Hello community, here is the log from the commit of package python for openSUSE:Factory checked in at 2019-06-24 21:44:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python (Old) and /work/SRC/openSUSE:Factory/.python.new.4615 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python" Mon Jun 24 21:44:43 2019 rev:138 rq:706252 version:2.7.16 Changes: -------- --- /work/SRC/openSUSE:Factory/python/python-base.changes 2019-04-14 12:21:24.491688153 +0200 +++ /work/SRC/openSUSE:Factory/.python.new.4615/python-base.changes 2019-06-24 21:44:46.923718456 +0200 @@ -1,0 +2,15 @@ +Wed May 29 08:58:16 UTC 2019 - Martin Liška <[email protected]> + +- Set _lto_cflags to nil as it will prevent to propage LTO + for Python modules that are built in a separate package. + +------------------------------------------------------------------- +Thu May 2 08:40:33 CEST 2019 - Matej Cepl <[email protected]> + +- bsc#1130840 (CVE-2019-9947): add CVE-2019-9947-no-ctrl-char-http.patch + Address the issue by disallowing URL paths with embedded + whitespace or control characters through into the underlying + http client request. Such potentially malicious header + injection URLs now cause a ValueError to be raised. + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/python/python.changes 2018-12-10 12:21:28.874937406 +0100 +++ /work/SRC/openSUSE:Factory/.python.new.4615/python.changes 2019-06-24 21:44:47.191718606 +0200 @@ -1,0 +2,6 @@ +Wed May 29 08:58:16 UTC 2019 - Martin Liška <[email protected]> + +- Set _lto_cflags to nil as it will prevent to propage LTO + for Python modules that are built in a separate package. + +------------------------------------------------------------------- New: ---- CVE-2019-9947-no-ctrl-char-http.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-base.spec ++++++ --- /var/tmp/diff_new_pack.GSs6IL/_old 2019-06-24 21:44:51.583721072 +0200 +++ /var/tmp/diff_new_pack.GSs6IL/_new 2019-06-24 21:44:51.615721090 +0200 @@ -78,6 +78,9 @@ # PATCH-FIX-UPSTREAM CVE-2019-9948-avoid_local-file.patch bsc#1130847 [email protected] # removing unnecessary (and potentially harmful) URL scheme local-file:// Patch52: CVE-2019-9948-avoid_local-file.patch +# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 [email protected] +# bpo#30458: Disallow control chars in http URLs. +Patch53: CVE-2019-9947-no-ctrl-char-http.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -191,12 +194,14 @@ %patch50 -p1 %patch51 -p1 %patch52 -p1 +%patch53 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac # COMMON-PREP-END %build +%define _lto_cflags %{nil} export OPT="%{optflags} -DOPENSSL_LOAD_CONF -fwrapv" autoreconf -f -i . # Modules/_ctypes/libffi ++++++ python-doc.spec ++++++ --- /var/tmp/diff_new_pack.GSs6IL/_old 2019-06-24 21:44:51.951721279 +0200 +++ /var/tmp/diff_new_pack.GSs6IL/_new 2019-06-24 21:44:51.975721292 +0200 @@ -78,6 +78,9 @@ # PATCH-FIX-UPSTREAM CVE-2019-9948-avoid_local-file.patch bsc#1130847 [email protected] # removing unnecessary (and potentially harmful) URL scheme local-file:// Patch52: CVE-2019-9948-avoid_local-file.patch +# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 [email protected] +# bpo#30458: Disallow control chars in http URLs. +Patch53: CVE-2019-9947-no-ctrl-char-http.patch # COMMON-PATCH-END Provides: pyth_doc Provides: pyth_ps @@ -137,6 +140,7 @@ %patch50 -p1 %patch51 -p1 %patch52 -p1 +%patch53 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ python.spec ++++++ --- /var/tmp/diff_new_pack.GSs6IL/_old 2019-06-24 21:44:52.335721494 +0200 +++ /var/tmp/diff_new_pack.GSs6IL/_new 2019-06-24 21:44:52.355721505 +0200 @@ -83,6 +83,9 @@ # PATCH-FIX-UPSTREAM CVE-2019-9948-avoid_local-file.patch bsc#1130847 [email protected] # removing unnecessary (and potentially harmful) URL scheme local-file:// Patch52: CVE-2019-9948-avoid_local-file.patch +# PATCH-FIX-UPSTREAM CVE-2019-9947-no-ctrl-char-http.patch bsc#1130840 [email protected] +# bpo#30458: Disallow control chars in http URLs. +Patch53: CVE-2019-9947-no-ctrl-char-http.