Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock packages pypy & pypy3: pypy (7.3.3+dfsg-2) unstable; urgency=medium . * Move pypy dependencies to Pre-Depends, as the pypy binary is used in package maintainer scripts. (Closes: #987213) pypy3 (7.3.3+dfsg-4) unstable; urgency=medium . * Move pypy3 dependencies to Pre-Depends, as the pypy3 binary is used in package maintainer scripts. (Closes: #987908) * Remove pydoc getfile feature. (CVE-2021-3426) * security: Restrict ftplib PASV hosts (no CVE assigned). [ Reason ] Promoting pypy dependencies from Depends to Pre-Depends, so that reverse-dependencies maintainer script execution is delayed until pypy's dependencies are in in place. (See: #987213) pypy3 (not a key package) gets the same patch, and a couple of security updates from upstream hg. [ Impact ] Upgrades of pypy libraries from buster to bullseye may fail, without this patch. [ Tests ] autopkgtests verify the broad functionality of the language. piuparts testing will be the best way to see that upgrading is now reliable. [ Risks ] Increasing Pre-Depends isn't ideal, and some of these libraries aren't needed for pypycompile/pypy3compile to run. But manually splitting the Pre-Depends and Depends risks more complexity and mistakes in the future. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [ ] attach debdiff against the package in testing unblock pypy/7.3.3+dfsg-2 unblock pypy3/7.3.3+dfsg-4 SR
diff -Nru pypy3-7.3.3+dfsg/debian/changelog pypy3-7.3.3+dfsg/debian/changelog --- pypy3-7.3.3+dfsg/debian/changelog 2021-02-25 14:55:51.000000000 -0400 +++ pypy3-7.3.3+dfsg/debian/changelog 2021-05-02 12:34:45.000000000 -0400 @@ -1,3 +1,12 @@ +pypy3 (7.3.3+dfsg-4) unstable; urgency=medium + + * Move pypy3 dependencies to Pre-Depends, as the pypy3 binary is used in + package maintainer scripts. (Closes: #987908) + * Remove pydoc getfile feature. (CVE-2021-3426) + * security: Restrict ftplib PASV hosts (no CVE assigned). + + -- Stefano Rivera <stefa...@debian.org> Sun, 02 May 2021 12:34:45 -0400 + pypy3 (7.3.3+dfsg-3) unstable; urgency=medium * Patch: CVE-2021-23336: Only use '&' as a query string separator. diff -Nru pypy3-7.3.3+dfsg/debian/control pypy3-7.3.3+dfsg/debian/control --- pypy3-7.3.3+dfsg/debian/control 2021-02-25 14:55:51.000000000 -0400 +++ pypy3-7.3.3+dfsg/debian/control 2021-05-02 12:34:45.000000000 -0400 @@ -36,11 +36,15 @@ Package: pypy3 Architecture: any -Depends: pypy3-lib (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends} +Depends: ${misc:Depends} Breaks: pypy3-dev (<< ${source:Version}) Provides: ${pypy3-abi} Suggests: pypy3-doc, pypy3-tk (= ${binary:Version}) -Pre-Depends: dpkg (>= 1.15.6~), ${misc:Pre-Depends} +Pre-Depends: + dpkg (>= 1.15.6~), + pypy3-lib (= ${binary:Version}), + ${misc:Pre-Depends}, + ${shlibs:Pre-Depends} Description: fast alternative implementation of Python 3.x - PyPy interpreter PyPy is a fast, compliant alternative implementation of the Python language (3.x). It has several advantages and distinct features: diff -Nru pypy3-7.3.3+dfsg/debian/patches/cve-2021-3426 pypy3-7.3.3+dfsg/debian/patches/cve-2021-3426 --- pypy3-7.3.3+dfsg/debian/patches/cve-2021-3426 1969-12-31 20:00:00.000000000 -0400 +++ pypy3-7.3.3+dfsg/debian/patches/cve-2021-3426 2021-05-02 12:34:45.000000000 -0400 @@ -0,0 +1,77 @@ +From: Matti Picus <matti.pi...