diff options
-rw-r--r-- | system/python3/APKBUILD | 18 | ||||
-rw-r--r-- | system/python3/CVE-2015-20107.patch | 131 | ||||
-rw-r--r-- | system/python3/CVE-2022-45061.patch | 95 | ||||
-rw-r--r-- | system/python3/musl-has-login_tty.patch | 11 |
4 files changed, 118 insertions, 137 deletions
diff --git a/system/python3/APKBUILD b/system/python3/APKBUILD index 8d9ad55c4..a9cdba51d 100644 --- a/system/python3/APKBUILD +++ b/system/python3/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Sheila Aman <sheila@vulpine.house> # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=python3 -pkgver=3.10.4 +pkgver=3.11.0 _basever="${pkgver%.*}" pkgrel=0 pkgdesc="A high-level scripting language" @@ -38,8 +38,9 @@ makedepends="expat-dev openssl-dev zlib-dev ncurses-dev bzip2-dev xz-dev sqlite-dev libffi-dev tcl-dev linux-headers !python3" source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz musl-find_library.patch + musl-has-login_tty.patch fix-xattrs-glibc.patch - CVE-2015-20107.patch + CVE-2022-45061.patch " builddir="$srcdir/Python-$pkgver" @@ -63,6 +64,11 @@ builddir="$srcdir/Python-$pkgver" # - CVE-2019-16935 # 3.6.10-r0: # - CVE-2019-18348 +# 3.11.0-r0: +# - CVE-2020-10735 +# - CVE-2022-37454 +# - CVE-2022-42919 +# - CVE-2022-45061 prepare() { default_prepare @@ -91,8 +97,7 @@ build() { --with-computed-gotos \ --with-dbmliborder=ndbm \ --with-system-expat \ - --with-system-ffi \ - --with-threads + --with-system-ffi # set thread stack size to 1MB so we don't segfault before we hit # sys.getrecursionlimit() @@ -186,7 +191,8 @@ tests() { "$subpkgdir"/usr/lib/python$_basever/ } -sha512sums="6c9aeecddc55c7896b2e8527fca131c7b2b6127d56ce1a001ccedfebf590334e0c0bb7c517ed3cf1da3c1910e002552b56aa7e03eeb672f42ff0bd8150799113 Python-3.10.4.tar.xz +sha512sums="314eef88ae0d68760f34d7a32f238fd2ecb27c50963baa7357c42ad8159026ec50229a0b31d83c39710a472904a06422afc082f9658a90a1dc83ccb74c08039d Python-3.11.0.tar.xz ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch +75c60afecba2e57f11d58c20aadc611ebbb5c68e05b14415c5cf2f7aa75e103986764ca22f76e6a58b2c08e2ff3acffdbf6d85d2c8c4589743a0b949a4c90687 musl-has-login_tty.patch 4b4696d139e53aad184b72461478821335aadedc4811ec9e96cdea9a4f7ef19ebf0aac8c6afae6345f33c79fbd3ae2c63021de36044a2803d0dc8894fa291cf5 fix-xattrs-glibc.patch -a33454a727304360c2370153a695511a41fda6c526104ebffaadae01bbf1f433869e9f9f817b7cd1b8291062719ec35808ca1aa84398a8ace9901f5b16591359 CVE-2015-20107.patch" +039982b5f35d5aa412596dba81b0666fdf979e6c120aefa3ae29333fbaa56f6f6ad69db513dcd93e06a66522405058be2e39e56350816abcb9febd8f5778036f CVE-2022-45061.patch" diff --git a/system/python3/CVE-2015-20107.patch b/system/python3/CVE-2015-20107.patch deleted file mode 100644 index 59cb4d7ed..000000000 --- a/system/python3/CVE-2015-20107.patch +++ /dev/null @@ -1,131 +0,0 @@ -From c3e7f139b440d7424986204e9f3fc2275aea3377 Mon Sep 17 00:00:00 2001 -From: Petr Viktorin <encukou@gmail.com> -Date: Wed, 27 Apr 2022 18:17:33 +0200 -Subject: [PATCH 1/2] gh-68966: Make mailcap refuse to match unsafe - filenames/types/params - ---- - Lib/mailcap.py | 26 ++++++++++++++++++++++++-- - Lib/test/test_mailcap.py | 8 ++++++-- - 2 files changed, 30 insertions(+), 4 deletions(-) - -diff --git a/Lib/mailcap.py b/Lib/mailcap.py -index 856b6a55475f3..cfb70edc61ecf 100644 ---- a/Lib/mailcap.py -+++ b/Lib/mailcap.py -@@ -2,6 +2,7 @@ - - import os - import warnings -+import re - - __all__ = ["getcaps","findmatch"] - -@@ -19,6 +20,11 @@ def lineno_sort_key(entry): - else: - return 1, 0 - -+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@%+=:,./-]').search -+ -+class UnsafeMailcapInput(Warning): -+ """Warning raised when refusing unsafe input""" -+ - - # Part 1: top-level interface. - -@@ -171,15 +177,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]): - entry to use. - - """ -+ if _find_unsafe(filename): -+ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,) -+ warnings.warn(msg, UnsafeMailcapInput) -+ return None, None - entries = lookup(caps, MIMEtype, key) - # XXX This code should somehow check for the needsterminal flag. - for e in entries: - if 'test' in e: - test = subst(e['test'], filename, plist) -+ if test is None: -+ continue - if test and os.system(test) != 0: - continue - command = subst(e[key], MIMEtype, filename, plist) -- return command, e -+ if command is not None: -+ return command, e - return None, None - - def lookup(caps, MIMEtype, key=None): -@@ -212,6 +225,10 @@ def subst(field, MIMEtype, filename, plist=[]): - elif c == 's': - res = res + filename - elif c == 't': -+ if _find_unsafe(MIMEtype): -+ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,) -+ warnings.warn(msg, UnsafeMailcapInput) -+ return None - res = res + MIMEtype - elif c == '{': - start = i -@@ -219,7 +236,12 @@ def subst(field, MIMEtype, filename, plist=[]): - i = i+1 - name = field[start:i] - i = i+1 -- res = res + findparam(name, plist) -+ param = findparam(name, plist) -+ if _find_unsafe(param): -+ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name) -+ warnings.warn(msg, UnsafeMailcapInput) -+ return None -+ res = res + param - # XXX To do: - # %n == number of parts if type is multipart/* - # %F == list of alternating type and filename for parts -diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py -index 97a8fac6e074a..2ed367dba78b7 100644 ---- a/Lib/test/test_mailcap.py -+++ b/Lib/test/test_mailcap.py -@@ -128,7 +128,8 @@ def test_subst(self): - (["", "audio/*", "foo.txt"], ""), - (["echo foo", "audio/*", "foo.txt"], "echo foo"), - (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"), -- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"), -+ (["echo %t", "audio/*", "foo.txt"], None), -+ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"), - (["echo \\%t", "audio/*", "foo.txt"], "echo %t"), - (["echo foo", "audio/*", "foo.txt", plist], "echo foo"), - (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3") -@@ -212,7 +213,10 @@ def test_findmatch(self): - ('"An audio fragment"', audio_basic_entry)), - ([c, "audio/*"], - {"filename": fname}, -- ("/usr/local/bin/showaudio audio/*", audio_entry)), -+ (None, None)), -+ ([c, "audio/wav"], -+ {"filename": fname}, -+ ("/usr/local/bin/showaudio audio/wav", audio_entry)), - ([c, "message/external-body"], - {"plist": plist}, - ("showexternal /dev/null default john python.org /tmp foo bar", message_entry)) - -From 3904f682b6dde32b4f51e7b8c3867e27d13333e0 Mon Sep 17 00:00:00 2001 -From: Petr Viktorin <encukou@gmail.com> -Date: Wed, 27 Apr 2022 18:29:35 +0200 -Subject: [PATCH 2/2] Add blurb - ---- - .../Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 ++++ - 1 file changed, 4 insertions(+) - create mode 100644 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst - -diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst -new file mode 100644 -index 0000000000000..da81a1f6993db ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst -@@ -0,0 +1,4 @@ -+The deprecated mailcap module now refuses to inject unsafe text (filenames, -+MIME types, parameters) into shell commands. Instead of using such text, it -+will warn and act as if a match was not found (or for test commands, as if -+the test failed). diff --git a/system/python3/CVE-2022-45061.patch b/system/python3/CVE-2022-45061.patch new file mode 100644 index 000000000..0b6faa7cb --- /dev/null +++ b/system/python3/CVE-2022-45061.patch @@ -0,0 +1,95 @@ +From b8f89940de09a51fdbd8fe4705d3d1d7f1bb0c6a Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 7 Nov 2022 18:57:10 -0800 +Subject: [PATCH] [3.11] gh-98433: Fix quadratic time idna decoding. (GH-99092) + (GH-99222) + +There was an unnecessary quadratic loop in idna decoding. This restores +the behavior to linear. + +(cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d) + +(cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15) + +Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> +Co-authored-by: Gregory P. Smith <greg@krypto.org> +--- + Lib/encodings/idna.py | 32 +++++++++---------- + Lib/test/test_codecs.py | 6 ++++ + ...2-11-04-09-29-36.gh-issue-98433.l76c5G.rst | 6 ++++ + 3 files changed, 27 insertions(+), 17 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst + +diff --git a/Lib/encodings/idna.py b/Lib/encodings/idna.py +index ea4058512fe3..bf98f513366b 100644 +--- a/Lib/encodings/idna.py ++++ b/Lib/encodings/idna.py +@@ -39,23 +39,21 @@ def nameprep(label): + + # Check bidi + RandAL = [stringprep.in_table_d1(x) for x in label] +- for c in RandAL: +- if c: +- # There is a RandAL char in the string. Must perform further +- # tests: +- # 1) The characters in section 5.8 MUST be prohibited. +- # This is table C.8, which was already checked +- # 2) If a string contains any RandALCat character, the string +- # MUST NOT contain any LCat character. +- if any(stringprep.in_table_d2(x) for x in label): +- raise UnicodeError("Violation of BIDI requirement 2") +- +- # 3) If a string contains any RandALCat character, a +- # RandALCat character MUST be the first character of the +- # string, and a RandALCat character MUST be the last +- # character of the string. +- if not RandAL[0] or not RandAL[-1]: +- raise UnicodeError("Violation of BIDI requirement 3") ++ if any(RandAL): ++ # There is a RandAL char in the string. Must perform further ++ # tests: ++ # 1) The characters in section 5.8 MUST be prohibited. ++ # This is table C.8, which was already checked ++ # 2) If a string contains any RandALCat character, the string ++ # MUST NOT contain any LCat character. ++ if any(stringprep.in_table_d2(x) for x in label): ++ raise UnicodeError("Violation of BIDI requirement 2") ++ # 3) If a string contains any RandALCat character, a ++ # RandALCat character MUST be the first character of the ++ # string, and a RandALCat character MUST be the last ++ # character of the string. ++ if not RandAL[0] or not RandAL[-1]: ++ raise UnicodeError("Violation of BIDI requirement 3") + + return label + +diff --git a/Lib/test/test_codecs.py b/Lib/test/test_codecs.py +index 8edd5ac0633e..240756726133 100644 +--- a/Lib/test/test_codecs.py ++++ b/Lib/test/test_codecs.py +@@ -1535,6 +1535,12 @@ def test_builtin_encode(self): + self.assertEqual("pyth\xf6n.org".encode("idna"), b"xn--pythn-mua.org") + self.assertEqual("pyth\xf6n.org.".encode("idna"), b"xn--pythn-mua.org.") + ++ def test_builtin_decode_length_limit(self): ++ with self.assertRaisesRegex(UnicodeError, "too long"): ++ (b"xn--016c"+b"a"*1100).decode("idna") ++ with self.assertRaisesRegex(UnicodeError, "too long"): ++ (b"xn--016c"+b"a"*70).decode("idna") ++ + def test_stream(self): + r = codecs.getreader("idna")(io.BytesIO(b"abc")) + r.read(3) +diff --git a/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst +new file mode 100644 +index 000000000000..5185fac2e29d +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst +@@ -0,0 +1,6 @@ ++The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio` ++related name resolution functions no longer involves a quadratic algorithm. ++This prevents a potential CPU denial of service if an out-of-spec excessive ++length hostname involving bidirectional characters were decoded. Some protocols ++such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker ++to supply such a name. diff --git a/system/python3/musl-has-login_tty.patch b/system/python3/musl-has-login_tty.patch new file mode 100644 index 000000000..2ed566ee1 --- /dev/null +++ b/system/python3/musl-has-login_tty.patch @@ -0,0 +1,11 @@ +--- a/Modules/posixmodule.h ++++ b/Modules/posixmodule.h +@@ -10,6 +10,8 @@ + #include <sys/types.h> + #endif + ++int login_tty(int); /* musl 4b2cb37770e56835b261660535cea77474154ba0 */ ++ + #ifndef Py_LIMITED_API + #ifndef MS_WINDOWS + PyAPI_FUNC(PyObject *) _PyLong_FromUid(uid_t); |