diff options
author | Zach van Rijn <me@zv.io> | 2022-01-11 12:51:26 +0000 |
---|---|---|
committer | A. Wilcox <AWilcox@Wilcox-Tech.com> | 2022-05-01 17:05:43 -0500 |
commit | 5c5f97caca3c9a038732f2732f704d839665ef4e (patch) | |
tree | afefcec5b123fc9b7dacbc290938f3efe7bb0426 /system | |
parent | f17fb4e27d5014a3f582721cebd44bce6dbfa2ca (diff) | |
download | packages-5c5f97caca3c9a038732f2732f704d839665ef4e.tar.gz packages-5c5f97caca3c9a038732f2732f704d839665ef4e.tar.bz2 packages-5c5f97caca3c9a038732f2732f704d839665ef4e.tar.xz packages-5c5f97caca3c9a038732f2732f704d839665ef4e.zip |
system/python3: bump { 3.6.10 --> 3.10.1 }. fixes #232, 450.
Diffstat (limited to 'system')
-rw-r--r-- | system/python3/APKBUILD | 28 | ||||
-rw-r--r-- | system/python3/CVE-2019-18348.patch | 147 | ||||
-rw-r--r-- | system/python3/fix-xattrs-glibc.patch | 13 |
3 files changed, 15 insertions, 173 deletions
diff --git a/system/python3/APKBUILD b/system/python3/APKBUILD index a6d47495b..b3d971c8e 100644 --- a/system/python3/APKBUILD +++ b/system/python3/APKBUILD @@ -1,16 +1,15 @@ # Contributor: Sheila Aman <sheila@vulpine.house> # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=python3 -pkgver=3.6.10 +pkgver=3.10.1 _basever="${pkgver%.*}" -pkgrel=2 +pkgrel=0 pkgdesc="A high-level scripting language" url="https://www.python.org" arch="all" license="Python-2.0" provides="py3-pip" -subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc $pkgname-tests::noarch - $pkgname-wininst" +subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc $pkgname-tests::noarch" # If Python 3 is installed during the build, you get: # # Installing collected packages: setuptools, pip @@ -40,7 +39,6 @@ makedepends="expat-dev openssl-dev zlib-dev ncurses-dev bzip2-dev xz-dev source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz musl-find_library.patch fix-xattrs-glibc.patch - CVE-2019-18348.patch " builddir="$srcdir/Python-$pkgver" @@ -70,7 +68,6 @@ prepare() { # force system libs rm -r Modules/expat \ - Modules/zlib \ Modules/_ctypes/darwin* \ Modules/_ctypes/libffi* } @@ -122,6 +119,7 @@ EOF # musl related fail="test__locale test_locale test_strptime test_re" # various musl locale deficiencies + fail="$fail test_c_locale_coercion" fail="$fail test_datetime" # hangs if 'tzdata' installed fail="$fail test_os" # fpathconf, ttyname errno values fail="$fail test_posix" # sched_[gs]etscheduler not impl @@ -168,9 +166,9 @@ dev() { default_dev # pyconfig.h is needed runtime so we move it back - mkdir -p "$pkgdir"/usr/include/python${_basever}m - mv "$subpkgdir"/usr/include/python${_basever}m/pyconfig.h \ - "$pkgdir"/usr/include/python${_basever}m/ + mkdir -p "$pkgdir"/usr/include/python${_basever} + mv "$subpkgdir"/usr/include/python${_basever}/pyconfig.h \ + "$pkgdir"/usr/include/python${_basever}/ } tests() { @@ -186,14 +184,6 @@ tests() { "$subpkgdir"/usr/lib/python$_basever/ } -wininst() { - pkgdesc="Python wininst files" - mkdir -p "$subpkgdir"/usr/lib/python$_basever/distutils/command - mv "$pkgdir"/usr/lib/python$_basever/distutils/command/*.exe \ - "$subpkgdir"/usr/lib/python$_basever/distutils/command -} - -sha512sums="26147099e1f1a0ffc85febad26e18e991f019599a150887ea0b925e34663fad8e03b3c2a941e2770c1a63960695e173ef32709572c9361e7f2cb862ccf75b28a Python-3.6.10.tar.xz +sha512sums="1c559e33f1252e51bafb941c380de16f142c0735858363c84cb8dbed6767843de3af126889c2826ffb94bd4777d7cdfc31040301c8c74de56af52b80b1aa9e76 Python-3.10.1.tar.xz ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch -37b6ee5d0d5de43799316aa111423ba5a666c17dc7f81b04c330f59c1d1565540eac4c585abe2199bbed52ebe7426001edb1c53bd0a17486a2a8e052d0f494ad fix-xattrs-glibc.patch -7a15409165feb60358455b711f978b7b1c4dea9ad53aa7b5be07c1f70262988e592e7a630f83125f37051bbed14d14b66d2acd775234a163ff5b048621b9a59c CVE-2019-18348.patch" +4b4696d139e53aad184b72461478821335aadedc4811ec9e96cdea9a4f7ef19ebf0aac8c6afae6345f33c79fbd3ae2c63021de36044a2803d0dc8894fa291cf5 fix-xattrs-glibc.patch" diff --git a/system/python3/CVE-2019-18348.patch b/system/python3/CVE-2019-18348.patch deleted file mode 100644 index 9ebb963a8..000000000 --- a/system/python3/CVE-2019-18348.patch +++ /dev/null @@ -1,147 +0,0 @@ -From 83fc70159b24f5b11a5ef87c9b05c2cf4c7faeba Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Sat, 14 Mar 2020 15:35:52 -0700 -Subject: [PATCH] bpo-38576: Disallow control characters in hostnames in - http.client (GH-18995) (GH-19002) - -Add host validation for control characters for more CVE-2019-18348 protection. -(cherry picked from commit 9165addc22d05e776a54319a8531ebd0b2fe01ef) - -Co-authored-by: Ashwin Ramaswami <aramaswamis@gmail.com> ---- - Lib/http/client.py | 10 ++++++ - Lib/test/test_httplib.py | 13 ++++++- - Lib/test/test_urllib.py | 36 +++++++++++++++++-- - .../2020-03-14-14-57-44.bpo-38576.OowwQn.rst | 1 + - 4 files changed, 57 insertions(+), 3 deletions(-) - create mode 100644 Misc/NEWS.d/next/Security/2020-03-14-14-57-44.bpo-38576.OowwQn.rst - -diff --git a/Lib/http/client.py b/Lib/http/client.py -index d4821f1a96e07..c0ac7db6f40a0 100644 ---- a/Lib/http/client.py -+++ b/Lib/http/client.py -@@ -858,6 +858,8 @@ def __init__(self, host, port=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT, - - (self.host, self.port) = self._get_hostport(host, port) - -+ self._validate_host(self.host) -+ - # This is stored as an instance variable to allow unit - # tests to replace it with a suitable mockup - self._create_connection = socket.create_connection -@@ -1215,6 +1217,14 @@ def _validate_path(self, url): - raise InvalidURL(f"URL can't contain control characters. {url!r} " - f"(found at least {match.group()!r})") - -+ def _validate_host(self, host): -+ """Validate a host so it doesn't contain control characters.""" -+ # Prevent CVE-2019-18348. -+ match = _contains_disallowed_url_pchar_re.search(host) -+ if match: -+ raise InvalidURL(f"URL can't contain control characters. {host!r} " -+ f"(found at least {match.group()!r})") -+ - def putheader(self, header, *values): - """Send a request header line to the server. - -diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py -index 14d42d483773c..fcd9231666ede 100644 ---- a/Lib/test/test_httplib.py -+++ b/Lib/test/test_httplib.py -@@ -1132,7 +1132,7 @@ def run_server(): - thread.join() - self.assertEqual(result, b"proxied data\n") - -- def test_putrequest_override_validation(self): -+ def test_putrequest_override_domain_validation(self): - """ - It should be possible to override the default validation - behavior in putrequest (bpo-38216). -@@ -1145,6 +1145,17 @@ def _validate_path(self, url): - conn.sock = FakeSocket('') - conn.putrequest('GET', '/\x00') - -+ def test_putrequest_override_host_validation(self): -+ class UnsafeHTTPConnection(client.HTTPConnection): -+ def _validate_host(self, url): -+ pass -+ -+ conn = UnsafeHTTPConnection('example.com\r\n') -+ conn.sock = FakeSocket('') -+ # set skip_host so a ValueError is not raised upon adding the -+ # invalid URL as the value of the "Host:" header -+ conn.putrequest('GET', '/', skip_host=1) -+ - def test_putrequest_override_encoding(self): - """ - It should be possible to override the default encoding -diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py -index 0061a5297cb35..ddf425fd8d4b5 100644 ---- a/Lib/test/test_urllib.py -+++ b/Lib/test/test_urllib.py -@@ -331,7 +331,7 @@ def