Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python311 for openSUSE:Factory checked in at 2022-11-10 14:23:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python311 (Old) and /work/SRC/openSUSE:Factory/.python311.new.1597 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python311" Thu Nov 10 14:23:05 2022 rev:10 rq:1034963 version:3.11.0 Changes: -------- --- /work/SRC/openSUSE:Factory/python311/python311.changes 2022-10-27 13:55:02.980836021 +0200 +++ /work/SRC/openSUSE:Factory/.python311.new.1597/python311.changes 2022-11-10 14:23:40.974824587 +0100 @@ -1,0 +2,7 @@ +Wed Nov 9 18:31:23 UTC 2022 - Matej Cepl <mc...@suse.com> + +- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid + CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding + extremely long domain names. + +------------------------------------------------------------------- New: ---- CVE-2022-45061-DoS-by-IDNA-decode.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python311.spec ++++++ --- /var/tmp/diff_new_pack.ylOtFH/_old 2022-11-10 14:23:41.842829500 +0100 +++ /var/tmp/diff_new_pack.ylOtFH/_new 2022-11-10 14:23:41.846829523 +0100 @@ -169,6 +169,9 @@ # PATCH-FIX-UPSTREAM 98437-sphinx.locale._-as-gettext-in-pyspecific.patch gh#python/cpython#98366 mc...@suse.com # this patch makes things totally awesome Patch37: 98437-sphinx.locale._-as-gettext-in-pyspecific.patch +# PATCH-FIX-UPSTREAM CVE-2022-45061-DoS-by-IDNA-decode.patch bsc#1205244 mc...@suse.com +# Avoid DoS by decoding IDNA for too long domain names +Patch38: CVE-2022-45061-DoS-by-IDNA-decode.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: fdupes @@ -436,6 +439,7 @@ %patch35 -p1 %patch36 -p1 %patch37 -p1 +%patch38 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac ++++++ CVE-2022-45061-DoS-by-IDNA-decode.patch ++++++ >From 3a692f2234d2ddb65db33d2516fff357a139c724 Mon Sep 17 00:00:00 2001 
From: "Gregory P. Smith" <g...@krypto.org> Date: Mon, 7 Nov 2022 16:54:41 -0800 Subject: [PATCH 1/3] gh-98433: Fix quadratic time idna decoding. (GH-99092) There was an unnecessary quadratic loop in idna decoding. This restores the behavior to linear. This also adds an early length check in IDNA decoding to outright reject huge inputs early on given the ultimate result is defined to be 63 or fewer characters. (cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d) Co-authored-by: Gregory P. Smith <g...@krypto.org> --- Lib/encodings/idna.py | 32 ++++------ Lib/test/test_codecs.py | 6 + Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst | 6 + 3 files changed, 27 insertions(+), 17 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst --- a/Lib/encodings/idna.py +++ b/Lib/encodings/idna.py 
@@ -39,23 +39,21 @@ def nameprep(label):
 # Check bidi
 RandAL = [stringprep.in_table_d1(x) for x in label]
- for c in RandAL:
- if c:
- # There is a RandAL char in the string. Must perform further
- # tests:
- # 1) The characters in section 5.8 MUST be prohibited.
- # This is table C.8, which was already checked
- # 2) If a string contains any RandALCat character, the string
- # MUST NOT contain any LCat character.
- if any(stringprep.in_table_d2(x) for x in label):
- raise UnicodeError("Violation of BIDI requirement 2")
-
- # 3) If a string contains any RandALCat character, a
- # RandALCat character MUST be the first character of the
- # string, and a RandALCat character MUST be the last
- # character of the string.
- if not RandAL[0] or not RandAL[-1]:
- raise UnicodeError("Violation of BIDI requirement 3")
+ if any(RandAL):
+ # There is a RandAL char in the string. Must perform further
+ # tests:
+ # 1) The characters in section 5.8 MUST be prohibited.
+ # This is table C.8, which was already checked
+ # 2) If a string contains any RandALCat character, the string
+ # MUST NOT contain any LCat character.
+ if any(stringprep.in_table_d2(x) for x in label):
+ raise UnicodeError("Violation of BIDI requirement 2")
+ # 3) If a string contains any RandALCat character, a
+ # RandALCat character MUST be the first character of the
+ # string, and a RandALCat character MUST be the last
+ # character of the string.
+ if not RandAL[0] or not RandAL[-1]:
+ raise UnicodeError("Violation of BIDI requirement 3")
 return label
--- a/Lib/test/test_codecs.py
+++ b/Lib/test/test_codecs.py
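Review bot: The new `if any(RandAL):` line is the entire fix — the removed loop re-ran the `in_table_d2` scan over the whole label once for every RandAL character, which is what made this bidi check quadratic in the label length — but nothing in the new code records that, so a later cleanup could reintroduce a per-character loop without noticing. I would add one line above it: `# Run the bidi checks once, not once per RandAL character: the per-character form was quadratic in label length (gh-98433).` The blank line that separated the requirement-2 and requirement-3 checks in the old code was dropped in the new block; keeping it is purely stylistic. nameprep's signature is outside the hunk; the function ends with the `return label` shown.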
@@ -1552,6 +1552,12 @@ class IDNACodecTest(unittest.TestCase):
 self.assertEqual("pyth\xf6n.org".encode("idna"), b"xn--pythn-mua.org")
 self.assertEqual("pyth\xf6n.org.".encode("idna"), b"xn--pythn-mua.org.")
+ def test_builtin_decode_length_limit(self):
+ with self.assertRaisesRegex(UnicodeError, "too long"):
+ (b"xn--016c"+b"a"*1100).decode("idna")
+ with self.assertRaisesRegex(UnicodeError, "too long"):
+ (b"xn--016c"+b"a"*70).decode("idna")
+
 def test_stream(self):
 r = codecs.getreader("idna")(io.BytesIO(b"abc"))
 r.read(3)
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
@@ -0,0 +1,6 @@
+The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio`
+related name resolution functions no longer involves a quadratic algorithm.
+This prevents a potential CPU denial of service if an out-of-spec excessive
+length hostname involving bidirectional characters were decoded. Some protocols
+such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker
+to supply such a name.
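Review bot: The `"too long"` message that `test_builtin_decode_length_limit` matches is not raised by any line this patch adds: the idna.py change shown is only the nameprep rewrite, and the diffstat's 32 lines for that file match that one hunk, even though the patch description says an early length check was also added. If that check is carried in patch 2/3 or 3/3 of this series (only 1/3 is shown here), the test belongs with it or the spec comment should state the dependency; otherwise the test presumably passes on an existing length check elsewhere in idna.py, which the test should say in a short comment, e.g. `# Relies on the existing label-length limit applied after decoding, not on a new early check.` This is hedged because the rest of idna.py is outside this page. The test also only covers the length path; the bidi path the nameprep hunk fixes is not exercised by a new test. IDNACodecTest's class body continues outside the hunk.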