Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python for openSUSE:Factory checked in at 2022-02-09 20:38:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python (Old) and /work/SRC/openSUSE:Factory/.python.new.1898 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python" Wed Feb 9 20:38:40 2022 rev:164 rq:953032 version:2.7.18 Changes: -------- --- /work/SRC/openSUSE:Factory/python/python-base.changes 2021-11-06 18:13:13.612734531 +0100 +++ /work/SRC/openSUSE:Factory/.python.new.1898/python-base.changes 2022-02-09 20:39:21.410398474 +0100 @@ -1,0 +2,13 @@ +Sun Feb 6 07:43:11 UTC 2022 - Matej Cepl <[email protected]> + +- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146, + bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib + not trust the PASV response. + +------------------------------------------------------------------- +Mon Dec 6 13:48:27 UTC 2021 - Dirk M??ller <[email protected]> + +- build against openssl 1.1.x (incompatible with openssl 3.0x) + for now. + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/python/python-doc.changes 2021-10-25 15:16:53.437655270 +0200 +++ /work/SRC/openSUSE:Factory/.python.new.1898/python-doc.changes 2022-02-09 20:39:21.446398560 +0100 @@ -1,0 +2,19 @@ +Sun Feb 6 07:43:11 UTC 2022 - Matej Cepl <[email protected]> + +- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146, + bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib + not trust the PASV response. + +------------------------------------------------------------------- +Mon Dec 6 13:48:27 UTC 2021 - Dirk M??ller <[email protected]> + +- build against openssl 1.1.x (incompatible with openssl 3.0x) + for now. + +------------------------------------------------------------------- +Tue Nov 2 08:09:03 UTC 2021 - Marcus Meissner <[email protected]> + +- on sle12, python2 modules will still be called python-xxxx until EOL, + for newer SLE versions they will be python2-xxxx + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/python/python.changes 2021-12-08 22:09:10.334868673 +0100 +++ /work/SRC/openSUSE:Factory/.python.new.1898/python.changes 2022-02-09 20:39:21.514398722 +0100 @@ -1,0 +2,7 @@ +Sun Feb 6 07:43:11 UTC 2022 - Matej Cepl <[email protected]> + +- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146, + bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib + not trust the PASV response. + +------------------------------------------------------------------- @@ -4 +11,8 @@ -- build against openssl 1.1.x (incompatible with openssl 3.0x) for now +- build against openssl 1.1.x (incompatible with openssl 3.0x) + for now. + +------------------------------------------------------------------- +Tue Nov 2 08:09:03 UTC 2021 - Marcus Meissner <[email protected]> + +- on sle12, python2 modules will still be called python-xxxx until EOL, + for newer SLE versions they will be python2-xxxx New: ---- CVE-2021-4189-ftplib-trust-PASV-resp.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-base.spec ++++++ --- /var/tmp/diff_new_pack.ifgtYU/_old 2022-02-09 20:39:23.026402339 +0100 +++ /var/tmp/diff_new_pack.ifgtYU/_new 2022-02-09 20:39:23.034402358 +0100 @@ -1,7 +1,7 @@ # # spec file for package python-base # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -122,6 +122,9 @@ # Fixes httplib to disallow control characters in method to avoid header # injection Patch67: CVE-2020-26116-httplib-header-injection.patch +# PATCH-FIX-UPSTREAM CVE-2021-4189-ftplib-trust-PASV-resp.patch bsc#1194146 [email protected] +# Make ftplib not trust the PASV response. (gh#python/cpython#24838) +Patch68: CVE-2021-4189-ftplib-trust-PASV-resp.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -256,6 +259,7 @@ %patch65 -p1 %patch66 -p1 %patch67 -p1 +%patch68 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar ++++++ python-doc.spec ++++++ --- /var/tmp/diff_new_pack.ifgtYU/_old 2022-02-09 20:39:23.058402416 +0100 +++ /var/tmp/diff_new_pack.ifgtYU/_new 2022-02-09 20:39:23.074402454 +0100 @@ -1,7 +1,7 @@ # # spec file for package python-doc # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -121,6 +121,9 @@ # Fixes httplib to disallow control characters in method to avoid header # injection Patch67: CVE-2020-26116-httplib-header-injection.patch +# PATCH-FIX-UPSTREAM CVE-2021-4189-ftplib-trust-PASV-resp.patch bsc#1194146 [email protected] +# Make ftplib not trust the PASV response. (gh#python/cpython#24838) +Patch68: CVE-2021-4189-ftplib-trust-PASV-resp.patch # COMMON-PATCH-END Provides: pyth_doc = %{version} Provides: pyth_ps = %{version} @@ -195,6 +198,7 @@ %patch65 -p1 %patch66 -p1 %patch67 -p1 +%patch68 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar ++++++ python.spec ++++++ --- /var/tmp/diff_new_pack.ifgtYU/_old 2022-02-09 20:39:23.114402550 +0100 +++ /var/tmp/diff_new_pack.ifgtYU/_new 2022-02-09 20:39:23.122402568 +0100 @@ -1,7 +1,7 @@ # # spec file for package python # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -121,6 +121,9 @@ # Fixes httplib to disallow control characters in method to avoid header # injection Patch67: CVE-2020-26116-httplib-header-injection.patch +# PATCH-FIX-UPSTREAM CVE-2021-4189-ftplib-trust-PASV-resp.patch bsc#1194146 [email protected] +# Make ftplib not trust the PASV response. (gh#python/cpython#24838) +Patch68: CVE-2021-4189-ftplib-trust-PASV-resp.