-rw-r--r--system/python3/APKBUILD8
-rw-r--r--system/python3/CVE-2015-20107.patch131
-rw-r--r--system/python3/fix-python-tests-expat-ge245.patch112
3 files changed, 135 insertions, 116 deletions
diff --git a/system/python3/APKBUILD b/system/python3/APKBUILD
index 7c80d89a7..8d9ad55c4 100644
--- a/system/python3/APKBUILD
+++ b/system/python3/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Sheila Aman <sheila@vulpine.house>
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=python3
-pkgver=3.10.2
+pkgver=3.10.4
_basever="${pkgver%.*}"
pkgrel=0
pkgdesc="A high-level scripting language"
@@ -39,7 +39,7 @@ makedepends="expat-dev openssl-dev zlib-dev ncurses-dev bzip2-dev xz-dev
source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz
musl-find_library.patch
fix-xattrs-glibc.patch
- fix-python-tests-expat-ge245.patch
+ CVE-2015-20107.patch
"
builddir="$srcdir/Python-$pkgver"
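Review bot: The source list swaps fix-python-tests-expat-ge245.patch for CVE-2015-20107.patch without recording why either move is safe: dropping the expat test patch is only correct if 3.10.4 already carries bpo-46811 (nothing in this diff shows that), and the added patch is lifted from an upstream pull request rather than a release, so nothing here says when it can be retired. I would put a comment above the `source=` block, e.g. `# CVE-2015-20107.patch: upstream gh-68966 (mailcap shell injection), drop once a 3.10.x release ships it; expat test fix (bpo-46811) presumed upstream in 3.10.4 -- confirm`. If this repository follows the `# secfixes:` header convention used by other APKBUILD-based distributions, a `3.10.4-r0:` entry naming CVE-2015-20107 would also make the fix machine-discoverable.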
@@ -186,7 +186,7 @@ tests() {
"$subpkgdir"/usr/lib/python$_basever/
}
-sha512sums="215a7159face84788fe547c1e2689b8d0ae510275157cf01636bef2902d0ff465f844eb0328c9f39fd1cd03a1d1736d4cf258992f2788e492a801a372032c08b Python-3.10.2.tar.xz
+sha512sums="6c9aeecddc55c7896b2e8527fca131c7b2b6127d56ce1a001ccedfebf590334e0c0bb7c517ed3cf1da3c1910e002552b56aa7e03eeb672f42ff0bd8150799113 Python-3.10.4.tar.xz
ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch
4b4696d139e53aad184b72461478821335aadedc4811ec9e96cdea9a4f7ef19ebf0aac8c6afae6345f33c79fbd3ae2c63021de36044a2803d0dc8894fa291cf5 fix-xattrs-glibc.patch
-a98b1c2b2520d996ad3181513e20bc8f1705f0ed3ec262d67d7f1a7d6dc3a90e8ef68078124c2ba008945bf07494fc978a6eaeb62309a9d1d48450fccab62671 fix-python-tests-expat-ge245.patch"
+a33454a727304360c2370153a695511a41fda6c526104ebffaadae01bbf1f433869e9f9f817b7cd1b8291062719ec35808ca1aa84398a8ace9901f5b16591359 CVE-2015-20107.patch"
diff --git a/system/python3/CVE-2015-20107.patch b/system/python3/CVE-2015-20107.patch
new file mode 100644
index 000000000..59cb4d7ed
--- /dev/null
+++ b/system/python3/CVE-2015-20107.patch
@@ -0,0 +1,131 @@
+From c3e7f139b440d7424986204e9f3fc2275aea3377 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Wed, 27 Apr 2022 18:17:33 +0200
+Subject: [PATCH 1/2] gh-68966: Make mailcap refuse to match unsafe
+ filenames/types/params
+
+---
+ Lib/mailcap.py | 26 ++++++++++++++++++++++++--
+ Lib/test/test_mailcap.py | 8 ++++++--
+ 2 files changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/Lib/mailcap.py b/Lib/mailcap.py
+index 856b6a55475f3..cfb70edc61ecf 100644
+--- a/Lib/mailcap.py
++++ b/Lib/mailcap.py
+@@ -2,6 +2,7 @@
+
+ import os
+ import warnings
++import re
+
+ __all__ = ["getcaps","findmatch"]
+
+@@ -19,6 +20,11 @@ def lineno_sort_key(entry):
+ else:
+ return 1, 0
+
++_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@%+=:,./-]').search
++
++class UnsafeMailcapInput(Warning):
++ """Warning raised when refusing unsafe input"""
++
+
+ # Part 1: top-level interface.
+
+@@ -171,15 +177,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
+ entry to use.
+
+ """
++ if _find_unsafe(filename):
++ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
++ warnings.warn(msg, UnsafeMailcapInput)
++ return None, None
+ entries = lookup(caps, MIMEtype, key)
+ # XXX This code should somehow check for the needsterminal flag.
+ for e in entries:
+ if 'test' in e:
+ test = subst(e['test'], filename, plist)
++ if test is None:
++ continue
+ if test and os.system(test) != 0:
+ continue
+ command = subst(e[key], MIMEtype, filename, plist)
+- return command, e
++ if command is not None:
++ return command, e
+ return None, None
+
+ def lookup(caps, MIMEtype, key=None):
+@@ -212,6 +225,10 @@ def subst(field, MIMEtype, filename, plist=[]):
+ elif c == 's':
+ res = res + filename
+ elif c == 't':
++ if _find_unsafe(MIMEtype):
++ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
++ warnings.warn(msg, UnsafeMailcapInput)
++ return None
+ res = res + MIMEtype
+ elif c == '{':
+ start = i
+@@ -219,7 +236,12 @@ def subst(field, MIMEtype, filename, plist=[]):
+ i = i+1
+ name = field[start:i]
+ i = i+1
+- res = res + findparam(name, plist)
++ param = findparam(name, plist)
++ if _find_unsafe(param):
++ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
++ warnings.warn(msg, UnsafeMailcapInput)
++ return None
++ res = res + param
+ # XXX To do:
+ # %n == number of parts if type is multipart/*
+ # %F == list of alternating type and filename for parts
+diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py
+index 97a8fac6e074a..2ed367dba78b7 100644
+--- a/Lib/test/test_mailcap.py
++++ b/Lib/test/test_mailcap.py
+@@ -128,7 +128,8 @@ def test_subst(self):
+ (["", "audio/*", "foo.txt"], ""),
+ (["echo foo", "audio/*", "foo.txt"], "echo foo"),
+ (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
+- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
++ (["echo %t", "audio/*", "foo.txt"], None),
++ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
+ (["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
+ (["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
+ (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
+@@ -212,7 +213,10 @@ def test_findmatch(self):
+ ('"An audio fragment"', audio_basic_entry)),
+ ([c, "audio/*"],
+ {"filename": fname},
+- ("/usr/local/bin/showaudio audio/*", audio_entry)),
++ (None, None)),
++ ([c, "audio/wav"],
++ {"filename": fname},
++ ("/usr/local/bin/showaudio audio/wav", audio_entry)),
+ ([c, "message/external-body"],
+ {"plist": plist},
+ ("showexternal /dev/null default john python.org /tmp foo bar", message_entry))
+
+From 3904f682b6dde32b4f51e7b8c3867e27d13333e0 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Wed, 27 Apr 2022 18:29:35 +0200
+Subject: [PATCH 2/2] Add blurb
+
+---
+ .../Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst | 4 ++++
+ 1 file changed, 4 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+
+diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+new file mode 100644
+index 0000000000000..da81a1f6993db
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+@@ -0,0 +1,4 @@
++The deprecated mailcap module now refuses to inject unsafe text (filenames,
++MIME types, parameters) into shell commands. Instead of using such text, it
++will warn and act as if a match was not found (or for test commands, as if
++the test failed).
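Review bot: The new guard in `subst()` covers `%t` and `%{param}` but the `%s` branch just above it (`res = res + filename`, a context line) stays unchecked; that is safe on the `findmatch()` path because `filename` is rejected at entry, but `subst()` is a module-level function callers can reach directly, and its new `None` return is a contract its docstring does not announce. I would add to subst's docstring `Returns None (after warning) if MIMEtype or a parameter contains shell metacharacters; callers must validate filename themselves.`, or extend the same `_find_unsafe` check to the `%s` branch for defense in depth. Since the file is a verbatim copy of an upstream PR (commit c3e7f139...), it is also worth adding the upstream issue/PR URL and the release expected to carry it to the patch header, so the patch is dropped on the next pkgver bump rather than failing to apply.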
diff --git a/system/python3/fix-python-tests-expat-ge245.patch b/system/python3/fix-python-tests-expat-ge245.patch
deleted file mode 100644
index f95b648a1..000000000
--- a/system/python3/fix-python-tests-expat-ge245.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From dd7da01325ca32796e139507a38da08886f8f972 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Sun, 20 Feb 2022 20:39:07 +0100
-Subject: [PATCH 1/3] test_xml_etree.py: Drop mistaken test_issue3151
-
-Curly brackets were never allowed in namespace URIs
-according to RFC 3986, and so-called namespace-validating
-XML parsers have the right to reject them a invalid URIs.
-
-libexpat >=2.4.5 has become strcter in that regard due to
-related security issues; with ET.XML instantiating a
-namespace-aware parser under the hood, this test has no
-future in CPython.
-
-References:
-- https://datatracker.ietf.org/doc/html/rfc3968
-- https://www.w3.org/TR/xml-names/
----
- Lib/test/test_xml_etree.py | 6 ------
- 1 file changed, 6 deletions(-)
-
-diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
-index a25f536134c7b..c5292b5e9ef68 100644
---- a/Lib/test/test_xml_etree.py
-+++ b/Lib/test/test_xml_etree.py
-@@ -2192,12 +2192,6 @@ def test_issue6233(self):
- b"<?xml version='1.0' encoding='ascii'?>\n"
- b'<body>t&#227;g</body>')
-
-- def test_issue3151(self):
-- e = ET.XML('<prefix:localname xmlns:prefix="${stuff}"/>')
-- self.assertEqual(e.tag, '{${stuff}}localname')
-- t = ET.ElementTree(e)
-- self.assertEqual(ET.tostring(e), b'<ns0:localname xmlns:ns0="${stuff}" />')
--
- def test_issue6565(self):
- elem = ET.XML("<body><tag/></body>")
- self.assertEqual(summarize_list(elem), ['tag'])
-
-From aa7523fef6e3759d02a02fa484acfebf9d0bd852 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Sun, 20 Feb 2022 20:56:38 +0100
-Subject: [PATCH 2/3] test_minidom.py: Support Expat >=2.4.5
-
----
- Lib/test/test_minidom.py | 17 +++++++++++++++--
- 1 file changed, 15 insertions(+), 2 deletions(-)
-
-diff --git a/Lib/test/test_minidom.py b/Lib/test/test_minidom.py
-index 1663b1f1143dd..97620258d82f6 100644
---- a/Lib/test/test_minidom.py
-+++ b/Lib/test/test_minidom.py
-@@ -6,10 +6,12 @@
- from test import support
- import unittest
-
-+import pyexpat
- import xml.dom.minidom
-
- from xml.dom.minidom import parse, Node, Document, parseString
- from xml.dom.minidom import getDOMImplementation
-+from xml.parsers.expat import ExpatError
-
-
- tstfile = support.findfile("test.xml", subdir="xmltestdata")
-@@ -1147,7 +1149,13 @@ def testEncodings(self):
-
- # Verify that character decoding errors raise exceptions instead
- # of crashing
-- self.assertRaises(UnicodeDecodeError, parseString,
-+ if pyexpat.version_info >= (2, 4, 5):
-+ self.assertRaises(ExpatError, parseString,
-+ b'<fran\xe7ais></fran\xe7ais>')
-+ self.assertRaises(ExpatError, parseString,
-+ b'<franais>Comment \xe7a va ? Tr\xe8s bien ?</franais>')
-+ else:
-+ self.assertRaises(UnicodeDecodeError, parseString,
- b'<fran\xe7ais>Comment \xe7a va ? Tr\xe8s bien ?</fran\xe7ais>')
-
- doc.unlink()
-@@ -1609,7 +1617,12 @@ def testEmptyXMLNSValue(self):
- self.confirm(doc2.namespaceURI == xml.dom.EMPTY_NAMESPACE)
-
- def testExceptionOnSpacesInXMLNSValue(self):
-- with self.assertRaisesRegex(ValueError, 'Unsupported syntax'):
-+ if pyexpat.version_info >= (2, 4, 5):
-+ context = self.assertRaisesRegex(ExpatError, 'syntax error')
-+ else:
-+ context = self.assertRaisesRegex(ValueError, 'Unsupported syntax')
-+
-+ with context:
- parseString('<element xmlns:abc="http:abc.com/de f g/hi/j k"><abc:foo /></element>')
-
- def testDocRemoveChild(self):
-
-From 2dcb3051b243fff2f031c14eea50a649e8b7c7ea Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Sun, 20 Feb 2022 21:03:40 +0100
-Subject: [PATCH 3/3] Add blurp file for bpo-46811 to section "Library"
-
----
- .../NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst | 1 +
- 1 file changed, 1 insertion(+)
- create mode 100644 Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
-
-diff --git a/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst b/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
-new file mode 100644
-index 0000000000000..6969bd1898f65
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2022-02-20-21-03-31.bpo-46811.8BxgdQ.rst
-@@ -0,0 +1 @@
-+Make test suite support Expat >=2.4.5