summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorA. Wilcox <AWilcox@Wilcox-Tech.com>2022-11-24 07:02:27 +0000
committerZach van Rijn <me@zv.io>2022-11-25 20:02:28 -0600
commite0b07d96a83b9b6bdb1746ecb301c347c4f92fae (patch)
tree06eafa0d316b38aa9ed48871cfa618b74e56a8ea
parentf324d2a5c24c66fff7f15ecc14e828859c9b04e8 (diff)
downloadpackages-e0b07d96a83b9b6bdb1746ecb301c347c4f92fae.tar.gz
packages-e0b07d96a83b9b6bdb1746ecb301c347c4f92fae.tar.bz2
packages-e0b07d96a83b9b6bdb1746ecb301c347c4f92fae.tar.xz
packages-e0b07d96a83b9b6bdb1746ecb301c347c4f92fae.zip
system/python3: [CVE] Update to 3.11.0
Includes one yet-unreleased CVE fix from Git. Removes an unrecognized configure option.
-rw-r--r--system/python3/APKBUILD18
-rw-r--r--system/python3/CVE-2015-20107.patch131
-rw-r--r--system/python3/CVE-2022-45061.patch95
-rw-r--r--system/python3/musl-has-login_tty.patch11
4 files changed, 118 insertions, 137 deletions
diff --git a/system/python3/APKBUILD b/system/python3/APKBUILD
index 8d9ad55c4..a9cdba51d 100644
--- a/system/python3/APKBUILD
+++ b/system/python3/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Sheila Aman <sheila@vulpine.house>
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=python3
-pkgver=3.10.4
+pkgver=3.11.0
_basever="${pkgver%.*}"
pkgrel=0
pkgdesc="A high-level scripting language"
@@ -38,8 +38,9 @@ makedepends="expat-dev openssl-dev zlib-dev ncurses-dev bzip2-dev xz-dev
sqlite-dev libffi-dev tcl-dev linux-headers !python3"
source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz
musl-find_library.patch
+ musl-has-login_tty.patch
fix-xattrs-glibc.patch
- CVE-2015-20107.patch
+ CVE-2022-45061.patch
"
builddir="$srcdir/Python-$pkgver"
@@ -63,6 +64,11 @@ builddir="$srcdir/Python-$pkgver"
# - CVE-2019-16935
# 3.6.10-r0:
# - CVE-2019-18348
+# 3.11.0-r0:
+# - CVE-2020-10735
+# - CVE-2022-37454
+# - CVE-2022-42919
+# - CVE-2022-45061
prepare() {
default_prepare
@@ -91,8 +97,7 @@ build() {
--with-computed-gotos \
--with-dbmliborder=ndbm \
--with-system-expat \
- --with-system-ffi \
- --with-threads
+ --with-system-ffi
# set thread stack size to 1MB so we don't segfault before we hit
# sys.getrecursionlimit()
@@ -186,7 +191,8 @@ tests() {
"$subpkgdir"/usr/lib/python$_basever/
}
-sha512sums="6c9aeecddc55c7896b2e8527fca131c7b2b6127d56ce1a001ccedfebf590334e0c0bb7c517ed3cf1da3c1910e002552b56aa7e03eeb672f42ff0bd8150799113 Python-3.10.4.tar.xz
+sha512sums="314eef88ae0d68760f34d7a32f238fd2ecb27c50963baa7357c42ad8159026ec50229a0b31d83c39710a472904a06422afc082f9658a90a1dc83ccb74c08039d Python-3.11.0.tar.xz
ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch
+75c60afecba2e57f11d58c20aadc611ebbb5c68e05b14415c5cf2f7aa75e103986764ca22f76e6a58b2c08e2ff3acffdbf6d85d2c8c4589743a0b949a4c90687 musl-has-login_tty.patch
4b4696d139e53aad184b72461478821335aadedc4811ec9e96cdea9a4f7ef19ebf0aac8c6afae6345f33c79fbd3ae2c63021de36044a2803d0dc8894fa291cf5 fix-xattrs-glibc.patch
-a33454a727304360c2370153a695511a41fda6c526104ebffaadae01bbf1f433869e9f9f817b7cd1b8291062719ec35808ca1aa84398a8ace9901f5b16591359 CVE-2015-20107.patch"
+039982b5f35d5aa412596dba81b0666fdf979e6c120aefa3ae29333fbaa56f6f6ad69db513dcd93e06a66522405058be2e39e56350816abcb9febd8f5778036f CVE-2022-45061.patch"
diff --git a/system/python3/CVE-2015-20107.patch b/system/python3/CVE-2015-20107.patch
deleted file mode 100644
index 59cb4d7ed..000000000
--- a/system/python3/CVE-2015-20107.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-From c3e7f139b440d7424986204e9f3fc2275aea3377 Mon Sep 17 00:00:00 2001
-From: Petr Viktorin <encukou@gmail.com>
-Date: Wed, 27 Apr 2022 18:17:33 +0200
-Subject: [PATCH 1/2] gh-68966: Make mailcap refuse to match unsafe
- filenames/types/params
-
----
- Lib/mailcap.py | 26 ++++++++++++++++++++++++--
- Lib/test/test_mailcap.py | 8 ++++++--
- 2 files changed, 30 insertions(+), 4 deletions(-)
-
-diff --git a/Lib/mailcap.py b/Lib/mailcap.py
-index 856b6a55475f3..cfb70edc61ecf 100644
---- a/Lib/mailcap.py
-+++ b/Lib/mailcap.py
-@@ -2,6 +2,7 @@
-
- import os
- import warnings
-+import re
-
- __all__ = ["getcaps","findmatch"]
-
-@@ -19,6 +20,11 @@ def lineno_sort_key(entry):
- else:
- return 1, 0
-
-+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@%+=:,./-]').search
-+
-+class UnsafeMailcapInput(Warning):
-+ """Warning raised when refusing unsafe input"""
-+
-
- # Part 1: top-level interface.
