microsoft · hbeberman · Aug 31, 2022 · Aug 31, 2022
@@ -0,0 +1,110 @@
+From c3e7f139b440d7424986204e9f3fc2275aea3377 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <[email protected]>
+Date: Wed, 27 Apr 2022 18:17:33 +0200
+Subject: [PATCH] gh-68966: Make mailcap refuse to match unsafe
+ filenames/types/params
+
+---
+ Lib/mailcap.py           | 26 ++++++++++++++++++++++++--
+ Lib/test/test_mailcap.py |  8 ++++++--
+ 2 files changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/Lib/mailcap.py b/Lib/mailcap.py
+index 856b6a55475f..cfb70edc61ec 100644
+--- a/Lib/mailcap.py
++++ b/Lib/mailcap.py
+@@ -2,6 +2,7 @@
+
+ import os
+ import warnings
++import re
+
+ __all__ = ["getcaps","findmatch"]
+
+@@ -19,6 +20,11 @@ def lineno_sort_key(entry):
+     else:
+         return 1, 0
+
++_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@%+=:,./-]').search
++
++class UnsafeMailcapInput(Warning):
++    """Warning raised when refusing unsafe input"""
++
+
+ # Part 1: top-level interface.
+
+@@ -171,15 +177,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
+     entry to use.
+
+     """
++    if _find_unsafe(filename):
++        msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
++        warnings.warn(msg, UnsafeMailcapInput)
++        return None, None
+     entries = lookup(caps, MIMEtype, key)
+     # XXX This code should somehow check for the needsterminal flag.
+     for e in entries:
+         if 'test' in e:
+             test = subst(e['test'], filename, plist)
++            if test is None:
++                continue
+             if test and os.system(test) != 0:
+                 continue
+         command = subst(e[key], MIMEtype, filename, plist)
+-        return command, e
++        if command is not None:
++            return command, e
+     return None, None
+
+ def lookup(caps, MIMEtype, key=None):
+@@ -212,6 +225,10 @@ def subst(field, MIMEtype, filename, plist=[]):
+             elif c == 's':
+                 res = res + filename
+             elif c == 't':
++                if _find_unsafe(MIMEtype):
++                    msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
++                    warnings.warn(msg, UnsafeMailcapInput)
++                    return None
+                 res = res + MIMEtype
+             elif c == '{':
+                 start = i
+@@ -219,7 +236,12 @@ def subst(field, MIMEtype, filename, plist=[]):
+                     i = i+1
+                 name = field[start:i]
+                 i = i+1
+-                res = res + findparam(name, plist)
++                param = findparam(name, plist)
++                if _find_unsafe(param):
++                    msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
++                    warnings.warn(msg, UnsafeMailcapInput)
++                    return None
++                res = res + param
+             # XXX To do:
+             # %n == number of parts if type is multipart/*
+             # %F == list of alternating type and filename for parts
+diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py
+index 97a8fac6e074..2ed367dba78b 100644
+--- a/Lib/test/test_mailcap.py
++++ b/Lib/test/test_mailcap.py
+@@ -128,7 +128,8 @@ def test_subst(self):
+             (["", "audio/*", "foo.txt"], ""),
+             (["echo foo", "audio/*", "foo.txt"], "echo foo"),
+             (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
+-            (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
++            (["echo %t", "audio/*", "foo.txt"], None),
++            (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
+             (["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
+             (["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
+             (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
+@@ -212,7 +213,10 @@ def test_findmatch(self):
+              ('"An audio fragment"', audio_basic_entry)),
+             ([c, "audio/*"],
+              {"filename": fname},
+-             ("/usr/local/bin/showaudio audio/*", audio_entry)),
++             (None, None)),
++            ([c, "audio/wav"],
++             {"filename": fname},
++             ("/usr/local/bin/showaudio audio/wav", audio_entry)),
+             ([c, "message/external-body"],
+              {"plist": plist},
+              ("showexternal /dev/null default john python.org     /tmp foo bar", message_entry))
@@ -12,14 +12,16 @@
 Summary:        A high-level scripting language
 Name:           python3
 Version:        3.9.13
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        PSF
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/Programming
 URL:            https://www.python.org/
 Source0:        https://www.python.org/ftp/python/%{version}/Python-%{version}.tar.xz
 Patch0:         cgi3.patch
+Patch1:         CVE-2015-20107.patch
+
 BuildRequires:  bzip2-devel
 BuildRequires:  expat-devel >= 2.1.0
 BuildRequires:  libffi-devel >= 3.0.13
@@ -298,6 +300,9 @@ rm -rf %{buildroot}%{_bindir}/__pycache__
 %{_libdir}/python%{majmin}/test/*
 
