python3: Fix CVE-2024-7592

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value. References: https://nvd.nist.gov/vuln/detail/CVE-2024-7592 Upstream-Patch: https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1 (From OE-Core rev: 3bb9684eef5227e7b1280ee9051884310b0d0b7f) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Soumya Sambu <soumya.sambu@windriver.com> 2024-09-03 12:50:34 +0000
committer: Steve Sakoman <steve@sakoman.com> 2024-09-09 06:08:10 -0700
commit: 9541ad965035b28697b8df400d7b9bddc4d2519a (patch)
tree: fc357bcda13bcc939c260c7ad7ed9f4c9c8a3655 /meta/recipes-devtools/python
parent: 67aa29393db111a67b64f3394a0c490c33946c02 (diff)
download: poky-9541ad965035b28697b8df400d7b9bddc4d2519a.tar.gz
2 files changed, 144 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3/CVE-2024-7592.patch b/meta/recipes-devtools/python/python3/CVE-2024-7592.patch
new file mode 100644
index 0000000000..7a6d63005c
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2024-7592.patch
@@ -0,0 +1,143 @@
+From dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Sun, 25 Aug 2024 00:37:11 +0200
+Subject: [PATCH] gh-123067: Fix quadratic complexity in parsing  "-quoted
+ cookie values with backslashes (GH-123075) (#123104)
+gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075)
+This fixes CVE-2024-7592.
+(cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef)
+Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
+CVE: CVE-2024-7592
+Upstream-Status: Backport [https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ Lib/http/cookies.py                           | 34 ++++-------------
+ Lib/test/test_http_cookies.py                 | 38 +++++++++++++++++++
+ ...-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst |  1 +
+ 3 files changed, 47 insertions(+), 26 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
+diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
+index 35ac2dc..2c1f021 100644
+--- a/Lib/http/cookies.py
+++ b/Lib/http/cookies.py
+@@ -184,8 +184,13 @@ def _quote(str):
+         return '"' + str.translate(_Translator) + '"'
+-_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
+-_QuotePatt = re.compile(r"[\\].")
+_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub
+
+def _unquote_replace(m):
+    if m[1]:
+        return chr(int(m[1], 8))
+    else:
+        return m[2]
+ def _unquote(str):
+     # If there aren't any doublequotes,
+@@ -205,30 +210,7 @@ def _unquote(str):
+     #    \012 --> \n
+     #    \"   --> "
+     #
+-    i = 0
+-    n = len(str)
+-    res = []
+-    while 0 <= i < n:
+-        o_match = _OctalPatt.search(str, i)
+-        q_match = _QuotePatt.search(str, i)
+-        if not o_match and not q_match:              # Neither matched
+-            res.append(str[i:])
+-            break
+-        # else:
+-        j = k = -1
+-        if o_match:
+-            j = o_match.start(0)
+-        if q_match:
+-            k = q_match.start(0)
+-        if q_match and (not o_match or k < j):     # QuotePatt matched
+-            res.append(str[i:k])
+-            res.append(str[k+1])
+-            i = k + 2
+-        else:                                      # OctalPatt matched
+-            res.append(str[i:j])
+-            res.append(chr(int(str[j+1:j+4], 8)))
+-            i = j + 4
+-    return _nulljoin(res)
+    return _unquote_sub(_unquote_replace, str)
+ # The _getdate() routine is used to set the expiration time in the cookie's HTTP
+ # header.  By default, _getdate() returns the current time in the appropriate
+diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
+index 925c869..8879902 100644
+--- a/Lib/test/test_http_cookies.py
+++ b/Lib/test/test_http_cookies.py
+@@ -5,6 +5,7 @@ import unittest
+ import doctest
+ from http import cookies
+ import pickle
+from test import support
+ class CookieTests(unittest.TestCase):
+@@ -58,6 +59,43 @@ class CookieTests(unittest.TestCase):
+             for k, v in sorted(case['dict'].items()):
+                 self.assertEqual(C[k].value, v)
+    def test_unquote(self):
+        cases = [
+            (r'a="b=\""', 'b="'),
+            (r'a="b=\\"', 'b=\\'),
+            (r'a="b=\="', 'b=='),
+            (r'a="b=\n"', 'b=n'),
+            (r'a="b=\042"', 'b="'),
+            (r'a="b=\134"', 'b=\\'),
+            (r'a="b=\377"', 'b=\xff'),
+            (r'a="b=\400"', 'b=400'),
+            (r'a="b=\42"', 'b=42'),
+            (r'a="b=\\042"', 'b=\\042'),
+            (r'a="b=\\134"', 'b=\\134'),
+            (r'a="b=\\\""', 'b=\\"'),
+            (r'a="b=\\\042"', 'b=\\"'),
+            (r'a="b=\134\""', 'b=\\"'),
+            (r'a="b=\134\042"', 'b=\\"'),
+        ]
+        for encoded, decoded in cases:
+            with self.subTest(encoded):
+                C = cookies.SimpleCookie()
+                C.load(encoded)
+                self.assertEqual(C['a'].value, decoded)
+
+    @support.requires_resource('cpu')
+    def test_unquote_large(self):
+        n = 10**6
+        for encoded in r'\\', r'\134':
+            with self.subTest(encoded):
+                data = 'a="b=' + encoded*n + ';"'
+                C = cookies.SimpleCookie()
+                C.load(data)
+                value = C['a'].value
+                self.assertEqual(value[:3], 'b=\\')
+                self.assertEqual(value[-2:], '\\;')
+                self.assertEqual(len(value), n + 3)
+
+     def test_load(self):
+         C = cookies.SimpleCookie()
+         C.load('Customer="WILE_E_COYOTE"; Version=1; Path=/acme')
+diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
+new file mode 100644
+index 0000000..6a23456
+--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
+@@ -0,0 +1 @@
+Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`.