-
-@@ -171,15 +177,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
- entry to use.
-
- """
-+ if _find_unsafe(filename):
-+ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
-+ warnings.warn(msg, UnsafeMailcapInput)
-+ return None, None
- entries = lookup(caps, MIMEtype, key)
- # XXX This code should somehow check for the needsterminal flag.
- for e in entries:
- if 'test' in e:
- test = subst(e['test'], filename, plist)
-+ if test is None:
-+ continue
- if test and os.system(test) != 0:
- continue
- command = subst(e[key], MIMEtype, filename, plist)
-- return command, e
-+ if command is not None:
-+ return command, e
- return None, None
-
- def lookup(caps, MIMEtype, key=None):
-@@ -212,6 +225,10 @@ def subst(field, MIMEtype, filename, plist=[]):
- elif c == 's':
- res = res + filename
- elif c == 't':
-+ if _find_unsafe(MIMEtype):
-+ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
-+ warnings.warn(msg, UnsafeMailcapInput)
-+ return None
- res = res + MIMEtype
- elif c == '{':
- start = i
-@@ -219,7 +236,12 @@ def subst(field, MIMEtype, filename, plist=[]):
- i = i+1
- name = field[start:i]
- i = i+1
-- res = res + findparam(name, plist)
-+ param = findparam(name, plist)
-+ if _find_unsafe(param):
-+ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
-+ warnings.warn(msg, UnsafeMailcapInput)
-+ return None
-+ res = res + param
- # XXX To do:
- # %n == number of parts if type is multipart/*
- # %F == list of alternating type and filename for parts
-diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py
-index 97a8fac6e074a..2ed367dba78b7 100644
---- a/Lib/test/test_mailcap.py
-+++ b/Lib/test/test_mailcap.py
-@@ -128,7 +128,8 @@ def test_subst(self):
- (["", "audio/*", "foo.txt"], ""),
- (["echo foo", "audio/*", "foo.txt"], "echo foo"),
- (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
-- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
-+ (["echo %t", "audio/*", "foo.txt"], None),
-+ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
- (["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
- (["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
- (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
-@@ -212,7 +213,10 @@ def test_findmatch(self):
- ('"An audio fragment"', audio_basic_entry)),
- ([c, "audio/*"],
- {"filename": fname},
-- ("/usr/local/bin/showaudio audio/*", audio_entry)),
-+ (None, None)),
-+ ([c, "audio/wav"],
-+ {"filename": fname},
-+ ("/usr/local/bin/showaudio audio/wav", audio_entry)),
- ([c, "message/external-body"],
- {"plist": plist},
- ("showexternal /dev/null default john python.org /tmp foo bar", message_entry))
-
-From 3904f682b6dde32b4f51e7b8c3867e27d13333e0 Mon Sep 17 00:00:00 2001
-From: Petr Viktorin <encukou@gmail.com>
-Date: Wed, 27 Apr 2022 18:29:35 +0200
-Subject: [PATCH 2/2] Add blurb
-
----
- .../Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 ++++
- 1 file changed, 4 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
-
-diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
-new file mode 100644
-index 0000000000000..da81a1f6993db
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
-@@ -0,0 +1,4 @@
-+The deprecated mailcap module now refuses to inject unsafe text (filenames,
-+MIME types, parameters) into shell commands. Instead of using such text, it
-+will warn and act as if a match was not found (or for test commands, as if
-+the test failed).
diff --git a/system/python3/CVE-2022-45061.patch b/system/python3/CVE-2022-45061.patch
new file mode 100644
index 000000000..0b6faa7cb
--- /dev/null
+++ b/system/python3/CVE-2022-45061.patch
@@ -0,0 +1,95 @@
+From b8f89940de09a51fdbd8fe4705d3d1d7f1bb0c6a Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 7 Nov 2022 18:57:10 -0800
+Subject: [PATCH] [3.11] gh-98433: Fix quadratic time idna decoding. (GH-99092)
+ (GH-99222)
+
+There was an unnecessary quadratic loop in idna decoding. This restores
+the behavior to linear.