 %changelog
+* Tue Aug 30 2022 Henry Beberman <[email protected]> - 3.9.13-4
+- Add CVE-2015-20107 patch from upstream
+
 * Tue Jul 12 2022 Olivia Crain <oliviacrain> - 3.9.13-3
 - Update cgi3 patch to use versioned python shebang 
 

@@ -233,10 +233,10 @@ ca-certificates-base-2.0.0-7.cm2.noarch.rpm
 ca-certificates-2.0.0-7.cm2.noarch.rpm
 dwz-0.14-1.cm2.aarch64.rpm
 unzip-6.0-19.cm2.aarch64.rpm
-python3-3.9.13-3.cm2.aarch64.rpm
-python3-devel-3.9.13-3.cm2.aarch64.rpm
-python3-libs-3.9.13-3.cm2.aarch64.rpm
-python3-setuptools-3.9.13-3.cm2.noarch.rpm
+python3-3.9.13-4.cm2.aarch64.rpm
+python3-devel-3.9.13-4.cm2.aarch64.rpm
+python3-libs-3.9.13-4.cm2.aarch64.rpm
+python3-setuptools-3.9.13-4.cm2.noarch.rpm
 which-2.21-8.cm2.aarch64.rpm
 libselinux-3.2-1.cm2.aarch64.rpm
 slang-2.3.2-4.cm2.aarch64.rpm

@@ -233,10 +233,10 @@ ca-certificates-base-2.0.0-7.cm2.noarch.rpm
 ca-certificates-2.0.0-7.cm2.noarch.rpm
 dwz-0.14-1.cm2.x86_64.rpm
 unzip-6.0-19.cm2.x86_64.rpm
-python3-3.9.13-3.cm2.x86_64.rpm
-python3-devel-3.9.13-3.cm2.x86_64.rpm
-python3-libs-3.9.13-3.cm2.x86_64.rpm
-python3-setuptools-3.9.13-3.cm2.noarch.rpm
+python3-3.9.13-4.cm2.x86_64.rpm
+python3-devel-3.9.13-4.cm2.x86_64.rpm
+python3-libs-3.9.13-4.cm2.x86_64.rpm
+python3-setuptools-3.9.13-4.cm2.noarch.rpm
 which-2.21-8.cm2.x86_64.rpm
 libselinux-3.2-1.cm2.x86_64.rpm
 slang-2.3.2-4.cm2.x86_64.rpm