+--
+2.40.0
diff --git a/meta/recipes-devtools/python/python3_3.12.4.bb b/meta/recipes-devtools/python/python3_3.12.4.bb
index e4c3fbb673..9199edce3d 100644
--- a/meta/recipes-devtools/python/python3_3.12.4.bb
+++ b/meta/recipes-devtools/python/python3_3.12.4.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
           file://0001-gh-107811-tarfile-treat-overflow-in-UID-GID-as-failu.patch \
           file://0001-test_deadlock-skip-problematic-test.patch \
           file://0001-test_active_children-skip-problematic-test.patch \
+           file://CVE-2024-7592.patch \
           "
 SRC_URI:append:class-native = " \
author	Soumya Sambu <soumya.sambu@windriver.com>	2024-09-03 12:50:34 +0000
committer	Steve Sakoman <steve@sakoman.com>	2024-09-09 06:08:10 -0700
commit	9541ad965035b28697b8df400d7b9bddc4d2519a (patch)
tree	fc357bcda13bcc939c260c7ad7ed9f4c9c8a3655 /meta/recipes-devtools/python
parent	67aa29393db111a67b64f3394a0c490c33946c02 (diff)
download	poky-9541ad965035b28697b8df400d7b9bddc4d2519a.tar.gz

diff --git a/meta/recipes-devtools/python/python3/CVE-2024-7592.patch b/meta/recipes-devtools/python/python3/CVE-2024-7592.patch new file mode 100644 index 0000000000..7a6d63005c --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2024-7592.patch
@@ -0,0 +1,143 @@
		1	From dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1 Mon Sep 17 00:00:00 2001
		2	From: "Miss Islington (bot)"
		3	<31488909+miss-islington@users.noreply.github.com>
		4	Date: Sun, 25 Aug 2024 00:37:11 +0200
		5	Subject: [PATCH] gh-123067: Fix quadratic complexity in parsing "-quoted
		6	cookie values with backslashes (GH-123075) (#123104)
		7
		8	gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075)
		9
		10	This fixes CVE-2024-7592.
		11	(cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef)
		12
		13	Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
		14
		15	CVE: CVE-2024-7592
		16
		17	Upstream-Status: Backport [https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1]
		18
		19	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		20	---
		21	Lib/http/cookies.py \| 34 ++++-------------
		22	Lib/test/test_http_cookies.py \| 38 +++++++++++++++++++
		23	...-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst \| 1 +
		24	3 files changed, 47 insertions(+), 26 deletions(-)
		25	create mode 100644 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
		26
		27	diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
		28	index 35ac2dc..2c1f021 100644
		29	--- a/Lib/http/cookies.py
		30	+++ b/Lib/http/cookies.py
		31	@@ -184,8 +184,13 @@ def _quote(str):
		32	return '"' + str.translate(_Translator) + '"'
		33
		34
		35	-_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
		36	-_QuotePatt = re.compile(r"[\\].")