+
+(cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d)
+
+(cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15)
+
+Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <greg@krypto.org>
+---
+ Lib/encodings/idna.py | 32 +++++++++----------
+ Lib/test/test_codecs.py | 6 ++++
+ ...2-11-04-09-29-36.gh-issue-98433.l76c5G.rst | 6 ++++
+ 3 files changed, 27 insertions(+), 17 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
+
+diff --git a/Lib/encodings/idna.py b/Lib/encodings/idna.py
+index ea4058512fe3..bf98f513366b 100644
+--- a/Lib/encodings/idna.py
++++ b/Lib/encodings/idna.py
+@@ -39,23 +39,21 @@ def nameprep(label):
+
+ # Check bidi
+ RandAL = [stringprep.in_table_d1(x) for x in label]
+- for c in RandAL:
+- if c:
+- # There is a RandAL char in the string. Must perform further
+- # tests:
+- # 1) The characters in section 5.8 MUST be prohibited.
+- # This is table C.8, which was already checked
+- # 2) If a string contains any RandALCat character, the string
+- # MUST NOT contain any LCat character.
+- if any(stringprep.in_table_d2(x) for x in label):
+- raise UnicodeError("Violation of BIDI requirement 2")
+-
+- # 3) If a string contains any RandALCat character, a
+- # RandALCat character MUST be the first character of the
+- # string, and a RandALCat character MUST be the last
+- # character of the string.
+- if not RandAL[0] or not RandAL[-1]:
+- raise UnicodeError("Violation of BIDI requirement 3")
++ if any(RandAL):
++ # There is a RandAL char in the string. Must perform further
++ # tests:
++ # 1) The characters in section 5.8 MUST be prohibited.
++ # This is table C.8, which was already checked
++ # 2) If a string contains any RandALCat character, the string
++ # MUST NOT contain any LCat character.
++ if any(stringprep.in_table_d2(x) for x in label):
++ raise UnicodeError("Violation of BIDI requirement 2")
++ # 3) If a string contains any RandALCat character, a
++ # RandALCat character MUST be the first character of the
++ # string, and a RandALCat character MUST be the last
++ # character of the string.
++ if not RandAL[0] or not RandAL[-1]:
++ raise UnicodeError("Violation of BIDI requirement 3")
+
+ return label
+
+diff --git a/Lib/test/test_codecs.py b/Lib/test/test_codecs.py
+index 8edd5ac0633e..240756726133 100644
+--- a/Lib/test/test_codecs.py
++++ b/Lib/test/test_codecs.py
+@@ -1535,6 +1535,12 @@ def test_builtin_encode(self):
+ self.assertEqual("pyth\xf6n.org".encode("idna"), b"xn--pythn-mua.org")
+ self.assertEqual("pyth\xf6n.org.".encode("idna"), b"xn--pythn-mua.org.")
+
++ def test_builtin_decode_length_limit(self):
++ with self.assertRaisesRegex(UnicodeError, "too long"):
++ (b"xn--016c"+b"a"*1100).decode("idna")
++ with self.assertRaisesRegex(UnicodeError, "too long"):
++ (b"xn--016c"+b"a"*70).decode("idna")
++
+ def test_stream(self):
+ r = codecs.getreader("idna")(io.BytesIO(b"abc"))
+ r.read(3)
+diff --git a/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
+new file mode 100644
+index 000000000000..5185fac2e29d
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
+@@ -0,0 +1,6 @@
++The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio`
++related name resolution functions no longer involves a quadratic algorithm.
++This prevents a potential CPU denial of service if an out-of-spec excessive
++length hostname involving bidirectional characters were decoded. Some protocols
++such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker
++to supply such a name.
diff --git a/system/python3/musl-has-login_tty.patch b/system/python3/musl-has-login_tty.patch
new file mode 100644
index 000000000..2ed566ee1
--- /dev/null
+++ b/system/python3/musl-has-login_tty.patch
@@ -0,0 +1,11 @@
+--- a/Modules/posixmodule.h
++++ b/Modules/posixmodule.h
+@@ -10,6 +10,8 @@
+ #include <sys/types.h>
+ #endif
+
++int login_tty(int); /* musl 4b2cb37770e56835b261660535cea77474154ba0 */
++
+ #ifndef Py_LIMITED_API
+ #ifndef MS_WINDOWS
+ PyAPI_FUNC(PyObject *) _PyLong_FromUid(uid_t);