Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: d...@debian.org
debdiff below fixes two security issues, which don't warrant a DSA by themselves.
Update has been tested on a few Buster systems (and verified with the PoC).
Cheers,
Moritz
diff -Nru python3.7-3.7.3/debian/changelog python3.7-3.7.3/debian/changelog
--- python3.7-3.7.3/debian/changelog2020-07-25 15:00:39.0 +0200
+++ python3.7-3.7.3/debian/changelog2021-01-22 20:05:45.0 +0100
@@ -1,3 +1,10 @@
+python3.7 (3.7.3-2+deb10u3) buster; urgency=medium
+
+ * CVE-2020-26116
+ * CVE-2021-3177
+
+ -- Moritz Mühlenhoff Fri, 22 Jan 2021 21:04:44 +0100
+
python3.7 (3.7.3-2+deb10u2) buster; urgency=medium
* CVE-2019-20907
diff -Nru python3.7-3.7.3/debian/patches/CVE-2020-26116.patch
python3.7-3.7.3/debian/patches/CVE-2020-26116.patch
--- python3.7-3.7.3/debian/patches/CVE-2020-26116.patch 1970-01-01
01:00:00.0 +0100
+++ python3.7-3.7.3/debian/patches/CVE-2020-26116.patch 2021-01-22
15:32:43.0 +0100
@@ -0,0 +1,84 @@
+Fixes CVE-2020-26116:
+
+From ca75fec1ed358f7324272608ca952b2d8226d11a Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-isling...@users.noreply.github.com>
+Date: Sun, 19 Jul 2020 02:27:35 -0700
+Subject: [PATCH] bpo-39603: Prevent header injection in http methods
+ (GH-18485) (GH-21538)
+
+reject control chars in http method in http.client.putrequest to prevent http
header injection
+(cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e)
+
+Co-authored-by: AMIR <31338382+amiremoham...@users.noreply.github.com>
+
+--- python3.7-3.7.3.orig/Lib/http/client.py
python3.7-3.7.3/Lib/http/client.py
+@@ -150,6 +150,10 @@ _contains_disallowed_url_pchar_re = re.c
+ # _is_allowed_url_pchars_re =
re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
+ # We are more lenient for assumed real world compatibility purposes.
+
++# These characters are not allowed within HTTP method names
++# to prevent http header injection.
++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+@@ -1107,6 +,8 @@ class HTTPConnection:
+ else:
+ raise CannotSendRequest(self.__state)
+
++self._validate_method(method)
++
+ # Save the method we use, we need it later in the response phase
+ self._method = method
+ if not url:
+@@ -1197,6 +1203,16 @@ class HTTPConnection:
+ # For HTTP/1.0, the server will assume "not chunked"
+ pass
+
++def _validate_method(self, method):
++"""Validate a method name for putrequest."""
++# prevent http header injection
++match = _contains_disallowed_method_pchar_re.search(method)
++if match:
++raise ValueError(
++f"method can't contain control characters. {method!r} "
++f"(found at least {match.group()!r})")
++
++
+ def putheader(self, header, *values):
+ """Send a request header line to the server.
+
+--- python3.7-3.7.3.orig/Lib/test/test_httplib.py
python3.7-3.7.3/Lib/test/test_httplib.py
+@@ -360,6 +360,28 @@ class HeaderTests(TestCase):
+ self.assertEqual(lines[2], "header: Second: val")
+
+
++class HttpMethodTests(TestCase):
++def test_invalid_method_names(self):
++methods = (
++'GET\r',
++'POST\n',
++'PUT\n\r',
++'POST\nValue',
++'POST\nHOST:abc',
++'GET\nrHost:abc\n',
++'POST\rRemainder:\r',
++'GET\rHOST:\n',
++'\nPUT'
++)
++
++for method in methods:
++with self.assertRaisesRegex(
++ValueError, "method can't contain control characters"):
++conn = client.HTTPConnection('example.com')
++conn.sock = FakeSocket(None)
++conn.request(method=method, url="/")
++
++
+ class TransferEncodingTest(TestCase):
+ expected_body = b"It's just a flesh wound"
+
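Review bot: `_contains_disallowed_method_pchar_re` in the http/client.py hunk rejects only the C0 range `[\x00-\x1f]`, so DEL (0x7f) and non-ASCII characters in `method` pass `_validate_method` and are presumably left to the ASCII encoding of the request line outside this hunk to reject; if that split is intended, a comment on the compiled pattern such as `# Only C0 control characters are rejected here; non-ASCII is caught when the request line is ASCII-encoded (confirm in _encode_request).` would make the contract explicit for the next backport. Separately, the embedded hunk header `@@ -1107,6 +,8 @@` has lost its new-side start line and the added Python lines have lost their indentation, which looks like mail wrapping rather than the shipped file, but it is worth confirming that the CVE-2020-26116.patch in the upload applies cleanly with quilt before the build. The `HttpMethodTests` case exercises only rejected method names; the accepted path is covered by the existing HeaderTests, so no positive case is needed here.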
diff -Nru python3.7-3.7.3/debian/patches/CVE-2021-3177.patch
python3.7-3.7.3/debian/patches/CVE-2021-3177.patch
--- python3.7-3.7.3/debian/patches/CVE-2021-3177.patch 1970-01-01
01:00:00.0 +0100
+++ python3.7-3.7.3/debian/patches/CVE-2021-3177.patch 2021-01-22
15:33:44.0 +0100
@@ -0,0 +1,169 @@
+Fixes CVE-2021-3177:
+
+From d9b8f138b7df3b455b54653ca59f491b4840d6fa Mon Sep 17 00:00:00 2001
+From: Benjamin Peterson
+Date: Mon, 18 Jan 2021 15:24:02 -0600
+Subject: [PATCH] [3.7] closes bpo-42938: Replace snprintf with Python unicode
+ formatting in ctypes param reprs. (GH-24249)
+
+(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7)
+
+Co-authored-by: Benjamin Peterson
+
+---