Hello community, here is the log from the commit of package python for openSUSE:Factory checked in at 2020-02-15 22:23:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python (Old) and /work/SRC/openSUSE:Factory/.python.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python" Sat Feb 15 22:23:53 2020 rev:149 rq:772516 version:2.7.17 Changes: -------- --- /work/SRC/openSUSE:Factory/python/python-base.changes 2020-02-06 13:18:52.128661751 +0100 +++ /work/SRC/openSUSE:Factory/.python.new.26092/python-base.changes 2020-02-15 22:24:01.319264363 +0100 @@ -1,0 +2,21 @@ +Sat Feb 8 23:29:28 CET 2020 - Matej Cepl <[email protected]> + +- Add CVE-2019-9674-zip-bomb.patch to improve documentation + warning about dangers of zip-bombs and other security problems + with zipfile library. (bsc#1162825 CVE-2019-9674) + +------------------------------------------------------------------- +Sat Feb 8 22:30:51 CET 2020 - Matej Cepl <[email protected]> + +- Change to Requires: libpython%{so_version} == %{version}-%{release} + to python-base to keep both packages always synchronized (add + %{so_version}) (bsc#1162224). + +------------------------------------------------------------------- +Thu Feb 6 23:14:47 CET 2020 - Matej Cepl <[email protected]> + +- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug + "Python urrlib allowed an HTTP server to conduct Regular + Expression Denial of Service (ReDoS)" (bsc#1162367) + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/python/python-doc.changes 2020-02-06 13:18:52.896662128 +0100 +++ /work/SRC/openSUSE:Factory/.python.new.26092/python-doc.changes 2020-02-15 22:24:01.371264391 +0100 @@ -1,0 +2,14 @@ +Sat Feb 8 22:30:51 CET 2020 - Matej Cepl <[email protected]> + +- Change to Requires: libpython%{so_version} == %{version}-%{release} + to python-base to keep both packages always synchronized (add + %{so_version}) (bsc#1162224). + +------------------------------------------------------------------- +Thu Feb 6 23:14:47 CET 2020 - Matej Cepl <[email protected]> + +- Add CVE-2020-8492-urllib-ReDoS.patch fixing the security bug + "Python urrlib allowed an HTTP server to conduct Regular + Expression Denial of Service (ReDoS)" (bsc#1162367) + +------------------------------------------------------------------- python.changes: same change New: ---- CVE-2019-9674-zip-bomb.patch CVE-2020-8492-urllib-ReDoS.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-base.spec ++++++ --- /var/tmp/diff_new_pack.PQlltO/_old 2020-02-15 22:24:02.495264998 +0100 +++ /var/tmp/diff_new_pack.PQlltO/_new 2020-02-15 22:24:02.495264998 +0100 @@ -16,6 +16,8 @@ # +%define so_version 2_7-1_0 + Name: python-base Version: 2.7.17 Release: 0 @@ -85,6 +87,13 @@ Patch56: adapted-from-F00251-change-user-install-location.patch # Switch couple of tests failing on acient SLE-12 Patch57: python-2.7.17-switch-off-failing-SSL-tests.patch +# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 [email protected] +# Fixes Python urrlib allowed an HTTP server to conduct Regular +# Expression Denial of Service (ReDoS) +Patch58: CVE-2020-8492-urllib-ReDoS.patch +# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 [email protected] +# Improve documentation warning against the possible zip bombs +Patch59: CVE-2019-9674-zip-bomb.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -101,7 +110,7 @@ BuildRequires: netcfg Requires: python-rpm-macros # explicitly, see bnc#697251: -Requires: libpython2_7-1_0 = %{version} +Requires: libpython%{so_version} = %{version}-%{release} Provides: %{name} = %{python_version} # bug437293 %ifarch ppc64 @@ -157,7 +166,7 @@ The expat module is a Python interface to the expat XML parser. Since Python2.x, it is part of the core Python distribution. -%package -n libpython2_7-1_0 +%package -n libpython%{so_version} Summary: Python Interpreter shared library Group: Development/Languages/Python @@ -208,6 +217,8 @@ %patch51 -p1 %patch55 -p1 %patch56 -p1 +%patch58 -p1 +%patch59 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ python-doc.spec ++++++ --- /var/tmp/diff_new_pack.PQlltO/_old 2020-02-15 22:24:02.515265009 +0100 +++ /var/tmp/diff_new_pack.PQlltO/_new 2020-02-15 22:24:02.515265009 +0100 @@ -85,6 +85,13 @@ Patch56: adapted-from-F00251-change-user-install-location.patch # Switch couple of tests failing on acient SLE-12 Patch57: python-2.7.17-switch-off-failing-SSL-tests.patch +# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 [email protected] +# Fixes Python urrlib allowed an HTTP server to conduct Regular +# Expression Denial of Service (ReDoS) +Patch58: CVE-2020-8492-urllib-ReDoS.patch +# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 [email