Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python for openSUSE:Factory checked
in at 2022-06-13 13:01:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python (Old)
and /work/SRC/openSUSE:Factory/.python.new.1548 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python"
Mon Jun 13 13:01:56 2022 rev:171 rq:981989 version:2.7.18
Changes:
--------
--- /work/SRC/openSUSE:Factory/python/python-base.changes 2022-05-25
20:34:23.960214004 +0200
+++ /work/SRC/openSUSE:Factory/.python.new.1548/python-base.changes
2022-06-13 13:02:00.473073218 +0200
@@ -1,0 +2,7 @@
+Thu Jun 9 16:43:30 UTC 2022 - Matej Cepl <mc...@suse.com>
+
+- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
+ CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
+ command injection in the mailcap module.
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/python/python-doc.changes 2022-03-04
00:17:09.780279173 +0100
+++ /work/SRC/openSUSE:Factory/.python.new.1548/python-doc.changes
2022-06-13 13:02:00.533073302 +0200
@@ -1,0 +2,13 @@
+Thu Jun 9 16:43:30 UTC 2022 - Matej Cepl <mc...@suse.com>
+
+- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
+ CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
+ command injection in the mailcap module.
+
+-------------------------------------------------------------------
+Tue May 24 07:05:36 UTC 2022 - Martin Li??ka <mli...@suse.cz>
+
+- Filter out executable-stack error that is triggered for i586
+ target.
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/python/python.changes 2022-03-20
20:55:12.590497217 +0100
+++ /work/SRC/openSUSE:Factory/.python.new.1548/python.changes 2022-06-13
13:02:00.553073330 +0200
@@ -2 +2 @@
-Fri Mar 18 14:13:25 UTC 2022 - Marcus Meissner <meiss...@suse.com>
+Thu Jun 9 16:43:30 UTC 2022 - Matej Cepl <mc...@suse.com>
@@ -4,3 +4,9 @@
-- python-2.7.9-sles-disable-verification-by-default.patch: remove
- as it by default now always does strict enforcement anyway and it
- is 2022.
+- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
+ CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
+ command injection in the mailcap module.
+
+-------------------------------------------------------------------
+Tue May 24 07:05:36 UTC 2022 - Martin Li??ka <mli...@suse.cz>
+
+- Filter out executable-stack error that is triggered for i586
+ target.
New:
----
CVE-2015-20107-mailcap-unsafe-filenames.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-base.spec ++++++
--- /var/tmp/diff_new_pack.TlnsBJ/_old 2022-06-13 13:02:02.401075912 +0200
+++ /var/tmp/diff_new_pack.TlnsBJ/_new 2022-06-13 13:02:02.405075916 +0200
@@ -127,6 +127,9 @@
# whole long discussion is on bpo#43882
# fix for santization URLs containing ASCII newline and tabs in urllib.parse
Patch69: CVE-2022-0391-urllib_parse-newline-parsing.patch
+# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511
mc...@suse.com
+# avoid the command injection in the mailcap module.
+Patch70: CVE-2015-20107-mailcap-unsafe-filenames.patch
# COMMON-PATCH-END
%define python_version %(echo %{tarversion} | head -c 3)
BuildRequires: automake
@@ -262,6 +265,7 @@
%patch67 -p1
%patch68 -p1
%patch69 -p1
+%patch70 -p1
# For patch 66
cp -v %{SOURCE66} Lib/test/recursion.tar
++++++ python-doc.spec ++++++
--- /var/tmp/diff_new_pack.TlnsBJ/_old 2022-06-13 13:02:02.425075945 +0200
+++ /var/tmp/diff_new_pack.TlnsBJ/_new 2022-06-13 13:02:02.429075951 +0200
@@ -126,6 +126,9 @@
# whole long discussion is on bpo#43882
# fix for santization URLs containing ASCII newline and tabs in urllib.parse
Patch69: CVE-2022-0391-urllib_parse-newline-parsing.patch
+# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511
mc...@suse.com
+# avoid the command injection in the mailcap module.
+Patch70: CVE-2015-20107-mailcap-unsafe-filenames.patch
# COMMON-PATCH-END
Provides: pyth_doc = %{version}
Provides: pyth_ps = %{version}
@@ -199,6 +202,7 @@
%patch67 -p1
%patch68 -p1
%patch69 -p1
+%patch70 -p1
# For patch 66
cp -v %{SOURCE66} Lib/test/recursion.tar
++++++ python.spec ++++++
--- /var/tmp/diff_new_pack.TlnsBJ/_old 2022-06-13 13:02:02.453075984 +0200
+++ /var/tmp/diff_new_pack.TlnsBJ/_new 2022-06-13 13:02:02.457075990 +0200
@@ -126,6 +126,9 @@
# whole long discussion is on bpo#43882
# fix for santization URLs containing ASCII newline and tabs in urllib.parse
Patch69: CVE-2022-0391-urllib_parse-newline-parsing.patch
+# PATCH-FIX-UPSTREAM CVE-2015-20107-mailcap-unsafe-filenames.patch bsc#1198511
mc...@suse.com
+# avoid the command injection in the mailcap module.
+Patch70: CVE-2015-20107-mailcap-unsafe-filenames.patch
# COMMON-PATCH-END
BuildRequires: automake
BuildRequires: db-devel
@@ -315,6 +318,7 @@
%patch67 -p1
%patch68 -p1
%patch69 -p1
+%patch70 -p1
# For patch 66
cp -v %{SOURCE66} Lib/test/recursion.tar
++++++ CVE-2015-20107-mailcap-unsafe-filenames.patch ++++++
---
Doc/library/mailcap.rst | 13 +++++++++++++
Lib/mailcap.py | 28 ++++++++++++++++++++++++++--
2 files changed, 39 insertions(+), 2 deletions(-)
--- a/Doc/library/mailcap.rst
+++ b/Doc/library/mailcap.rst
@@ -55,6 +55,19 @@ standard. However, mailcap files are su
will automatically check such conditions and skip the entry if the check
fails.
+.. versionchanged:: 3.11
+
+ To prevent security issues with shell metacharacters (symbols that have
+ special effects in a shell command line), ``findmatch`` will refuse
+ to inject ASCII characters other than alphanumerics and ``@+=:,./-_``
+ into the returned command line.
+
+ If a disallowed character appears in *filename*, ``findmatch`` will always
+ return ``(None, None)`` as if no entry was found.
+ If such a character appears elsewhere (a value in *plist* or in *MIMEtype*),
+ ``findmatch`` will ignore all mailcap entries which use that value.
+ A :mod:`warning <warnings>` will be raised in either case.
+
.. function:: getcaps()
Returns a dictionary mapping MIME types to a list of mailcap file entries.
This
--- a/Lib/mailcap.py
+++ b/Lib/mailcap.py
@@ -1,9 +1,17 @@
"""Mailcap file handling. See RFC 1524."""
import os
+import warnings
+import re
__all__ = ["getcaps","findmatch"]
+_find_unsafe = re.compile(ur'[^\xa1-\U0010FFFF\w@+=:,./-]').search
+
+class UnsafeMailcapInput(Warning):
+ """Warning raised when refusing unsafe input"""
+
+
# Part 1: top-level interface.
def getcaps():
@@ -18,6 +26,10 @@ def getcaps():
"""
caps = {}
for mailcap in listmailcapfiles():
+ if _find_unsafe(mailcap):
+ msg = "Refusing to use mailcap with filename %r. Use a safe
temporary filename." % (mailcap,)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None, None
try:
fp = open(mailcap, 'r')
except IOError:
@@ -149,10 +161,13 @@ def findmatch(caps, MIMEtype, key='view'
for e in entries:
if 'test' in e:
test = subst(e['test'], filename, plist)
+ if test is None:
+ continue
if test and os.system(test) != 0:
continue
command = subst(e[key], MIMEtype, filename, plist)
- return command, e
+ if command is not None:
+ return command, e
return None, None
def lookup(caps, MIMEtype, key=None):
@@ -184,6 +199,10 @@ def subst(field, MIMEtype, filename, pli
elif c == 's':
res = res + filename
elif c == 't':
+ if _find_unsafe(MIMEtype):
+ msg = "Refusing to substitute MIME type %r into a shell
command." % (MIMEtype,)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None
res = res + MIMEtype
elif c == '{':
start = i
@@ -191,7 +210,12 @@ def subst(field, MIMEtype, filename, pli
i = i+1
name = field[start:i]
i = i+1
- res = res + findparam(name, plist)
+ param = findparam(name, plist)
+ if _find_unsafe(param):
+ msg = "Refusing to substitute parameter %r (%s) into a
shell command" % (param, name)
+ warnings.warn(msg, UnsafeMailcapInput)
+ return None
+ res = res + param
# XXX To do:
# %n == number of parts if type is multipart/*
# %F == list of alternating type and filename for parts