@@ -499,28 +499,28 @@ procps-ng-devel-3.3.17-1.cm2.aarch64.rpm
 procps-ng-lang-3.3.17-1.cm2.aarch64.rpm
 pyproject-rpm-macros-1.0.0~rc1-3.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.aarch64.rpm
-python3-3.9.13-3.cm2.aarch64.rpm
+python3-3.9.13-4.cm2.aarch64.rpm
 python3-audit-3.0.6-7.cm2.aarch64.rpm
 python3-cracklib-2.9.7-5.cm2.aarch64.rpm
-python3-curses-3.9.13-3.cm2.aarch64.rpm
+python3-curses-3.9.13-4.cm2.aarch64.rpm
 python3-Cython-0.29.26-1.cm2.aarch64.rpm
-python3-debuginfo-3.9.13-3.cm2.aarch64.rpm
-python3-devel-3.9.13-3.cm2.aarch64.rpm
+python3-debuginfo-3.9.13-4.cm2.aarch64.rpm
+python3-devel-3.9.13-4.cm2.aarch64.rpm
 python3-gpg-1.16.0-1.cm2.aarch64.rpm
 python3-jinja2-3.0.3-2.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm
-python3-libs-3.9.13-3.cm2.aarch64.rpm
+python3-libs-3.9.13-4.cm2.aarch64.rpm
 python3-libxml2-2.10.0-1.cm2.aarch64.rpm
 python3-lxml-4.9.1-1.cm2.aarch64.rpm
 python3-magic-5.40-2.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.aarch64.rpm
 python3-newt-0.52.21-4.cm2.aarch64.rpm
-python3-pip-3.9.13-3.cm2.noarch.rpm
+python3-pip-3.9.13-4.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.17.0-9.cm2.aarch64.rpm
-python3-setuptools-3.9.13-3.cm2.noarch.rpm
-python3-test-3.9.13-3.cm2.aarch64.rpm
-python3-tools-3.9.13-3.cm2.aarch64.rpm
+python3-setuptools-3.9.13-4.cm2.noarch.rpm
+python3-test-3.9.13-4.cm2.aarch64.rpm
+python3-tools-3.9.13-4.cm2.aarch64.rpm
 readline-8.1-1.cm2.aarch64.rpm
 readline-debuginfo-8.1-1.cm2.aarch64.rpm
 readline-devel-8.1-1.cm2.aarch64.rpm

@@ -499,28 +499,28 @@ procps-ng-devel-3.3.17-1.cm2.x86_64.rpm
 procps-ng-lang-3.3.17-1.cm2.x86_64.rpm
 pyproject-rpm-macros-1.0.0~rc1-3.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.x86_64.rpm
-python3-3.9.13-3.cm2.x86_64.rpm
+python3-3.9.13-4.cm2.x86_64.rpm
 python3-audit-3.0.6-7.cm2.x86_64.rpm
 python3-cracklib-2.9.7-5.cm2.x86_64.rpm
-python3-curses-3.9.13-3.cm2.x86_64.rpm
+python3-curses-3.9.13-4.cm2.x86_64.rpm
 python3-Cython-0.29.26-1.cm2.x86_64.rpm
-python3-debuginfo-3.9.13-3.cm2.x86_64.rpm
-python3-devel-3.9.13-3.cm2.x86_64.rpm
+python3-debuginfo-3.9.13-4.cm2.x86_64.rpm
+python3-devel-3.9.13-4.cm2.x86_64.rpm
 python3-gpg-1.16.0-1.cm2.x86_64.rpm
 python3-jinja2-3.0.3-2.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
-python3-libs-3.9.13-3.cm2.x86_64.rpm
+python3-libs-3.9.13-4.cm2.x86_64.rpm
 python3-libxml2-2.10.0-1.cm2.x86_64.rpm
 python3-lxml-4.9.1-1.cm2.x86_64.rpm
 python3-magic-5.40-2.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.x86_64.rpm
 python3-newt-0.52.21-4.cm2.x86_64.rpm
-python3-pip-3.9.13-3.cm2.noarch.rpm
+python3-pip-3.9.13-4.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.17.0-9.cm2.x86_64.rpm
-python3-setuptools-3.9.13-3.cm2.noarch.rpm
-python3-test-3.9.13-3.cm2.x86_64.rpm
-python3-tools-3.9.13-3.cm2.x86_64.rpm
+python3-setuptools-3.9.13-4.cm2.noarch.rpm
+python3-test-3.9.13-4.cm2.x86_64.rpm
+python3-tools-3.9.13-4.cm2.x86_64.rpm
 readline-8.1-1.cm2.x86_64.rpm
 readline-debuginfo-8.1-1.cm2.x86_64.rpm
 readline-devel-8.1-1.cm2.x86_64.rpm