		37	+_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])\|(.))').sub
		38	+
		39	+def _unquote_replace(m):
		40	+ if m[1]:
		41	+ return chr(int(m[1], 8))
		42	+ else:
		43	+ return m[2]
		44
		45	def _unquote(str):
		46	# If there aren't any doublequotes,
		47	@@ -205,30 +210,7 @@ def _unquote(str):
		48	# \012 --> \n
		49	# \" --> "
		50	#
		51	- i = 0
		52	- n = len(str)
		53	- res = []
		54	- while 0 <= i < n:
		55	- o_match = _OctalPatt.search(str, i)
		56	- q_match = _QuotePatt.search(str, i)
		57	- if not o_match and not q_match: # Neither matched
		58	- res.append(str[i:])
		59	- break
		60	- # else:
		61	- j = k = -1
		62	- if o_match:
		63	- j = o_match.start(0)
		64	- if q_match:
		65	- k = q_match.start(0)
		66	- if q_match and (not o_match or k < j): # QuotePatt matched
		67	- res.append(str[i:k])
		68	- res.append(str[k+1])
		69	- i = k + 2
		70	- else: # OctalPatt matched
		71	- res.append(str[i:j])
		72	- res.append(chr(int(str[j+1:j+4], 8)))
		73	- i = j + 4
		74	- return _nulljoin(res)
		75	+ return _unquote_sub(_unquote_replace, str)
		76
		77	# The _getdate() routine is used to set the expiration time in the cookie's HTTP
		78	# header. By default, _getdate() returns the current time in the appropriate
		79	diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
		80	index 925c869..8879902 100644
		81	--- a/Lib/test/test_http_cookies.py
		82	+++ b/Lib/test/test_http_cookies.py
		83	@@ -5,6 +5,7 @@ import unittest
		84	import doctest
		85	from http import cookies
		86	import pickle
		87	+from test import support
		88
		89
		90	class CookieTests(unittest.TestCase):
		91	@@ -58,6 +59,43 @@ class CookieTests(unittest.TestCase):
		92	for k, v in sorted(case['dict'].items()):
		93	self.assertEqual(C[k].value, v)
		94
		95	+ def test_unquote(self):
		96	+ cases = [
		97	+ (r'a="b=\""', 'b="'),
		98	+ (r'a="b=\\"', 'b=\\'),
		99	+ (r'a="b=\="', 'b=='),
		100	+ (r'a="b=\n"', 'b=n'),
		101	+ (r'a="b=\042"', 'b="'),
		102	+ (r'a="b=\134"', 'b=\\'),
		103	+ (r'a="b=\377"', 'b=\xff'),
		104	+ (r'a="b=\400"', 'b=400'),
		105	+ (r'a="b=\42"', 'b=42'),
		106	+ (r'a="b=\\042"', 'b=\\042'),
		107	+ (r'a="b=\\134"', 'b=\\134'),
		108	+ (r'a="b=\\\""', 'b=\\"'),
		109	+ (r'a="b=\\\042"', 'b=\\"'),
		110	+ (r'a="b=\134\""', 'b=\\"'),
		111	+ (r'a="b=\134\042"', 'b=\\"'),
		112	+ ]
		113	+ for encoded, decoded in cases:
		114	+ with self.subTest(encoded):
		115	+ C = cookies.SimpleCookie()
		116	+ C.load(encoded)
		117	+ self.assertEqual(C['a'].value, decoded)
		118	+
		119	+ @support.requires_resource('cpu')
		120	+ def test_unquote_large(self):
		121	+ n = 10**6
		122	+ for encoded in r'\\', r'\134':
		123	+ with self.subTest(encoded):
		124	+ data = 'a="b=' + encoded*n + ';"'
		125	+ C = cookies.SimpleCookie()
		126	+ C.load(data)
		127	+ value = C['a'].value
		128	+ self.assertEqual(value[:3], 'b=\\')
		129	+ self.assertEqual(value[-2:], '\\;')
		130	+ self.assertEqual(len(value), n + 3)
		131	+
		132	def test_load(self):
		133	C = cookies.SimpleCookie()
		134	C.load('Customer="WILE_E_COYOTE"; Version=1; Path=/acme')
		135	diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
		136	new file mode 100644
		137	index 0000000..6a23456
		138	--- /dev/null
		139	+++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
		140	@@ -0,0 +1 @@
		141	+Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`.
		142	--
		143	2.40.0


diff --git a/meta/recipes-devtools/python/python3_3.12.4.bb b/meta/recipes-devtools/python/python3_3.12.4.bb index e4c3fbb673..9199edce3d 100644 --- a/meta/recipes-devtools/python/python3_3.12.4.bb +++ b/meta/recipes-devtools/python/python3_3.12.4.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
34	file://0001-gh-107811-tarfile-treat-overflow-in-UID-GID-as-failu.patch \	34	file://0001-gh-107811-tarfile-treat-overflow-in-UID-GID-as-failu.patch \
35	file://0001-test_deadlock-skip-problematic-test.patch \	35	file://0001-test_deadlock-skip-problematic-test.patch \
36	file://0001-test_active_children-skip-problematic-test.patch \	36	file://0001-test_active_children-skip-problematic-test.patch \
		37	file://CVE-2024-7592.patch \
37	"	38	"
38		39
39	SRC_URI:append:class-native = " \	40	SRC_URI:append:class-native = " \