Bug#983134: buster-pu: package python3.7/3.7.3-2+deb10u3

2021-03-18 Thread Moritz Mühlenhoff
On Sat, Mar 13, 2021 at 05:29:30PM + Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Fri, 2021-02-19 at 22:32 +0100, Moritz Muehlenhoff wrote:
> > +python3.7 (3.7.3-2+deb10u3) buster; urgency=medium
> > +
> > +  * CVE-2020-26116
> > +  * CVE-2021-3177
> > 
> 
> Please go ahead.

Uploaded.

Cheers,
Moritz



Bug#983134: buster-pu: package python3.7/3.7.3-2+deb10u3

2021-03-13 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Fri, 2021-02-19 at 22:32 +0100, Moritz Muehlenhoff wrote:
> +python3.7 (3.7.3-2+deb10u3) buster; urgency=medium
> +
> +  * CVE-2020-26116
> +  * CVE-2021-3177
> 

Please go ahead.

Regards,

Adam



Bug#983134: buster-pu: package python3.7/3.7.3-2+deb10u3

2021-02-19 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: d...@debian.org

The debdiff below fixes two security issues, which don't warrant a DSA on their own.

The update has been tested on a few Buster systems (and verified with the PoC).

Cheers,
Moritz

diff -Nru python3.7-3.7.3/debian/changelog python3.7-3.7.3/debian/changelog
--- python3.7-3.7.3/debian/changelog2020-07-25 15:00:39.0 +0200
+++ python3.7-3.7.3/debian/changelog2021-01-22 20:05:45.0 +0100
@@ -1,3 +1,10 @@
+python3.7 (3.7.3-2+deb10u3) buster; urgency=medium
+
+  * CVE-2020-26116
+  * CVE-2021-3177
+
+ -- Moritz Mühlenhoff   Fri, 22 Jan 2021 21:04:44 +0100
+
 python3.7 (3.7.3-2+deb10u2) buster; urgency=medium
 
   * CVE-2019-20907
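Review bot: the new changelog stanza lists only the identifiers (`  * CVE-2020-26116`, `  * CVE-2021-3177`) without saying what each fix does, so the changelog is not readable without opening the patch headers. The usual stable-update convention is a one-line summary per entry, e.g. `  * CVE-2020-26116: reject control characters in HTTP method names (http.client header injection)` and `  * CVE-2021-3177: replace snprintf with Python unicode formatting in ctypes param reprs`, both taken from the patch subjects below.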
diff -Nru python3.7-3.7.3/debian/patches/CVE-2020-26116.patch 
python3.7-3.7.3/debian/patches/CVE-2020-26116.patch
--- python3.7-3.7.3/debian/patches/CVE-2020-26116.patch 1970-01-01 
01:00:00.0 +0100
+++ python3.7-3.7.3/debian/patches/CVE-2020-26116.patch 2021-01-22 
15:32:43.0 +0100
@@ -0,0 +1,84 @@
+Fixes CVE-2020-26116:
+
+From ca75fec1ed358f7324272608ca952b2d8226d11a Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-isling...@users.noreply.github.com>
+Date: Sun, 19 Jul 2020 02:27:35 -0700
+Subject: [PATCH] bpo-39603: Prevent header injection in http methods
+ (GH-18485) (GH-21538)
+
+reject control chars in http method in http.client.putrequest to prevent http 
header injection
+(cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e)
+
+Co-authored-by: AMIR <31338382+amiremoham...@users.noreply.github.com>
+
+--- python3.7-3.7.3.orig/Lib/http/client.py
 python3.7-3.7.3/Lib/http/client.py
+@@ -150,6 +150,10 @@ _contains_disallowed_url_pchar_re = re.c
+ #  _is_allowed_url_pchars_re = 
re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
+ # We are more lenient for assumed real world compatibility purposes.
+ 
++# These characters are not allowed within HTTP method names
++# to prevent http header injection.
++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
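Review bot: `_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')` rejects only the C0 control range. That covers the CR and LF characters that would terminate the request line, which is the injection vector the commit message names, but not DEL (`\x7f`), space or non-ASCII, which are equally outside the RFC 7230 token grammar for a method name (those do not permit header injection, they only produce a malformed request line). This matches the deliberately lenient stance recorded in the comment just above (`# We are more lenient for assumed real world compatibility purposes.`), but the new comment should say so explicitly, e.g. `# Only control characters are rejected here; see the leniency note above`, so a later reader does not take this for a full token check. Nit: the pattern is a normal string, so `\x00` and `\x1f` are decoded by Python before `re` sees them; that works, but a raw string (`r'[\x00-\x1f]'`) would match the style of the `_is_allowed_url_pchars_re` line above.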
+@@ -1107,6 +,8 @@ class HTTPConnection:
+ else:
+ raise CannotSendRequest(self.__state)
+ 
++self._validate_method(method)
++
+ # Save the method we use, we need it later in the response phase
+ self._method = method
+ if not url:
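Review bot: the hunk header `+@@ -1107,6 +,8 @@` is missing the new-file start line, so the inner patch as shown here is malformed and would not apply cleanly with patch/quilt; please confirm whether this is a mailing-list extraction artefact or the actual content of debian/patches/CVE-2020-26116.patch. On the change itself, `self._validate_method(method)` is placed after the `raise CannotSendRequest(self.__state)` state check rather than before it; if the preceding branch has already moved the connection out of the idle state, a ValueError for a bad method leaves the HTTPConnection unable to send a further request until it is closed. Validating the method at the top of putrequest would avoid that, though keeping upstream's ordering is defensible for a stable update.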
+@@ -1197,6 +1203,16 @@ class HTTPConnection:
+ # For HTTP/1.0, the server will assume "not chunked"
+ pass
+ 
++def _validate_method(self, method):
++"""Validate a method name for putrequest."""
++# prevent http header injection
++match = _contains_disallowed_method_pchar_re.search(method)
++if match:
++raise ValueError(
++f"method can't contain control characters. {method!r} "
++f"(found at least {match.group()!r})")
++
++
+ def putheader(self, header, *values):
+ """Send a request header line to the server.
+ 
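Review bot: `_validate_method` reproduces the offending value via `{method!r}`, which is safe to log because repr() escapes control characters, and `{match.group()!r}` naming the first bad character is a helpful detail. Two style points: the docstring `"""Validate a method name for putrequest."""` could state what is rejected (control characters, to prevent header injection) instead of leaving that to the comment, and the two added `++` blank lines before `def putheader` give two blank lines between methods inside the class where PEP 8 wants one. The tests below reach this check through `conn.request(method=method, url="/")`, so the request() path is covered as well as direct putrequest callers.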
+--- python3.7-3.7.3.orig/Lib/test/test_httplib.py
 python3.7-3.7.3/Lib/test/test_httplib.py
+@@ -360,6 +360,28 @@ class HeaderTests(TestCase):
+ self.assertEqual(lines[2], "header: Second: val")
+ 
+ 
++class HttpMethodTests(TestCase):
++def test_invalid_method_names(self):
++methods = (
++'GET\r',
++'POST\n',
++'PUT\n\r',
++'POST\nValue',
++'POST\nHOST:abc',
++'GET\nrHost:abc\n',
++'POST\rRemainder:\r',
++'GET\rHOST:\n',
++'\nPUT'
++)
++
++for method in methods:
++with self.assertRaisesRegex(
++ValueError, "method can't contain control characters"):
++conn = client.HTTPConnection('example.com')
++conn.sock = FakeSocket(None)
++conn.request(method=method, url="/")
++
++
+ class TransferEncodingTest(TestCase):
+ expected_body = b"It's just a flesh wound"
+ 
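Review bot: every case in `test_invalid_method_names` contains `\r` or `\n`, so the test pins the injection vector but not the rest of the `[\x00-\x1f]` range the regex rejects; adding for example `'GET\x00'` and `'GET\t'` would document that this is a control-character check and not only a CR/LF check. A positive case, a plain `'GET'` with the same FakeSocket succeeding, would also guard against the pattern being over-broadened later. Minor: `conn = client.HTTPConnection('example.com')` and `conn.sock = FakeSocket(None)` sit inside the `assertRaisesRegex` block; moving them above the `with` leaves only the call under test inside it, so an unrelated failure in setup cannot be mistaken for the expected ValueError.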
diff -Nru python3.7-3.7.3/debian/patches/CVE-2021-3177.patch 
python3.7-3.7.3/debian/patches/CVE-2021-3177.patch
--- python3.7-3.7.3/debian/patches/CVE-2021-3177.patch  1970-01-01 
01:00:00.0 +0100
+++ python3.7-3.7.3/debian/patches/CVE-2021-3177.patch  2021-01-22 
15:33:44.0 +0100
@@ -0,0 +1,169 @@
+Fixes CVE-2021-3177:
+
+From d9b8f138b7df3b455b54653ca59f491b4840d6fa Mon Sep 17 00:00:00 2001
+From: Benjamin Peterson 
+Date: Mon, 18 Jan 2021 15:24:02 -0600
+Subject: [PATCH] [3.7] closes bpo-42938: Replace snprintf with Python unicode
+ formatting in ctypes param reprs. (GH-24249)
+
+(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7)
+
+Co-authored-by: Benjamin Peterson 
+
+---
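Review bot: the debdiff as quoted here stops at `+---` right after the commit message, although the hunk header `@@ -0,0 +1,169 @@` announces 169 added lines; the actual code change to the ctypes param reprs that the subject describes (replacing snprintf with Python unicode formatting) is not visible, so the CVE-2021-3177 part of the upload cannot be reviewed from this message. If the truncation is in the list archive rather than the upload, please make sure the full patch is in debian/patches; either way the changelog entry should name what was changed so the fix can be checked against the subject line.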