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -309,6 +312,7 @@ %patch65 -p1 %patch66 -p1 %patch67 -p1 +%patch68 -p1 # For patch 66 cp -v %{SOURCE66} Lib/test/recursion.tar ++++++ CVE-2021-4189-ftplib-trust-PASV-resp.patch ++++++ commit 0ab152c6b5d95caa2dc1a30fa96e10258b5f188e Author: Gregory P. Smith <[email protected]> Date: Mon Mar 15 11:39:31 2021 -0700 bpo-43285 Make ftplib not trust the PASV response. (GH-24838) bpo-43285: Make ftplib not trust the PASV response. The IPv4 address value returned from the server in response to the PASV command should not be trusted. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Instead of using the returned address, we use the IP address we're already connected to. This is the strategy other ftp clients adopted, and matches the only strategy available for the modern IPv6 EPSV command where the server response must return a port number and nothing else. For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address` attribute on your `ftplib.FTP` instance to True. --- Doc/whatsnew/2.7.rst | 10 +++ Lib/ftplib.py | 11 +++- Lib/test/test_ftplib.py | 27 +++++++++- Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst | 8 ++ 4 files changed, 53 insertions(+), 3 deletions(-) --- a/Doc/whatsnew/2.7.rst +++ b/Doc/whatsnew/2.7.rst @@ -166,6 +166,16 @@ The ``unittest`` module also automatical when running tests. +Post-EOS fixes +============== + +A security fix alters the :class:`ftplib.FTP` behavior to not trust the +IPv4 address sent from the remote server when setting up a passive data +channel. We reuse the ftp server IP address instead. For unusual code +requiring the old behavior, set a ``trust_server_pasv_ipv4_address`` +attribute on your FTP instance to ``True``. (See :issue:`43285`) + + Python 3.1 Features ======================= --- a/Lib/ftplib.py +++ b/Lib/ftplib.py @@ -107,7 +107,9 @@ class FTP: sock = None file = None welcome = None - passiveserver = 1 + passiveserver = True + # Disables https://bugs.python.org/issue43285 security if set to True. + trust_server_pasv_ipv4_address = False # Initialization method (called by class instantiation). # Initialize host to localhost, port to standard ftp port @@ -310,8 +312,13 @@ class FTP: return sock def makepasv(self): + """Internal: Does the PASV or EPSV handshake -> (address, port)""" if self.af == socket.AF_INET: - host, port = parse227(self.sendcmd('PASV')) + untrusted_host, port = parse227(self.sendcmd('PASV')) + if self.trust_server_pasv_ipv4_address: + host = untrusted_host + else: + host = self.sock.getpeername()[0] else: host, port = parse229(self.sendcmd('EPSV'), self.sock.getpeername()) return host, port --- a/Lib/test/test_ftplib.py +++ b/Lib/test/test_ftplib.py @@ -67,6 +67,10 @@ class DummyFTPHandler(asynchat.async_cha self.rest = None self.next_retr_data = RETR_DATA self.push('220 welcome') + # We use this as the string IPv4 address to direct the client + # to in response to a PASV command. To test security behavior. + # https://bugs.python.org/issue43285/. + self.fake_pasv_server_ip = '252.253.254.255' def collect_incoming_data(self, data): self.in_buffer.append(data) @@ -109,7 +113,8 @@ class DummyFTPHandler(asynchat.async_cha sock.bind((self.socket.getsockname()[0], 0)) sock.listen(5) sock.settimeout(10) - ip, port = sock.getsockname()[:2] + port = sock.getsockname()[1] + ip = self.fake_pasv_server_ip ip = ip.replace('.', ',') p1, p2 = divmod(port, 256) self.push('227 entering passive mode (%s,%d,%d)' %(ip, p1, p2)) @@ -577,6 +582,26 @@ class TestFTPClass(TestCase): # IPv4 is in use, just make sure send_epsv has not been used self.assertEqual(self.server.handler_instance.last_received_cmd, 'pasv') + def test_makepasv_issue43285_security_disabled(self): + """Test the opt-in to the old vulnerable behavior.""" + self.client.trust_server_pasv_ipv4_address = True + bad_host, port = self.client.makepasv() + self.assertEqual( + bad_host, self.server.handler_instance.fake_pasv_server_ip) + # Opening and closing a connection keeps the dummy server happy + # instead of timing out on accept. + socket.create_connection((self.client.sock.getpeername()[0], port), + timeout=TIMEOUT).close() + + def test_makepasv_issue43285_security_enabled_default(self): + self.assertFalse(self.client.trust_server_pasv_ipv4_address) + trusted_host, port = self.client.makepasv() + self.assertNotEqual( + trusted_host, self.server.handler_instance.fake_pasv_server_ip) + # Opening and closing a connection keeps the dummy server happy + # instead of timing out on accept. + socket.create_connection((trusted_host, port), timeout=TIMEOUT).close() + def test_line_too_long(self): self.assertRaises(ftplib.Error, self.client.sendcmd, 'x' * self.client.maxline * 2) --- /dev/null +++ b/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst @@ -0,0 +1,8 @@ +:mod:`ftplib` no longer trusts the IP address value returned from the server +in response to the PASV command by default. This prevents a malicious FTP +server from using the response to probe IPv4 address and port combinations +on the client network. + +Code that requires the former vulnerable behavior may set a +``trust_server_pasv_ipv4_address`` attribute on their +:class:`ftplib.FTP` instances to ``True`` to re-enable it.
