com/jaraco/zipp/commit/cc61e6140f0dfde2ff372db932442cf6df890f09
(From OE-Core rev: 13bd99e17f0aca108839e81e9aa0b14351116fdf)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-devtools/python/python3-zipp/0003-Removed-SanitizedNames.patch')
| -rw-r--r-- | meta/recipes-devtools/python/python3-zipp/0003-Removed-SanitizedNames.patch | 95 |
1 files changed, 95 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-zipp/0003-Removed-SanitizedNames.patch b/meta/recipes-devtools/python/python3-zipp/0003-Removed-SanitizedNames.patch new file mode 100644 index 0000000000..45a7dc5bb1 --- /dev/null +++ b/meta/recipes-devtools/python/python3-zipp/0003-Removed-SanitizedNames.patch | |||
| @@ -0,0 +1,95 @@ | |||
| 1 | From b52b8af403e64607ae8d5e4cd18d4099d63e7264 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: "Jason R. Coombs" <jaraco@jaraco.com> | ||
| 3 | Date: Wed, 27 Nov 2024 23:33:11 -0800 | ||
| 4 | Subject: [PATCH 3/5] Removed SanitizedNames. | ||
| 5 | |||
| 6 | Restores expectations around special characters in zipfiles, but also restores the infinite loop. | ||
| 7 | |||
| 8 | Upstream-Status: Backport [https://github.com/jaraco/zipp/commit/3cb5609002263eb19f7b5efda82d96f1f57fe876] | ||
| 9 | Remove test codes | ||
| 10 | Rebase to v3.7.0 | ||
| 11 | CVE: CVE-2024-5569 | ||
| 12 | |||
| 13 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> | ||
| 14 | --- | ||
| 15 | zipp.py | 64 +-------------------------------------------------------- | ||
| 16 | 1 file changed, 1 insertion(+), 63 deletions(-) | ||
| 17 | |||
| 18 | diff --git a/zipp.py b/zipp.py | ||
| 19 | index 29d2572..26b723c 100644 | ||
| 20 | --- a/zipp.py | ||
| 21 | +++ b/zipp.py | ||
| 22 | @@ -68,69 +68,7 @@ def _difference(minuend, subtrahend): | ||
| 23 | return itertools.filterfalse(set(subtrahend).__contains__, minuend) | ||
| 24 | |||
| 25 | |||
| 26 | -class SanitizedNames: | ||
| 27 | - """ | ||
| 28 | - ZipFile mix-in to ensure names are sanitized. | ||
| 29 | - """ | ||
| 30 | - | ||
| 31 | - def namelist(self): | ||
| 32 | - return list(map(self._sanitize, super().namelist())) | ||
| 33 | - | ||
| 34 | - @staticmethod | ||
| 35 | - def _sanitize(name): | ||
| 36 | - r""" | ||
| 37 | - Ensure a relative path with posix separators and no dot names. | ||
| 38 | - | ||
| 39 | - Modeled after | ||
| 40 | - https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813 | ||
| 41 | - but provides consistent cross-platform behavior. | ||
| 42 | - | ||
| 43 | - >>> san = SanitizedNames._sanitize | ||
| 44 | - >>> san('/foo/bar') | ||
| 45 | - 'foo/bar' | ||
| 46 | - >>> san('//foo.txt') | ||
| 47 | - 'foo.txt' | ||
| 48 | - >>> san('foo/.././bar.txt') | ||
| 49 | - 'foo/bar.txt' | ||
| 50 | - >>> san('foo../.bar.txt') | ||
| 51 | - 'foo../.bar.txt' | ||
| 52 | - >>> san('\\foo\\bar.txt') | ||
| 53 | - 'foo/bar.txt' | ||
| 54 | - >>> san('D:\\foo.txt') | ||
| 55 | - 'D/foo.txt' | ||
| 56 | - >>> san('\\\\server\\share\\file.txt') | ||
| 57 | - 'server/share/file.txt' | ||
| 58 | - >>> san('\\\\?\\GLOBALROOT\\Volume3') | ||
| 59 | - '?/GLOBALROOT/Volume3' | ||
| 60 | - >>> san('\\\\.\\PhysicalDrive1\\root') | ||
| 61 | - 'PhysicalDrive1/root' | ||
| 62 | - | ||
| 63 | - Retain any trailing slash. | ||
| 64 | - >>> san('abc/') | ||
| 65 | - 'abc/' | ||
| 66 | - | ||
| 67 | - Raises a ValueError if the result is empty. | ||
| 68 | - >>> san('../..') | ||
| 69 | - Traceback (most recent call last): | ||
| 70 | - ... | ||
| 71 | - ValueError: Empty filename | ||
| 72 | - """ | ||
| 73 | - | ||
| 74 | - def allowed(part): | ||
| 75 | - return part and part not in {'..', '.'} | ||
| 76 | - | ||
| 77 | - # Remove the drive letter. | ||
| 78 | - # Don't use ntpath.splitdrive, because that also strips UNC paths | ||
| 79 | - bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE) | ||
| 80 | - clean = bare.replace('\\', '/') | ||
| 81 | - parts = clean.split('/') | ||
| 82 | - joined = '/'.join(filter(allowed, parts)) | ||
| 83 | - if not joined: | ||
| 84 | - raise ValueError("Empty filename") | ||
| 85 | - return joined + '/' * name.endswith('/') | ||
| 86 | - | ||
| 87 | - | ||
| 88 | -class CompleteDirs(SanitizedNames, zipfile.ZipFile): | ||
| 89 | +class CompleteDirs(zipfile.ZipFile): | ||
| 90 | """ | ||
| 91 | A ZipFile subclass that ensures that implied directories | ||
| 92 | are always included in the namelist. | ||
| 93 | -- | ||
| 94 | 2.25.1 | ||
| 95 | |||
