From 3f702c57189aae9eba8dbb0ab4d044eec6e8c449 Mon Sep 17 00:00:00 2001
From: Henry Beberman
Date: Tue, 30 Aug 2022 18:09:54 -0700
Subject: [PATCH] `python3`: fix CVE-2015-20107

---
 SPECS/python3/CVE-2015-20107.patch | 110 ++++++++++++++++++
 SPECS/python3/python3.spec | 7 +-
 .../manifests/package/pkggen_core_aarch64.txt | 8 +-
 .../manifests/package/pkggen_core_x86_64.txt | 8 +-
 .../manifests/package/toolchain_aarch64.txt | 18 +--
 .../manifests/package/toolchain_x86_64.txt | 18 +--
 6 files changed, 142 insertions(+), 27 deletions(-)
 create mode 100644 SPECS/python3/CVE-2015-20107.patch

diff --git a/SPECS/python3/CVE-2015-20107.patch b/SPECS/python3/CVE-2015-20107.patch
new file mode 100644
index 00000000000..df72b1579df
--- /dev/null
+++ b/SPECS/python3/CVE-2015-20107.patch
@@ -0,0 +1,110 @@ +From c3e7f139b440d7424986204e9f3fc2275aea3377 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Wed, 27 Apr 2022 18:17:33 +0200 +Subject: [PATCH] gh-68966: Make mailcap refuse to match unsafe + filenames/types/params + +--- + Lib/mailcap.py | 26 ++++++++++++++++++++++++-- + Lib/test/test_mailcap.py | 8 ++++++-- + 2 files changed, 30 insertions(+), 4 deletions(-) + +diff --git a/Lib/mailcap.py b/Lib/mailcap.py +index 856b6a55475f..cfb70edc61ec 100644 +--- a/Lib/mailcap.py ++++ b/Lib/mailcap.py +@@ -2,6 +2,7 @@ + + import os + import warnings ++import re + + __all__ = ["getcaps","findmatch"] + +@@ -19,6 +20,11 @@ def lineno_sort_key(entry): + else: + return 1, 0 + ++_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@%+=:,./-]').search ++ ++class UnsafeMailcapInput(Warning): ++ """Warning raised when refusing unsafe input""" ++ + + # Part 1: top-level interface. + +@@ -171,15 +177,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]): + entry to use. + + """ ++ if _find_unsafe(filename): ++ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,) ++ warnings.warn(msg, UnsafeMailcapInput) ++ return None, None + entries = lookup(caps, MIMEtype, key) + # XXX This code should somehow check for the needsterminal flag. + for e in entries: + if 'test' in e: + test = subst(e['test'], filename, plist) ++ if test is None: ++ continue + if test and os.system(test) != 0: + continue + command = subst(e[key], MIMEtype, filename, plist) +- return command, e ++ if command is not None: ++ return command, e + return None, None + + def lookup(caps, MIMEtype, key=None): +@@ -212,6 +225,10 @@ def subst(field, MIMEtype, filename, plist=[]): + elif c == 's': + res = res + filename + elif c == 't': ++ if _find_unsafe(MIMEtype): ++ msg = "Refusing to substitute MIME type %r into a shell command." 
% (MIMEtype,) ++ warnings.warn(msg, UnsafeMailcapInput) ++ return None + res = res + MIMEtype + elif c == '{': + start = i +@@ -219,7 +236,12 @@ def subst(field, MIMEtype, filename, plist=[]): + i = i+1 + name = field[start:i] + i = i+1 +- res = res + findparam(name, plist) ++ param = findparam(name, plist) ++ if _find_unsafe(param): ++ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name) ++ warnings.warn(msg, UnsafeMailcapInput) ++ return None ++ res = res + param + # XXX To do: + # %n == number of parts if type is multipart/* + # %F == list of alternating type and filename for parts +diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py +index 97a8fac6e074..2ed367dba78b 100644 +--- a/Lib/test/test_mailcap.py ++++ b/Lib/test/test_mailcap.py +@@ -128,7 +128,8 @@ def test_subst(self): + (["", "audio/*", "foo.txt"], ""), + (["echo foo", "audio/*", "foo.txt"], "echo foo"), + (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"), +- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"), ++ (["echo %t", "audio/*", "foo.txt"], None), ++ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"), + (["echo \\%t", "audio/*", "foo.txt"], "echo %t"), + (["echo foo", "audio/*", "foo.txt", plist], "echo foo"), + (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3") +@@ -212,7 +213,10 @@ def test_findmatch(self): + ('"An audio fragment"', audio_basic_entry)), + ([c, "audio/*"], + {"filename": fname}, +- ("/usr/local/bin/showaudio audio/*", audio_entry)), ++ (None, None)), ++ ([c, "audio/wav"], ++ {"filename": fname}, ++ ("/usr/local/bin/showaudio audio/wav", audio_entry)), + ([c, "message/external-body"], + {"plist": plist}, + ("showexternal /dev/null default john python.org /tmp foo bar", message_entry)) diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec index 93763630086..6f5ca92fd8f 100644 --- a/SPECS/python3/python3.spec +++ b/SPECS/python3/python3.spec 
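Review bot: The filename refusal added at the top of findmatch() is not mirrored inside subst(): the `%s` branch (`res = res + filename`) still splices the filename into the shell command unchecked, so anything that reaches subst() directly (it is a public module-level function even though it is not listed in `__all__`) gets no protection, and adding the same `_find_unsafe(filename)` refusal there would make subst() safe on its own instead of relying on each entry point to pre-validate. Separately, the unchanged call `test = subst(e['test'], filename, plist)` passes filename in the MIMEtype position and plist in the filename position of `def subst(field, MIMEtype, filename, plist=[])`, so a mailcap `test=` clause containing `%s` would concatenate a list onto a str (TypeError) and `%{param}` lookups would search the empty default plist; the new `if test is None: continue` inherits that mis-ordering, and since this file is a verbatim upstream backport it is probably best carried as a separate follow-up patch rather than edited here. The `_find_unsafe` regex treats every code point from U+00A1 upward as safe, which is upstream's design choice but worth a comment, since the guard then depends on how the invoking shell tokenizes non-ASCII input in the build's locale. findmatch() and subst() are only partially visible in the inner hunks of this patch file.
```python
            elif c == 's':
                if _find_unsafe(filename):
                    msg = "Refusing to substitute filename %r into a shell command." % (filename,)
                    warnings.warn(msg, UnsafeMailcapInput)
                    return None
                res = res + filename
            # … unchanged: %t and %{param} branches …
```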
@@ -12,7 +12,7 @@
 Summary: A high-level scripting language
 Name: python3
 Version: 3.9.13
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: PSF
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -20,6 +20,8 @@ Group: System Environment/Programming
 URL: https://www.python.org/
 Source0: https://www.python.org/ftp/python/%{version}/Python-%{version}.tar.xz
 Patch0: cgi3.patch
+Patch1: CVE-2015-20107.patch
+
 BuildRequires: bzip2-devel
 BuildRequires: expat-devel >= 2.1.0
 BuildRequires: libffi-devel >= 3.0.13
@@ -298,6 +300,9 @@ rm -rf %{buildroot}%{_bindir}/__pycache__
 %{_libdir}/python%{majmin}/test/*

 %changelog
+* Tue Aug 30 2022 Henry Beberman - 3.9.13-4
+- Add CVE-2015-20107 patch from upstream
+
 * Tue Jul 12 2022 Olivia Crain - 3.9.13-3
 - Update cgi3 patch to use versioned python shebang

diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index 9005c349a19..48cb8e7120c 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -233,10 +233,10 @@ ca-certificates-base-2.0.0-7.cm2.noarch.rpm
 ca-certificates-2.0.0-7.cm2.noarch.rpm
 dwz-0.14-1.cm2.aarch64.rpm
 unzip-6.0-19.cm2.aarch64.rpm
-python3-3.9.13-3.cm2.aarch64.rpm
-python3-devel-3.9.13-3.cm2.aarch64.rpm
-python3-libs-3.9.13-3.cm2.aarch64.rpm
-python3-setuptools-3.9.13-3.cm2.noarch.rpm
+python3-3.9.13-4.cm2.aarch64.rpm
+python3-devel-3.9.13-4.cm2.aarch64.rpm
+python3-libs-3.9.13-4.cm2.aarch64.rpm
+python3-setuptools-3.9.13-4.cm2.noarch.rpm
 which-2.21-8.cm2.aarch64.rpm
 libselinux-3.2-1.cm2.aarch64.rpm
 slang-2.3.2-4.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index fa4da3e15ad..1cbbfed06d5 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
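Review bot: `Patch1: CVE-2015-20107.patch` only declares the patch; it is applied only if `%prep` (outside this hunk) runs `%autosetup -p1` or an explicit `%patch1 -p1`, and rpmbuild does not warn about a Patch tag that is declared but never applied, so a missing `%patch1` line would ship a changelog claiming the CVE is fixed while Lib/mailcap.py stays unchanged. Please confirm that `%prep` applies numbered patches generically, and consider a cheap build-time assertion such as `grep -q UnsafeMailcapInput %{buildroot}%{_libdir}/python%{majmin}/mailcap.py` in `%check` (or at least verify the built python3-libs once) so the fix cannot silently regress. It would also help traceability to record the upstream origin next to the tag, e.g. `# Backport of CPython commit c3e7f139 (gh-68966)` above the `Patch1:` line.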
@@ -233,10 +233,10 @@ ca-certificates-base-2.0.0-7.cm2.noarch.rpm
 ca-certificates-2.0.0-7.cm2.noarch.rpm
 dwz-0.14-1.cm2.x86_64.rpm
 unzip-6.0-19.cm2.x86_64.rpm
-python3-3.9.13-3.cm2.x86_64.rpm
-python3-devel-3.9.13-3.cm2.x86_64.rpm
-python3-libs-3.9.13-3.cm2.x86_64.rpm
-python3-setuptools-3.9.13-3.cm2.noarch.rpm
+python3-3.9.13-4.cm2.x86_64.rpm
+python3-devel-3.9.13-4.cm2.x86_64.rpm
+python3-libs-3.9.13-4.cm2.x86_64.rpm
+python3-setuptools-3.9.13-4.cm2.noarch.rpm
 which-2.21-8.cm2.x86_64.rpm
 libselinux-3.2-1.cm2.x86_64.rpm
 slang-2.3.2-4.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 7704eac36d5..0bb9af040b0 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -499,28 +499,28 @@ procps-ng-devel-3.3.17-1.cm2.aarch64.rpm
 procps-ng-lang-3.3.17-1.cm2.aarch64.rpm
 pyproject-rpm-macros-1.0.0~rc1-3.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.aarch64.rpm
-python3-3.9.13-3.cm2.aarch64.rpm
+python3-3.9.13-4.cm2.aarch64.rpm
 python3-audit-3.0.6-7.cm2.aarch64.rpm
 python3-cracklib-2.9.7-5.cm2.aarch64.rpm
-python3-curses-3.9.13-3.cm2.aarch64.rpm
+python3-curses-3.9.13-4.cm2.aarch64.rpm
 python3-Cython-0.29.26-1.cm2.aarch64.rpm
-python3-debuginfo-3.9.13-3.cm2.aarch64.rpm
-python3-devel-3.9.13-3.cm2.aarch64.rpm
+python3-debuginfo-3.9.13-4.cm2.aarch64.rpm
+python3-devel-3.9.13-4.cm2.aarch64.rpm
 python3-gpg-1.16.0-1.cm2.aarch64.rpm
 python3-jinja2-3.0.3-2.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm
-python3-libs-3.9.13-3.cm2.aarch64.rpm
+python3-libs-3.9.13-4.cm2.aarch64.rpm
 python3-libxml2-2.10.0-1.cm2.aarch64.rpm
 python3-lxml-4.9.1-1.cm2.aarch64.rpm
 python3-magic-5.40-2.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.aarch64.rpm
 python3-newt-0.52.21-4.cm2.aarch64.rpm
-python3-pip-3.9.13-3.cm2.noarch.rpm
+python3-pip-3.9.13-4.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.17.0-9.cm2.aarch64.rpm
-python3-setuptools-3.9.13-3.cm2.noarch.rpm
-python3-test-3.9.13-3.cm2.aarch64.rpm
-python3-tools-3.9.13-3.cm2.aarch64.rpm
+python3-setuptools-3.9.13-4.cm2.noarch.rpm
+python3-test-3.9.13-4.cm2.aarch64.rpm
+python3-tools-3.9.13-4.cm2.aarch64.rpm
 readline-8.1-1.cm2.aarch64.rpm
 readline-debuginfo-8.1-1.cm2.aarch64.rpm
 readline-devel-8.1-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 2b2da43fad0..54d21a31312 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -499,28 +499,28 @@ procps-ng-devel-3.3.17-1.cm2.x86_64.rpm
 procps-ng-lang-3.3.17-1.cm2.x86_64.rpm
 pyproject-rpm-macros-1.0.0~rc1-3.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.x86_64.rpm
-python3-3.9.13-3.cm2.x86_64.rpm
+python3-3.9.13-4.cm2.x86_64.rpm
 python3-audit-3.0.6-7.cm2.x86_64.rpm
 python3-cracklib-2.9.7-5.cm2.x86_64.rpm
-python3-curses-3.9.13-3.cm2.x86_64.rpm
+python3-curses-3.9.13-4.cm2.x86_64.rpm
 python3-Cython-0.29.26-1.cm2.x86_64.rpm
-python3-debuginfo-3.9.13-3.cm2.x86_64.rpm
-python3-devel-3.9.13-3.cm2.x86_64.rpm
+python3-debuginfo-3.9.13-4.cm2.x86_64.rpm
+python3-devel-3.9.13-4.cm2.x86_64.rpm
 python3-gpg-1.16.0-1.cm2.x86_64.rpm
 python3-jinja2-3.0.3-2.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
-python3-libs-3.9.13-3.cm2.x86_64.rpm
+python3-libs-3.9.13-4.cm2.x86_64.rpm
 python3-libxml2-2.10.0-1.cm2.x86_64.rpm
 python3-lxml-4.9.1-1.cm2.x86_64.rpm
 python3-magic-5.40-2.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.x86_64.rpm
 python3-newt-0.52.21-4.cm2.x86_64.rpm
-python3-pip-3.9.13-3.cm2.noarch.rpm
+python3-pip-3.9.13-4.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.17.0-9.cm2.x86_64.rpm
-python3-setuptools-3.9.13-3.cm2.noarch.rpm
-python3-test-3.9.13-3.cm2.x86_64.rpm
-python3-tools-3.9.13-3.cm2.x86_64.rpm
+python3-setuptools-3.9.13-4.cm2.noarch.rpm
+python3-test-3.9.13-4.cm2.x86_64.rpm
+python3-tools-3.9.13-4.cm2.x86_64.rpm
 readline-8.1-1.cm2.x86_64.rpm
 readline-debuginfo-8.1-1.cm2.x86_64.rpm
 readline-devel-8.1-1.cm2.x86_64.rpm