Hello community, here is the log from the commit of package python3 for openSUSE:Factory checked in at 2019-06-18 14:42:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python3 (Old) and /work/SRC/openSUSE:Factory/.python3.new.4811 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python3" Tue Jun 18 14:42:58 2019 rev:93 rq:704730 version:3.7.3 Changes: -------- --- /work/SRC/openSUSE:Factory/python3/python3-base.changes 2019-04-02 09:16:30.940415243 +0200 +++ /work/SRC/openSUSE:Factory/.python3.new.4811/python3-base.changes 2019-06-18 14:43:05.817751625 +0200 
@@ -1,0 +2,43 @@ +Wed May 22 10:53:03 UTC 2019 - Martin Liška <[email protected]> + +- Set _lto_cflags to nil as the package is using LTO via --enable-lto. + That will prevent to propage LTO for Python modules that are + built in a separate package. + +------------------------------------------------------------------- +Mon Apr 29 15:40:34 CEST 2019 - Matej Cepl <[email protected]> + +- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch + Address the issue by disallowing URL paths with embedded + whitespace or control characters through into the underlying + http client request. Such potentially malicious header + injection URLs now cause a ValueError to be raised. + +------------------------------------------------------------------- +Wed Apr 10 10:22:58 CEST 2019 - Matej Cepl <[email protected]> + +- Fix metadata of patches. +- Rename boo1071941-make-install-in-sep-loc.patch to + 00251-change-user-install-location.patch which is the original + name, so it can be looked up in the Fedora VCS. + +------------------------------------------------------------------- +Tue Apr 9 04:55:24 UTC 2019 - John Vandenberg <[email protected]> + +- Mark distutils bdist_wininst command unsupported + with 00316-mark-bdist_wininst-unsupported.patch +- Remove Windows bdist_wininst executables from runtime package + +------------------------------------------------------------------- +Tue Apr 9 01:21:45 CEST 2019 - Matej Cepl <[email protected]> + +- Update to 3.7.3, which is the maintenance release without any + significant changes in API. 
+ - Updated patches: + - CVE-2019-5010-null-defer-x509-cert-DOS.patch + - distutils-reproducible-compile.patch + - python-3.3.0b1-fix_date_time_compiler.patch + - python-3.6.0-multilib.patch + - raise_SIGING_not_handled.patch + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/python3/python3-doc.changes 2019-04-02 09:16:33.160417598 +0200 +++ /work/SRC/openSUSE:Factory/.python3.new.4811/python3-doc.changes 2019-06-18 14:43:05.897751614 +0200 
@@ -1,0 +2,48 @@ +Wed May 22 10:53:03 UTC 2019 - Martin Liška <[email protected]> + +- Set _lto_cflags to nil as the package is using LTO via --enable-lto. + That will prevent to propage LTO for Python modules that are + built in a separate package. + +------------------------------------------------------------------- +Mon Apr 29 15:40:34 CEST 2019 - Matej Cepl <[email protected]> + +- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch + Address the issue by disallowing URL paths with embedded + whitespace or control characters through into the underlying + http client request. Such potentially malicious header + injection URLs now cause a ValueError to be raised. + +------------------------------------------------------------------- +Wed Apr 10 10:22:58 CEST 2019 - Matej Cepl <[email protected]> + +- Fix metadata of patches. +- Rename boo1071941-make-install-in-sep-loc.patch to + 00251-change-user-install-location.patch which is the original + name, so it can be looked up in the Fedora VCS. + +------------------------------------------------------------------- +Tue Apr 9 04:55:24 UTC 2019 - John Vandenberg <[email protected]> + +- Mark distutils bdist_wininst command unsupported + with 00316-mark-bdist_wininst-unsupported.patch +- Remove Windows bdist_wininst executables from runtime package + +------------------------------------------------------------------- +Tue Apr 9 01:21:45 CEST 2019 - Matej Cepl <[email protected]> + +- Update to 3.7.3, which is the maintenance release without any + significant changes in API. + - Updated patches: + - CVE-2019-5010-null-defer-x509-cert-DOS.patch + - distutils-reproducible-compile.patch + - python-3.3.0b1-fix_date_time_compiler.patch + - python-3.6.0-multilib.patch + - raise_SIGING_not_handled.patch + +------------------------------------------------------------------- +Wed Mar 20 14:59:58 UTC 2019 - Matěj Cepl <[email protected]> + +- Remove building of Qt Develop help files. 
+ +------------------------------------------------------------------- python3.changes: same change Old: ---- Python-3.7.2.tar.xz Python-3.7.2.tar.xz.asc boo1071941-make-install-in-sep-loc.patch New: ---- 00251-change-user-install-location.patch 00316-mark-bdist_wininst-unsupported.patch CVE-2019-9947-no-ctrl-char-http.patch Python-3.7.3.tar.xz Python-3.7.3.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python3-base.spec ++++++ --- /var/tmp/diff_new_pack.ykx4lW/_old 2019-06-18 14:43:07.525751377 +0200 +++ /var/tmp/diff_new_pack.ykx4lW/_new 2019-06-18 14:43:07.525751377 +0200 @@ -72,7 +72,7 @@ ### COMMON-DEF-END ### Name: python3-base -Version: 3.7.2 +Version: 3.7.3 Release: 0 Summary: Python 3 Interpreter and Stdlib Core License: Python-2.0 
@@ -158,23 +158,32 @@
 Patch15: subprocess-raise-timeout.patch
 # skip some tests only for PowerPC
 Patch23: skip_random_failing_tests.patch
-# Fix SOURCE_DATE_EPOCH problems (bpo-34022, bpo-29708)
-# https://github.com/python/cpython/pull/10775
-# https://github.com/python/cpython/pull/10327
+# Fix SOURCE_DATE_EPOCH problems (bpo#34022, bpo#29708)
+# gh#python/cpython#10775 and gh#python/cpython#10327
 Patch24: bpo34022-stop_hash-based_invalidation_w_SOURCE_DATE_EPOCH.patch
 Patch25: python3-imp-returntype.patch
-# https://github.com/python/cpython/pull/7778
+# PATCH-FIX-UPSTREAM raise_SIGING_not_handled.patch bpo#23395 [email protected]
+# Raise an exception if the SIGINT signal is ignored or not handled
+# gh#python/cpython#7778
 Patch26: raise_SIGING_not_handled.patch
-# Fix installation in /usr/local (boo#1071941), originally from Fedora
-# https://src.fedoraproject.org/rpms/python3/blob/master/f/00251-change-user-install-location.patch
+# PATCH-FIX-UPSTREAM boo1071941-make-install-in-sep-loc.patch bsc#1071941 [email protected]
+# Fix installation in /usr/local (boo#1071941), originally from the Fedora VCS.
+#
 # Set values of prefix and exec_prefix in distutils install command
 # to /usr/local if executable is /usr/bin/python* and RPM build
 # is not detected to make pip and distutils install into separate location
-Patch27: boo1071941-make-install-in-sep-loc.patch
+Patch27: 00251-change-user-install-location.patch
 # PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 [email protected]
 # https://github.com/python/cpython/pull/11569
 # Fix segfault in ssl's cert parser
 Patch28: CVE-2019-5010-null-defer-x509-cert-DOS.patch
+# PATCH-FIX-UPSTREAM 00316-mark-bdist_wininst-unsupported.patch [email protected]
+# Mark distutils bdist_wininst command unsupported, causing
+# the associated test to be skipped. Originally from the Fedora VCS.
+Patch29: 00316-mark-bdist_wininst-unsupported.patch
+# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 [email protected]
+# bpo#30458: Disallow control chars in http URLs.
+Patch30: CVE-2019-9947-no-ctrl-char-http.patch
 ### COMMON-PATCH-END ###
 %description
@@ -272,6 +281,8 @@
 %patch26 -p1
 %patch27 -p1
 %patch28 -p1
+%patch29 -p1
+%patch30 -p1
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
@@ -292,10 +303,14 @@
 # drop duplicate README from site-packages
 rm Lib/site-packages/README.txt
+# remove unnecessary Windows executables
+rm Lib/distutils/command/wininst-*.exe
+
 ### COMMON-PREP-END ###
 %build
 ### COMMON-CONFIG-BEGIN ###
+%define _lto_cflags %{nil}
 # use rpm_opt_flags
 export OPT="%{optflags} -DOPENSSL_LOAD_CONF -fwrapv $(pkg-config --cflags-only-I libffi)"
++++++ python3-doc.spec ++++++
--- /var/tmp/diff_new_pack.ykx4lW/_old 2019-06-18 14:43:07.549751373 +0200
+++ /var/tmp/diff_new_pack.ykx4lW/_new 2019-06-18 14:43:07.549751373 +0200
@@ -66,7 +66,7 @@
 ### COMMON-DEF-END ###
 # Name: python3-doc
-Version: 3.7.2
+Version: 3.7.3
 Release: 0
 Summary: Additional Package Documentation for Python 3
 License: Python-2.0
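Review bot: The tag line added for Patch27 still names the old file, `# PATCH-FIX-UPSTREAM boo1071941-make-install-in-sep-loc.patch bsc#1071941 [email protected]`, while the `Patch27:` line a few lines below now reads `Patch27: 00251-change-user-install-location.patch`; since the tag is what reviewers and tooling match against the patch file, it should become `# PATCH-FIX-UPSTREAM 00251-change-user-install-location.patch bsc#1071941 [email protected]`. The identical hunks in python3-doc.spec and python3.spec carry the same stale name. Both that patch and 00316 are described in their own comments as coming from the Fedora VCS rather than from upstream CPython, so PATCH-FIX-UPSTREAM may not be the right category; worth checking against the packaging guidelines. For Patch30, the comment cites `bpo#30458` and the .changes entry says the rejected URLs raise a ValueError, whereas the patch body itself refers to CVE-2019-9740 and bpo-36276 and raises `InvalidURL`; extending the comment to `# bpo#30458 / bpo#36276 (CVE-2019-9947, CVE-2019-9740): disallow control chars in http URLs; raises http.client.InvalidURL` keeps the three places consistent.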
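Review bot: `%define _lto_cflags %{nil}` is added right under `### COMMON-CONFIG-BEGIN ###` with no comment, and the only explanation of why lives in the .changes entry, so a reader of the spec cannot tell that LTO is deliberately kept and comes from `--enable-lto`. A one-line comment above it such as `# LTO is enabled through --enable-lto; clear _lto_cflags so the distro LTO flags are not propagated to Python modules built in other packages` would carry that rationale where it is needed. The same line is added to python3.spec, but the corresponding python3-doc.spec hunk adds only the wininst removal while python3-doc.changes records the _lto_cflags change as well; either the doc spec is missing the line or its changelog entry is inaccurate, which is worth confirming.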
@@ -97,23 +97,32 @@ Patch15: subprocess-raise-timeout.patch # skip some tests only for PowerPC Patch23: skip_random_failing_tests.patch -# Fix SOURCE_DATE_EPOCH problems (bpo-34022, bpo-29708) -# https://github.com/python/cpython/pull/10775 -# https://github.com/python/cpython/pull/10327 +# Fix SOURCE_DATE_EPOCH problems (bpo#34022, bpo#29708) +# gh#python/cpython#10775 and gh#python/cpython#10327 Patch24: bpo34022-stop_hash-based_invalidation_w_SOURCE_DATE_EPOCH.patch Patch25: python3-imp-returntype.patch -# https://github.com/python/cpython/pull/7778 +# PATCH-FIX-UPSTREAM raise_SIGING_not_handled.patch bpo#23395 [email protected] +# Raise an exception if the SIGINT signal is ignored or not handled +# gh#python/cpython#7778 Patch26: raise_SIGING_not_handled.patch -# Fix installation in /usr/local (boo#1071941), originally from Fedora -# https://src.fedoraproject.org/rpms/python3/blob/master/f/00251-change-user-install-location.patch +# PATCH-FIX-UPSTREAM boo1071941-make-install-in-sep-loc.patch bsc#1071941 [email protected] +# Fix installation in /usr/local (boo#1071941), originally from the Fedora VCS. +# # Set values of prefix and exec_prefix in distutils install command # to /usr/local if executable is /usr/bin/python* and RPM build # is not detected to make pip and distutils install into separate location -Patch27: boo1071941-make-install-in-sep-loc.patch +Patch27: 00251-change-user-install-location.patch # PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 [email protected] # https://github.com/python/cpython/pull/11569 # Fix segfault in ssl's cert parser Patch28: CVE-2019-5010-null-defer-x509-cert-DOS.patch +# PATCH-FIX-UPSTREAM 00316-mark-bdist_wininst-unsupported.patch [email protected] +# Mark distutils bdist_wininst command unsupported, causing +# the associated test to be skipped. Originally from the Fedora VCS. 
+Patch29: 00316-mark-bdist_wininst-unsupported.patch +# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 [email protected] +# bpo#30458: Disallow control chars in http URLs. +Patch30: CVE-2019-9947-no-ctrl-char-http.patch ### COMMON-PATCH-END ### %description @@ -151,6 +160,8 @@ %patch26 -p1 %patch27 -p1 %patch28 -p1 +%patch29 -p1 +%patch30 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac @@ -171,6 +182,9 @@ # drop duplicate README from site-packages rm Lib/site-packages/README.txt +# remove unnecessary Windows executables +rm Lib/distutils/command/wininst-*.exe + ### COMMON-PREP-END ### %build ++++++ python3.spec ++++++ --- /var/tmp/diff_new_pack.ykx4lW/_old 2019-06-18 14:43:07.573751370 +0200 +++ /var/tmp/diff_new_pack.ykx4lW/_new 2019-06-18 14:43:07.577751370 +0200 @@ -71,7 +71,7 @@ ### COMMON-DEF-END ### # Name: python3 -Version: 3.7.2 +Version: 3.7.3 Release: 0 Summary: Python 3 Interpreter License: Python-2.0 
@@ -136,23 +136,32 @@ Patch15: subprocess-raise-timeout.patch # skip some tests only for PowerPC Patch23: skip_random_failing_tests.patch -# Fix SOURCE_DATE_EPOCH problems (bpo-34022, bpo-29708) -# https://github.com/python/cpython/pull/10775 -# https://github.com/python/cpython/pull/10327 +# Fix SOURCE_DATE_EPOCH problems (bpo#34022, bpo#29708) +# gh#python/cpython#10775 and gh#python/cpython#10327 Patch24: bpo34022-stop_hash-based_invalidation_w_SOURCE_DATE_EPOCH.patch Patch25: python3-imp-returntype.patch -# https://github.com/python/cpython/pull/7778 +# PATCH-FIX-UPSTREAM raise_SIGING_not_handled.patch bpo#23395 [email protected] +# Raise an exception if the SIGINT signal is ignored or not handled +# gh#python/cpython#7778 Patch26: raise_SIGING_not_handled.patch -# Fix installation in /usr/local (boo#1071941), originally from Fedora -# https://src.fedoraproject.org/rpms/python3/blob/master/f/00251-change-user-install-location.patch +# PATCH-FIX-UPSTREAM boo1071941-make-install-in-sep-loc.patch bsc#1071941 [email protected] +# Fix installation in /usr/local (boo#1071941), originally from the Fedora VCS. +# # Set values of prefix and exec_prefix in distutils install command # to /usr/local if executable is /usr/bin/python* and RPM build # is not detected to make pip and distutils install into separate location -Patch27: boo1071941-make-install-in-sep-loc.patch +Patch27: 00251-change-user-install-location.patch # PATCH-FIX-UPSTREAM CVE-2019-5010-null-defer-x509-cert-DOS.patch bnc#1122191 [email protected] # https://github.com/python/cpython/pull/11569 # Fix segfault in ssl's cert parser Patch28: CVE-2019-5010-null-defer-x509-cert-DOS.patch +# PATCH-FIX-UPSTREAM 00316-mark-bdist_wininst-unsupported.patch [email protected] +# Mark distutils bdist_wininst command unsupported, causing +# the associated test to be skipped. Originally from the Fedora VCS. 
+Patch29: 00316-mark-bdist_wininst-unsupported.patch +# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 [email protected] +# bpo#30458: Disallow control chars in http URLs. +Patch30: CVE-2019-9947-no-ctrl-char-http.patch ### COMMON-PATCH-END ### %description @@ -214,6 +223,8 @@ %patch26 -p1 %patch27 -p1 %patch28 -p1 +%patch29 -p1 +%patch30 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac @@ -234,10 +245,14 @@ # drop duplicate README from site-packages rm Lib/site-packages/README.txt +# remove unnecessary Windows executables +rm Lib/distutils/command/wininst-*.exe + ### COMMON-PREP-END ### %build ### COMMON-CONFIG-BEGIN ### +%define _lto_cflags %{nil} # use rpm_opt_flags export OPT="%{optflags} -DOPENSSL_LOAD_CONF -fwrapv $(pkg-config --cflags-only-I libffi)" ++++++ 00251-change-user-install-location.patch ++++++ >From 332b947dfc8d0f0d3a4525864b121d0f239beb4d Mon Sep 17 00:00:00 2001 From: Michal Cyprian <[email protected]> Date: Jun 26 2017 14:32:56 +0000 Subject: Make pip and distutils in user environment install into separate location --- --- /dev/null +++ b/00251-change-user-install-location.patch 
@@ -0,0 +1,46 @@
+diff --git a/Lib/distutils/command/install.py b/Lib/distutils/command/install.py
+index 9d31d13..ed44a93 100644
+--- a/Lib/distutils/command/install.py
++++ b/Lib/distutils/command/install.py
+@@ -424,8 +424,18 @@ class install(Command):
+ raise DistutilsOptionError(
+ "must not supply exec-prefix without prefix")
+
+- self.prefix = os.path.normpath(sys.prefix)
+- self.exec_prefix = os.path.normpath(sys.exec_prefix)
++ # self.prefix is set to sys.prefix + /local/
++ # if the executable is /usr/bin/python* and RPM build
++ # is not detected to make pip and distutils install into
++ # the separate location.
++ if (sys.executable.startswith("/usr/bin/python")
++ and 'RPM_BUILD_ROOT' not in os.environ):
++ addition = "/local"
++ else:
++ addition = ""
++
++ self.prefix = os.path.normpath(sys.prefix) + addition
++ self.exec_prefix = os.path.normpath(sys.exec_prefix) + addition
+
+ else:
+ if self.exec_prefix is None:
+diff --git a/Lib/site.py b/Lib/site.py
+index 4744eb0..b5fe571 100644
+--- a/Lib/site.py
++++ b/Lib/site.py
+@@ -326,7 +326,15 @@ def getsitepackages(prefixes=None):
+ return sitepackages
+
+ def addsitepackages(known_paths, prefixes=None):
+- """Add site-packages to sys.path"""
++ """Add site-packages to sys.path.
++
++ '/usr/local' is included in PREFIXES if the executable is /usr/bin/python*
++ and RPM build is not detected to make sudo pip installed packages visible.
++
++ """
++ if (ENABLE_USER_SITE and sys.executable.startswith("/usr/bin/python")
++ and 'RPM_BUILD_ROOT' not in os.environ):
++ PREFIXES.insert(0, "/usr/local")
+ for sitedir in getsitepackages(prefixes):
+ if os.path.isdir(sitedir):
+ addsitedir(sitedir, known_paths)
++++++ 00316-mark-bdist_wininst-unsupported.patch ++++++
diff --git a/Lib/distutils/command/bdist_wininst.py b/Lib/distutils/command/bdist_wininst.py
index 0871a4f..8796b68 100644
--- a/Lib/distutils/command/bdist_wininst.py
+++ b/Lib/distutils/command/bdist_wininst.py
@@ -12,6 +12,8 @@ from distutils.sysconfig import get_python_version
 from distutils import log
 class bdist_wininst(Command):
+ # Marker for tests that we have the unsupported bdist_wininst
+ _unsupported = True
 description = "create an executable installer for MS Windows"
++++++ CVE-2019-5010-null-defer-x509-cert-DOS.patch ++++++
--- /var/tmp/diff_new_pack.ykx4lW/_old 2019-06-18 14:43:07.601751366 +0200
+++ /var/tmp/diff_new_pack.ykx4lW/_new 2019-06-18 14:43:07.601751366 +0200
@@ -21,44 +21,11 @@ create mode 100644 Lib/test/talos-2019-0758.pem create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst ---- /dev/null -+++ b/Lib/test/talos-2019-0758.pem -@@ -0,0 +1,22 @@ -+-----BEGIN CERTIFICATE----- -+MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO -+BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7 -+MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh -+bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB -+J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES -+V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD -+5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C -+1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP -+WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF -+j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp -+HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io -+UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7 -+2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu -+bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG -+SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p -+t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr -+t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit -+p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV -+Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+ -+10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA== -+-----END CERTIFICATE----- --- a/Lib/test/test_ssl.py 
+++ b/Lib/test/test_ssl.py -@@ -116,6 +116,7 @@ NONEXISTINGCERT = data_file("XXXnonexist - BADKEY = data_file("badkey.pem") - NOKIACERT = data_file("nokia.pem") - NULLBYTECERT = data_file("nullbytecert.pem") -+TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem") - - DHFILE = data_file("ffdh3072.pem") - BYTES_DHFILE = os.fsencode(DHFILE) -@@ -365,6 +366,27 @@ class BasicSocketTests(unittest.TestCase - self.assertEqual(p['crlDistributionPoints'], - ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',)) +@@ -400,6 +400,27 @@ class BasicSocketTests(unittest.TestCase + } + ) + def test_parse_cert_CVE_2019_5010(self): + p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP) @@ -84,22 +51,3 @@ def test_parse_cert_CVE_2013_4238(self): p = ssl._ssl._test_decode_cert(NULLBYTECERT) if support.verbose: ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst -@@ -0,0 +1,3 @@ -+[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did -+not handle CRL distribution points with empty DP or URI correctly. A -+malicious or buggy certificate can result into segfault. ---- a/Modules/_ssl.c -+++ b/Modules/_ssl.c -@@ -1516,6 +1516,10 @@ _get_crl_dp(X509 *certificate) { - STACK_OF(GENERAL_NAME) *gns; - - dp = sk_DIST_POINT_value(dps, i); -+ if (dp->distpoint == NULL) { -+ /* Ignore empty DP value, CVE-2019-5010 */ -+ continue; -+ } - gns = dp->distpoint->name.fullname; - - for (j=0; j < sk_GENERAL_NAME_num(gns); j++) { ++++++ CVE-2019-9947-no-ctrl-char-http.patch ++++++ --- a/Lib/http/client.py +++ b/Lib/http/client.py 
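Review bot: After this rebase the patch no longer carries the `_ssl.c` fix, the test certificate or the NEWS fragment (all dropped here and in the `@@ -84,22 +51,3 @@` hunk), yet the retained preamble context still says `create mode 100644 Lib/test/talos-2019-0758.pem` and `create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst`, so the patch header now misdescribes what it applies. What remains adds only `test_parse_cert_CVE_2019_5010`, and that test still reads `TALOS_INVALID_CRLDP` although the `@@ -116,6 +116,7 @@` hunk defining that constant was removed; this only works if the 3.7.3 tarball already contains the upstream fix together with that constant and the pem file, which the removals suggest but the page does not show. If it does, the patch is redundant and likely re-adds a test the tarball already has, and dropping it with a .changes note is cleaner than keeping a CVE-named patch that no longer contains the fix; if it does not, the test fails with NameError and the C fix is missing. Either way the decision should be checked against the tarball rather than inferred from the patch name.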
@@ -140,6 +140,15 @@ _MAXHEADERS = 100
 _is_legal_header_name = re.compile(rb'[^:\s][^:\r\n]*').fullmatch
 _is_illegal_header_value = re.compile(rb'\n(?![ \t])|\r(?![ \t\n])').search
+# These characters are not allowed within http URL paths.
+# https://tools.ietf.org/html/rfc3986#section-3.3
+# in order to prevent CVE-2019-9740.
+# We don't restrict chars above \x7f as putrequest() limits us to ASCII.
+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
+# Arguably only these _should_ allowed:
+# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
+# We are more lenient for assumed real world compatibility purposes.
+
 # We always set the Content-Length header for these methods because some
 # servers will otherwise respond with a 411
 _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
@@ -1101,6 +1110,9 @@ class HTTPConnection:
 self._method = method
 if not url:
 url = '/'
+ # Prevent CVE-2019-9740.
+ if _contains_disallowed_url_pchar_re.search(url):
+ raise InvalidURL(f"URL can't contain control characters. {url!r}")
 request = '%s %s %s' % (method, url, self._http_vsn_str)
 # Non-ASCII characters should have been eliminated earlier
--- a/Lib/test/test_urllib.py
+++ b/Lib/test/test_urllib.py
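Review bot: The added guard validates only `url`; `method`, stored on the context line `self._method = method` just above and formatted into the same request line `request = '%s %s %s' % (method, url, self._http_vsn_str)`, gets no such check in this hunk, so a method string containing the same whitespace or control characters would still be written into the request line unchanged. Whether putrequest validates `method` elsewhere is outside the hunk (putrequest starts and ends outside it), but if it does not, the same pattern applies: `if _contains_disallowed_url_pchar_re.search(method): raise ValueError(f"method can't contain control characters. {method!r}")`. The first hunk's `_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')` is correct as written, since the Python escapes yield the literal characters inside the class, though a raw string would match the convention of the commented-out `_is_allowed_url_pchars_re` beside it.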
@@ -329,6 +329,29 @@ class urlopen_HttpTests(unittest.TestCas
 finally:
 self.unfakehttp()
+ def test_url_with_newline_header_injection_rejected(self):
+ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
+ host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
+ schemeless_url = "//" + host + ":8080/test/?test=a"
+ try:
+ # We explicitly test urllib.request.urlopen() instead of the top
+ # level 'def urlopen()' function defined in this... (quite ugly)
+ # test suite. they use different url opening codepaths. plain
+ # urlopen uses FancyURLOpener which goes via a codepath that
+ # calls urllib.parse.quote() on the URL which makes all of the
+ # above attempts at injection within the url _path_ safe.
+ with self.assertRaisesRegex(http.client.InvalidURL, r"contain control.*\\r"):
+ urllib.request.urlopen(f"http:{schemeless_url}")
+ with self.assertRaisesRegex(http.client.InvalidURL, r"contain control.*\\n"):
+ urllib.request.urlopen(f"https:{schemeless_url}")
+ # This code path quotes the URL so there is no injection.
+ resp = urlopen(f"http:{schemeless_url}")
+ self.assertNotIn(' ', resp.geturl())
+ self.assertNotIn('\r', resp.geturl())
+ self.assertNotIn('\n', resp.geturl())
+ finally:
+ self.unfakehttp()
+
 def test_read_0_9(self):
 # "0.9" response accepted (but not "simple responses" without
 # a status line)
--- a/Lib/test/test_xmlrpc.py
+++ b/Lib/test/test_xmlrpc.py
@@ -944,9 +944,13 @@ class SimpleServerTestCase(BaseServerTes def test_partial_post(self): # Check that a partial POST doesn't make the server loop: issue #14001. - conn = http.client.HTTPConnection(ADDR, PORT) - conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye') - conn.close() + with contextlib.closing(socket.create_connection((ADDR, PORT))) as conn: + conn.send(('POST /RPC2 HTTP/1.0\r\n' + + 'Content-Length: 100\r\n\r\n' + + 'bye HTTP/1.1\r\n' + + f'Host: {ADDR}:{PORT}\r\n' + + 'Accept-Encoding: identity\r\n' + + 'Content-Length: 0\r\n\r\n').encode('ascii')) def test_context_manager(self): with xmlrpclib.ServerProxy(URL) as server: --- /dev/null +++ b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-36276.51E-DA.rst @@ -0,0 +1 @@ +Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause a InvalidURL to be raised. \ No newline at end of file ++++++ Python-3.7.2.tar.xz -> Python-3.7.3.tar.xz ++++++ /work/SRC/openSUSE:Factory/python3/Python-3.7.2.tar.xz /work/SRC/openSUSE:Factory/.python3.new.4811/Python-3.7.3.tar.xz differ: char 26, line 1 ++++++ distutils-reproducible-compile.patch ++++++ --- /var/tmp/diff_new_pack.ykx4lW/_old 2019-06-18 14:43:07.681751354 +0200 +++ /var/tmp/diff_new_pack.ykx4lW/_new 2019-06-18 14:43:07.685751354 +0200 
@@ -1,8 +1,6 @@ -Index: Python-3.6.2/Lib/distutils/util.py -=================================================================== ---- Python-3.6.2.orig/Lib/distutils/util.py -+++ Python-3.6.2/Lib/distutils/util.py -@@ -431,7 +431,7 @@ byte_compile(files, optimize=%r, force=% +--- a/Lib/distutils/util.py ++++ b/Lib/distutils/util.py +@@ -421,7 +421,7 @@ byte_compile(files, optimize=%r, force=% else: from py_compile import compile ++++++ python-3.3.0b1-fix_date_time_compiler.patch ++++++ --- /var/tmp/diff_new_pack.ykx4lW/_old 2019-06-18 14:43:07.721751349 +0200 +++ /var/tmp/diff_new_pack.ykx4lW/_new 2019-06-18 14:43:07.721751349 +0200 @@ -1,6 +1,6 @@ --- a/Makefile.pre.in +++ b/Makefile.pre.in -@@ -754,11 +754,18 @@ Modules/getbuildinfo.o: $(PARSER_OBJS) \ +@@ -761,11 +761,18 @@ Modules/getbuildinfo.o: $(PARSER_OBJS) \ $(MODOBJS) \ $(srcdir)/Modules/getbuildinfo.c $(CC) -c $(PY_CORE_CFLAGS) \ ++++++ python-3.6.0-multilib.patch ++++++ --- /var/tmp/diff_new_pack.ykx4lW/_old 2019-06-18 14:43:07.737751346 +0200 +++ /var/tmp/diff_new_pack.ykx4lW/_new 2019-06-18 14:43:07.737751346 +0200 @@ -1,6 +1,6 @@ --- a/configure.ac +++ b/configure.ac -@@ -4733,12 +4733,26 @@ AC_MSG_CHECKING(LDVERSION) +@@ -4751,12 +4751,26 @@ AC_MSG_CHECKING(LDVERSION) LDVERSION='$(VERSION)$(ABIFLAGS)' AC_MSG_RESULT($LDVERSION) @@ -31,7 +31,7 @@ --- a/Makefile.pre.in +++ b/Makefile.pre.in -@@ -129,13 +129,16 @@ exec_prefix= @exec_prefix@ +@@ -136,13 +136,16 @@ exec_prefix= @exec_prefix@ # Install prefix for data files datarootdir= @datarootdir@ @@ -49,7 +49,7 @@ ABIFLAGS= @ABIFLAGS@ # Detailed destination directories -@@ -762,6 +765,7 @@ Modules/getpath.o: $(srcdir)/Modules/get +@@ -769,6 +772,7 @@ Modules/getpath.o: $(srcdir)/Modules/get -DEXEC_PREFIX='"$(exec_prefix)"' \ -DVERSION='"$(VERSION)"' \ -DVPATH='"$(VPATH)"' \ 
@@ -93,7 +93,7 @@ #endif #ifndef LANDMARK -@@ -867,7 +868,7 @@ calculate_init(PyCalculatePath *calculat +@@ -912,7 +913,7 @@ calculate_init(PyCalculatePath *calculat if (!calculate->prefix) { return DECODE_LOCALE_ERR("EXEC_PREFIX define", len); } @@ -132,7 +132,7 @@ if HAS_USER_SITE: --- a/Lib/distutils/sysconfig.py +++ b/Lib/distutils/sysconfig.py -@@ -129,8 +129,9 @@ def get_python_lib(plat_specific=0, stan +@@ -142,8 +142,9 @@ def get_python_lib(plat_specific=0, stan prefix = plat_specific and EXEC_PREFIX or PREFIX if os.name == "posix": @@ -223,7 +223,7 @@ s = os.path.expanduser(os.path.expandvars(s)) --- a/Lib/test/test_site.py +++ b/Lib/test/test_site.py -@@ -267,8 +267,9 @@ class HelperFunctionsTests(unittest.Test +@@ -269,8 +269,9 @@ class HelperFunctionsTests(unittest.Test dirs = site.getsitepackages() if os.sep == '/': # OS X, Linux, FreeBSD, etc ++++++ raise_SIGING_not_handled.patch ++++++ --- /var/tmp/diff_new_pack.ykx4lW/_old 2019-06-18 14:43:07.777751341 +0200 +++ /var/tmp/diff_new_pack.ykx4lW/_new 2019-06-18 14:43:07.777751341 +0200 @@ -36,7 +36,7 @@ --- a/Doc/c-api/exceptions.rst +++ b/Doc/c-api/exceptions.rst -@@ -504,18 +504,26 @@ Signal Handling +@@ -508,18 +508,26 @@ Signal Handling cleared if it was previously set. @@ -110,7 +110,7 @@ from test import lock_tests from test import support -@@ -1164,6 +1165,7 @@ class BoundedSemaphoreTests(lock_tests.B +@@ -1165,6 +1166,7 @@ class BoundedSemaphoreTests(lock_tests.B class BarrierTests(lock_tests.BarrierTests): barriertype = staticmethod(threading.Barrier) @@ -118,7 +118,7 @@ class MiscTestCase(unittest.TestCase): def test__all__(self): extra = {"ThreadError"} -@@ -1171,5 +1173,43 @@ class MiscTestCase(unittest.TestCase): +@@ -1172,5 +1174,43 @@ class MiscTestCase(unittest.TestCase): support.check__all__(self, threading, ('threading', '_thread'), extra=extra, blacklist=blacklist) @@ -164,7 +164,7 @@ unittest.main() --- a/Misc/ACKS 
+++ b/Misc/ACKS -@@ -254,7 +254,7 @@ Donn Cave +@@ -255,7 +255,7 @@ Donn Cave Charles Cazabon Jesús Cea Avión Per Cederqvist