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -243,6 +246,7 @@ %patch50 -p1 %patch51 -p1 %patch52 -p1 +%patch53 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac @@ -253,6 +257,7 @@ %endif %build +%define _lto_cflags %{nil} export OPT="%{optflags} -DOPENSSL_LOAD_CONF -fwrapv" autoreconf -f -i . # Modules/_ctypes/libffi ++++++ CVE-2019-9947-no-ctrl-char-http.patch ++++++ --- a/Lib/httplib.py +++ b/Lib/httplib.py @@ -247,6 +247,15 @@ _MAXHEADERS = 100 _is_legal_header_name = re.compile(r'\A[^:\s][^:\r\n]*\Z').match _is_illegal_header_value = re.compile(r'\n(?![ \t])|\r(?![ \t\n])').search +# These characters are not allowed within http URL paths. +# https://tools.ietf.org/html/rfc3986#section-3.3 +# in order to prevent CVE-2019-9740. +# We don't restrict chars above \x7f as putrequest() limits us to ASCII. +_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]') +# Arguably only these _should_ allowed: +# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$") +# We are more lenient for assumed real world compatibility purposes. + # We always set the Content-Length header for these methods because some # servers will otherwise respond with a 411 _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} @@ -927,6 +936,9 @@ class HTTPConnection: self._method = method if not url: url = '/' + # Prevent CVE-2019-9740. + if _contains_disallowed_url_pchar_re.search(url): + raise InvalidURL("URL can't contain control characters. {0!r}".format(url)) hdr = '%s %s %s' % (method, url, self._http_vsn_str) self._output(hdr) --- a/Lib/test/test_urllib.py +++ b/Lib/test/test_urllib.py @@ -2,6 +2,7 @@ import collections import urllib +import urllib2 import httplib import io import unittest @@ -13,6 +14,11 @@ import tempfile from test import test_support from base64 import b64encode +try: + import ssl +except ImportError: + ssl = None + def hexescape(char): """Escape char as RFC 2396 specifies""" @@ -364,6 +370,31 @@ Connection: close finally: self.unfakehttp() + def test_url_with_newline_header_injection_rejected(self): + self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.") + host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123" + schemeless_url = "//" + host + ":8080/test/?test=a" + try: + # We explicitly test urllib.request.urlopen() instead of the top + # level 'def urlopen()' function defined in this... (quite ugly) + # test suite. they use different url opening codepaths. plain + # urlopen uses FancyURLOpener which goes via a codepath that + # calls urllib.parse.quote() on the URL which makes all of the + # above attempts at injection within the url _path_ safe. + with self.assertRaisesRegexp(httplib.InvalidURL, + r"contain control.*\\r"): + urllib2.urlopen("http:{0}".format(schemeless_url)) + if ssl is not None: + with self.assertRaisesRegexp(httplib.InvalidURL, + r"contain control.*\\n"): + urllib2.urlopen("https:{0}".format(schemeless_url)) + # This code path quotes the URL so there is no injection. + resp = urllib.urlopen("http:{0}".format(schemeless_url)) + self.assertNotIn(' ', resp.geturl()) + self.assertNotIn('\r', resp.geturl()) + self.assertNotIn('\n', resp.geturl()) + finally: + self.unfakehttp() class urlretrieve_FileTests(unittest.TestCase): """Test urllib.urlretrieve() on local files""" --- a/Lib/test/test_xmlrpc.py +++ b/Lib/test/test_xmlrpc.py @@ -1,4 +1,5 @@ import base64 +import contextlib import datetime import sys import time @@ -658,9 +659,14 @@ class SimpleServerTestCase(BaseServerTes def test_partial_post(self): # Check that a partial POST doesn't make the server loop: issue #14001. - conn = httplib.HTTPConnection(ADDR, PORT) - conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye') - conn.close() + with contextlib.closing(socket.create_connection((ADDR, PORT))) as conn: + conn.send(('POST /RPC2 HTTP/1.0\r\n' + + 'Content-Length: 100\r\n\r\n' + + 'bye HTTP/1.1\r\n' + + 'Host: {0}:{1}\r\n'.format(ADDR, PORT) + + 'Accept-Encoding: identity\r\n' + + 'Content-Length: 0\r\n\r\n').encode('ascii')) + class SimpleServerEncodingTestCase(BaseServerTestCase): @staticmethod