test_willclose(self): - self.unfakehttp() - - @unittest.skipUnless(ssl, "ssl module required") -- def test_url_with_control_char_rejected(self): -+ def test_url_path_with_control_char_rejected(self): - for char_no in list(range(0, 0x21)) + [0x7f]: - char = chr(char_no) - schemeless_url = f"//localhost:7777/test{char}/" -@@ -358,7 +358,7 @@ def test_url_with_control_char_rejected(self): - self.unfakehttp() - - @unittest.skipUnless(ssl, "ssl module required") -- def test_url_with_newline_header_injection_rejected(self): -+ def test_url_path_with_newline_header_injection_rejected(self): - self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.") - host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123" - schemeless_url = "//" + host + ":8080/test/?test=a" -@@ -383,6 +383,38 @@ def test_url_with_newline_header_injection_rejected(self): - finally: - self.unfakehttp() - -+ @unittest.skipUnless(ssl, "ssl module required") -+ def test_url_host_with_control_char_rejected(self): -+ for char_no in list(range(0, 0x21)) + [0x7f]: -+ char = chr(char_no) -+ schemeless_url = f"//localhost{char}/test/" -+ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.") -+ try: -+ escaped_char_repr = repr(char).replace('\\', r'\\') -+ InvalidURL = http.client.InvalidURL -+ with self.assertRaisesRegex( -+ InvalidURL, f"contain control.*{escaped_char_repr}"): -+ urlopen(f"http:{schemeless_url}") -+ with self.assertRaisesRegex(InvalidURL, f"contain control.*{escaped_char_repr}"): -+ urlopen(f"https:{schemeless_url}") -+ finally: -+ self.unfakehttp() -+ -+ @unittest.skipUnless(ssl, "ssl module required") -+ def test_url_host_with_newline_header_injection_rejected(self): -+ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.") -+ host = "localhost\r\nX-injected: header\r\n" -+ schemeless_url = "//" + host + ":8080/test/?test=a" -+ try: -+ InvalidURL = http.client.InvalidURL -+ with self.assertRaisesRegex( -+ InvalidURL, r"contain control.*\\r"): -+ urlopen(f"http:{schemeless_url}") -+ with self.assertRaisesRegex(InvalidURL, r"contain control.*\\n"): -+ urlopen(f"https:{schemeless_url}") -+ finally: -+ self.unfakehttp() -+ - def test_read_0_9(self): - # "0.9" response accepted (but not "simple responses" without - # a status line) -diff --git a/Misc/NEWS.d/next/Security/2020-03-14-14-57-44.bpo-38576.OowwQn.rst b/Misc/NEWS.d/next/Security/2020-03-14-14-57-44.bpo-38576.OowwQn.rst -new file mode 100644 -index 0000000000000..34b8af28988fa ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2020-03-14-14-57-44.bpo-38576.OowwQn.rst -@@ -0,0 +1 @@ -+Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised. -\ No newline at end of file diff --git a/system/python3/fix-xattrs-glibc.patch b/system/python3/fix-xattrs-glibc.patch index 57a8fb73a..d78428108 100644 --- a/system/python3/fix-xattrs-glibc.patch +++ b/system/python3/fix-xattrs-glibc.patch @@ -1,14 +1,13 @@ -diff --git a/Modules/posixmodule.c b/Modules/posixmodule.c -index 8f8ba25..72b92da 100644 ---- a/Modules/posixmodule.c -+++ b/Modules/posixmodule.c -@@ -103,8 +103,9 @@ corresponding Unix manual entries for more information on calls."); - #undef HAVE_SCHED_SETAFFINITY +diff -ur a/Modules/posixmodule.c b/Modules/posixmodule.c +--- a/Modules/posixmodule.c 2022-01-11 11:45:55.120000000 +0000 ++++ b/Modules/posixmodule.c 2022-01-11 11:47:28.010000000 +0000 +@@ -247,8 +247,9 @@ + # undef HAVE_SCHED_SETAFFINITY #endif -#if defined(HAVE_SYS_XATTR_H) && defined(__GLIBC__) && !defined(__FreeBSD_kernel__) && !defined(__GNU__) +#if defined(HAVE_SYS_XATTR_H) && defined(__linux__) && !defined(__FreeBSD_kernel__) && !defined(__GNU__) - #define USE_XATTRS + # define USE_XATTRS +#include <linux/limits.h> #endif |