@gmail.com> +Date: Sun, 2 May 2021 10:57:58 -0400 +Subject: Stdlib: Remove the pydoc getfile feature (bpo 42988) (CVE-2021-3426) + +Bug-cPython: https://bugs.python.org/issue42988 +Origin: upstream, https://foss.heptapod.net/pypy/pypy/-/commit/f66a96388f8a0ba125005d5d524a31dfd3878a18 +--- + lib-python/3/pydoc.py | 18 ------------------ + lib-python/3/test/test_pydoc.py | 6 ------ + 2 files changed, 24 deletions(-) + +diff --git a/lib-python/3/pydoc.py b/lib-python/3/pydoc.py +index b521a55..5247ef9 100644 +--- a/lib-python/3/pydoc.py ++++ b/lib-python/3/pydoc.py +@@ -2312,9 +2312,6 @@ def _url_handler(url, content_type="text/html"): + %s</head><body bgcolor="#f0f0f8">%s<div style="clear:both;padding-top:.5em;">%s</div> + </body></html>''' % (title, css_link, html_navbar(), contents) + +- def filelink(self, url, path): +- return '<a href="getfile?key=%s">%s</a>' % (url, path) +- + + html = _HTMLDoc() + +@@ -2400,19 +2397,6 @@ def _url_handler(url, content_type="text/html"): + 'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results)) + return 'Search Results', contents + +- def html_getfile(path): +- """Get and display a source file listing safely.""" +- path = urllib.parse.unquote(path) +- with tokenize.open(path) as fp: +- lines = html.escape(fp.read()) +- body = '<pre>%s</pre>' % lines +- heading = html.heading( +- '<big><big><strong>File Listing</strong></big></big>', +- '#ffffff', '#7799ee') +- contents = heading + html.bigsection( +- 'File: %s' % path, '#ffffff', '#ee77aa', body) +- return 'getfile %s' % path, contents +- + def html_topics(): + """Index of topic texts available.""" + +@@ -2504,8 +2488,6 @@ def _url_handler(url, content_type="text/html"): + op, _, url = url.partition('=') + if op == "search?key": + title, content = html_search(url) +- elif op == "getfile?key": +- title, content = html_getfile(url) + elif op == "topic?key": + # try topics first, then objects. + try: +diff --git a/lib-python/3/test/test_pydoc.py b/lib-python/3/test/test_pydoc.py +index ff903d6..2d18217 100644 +--- a/lib-python/3/test/test_pydoc.py ++++ b/lib-python/3/test/test_pydoc.py +@@ -1070,18 +1070,12 @@ class PydocUrlHandlerTest(PydocBaseTest): + ("topic?key=def", "Pydoc: KEYWORD def"), + ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"), + ("foobar", "Pydoc: Error - foobar"), +- ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"), + ] + + with self.restrict_walk_packages(): + for url, title in requests: + self.call_url_handler(url, title) + +- path = string.__file__ +- title = "Pydoc: getfile " + path +- url = "getfile?key=" + path +- self.call_url_handler(url, title) +- + + class TestHelper(unittest.TestCase): + def test_keywords(self): diff -Nru pypy3-7.3.3+dfsg/debian/patches/distutils-install-layout pypy3-7.3.3+dfsg/debian/patches/distutils-install-layout --- pypy3-7.3.3+dfsg/debian/patches/distutils-install-layout 2021-02-25 14:55:51.000000000 -0400 +++ pypy3-7.3.3+dfsg/debian/patches/distutils-install-layout 2021-05-02 12:34:45.000000000 -0400 @@ -190,7 +190,7 @@ _config_vars = None diff --git a/lib-python/3/pydoc.py b/lib-python/3/pydoc.py -index b521a55..d528ffa 100644 +index 5247ef9..2ec5b96 100644 --- a/lib-python/3/pydoc.py +++ b/lib-python/3/pydoc.py @@ -413,6 +413,7 @@ class Doc: diff -Nru pypy3-7.3.3+dfsg/debian/patches/ftplib-restrict-pasv pypy3-7.3.3+dfsg/debian/patches/ftplib-restrict-pasv --- pypy3-7.3.3+dfsg/debian/patches/ftplib-restrict-pasv 1969-12-31 20:00:00.000000000 -0400 +++ pypy3-7.3.3+dfsg/debian/patches/ftplib-restrict-pasv 2021-05-02 12:34:45.000000000 -0400 @@ -0,0 +1,91 @@ +From: Matti Picus <matti.pi...