Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python36 for openSUSE:Factory
checked in at 2021-05-02 18:35:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python36 (Old)
and /work/SRC/openSUSE:Factory/.python36.new.1947 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python36"
Sun May 2 18:35:28 2021 rev:14 rq:889097 version:3.6.13
Changes:
--------
--- /work/SRC/openSUSE:Factory/python36/python36.changes 2021-03-02
15:30:32.313976426 +0100
+++ /work/SRC/openSUSE:Factory/.python36.new.1947/python36.changes
2021-05-02 18:35:56.748991329 +0200
@@ -1,0 +2,8 @@
+Tue Apr 27 16:56:41 UTC 2021 - Matej Cepl <mc...@suse.com>
+
+- Add CVE-2021-3426-inf-disclosure-pydoc-getfile.patch to remove
+ getfile feature from pydoc, which is a security nightmare
+ (among other things, CVE-2021-3426, allows disclosure of any
+ file on the system; bsc#1183374, bpo#42988).
+
+-------------------------------------------------------------------
Old:
----
pre_checkin.sh
New:
----
CVE-2021-3426-inf-disclosure-pydoc-getfile.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python36.spec ++++++
--- /var/tmp/diff_new_pack.pAujrz/_old 2021-05-02 18:35:57.564987852 +0200
+++ /var/tmp/diff_new_pack.pAujrz/_new 2021-05-02 18:35:57.568987835 +0200
@@ -168,6 +168,9 @@
Patch39: ignore_pip_deprec_warn.patch
# PATCH-FIX-UPSTREAM stop calling removed Sphinx function
gh#python/cpython#13236
Patch40: sphinx-update-removed-function.patch
+# PATCH-FIX-UPSTREAM CVE-2021-3426-inf-disclosure-pydoc-getfile.patch
bsc#1183374 mc...@suse.com
+# Remove the pydoc getfile feature
+Patch41: CVE-2021-3426-inf-disclosure-pydoc-getfile.patch
BuildRequires: automake
BuildRequires: fdupes
BuildRequires: gmp-devel
@@ -432,6 +435,7 @@
%patch38 -p1
%patch39 -p1
%patch40 -p1
+%patch41 -p1
# drop Autoconf version requirement
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
++++++ CVE-2021-3426-inf-disclosure-pydoc-getfile.patch ++++++
>From 5b1e50256b6532667b6d31debc350f6c7d3f30aa Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
<31488909+miss-isling...@users.noreply.github.com>
Date: Mon, 29 Mar 2021 08:40:53 -0700
Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015)
(GH-25067)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python
modules can contain sensitive data like passwords. Vulnerability
reported by David Schw??rer.
(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
Co-authored-by: Victor Stinner <vstin...@python.org>
---
Lib/pydoc.py | 18
----------
Lib/test/test_pydoc.py | 6 ---
Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst | 4 ++
3 files changed, 4 insertions(+), 24 deletions(-)
create mode 100644
Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
--- a/Lib/pydoc.py
+++ b/Lib/pydoc.py
@@ -2311,9 +2311,6 @@ def _url_handler(url, content_type="text
%s</head><body bgcolor="#f0f0f8">%s<div
style="clear:both;padding-top:.5em;">%s</div>
</body></html>''' % (title, css_link, html_navbar(), contents)
- def filelink(self, url, path):
- return '<a href="getfile?key=%s">%s</a>' % (url, path)
-
html = _HTMLDoc()
@@ -2399,19 +2396,6 @@ def _url_handler(url, content_type="text
'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results))
return 'Search Results', contents
- def html_getfile(path):
- """Get and display a source file listing safely."""
- path = urllib.parse.unquote(path)
- with tokenize.open(path) as fp:
- lines = html.escape(fp.read())
- body = '<pre>%s</pre>' % lines
- heading = html.heading(
- '<big><big><strong>File Listing</strong></big></big>',
- '#ffffff', '#7799ee')
- contents = heading + html.bigsection(
- 'File: %s' % path, '#ffffff', '#ee77aa', body)
- return 'getfile %s' % path, contents
-
def html_topics():
"""Index of topic texts available."""
@@ -2503,8 +2487,6 @@ def _url_handler(url, content_type="text
op, _, url = url.partition('=')
if op == "search?key":
title, content = html_search(url)
- elif op == "getfile?key":
- title, content = html_getfile(url)
elif op == "topic?key":
# try topics first, then objects.
try:
--- a/Lib/test/test_pydoc.py
+++ b/Lib/test/test_pydoc.py
@@ -1052,18 +1052,12 @@ class PydocUrlHandlerTest(PydocBaseTest)
("topic?key=def", "Pydoc: KEYWORD def"),
("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
("foobar", "Pydoc: Error - foobar"),
- ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
]
with self.restrict_walk_packages():
for url, title in requests:
self.call_url_handler(url, title)
- path = string.__file__
- title = "Pydoc: getfile " + path
- url = "getfile?key=" + path
- self.call_url_handler(url, title)
-
class TestHelper(unittest.TestCase):
def test_keywords(self):
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
@@ -0,0 +1,4 @@
+CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
+could be abused to read arbitrary files on the disk (directory traversal
+vulnerability). Moreover, even source code of Python modules can contain
+sensitive data like passwords. Vulnerability reported by David Schw??rer.