protected] +# Improve documentation warning against the possible zip bombs +Patch59: CVE-2019-9674-zip-bomb.patch # COMMON-PATCH-END Provides: pyth_doc Provides: pyth_ps @@ -149,6 +156,8 @@ %patch51 -p1 %patch55 -p1 %patch56 -p1 +%patch58 -p1 +%patch59 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ python.spec ++++++ --- /var/tmp/diff_new_pack.PQlltO/_old 2020-02-15 22:24:02.531265018 +0100 +++ /var/tmp/diff_new_pack.PQlltO/_new 2020-02-15 22:24:02.535265020 +0100 @@ -89,6 +89,13 @@ Patch56: adapted-from-F00251-change-user-install-location.patch # Switch couple of tests failing on acient SLE-12 Patch57: python-2.7.17-switch-off-failing-SSL-tests.patch +# PATCH-FIX-UPSTREAM CVE-2020-8492-urllib-ReDoS.patch bsc#1162367 [email protected] +# Fixes Python urrlib allowed an HTTP server to conduct Regular +# Expression Denial of Service (ReDoS) +Patch58: CVE-2020-8492-urllib-ReDoS.patch +# PATCH-FIX-UPSTREAM CVE-2019-9674-zip-bomb.patch bsc#1162825 [email protected] +# Improve documentation warning against the possible zip bombs +Patch59: CVE-2019-9674-zip-bomb.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -267,6 +274,8 @@ %patch51 -p1 %patch55 -p1 %patch56 -p1 +%patch58 -p1 +%patch59 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ CVE-2019-9674-zip-bomb.patch ++++++ >From b73fe12d4d85fc92e4b9658e417046b68fb68ecc Mon Sep 17 00:00:00 2001 From: nick sung <[email protected]> Date: Fri, 17 May 2019 15:45:31 +0800 Subject: [PATCH 1/4] bpo-36260: Add pitfalls to zipfile module documentation We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file. This gave us the idea of documentation improvement. So, we moved a little bit forward :P And the doc patch can be found (pr). --- Doc/library/zipfile.rst | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) --- a/Doc/library/zipfile.rst +++ b/Doc/library/zipfile.rst @@ -553,5 +553,47 @@ Command-line options Test whether the zipfile is valid or not. +Decompression pitfalls +---------------------- +The extraction in zipfile module might fail due to some pitfalls +listed below. + +From file itself +~~~~~~~~~~~~~~~~ + +Decompression may fail due to incorrect password / CRC checksum +/ ZIP format or unsupported compression method / decryption. + +File System limitations +~~~~~~~~~~~~~~~~~~~~~~~ + +Exceeding limitations on different file systems can cause +decompression failed. Such as allowable characters in the +directory entries, length of the file name, length of the +pathname, size of a single file, and number of files, etc. + +Resources limitations +~~~~~~~~~~~~~~~~~~~~~ + +The lack of memory or disk volume would lead to decompression +failed. For example, decompression bombs (aka `ZIP bomb`_) apply +to zipfile library that can cause disk volume exhaustion. + +Interruption +~~~~~~~~~~~~ + +Interruption during the decompression, such as pressing control-C +or killing the decompression process may result in incomplete +decompression of the archive. + +Default behaviors of extraction +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Not knowing the default extraction behaviors can cause unexpected +decompression results. For example, when extracting the same +archive twice, it overwrites files without asking. + + +.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT --- /dev/null +++ b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst @@ -0,0 +1 @@ +Add decompression pitfalls to zipfile module documentation. \ No newline at end of file ++++++ CVE-2020-8492-urllib-ReDoS.patch ++++++ >From 34e25a97709a05f7c804036dd1e16afda6bdfa33 Mon Sep 17 00:00:00 2001 From: Victor Stinner <[email protected]> Date: Thu, 30 Jan 2020 16:13:03 +0100 Subject: [PATCH 1/2] bpo-39503: Fix urllib basic auth regex The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager. --- Lib/urllib2.py | 2 +- Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst --- /dev/null +++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst @@ -0,0 +1,4 @@ +CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the +:mod:`urllib.request` module uses an inefficient regular expression which can +be exploited by an attacker to cause a denial of service. Fix the regex to +prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager. --- a/Lib/urllib2.py +++ b/Lib/urllib2.py @@ -856,7 +856,7 @@ class AbstractBasicAuthHandler: # allow for double- and single-quoted realm values # (single quotes are a violation of the RFC, but appear in the wild) - rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+' + rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+' 'realm=(["\']?)([^"\']*)\\2', re.I) # XXX could pre-emptively send auth info already accepted (RFC 2617,
