commit python3 for openSUSE:Factory

[root]

Hello community,

here is the log from the commit of package python3 for openSUSE:Factory checked 
in at 2019-02-02 21:45:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python3 (Old)
 and      /work/SRC/openSUSE:Factory/.python3.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python3"

Sat Feb  2 21:45:55 2019 rev:91 rq:670332 version:3.7.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/python3/python3-base.changes     2019-01-28 
20:45:29.586091526 +0100
+++ /work/SRC/openSUSE:Factory/.python3.new.28833/python3-base.changes  
2019-02-02 21:46:00.244149482 +0100
@@ -1,0 +2,17 @@
+Wed Jan 30 18:07:49 CET 2019 - mc...@suse.com
+
+- Put LICENSE file where it belongs (bsc#1121852)
+
+-------------------------------------------------------------------
+Sat Jan 19 16:19:38 CET 2019 - mc...@suse.com
+
+- bsc#1122191: add CVE-2019-5010-null-defer-x509-cert-DOS.patch
+  fixing bpo-35746.
+  An exploitable denial-of-service vulnerability exists in the
+  X509 certificate parser of Python.org Python 2.7.11 / 3.7.2.
+  A specially crafted X509 certificate can cause a NULL pointer
+  dereference, resulting in a denial of service. An attacker can
+  initiate or accept TLS connections using crafted certificates
+  to trigger this vulnerability.
+
+-------------------------------------------------------------------
python3-doc.changes: same change
python3.changes: same change

New:
----
  CVE-2019-5010-null-defer-x509-cert-DOS.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python3-base.spec ++++++
--- /var/tmp/diff_new_pack.lpeWXt/_old  2019-02-02 21:46:03.972146253 +0100
+++ /var/tmp/diff_new_pack.lpeWXt/_new  2019-02-02 21:46:03.972146253 +0100
@@ -168,6 +168,10 @@
 # to /usr/local if executable is /usr/bin/python* and RPM build
 # is not detected to make pip and distutils install into separate location
 Patch27:        boo1071941-make-install-in-sep-loc.patch
+# PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 
mc...@suse.com
+# https://github.com/python/cpython/pull/11569
+# Fix segfault in ssl's cert parser
+Patch28:        CVE-2019-5010-null-defer-x509-cert-DOS.patch
 ### COMMON-PATCH-END ###
 
 %description
@@ -263,6 +267,7 @@
 %patch25 -p1
 %patch26 -p1
 %patch27 -p1
+%patch28 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
@@ -366,7 +371,6 @@
 export PDOCS=%{buildroot}%{_docdir}/%{name}
 install -d -m 755 $PDOCS
 install -c -m 644 %{SOURCE4} $PDOCS/
-install -c -m 644 LICENSE    $PDOCS/
 install -c -m 644 README.rst $PDOCS/
 
 # tools
@@ -485,7 +489,7 @@
 # docs
 %dir %{_docdir}/%{name}
 %doc %{_docdir}/%{name}/README.rst
-%license %{_docdir}/%{name}/LICENSE
+%license LICENSE
 %doc %{_docdir}/%{name}/README.SUSE
 %{_mandir}/man1/python3.1*
 %{_mandir}/man1/python%{python_version}.1*

++++++ python3-doc.spec ++++++
--- /var/tmp/diff_new_pack.lpeWXt/_old  2019-02-02 21:46:03.992146236 +0100
+++ /var/tmp/diff_new_pack.lpeWXt/_new  2019-02-02 21:46:04.000146229 +0100
@@ -95,6 +95,10 @@
 # to /usr/local if executable is /usr/bin/python* and RPM build
 # is not detected to make pip and distutils install into separate location
 Patch27:        boo1071941-make-install-in-sep-loc.patch
+# PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 
mc...@suse.com
+# https://github.com/python/cpython/pull/11569
+# Fix segfault in ssl's cert parser
+Patch28:        CVE-2019-5010-null-defer-x509-cert-DOS.patch
 ### COMMON-PATCH-END ###
 
 %description
@@ -143,6 +147,7 @@
 %patch25 -p1
 %patch26 -p1
 %patch27 -p1
+%patch28 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac

++++++ python3.spec ++++++
--- /var/tmp/diff_new_pack.lpeWXt/_old  2019-02-02 21:46:04.080146160 +0100
+++ /var/tmp/diff_new_pack.lpeWXt/_new  2019-02-02 21:46:04.088146153 +0100
@@ -89,6 +89,7 @@
 BuildRequires:  pkgconfig
 BuildRequires:  readline-devel
 BuildRequires:  sqlite-devel
+BuildRequires:  timezone
 BuildRequires:  tk-devel
 BuildRequires:  xz
 BuildRequires:  pkgconfig(x11)
@@ -133,6 +134,10 @@
 # to /usr/local if executable is /usr/bin/python* and RPM build
 # is not detected to make pip and distutils install into separate location
 Patch27:        boo1071941-make-install-in-sep-loc.patch
+# PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 
mc...@suse.com
+# https://github.com/python/cpython/pull/11569
+# Fix segfault in ssl's cert parser
+Patch28:        CVE-2019-5010-null-defer-x509-cert-DOS.patch
 ### COMMON-PATCH-END ###
 
 %description
@@ -192,6 +197,7 @@
 %patch25 -p1
 %patch26 -p1
 %patch27 -p1
+%patch28 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac

++++++ CVE-2019-5010-null-defer-x509-cert-DOS.patch ++++++
>From a37f52436f9aa4b9292878b72f3ff1480e2606c3 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christ...@python.org>
Date: Tue, 15 Jan 2019 23:47:42 +0100
Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser (GH-11569)

Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.

Signed-off-by: Christian Heimes <christ...@python.org>



https://bugs.python.org/issue35746
---
 Lib/test/talos-2019-0758.pem                  | 22 +++++++++++++++++++
 Lib/test/test_ssl.py                          | 22 +++++++++++++++++++
 .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst  |  3 +++
 Modules/_ssl.c                                |  4 ++++
 4 files changed, 51 insertions(+)
 create mode 100644 Lib/test/talos-2019-0758.pem
 create mode 100644 
Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst

--- /dev/null
+++ b/Lib/test/talos-2019-0758.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO
+BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7
+MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh
+bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB
+J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES
+V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD
+5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C
+1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP
+WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF
+j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp
+HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io
+UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7
+2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu
+bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG
+SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p
+t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr
+t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit
+p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV
+Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+
+10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA==
+-----END CERTIFICATE-----
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -116,6 +116,7 @@ NONEXISTINGCERT = data_file("XXXnonexist
 BADKEY = data_file("badkey.pem")
 NOKIACERT = data_file("nokia.pem")
 NULLBYTECERT = data_file("nullbytecert.pem")
+TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")
 
 DHFILE = data_file("ffdh3072.pem")
 BYTES_DHFILE = os.fsencode(DHFILE)
@@ -365,6 +366,27 @@ class BasicSocketTests(unittest.TestCase
         self.assertEqual(p['crlDistributionPoints'],
                          ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))
 
+    def test_parse_cert_CVE_2019_5010(self):
+        p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
+        if support.verbose:
+            sys.stdout.write("\n" + pprint.pformat(p) + "\n")
+        self.assertEqual(
+            p,
+            {
+                'issuer': (
+                    (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
+                'notAfter': 'Jun 14 18:00:58 2028 GMT',
+                'notBefore': 'Jun 18 18:00:58 2018 GMT',
+                'serialNumber': '02',
+                'subject': ((('countryName', 'UK'),),
+                            (('commonName',
+                              'codenomicon-vm-2.test.lal.cisco.com'),)),
+                'subjectAltName': (
+                    ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
+                'version': 3
+            }
+        )
+
     def test_parse_cert_CVE_2013_4238(self):
         p = ssl._ssl._test_decode_cert(NULLBYTECERT)
         if support.verbose:
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
@@ -0,0 +1,3 @@
+[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did
+not handle CRL distribution points with empty DP or URI correctly. A
+malicious or buggy certificate can result into segfault.
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1516,6 +1516,10 @@ _get_crl_dp(X509 *certificate) {
         STACK_OF(GENERAL_NAME) *gns;
 
         dp = sk_DIST_POINT_value(dps, i);
+        if (dp->distpoint == NULL) {
+            /* Ignore empty DP value, CVE-2019-5010 */
+            continue;
+        }
         gns = dp->distpoint->name.fullname;
 
         for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {