Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id 
<43535efb498a168cf81452ca0c326f004f46adc6.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #966272,
regarding buster-pu: package python3.7/3.7.3-2+deb10u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
966272: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966272
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu

Fixes three minor security issues, debdiff attached.

Cheers,
        Moritz
diff -Nru python3.7-3.7.3/debian/changelog python3.7-3.7.3/debian/changelog
--- python3.7-3.7.3/debian/changelog    2019-12-20 18:01:46.000000000 +0100
+++ python3.7-3.7.3/debian/changelog    2020-07-25 15:00:39.000000000 +0200
@@ -1,3 +1,11 @@
+python3.7 (3.7.3-2+deb10u2) buster; urgency=medium
+
+  * CVE-2019-20907
+  * CVE-2020-14422
+  * CVE-2020-8492
+
+ -- Moritz Mühlenhoff <[email protected]>  Sat, 25 Jul 2020 15:03:44 +0200
+
 python3.7 (3.7.3-2+deb10u1) buster; urgency=medium
 
   * CVE-2019-9740
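Review bot: the three new changelog entries are bare CVE identifiers with no hint of what each one fixes, which is what administrators will see in apt-listchanges and what will be pasted into the DSA/point-release notes. Suggest one short clause per entry, e.g. `* CVE-2019-20907: tarfile: reject zero-length pax records to avoid an infinite loop`, `* CVE-2020-14422: ipaddress: fix constant __hash__() of IPv4Interface/IPv6Interface`, `* CVE-2020-8492: urllib: avoid regex backtracking in AbstractBasicAuthHandler realm parsing`. The existing deb10u1 entry follows the same bare style, so this is a consistency-with-upstream-Debian-practice point rather than a blocker.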
diff -Nru python3.7-3.7.3/debian/patches/CVE-2019-20907.diff 
python3.7-3.7.3/debian/patches/CVE-2019-20907.diff
--- python3.7-3.7.3/debian/patches/CVE-2019-20907.diff  1970-01-01 
01:00:00.000000000 +0100
+++ python3.7-3.7.3/debian/patches/CVE-2019-20907.diff  2020-07-22 
18:02:59.000000000 +0200
@@ -0,0 +1,26 @@
+From 79c6b602efc9a906c8496f3d5f4d54c54b48fa06 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <[email protected]>
+Date: Wed, 15 Jul 2020 05:35:08 -0700
+Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module
+ (GH-21454) (GH-21484)
+
+Avoid infinite loop when reading specially crafted TAR files using the tarfile 
module
+(CVE-2019-20907).
+(cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4)
+
+Co-authored-by: Rishi <[email protected]>
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index 3b596cbf49d27..3be5188c8b0a2 100755
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -1233,6 +1233,8 @@ def _proc_pax(self, tarfile):
+ 
+             length, keyword = match.groups()
+             length = int(length)
++            if length == 0:
++                raise InvalidHeaderError("invalid header")
+             value = buf[match.end(2) + 1:match.start(1) + length - 1]
+ 
+             # Normally, we could just use "utf-8" as the encoding and "strict"
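Review bot: the guard `if length == 0: raise InvalidHeaderError("invalid header")` is correct for the reported case (a record whose declared length never advances the parse position), but the message is too generic to be useful in logs; suggest `raise InvalidHeaderError("invalid header: pax record length is zero")` so an operator seeing the exception knows which check fired. Also note that, unlike the CVE-2020-14422 patch below, this backport touches only `Lib/tarfile.py` and carries no regression test; a test that feeds `_proc_pax` a constructed pax header with a `0 keyword=value` record and asserts `InvalidHeaderError` (or `ReadError` at the `TarFile.open` level) would prevent the check from being silently lost in a later rebase.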
diff -Nru python3.7-3.7.3/debian/patches/CVE-2020-14422.diff 
python3.7-3.7.3/debian/patches/CVE-2020-14422.diff
--- python3.7-3.7.3/debian/patches/CVE-2020-14422.diff  1970-01-01 
01:00:00.000000000 +0100
+++ python3.7-3.7.3/debian/patches/CVE-2020-14422.diff  2020-07-22 
18:02:59.000000000 +0200
@@ -0,0 +1,62 @@
+From b98e7790c77a4378ec4b1c71b84138cb930b69b7 Mon Sep 17 00:00:00 2001
+From: Tapas Kundu <[email protected]>
+Date: Wed, 1 Jul 2020 00:50:21 +0530
+Subject: [PATCH] [3.7] bpo-41004: Resolve hash collisions for IPv4Interface
+ and IPv6Interface (GH-21033) (GH-21231)
+
+CVE-2020-14422
+The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
+of generating constant hash values of 32 and 128 respectively causing hash 
collisions.
+The fix uses the hash() function to generate hash values for the objects
+instead of XOR operation
+(cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28)
+
+Co-authored-by: Ravi Teja P <[email protected]>
+
+Signed-off-by: Tapas Kundu <[email protected]>
+---
+
+diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
+index 80249288d73ab..54882934c3dc1 100644
+--- a/Lib/ipaddress.py
++++ b/Lib/ipaddress.py
+@@ -1442,7 +1442,7 @@ def __lt__(self, other):
+             return False
+ 
+     def __hash__(self):
+-        return self._ip ^ self._prefixlen ^ int(self.network.network_address)
++        return hash((self._ip, self._prefixlen, 
int(self.network.network_address)))
+ 
+     __reduce__ = _IPAddressBase.__reduce__
+ 
+@@ -2088,7 +2088,7 @@ def __lt__(self, other):
+             return False
+ 
+     def __hash__(self):
+-        return self._ip ^ self._prefixlen ^ int(self.network.network_address)
++        return hash((self._ip, self._prefixlen, 
int(self.network.network_address)))
+ 
+     __reduce__ = _IPAddressBase.__reduce__
+ 
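Review bot: both hunks (IPv4Interface at 1442 and IPv6Interface at 2088) make the identical change from `self._ip ^ self._prefixlen ^ int(self.network.network_address)` to `hash((self._ip, self._prefixlen, int(self.network.network_address)))`, which is the right fix: for an interface with host bits zero the network address equals `_ip`, so the two XOR terms cancelled and the hash collapsed to the prefix length (32 or 128), as the commit message describes. Two things to confirm before merging: that `__eq__` on both classes compares exactly these three fields, so the hash/eq contract still holds after the change, and whether the duplicated body can live once in the shared interface base class rather than being maintained twice.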
+diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
+index 455b893fb126f..1fb6a929dc2d9 100644
+--- a/Lib/test/test_ipaddress.py
++++ b/Lib/test/test_ipaddress.py
+@@ -2091,6 +2091,17 @@ def testsixtofour(self):
+                          sixtofouraddr.sixtofour)
+         self.assertFalse(bad_addr.sixtofour)
+ 
++    # issue41004 Hash collisions in IPv4Interface and IPv6Interface
++    def testV4HashIsNotConstant(self):
++        ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4")
++        ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5")
++        self.assertNotEqual(ipv4_address1.__hash__(), 
ipv4_address2.__hash__())
++
++    # issue41004 Hash collisions in IPv4Interface and IPv6Interface
++    def testV6HashIsNotConstant(self):
++        ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")
++        ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")
++        self.assertNotEqual(ipv6_address1.__hash__(), 
ipv6_address2.__hash__())
+ 
+ if __name__ == '__main__':
+     unittest.main()
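Review bot: the new tests only assert that two distinct interfaces have different hashes, which a still-degenerate hash could satisfy by chance; they also call `__hash__()` directly instead of the `hash()` builtin the rest of the interpreter uses. Suggest asserting the property that actually failed, e.g. building several interfaces and checking `len({hash(i) for i in interfaces}) == len(interfaces)`, plus one positive check that two equal interfaces still hash equal, and dropping the duplicated `# issue41004 ...` comment in favour of a single comment above both methods.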
diff -Nru python3.7-3.7.3/debian/patches/CVE-2020-8492.diff 
python3.7-3.7.3/debian/patches/CVE-2020-8492.diff
--- python3.7-3.7.3/debian/patches/CVE-2020-8492.diff   1970-01-01 
01:00:00.000000000 +0100
+++ python3.7-3.7.3/debian/patches/CVE-2020-8492.diff   2020-07-25 
14:59:50.000000000 +0200
@@ -0,0 +1,25 @@
+Backport of b57a73694e26e8b2391731b5ee0b1be59437388e to only cover
+the CVE-2020-8492 fix without the AbstractBasicAuthHandler change
+
+diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
+index 0d3f9670fef40..4f42919b09eae 100644
+--- a/Lib/urllib/request.py
++++ b/Lib/urllib/request.py
+@@ -944,8 +944,15 @@ class AbstractBasicAuthHandler:
+ 
+     # allow for double- and single-quoted realm values
+     # (single quotes are a violation of the RFC, but appear in the wild)
+-    rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
+-                    'realm=(["\']?)([^"\']*)\\2', re.I)
++    rx = re.compile('(?:^|,)'   # start of the string or ','
++                    '[ \t]*'    # optional whitespaces
++                    '([^ \t]+)' # scheme like "Basic"
++                    '[ \t]+'    # mandatory whitespaces
++                    # realm=xxx
++                    # realm='xxx'
++                    # realm="xxx"
++                    'realm=(["\']?)([^"\']*)\\2',
++                    re.I)
+ 
+     # XXX could pre-emptively send auth info already accepted (RFC 2617,
+     # end of section 2, and section 1.2 immediately after "credentials"
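Review bot: the patch header at the top of this file is free text only; unlike the other two patches it has no `From:`/`Date:`/`Subject:` block, so the upstream origin is not machine-readable. Suggest DEP-3 headers (`Origin: backport, https://github.com/python/cpython/commit/b57a73694e26e8b2391731b5ee0b1be59437388e`, `Bug: CVE-2020-8492`) so `lintian` and future maintainers can trace it. The regex change itself is sound: replacing the leading `(?:.*,)*` with `(?:^|,)` removes the nested-quantifier backtracking on long comma-separated `WWW-Authenticate` values, and the inline comments make the intent clear; a regression test with a long header of repeated commas and a time bound would document that the backport keeps the linear-time behaviour.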
diff -Nru python3.7-3.7.3/debian/patches/series 
python3.7-3.7.3/debian/patches/series
--- python3.7-3.7.3/debian/patches/series       2019-12-20 17:58:50.000000000 
+0100
+++ python3.7-3.7.3/debian/patches/series       2020-07-22 18:03:39.000000000 
+0200
@@ -43,3 +43,7 @@
 CVE-2019-10160-2.diff
 CVE-2019-16056.diff
 CVE-2019-16935.diff
+CVE-2019-20907.diff
+CVE-2020-14422.diff
+CVE-2020-8492.diff
+
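Review bot: the final `+` line adds an empty trailing line to `debian/patches/series`; quilt tolerates it, but it is noise in every future diff of this file. Suggest dropping that blank line so the hunk adds exactly the three new patch names.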

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