@gmail.com> +Date: Sun, 2 May 2021 11:01:59 -0400 +Subject: Stdlib: make ftplib not trust the PASV response (bpo 43285) + +Bug-cPython: https://bugs.python.org/issue43285 +Orgin: upstream, https://foss.heptapod.net/pypy/pypy/-/commit/2a9ed841f7acf38718bafe61e571b1b9a2d8b353 +--- + lib-python/3/ftplib.py | 9 ++++++++- + lib-python/3/test/test_ftplib.py | 27 ++++++++++++++++++++++++++- + 2 files changed, 34 insertions(+), 2 deletions(-) + +diff --git a/lib-python/3/ftplib.py b/lib-python/3/ftplib.py +index 2ff251a..385e432 100644 +--- a/lib-python/3/ftplib.py ++++ b/lib-python/3/ftplib.py +@@ -104,6 +104,8 @@ class FTP: + welcome = None + passiveserver = 1 + encoding = "latin-1" ++ # Disables https://bugs.python.org/issue43285 security if set to True. ++ trust_server_pasv_ipv4_address = False + + # Initialization method (called by class instantiation). + # Initialize host to localhost, port to standard ftp port +@@ -333,8 +335,13 @@ class FTP: + return sock + + def makepasv(self): ++ """Internal: Does the PASV or EPSV handshake -> (address, port)""" + if self.af == socket.AF_INET: +- host, port = parse227(self.sendcmd('PASV')) ++ untrusted_host, port = parse227(self.sendcmd('PASV')) ++ if self.trust_server_pasv_ipv4_address: ++ host = untrusted_host ++ else: ++ host = self.sock.getpeername()[0] + else: + host, port = parse229(self.sendcmd('EPSV'), self.sock.getpeername()) + return host, port +diff --git a/lib-python/3/test/test_ftplib.py b/lib-python/3/test/test_ftplib.py +index 4ff2f71..3ca7cc1 100644 +--- a/lib-python/3/test/test_ftplib.py ++++ b/lib-python/3/test/test_ftplib.py +@@ -94,6 +94,10 @@ class DummyFTPHandler(asynchat.async_chat): + self.rest = None + self.next_retr_data = RETR_DATA + self.push('220 welcome') ++ # We use this as the string IPv4 address to direct the client ++ # to in response to a PASV command. To test security behavior. ++ # https://bugs.python.org/issue43285/. ++ self.fake_pasv_server_ip = '252.253.254.255' + + def collect_incoming_data(self, data): + self.in_buffer.append(data) +@@ -136,7 +140,8 @@ class DummyFTPHandler(asynchat.async_chat): + sock.bind((self.socket.getsockname()[0], 0)) + sock.listen() + sock.settimeout(TIMEOUT) +- ip, port = sock.getsockname()[:2] ++ port = sock.getsockname()[1] ++ ip = self.fake_pasv_server_ip + ip = ip.replace('.', ','); p1 = port / 256; p2 = port % 256 + self.push('227 entering passive mode (%s,%d,%d)' %(ip, p1, p2)) + conn, addr = sock.accept() +@@ -694,6 +699,26 @@ class TestFTPClass(TestCase): + # IPv4 is in use, just make sure send_epsv has not been used + self.assertEqual(self.server.handler_instance.last_received_cmd, 'pasv') + ++ def test_makepasv_issue43285_security_disabled(self): ++ """Test the opt-in to the old vulnerable behavior.""" ++ self.client.trust_server_pasv_ipv4_address = True ++ bad_host, port = self.client.makepasv() ++ self.assertEqual( ++ bad_host, self.server.handler_instance.fake_pasv_server_ip) ++ # Opening and closing a connection keeps the dummy server happy ++ # instead of timing out on accept. ++ socket.create_connection((self.client.sock.getpeername()[0], port), ++ timeout=TIMEOUT).close() ++ ++ def test_makepasv_issue43285_security_enabled_default(self): ++ self.assertFalse(self.client.trust_server_pasv_ipv4_address) ++ trusted_host, port = self.client.makepasv() ++ self.assertNotEqual( ++ trusted_host, self.server.handler_instance.fake_pasv_server_ip) ++ # Opening and closing a connection keeps the dummy server happy ++ # instead of timing out on accept. ++ socket.create_connection((trusted_host, port), timeout=TIMEOUT).close() ++ + def test_with_statement(self): + self.client.quit() + diff -Nru pypy3-7.3.3+dfsg/debian/patches/series pypy3-7.3.3+dfsg/debian/patches/series --- pypy3-7.3.3+dfsg/debian/patches/series 2021-02-25 14:55:51.000000000 -0400 +++ pypy3-7.3.3+dfsg/debian/patches/series 2021-05-02 12:34:45.000000000 -0400 @@ -12,6 +12,8 @@ platform-lsbrelease rlcompleter-invalidterminal fix-_crypt-imports +cve-2021-3426 +ftplib-restrict-pasv core-utf8-errors-ignore core-type-annotation-scoping fcntl-segfault diff -Nru pypy3-7.3.3+dfsg/debian/rules pypy3-7.3.3+dfsg/debian/rules --- pypy3-7.3.3+dfsg/debian/rules 2021-02-25 14:55:51.000000000 -0400 +++ pypy3-7.3.3+dfsg/debian/rules 2021-05-02 12:34:45.000000000 -0400 @@ -83,6 +83,10 @@ override_dh_compress: dh_compress -X.inv -X.txt +override_dh_shlibdeps-arch: + dh_shlibdeps --package=pypy3 -- -dPre-Depends + dh_shlibdeps --arch --remaining-packages + override_dh_installdeb: set -e; for maintscript in preinst postinst prerm; do \ sed -e 's/#VERSION#/$(VER)/g' \
diff -Nru pypy-7.3.3+dfsg/debian/changelog pypy-7.3.3+dfsg/debian/changelog --- pypy-7.3.3+dfsg/debian/changelog 2020-11-21 13:14:19.000000000 -0400 +++ pypy-7.3.3+dfsg/debian/changelog 2021-05-02 10:44:17.000000000 -0400 @@ -1,3 +1,10 @@ +pypy (7.3.3+dfsg-2) unstable; urgency=medium + + * Move pypy dependencies to Pre-Depends, as the pypy binary is used in + package maintainer scripts. (Closes: #987213) + + -- Stefano Rivera <stefa...@debian.org> Sun, 02 May 2021 10:44:17 -0400 + pypy (7.3.3+dfsg-1) unstable; urgency=medium * New upstream release (identical to RC1). diff -Nru pypy-7.3.3+dfsg/debian/control pypy-7.3.3+dfsg/debian/control --- pypy-7.3.3+dfsg/debian/control 2020-11-21 13:14:19.000000000 -0400 +++ pypy-7.3.3+dfsg/debian/control 2021-05-02 10:44:17.000000000 -0400 @@ -34,7 +34,8 @@ Package: pypy Architecture: any -Depends: pypy-lib (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends} +Pre-Depends: pypy-lib (= ${binary:Version}), ${shlibs:Pre-Depends} +Depends: ${misc:Depends} Breaks: pypy-backports.functools-lru-cache (<< 1.5-3~), pypy-dev (<< ${source:Version}) diff -Nru pypy-7.3.3+dfsg/debian/rules pypy-7.3.3+dfsg/debian/rules --- pypy-7.3.3+dfsg/debian/rules 2020-11-21 13:14:19.000000000 -0400 +++ pypy-7.3.3+dfsg/debian/rules 2021-05-02 10:44:17.000000000 -0400 @@ -73,6 +73,10 @@ override_dh_compress: dh_compress -X.inv -X.txt +override_dh_shlibdeps-arch: + dh_shlibdeps --package=pypy -- -dPre-Depends + dh_shlibdeps --arch --remaining-packages + override_dh_installdeb: set -e; for maintscript in preinst postinst prerm; do \ sed -e 's/#VERSION#/$(VER)/g' \