Fix for: CVE-2016-0772 python: smtplib StartTLS stripping attack (rhbz#1303647)

Raise an error when STARTTLS fails

- rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
- rhbz#1351679: https://bugzilla.redhat.com/show_bug.cgi?id=1351679
- Fixed upstream: https://hg.python.org/cpython/rev/b3ce713fb9be
Miro Hrončok 2016-06-30 16:51:30 +02:00
parent 5acd38513f
commit f1894aa779
2 changed files with 51 additions and 1 deletions


@ -0,0 +1,35 @@
From 935f806ae382a45620873dea0eafc536c9e01323 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
Date: Thu, 30 Jun 2016 14:51:24 +0200
Subject: [PATCH] Raise an error when STARTTLS fails
CVE-2016-0772 python: smtplib StartTLS stripping attack
rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
rhbz#1351679: https://bugzilla.redhat.com/show_bug.cgi?id=1351679
Based on an upstream change by Benjamin Peterson <benjamin@python.org>
- in changeset 101886:b3ce713fb9be 2.7
- https://hg.python.org/cpython/rev/b3ce713fb9be
---
lib-python/2.7/smtplib.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/lib-python/2.7/smtplib.py b/lib-python/2.7/smtplib.py
index 8388b98..e1651c0 100755
--- a/lib-python/2.7/smtplib.py
+++ b/lib-python/2.7/smtplib.py
@@ -656,6 +656,11 @@ class SMTP:
self.ehlo_resp = None
self.esmtp_features = {}
self.does_esmtp = 0
+ else:
+ # RFC 3207:
+ # 501 Syntax error (no parameters allowed)
+ # 454 TLS not available due to temporary reason
+ raise SMTPResponseException(resp, reply)
return (resp, reply)
def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
--
2.9.0
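Review bot: the hunk as rendered here has lost its leading whitespace, so when the patch is applied with `%patch3 -p1` it should be checked that the added `else:` lines up with the `if resp == 220:` branch whose body the three context lines (`self.ehlo_resp = None` through `self.does_esmtp = 0`) belong to; in a Python source file a mis-indented `else` shows up as a SyntaxError at import time, not as a rejected hunk. The behaviour change is the right fix for the stripping attack named in the subject: before this, a non-220 reply to STARTTLS (the 501 and 454 cases quoted from RFC 3207 in the comment, or a reply forged on the path) was handed back to the caller as `(resp, reply)` with the socket still in plaintext, so a client that did not inspect the code went on to authenticate and send mail unencrypted; raising `SMTPResponseException` makes that failure loud and stops the session. Since the diffstat shows only `lib-python/2.7/smtplib.py` changed, consider adding a test that exercises the new error path so the behaviour does not regress when lib-python is refreshed.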


@ -1,6 +1,6 @@
Name: pypy Name: pypy
Version: 5.0.1 Version: 5.0.1
Release: 2%{?dist} Release: 3%{?dist}
Summary: Python implementation with a Just-In-Time compiler Summary: Python implementation with a Just-In-Time compiler
Group: Development/Languages Group: Development/Languages
@ -153,6 +153,13 @@ Patch1: 006-always-log-stdout.patch
# community that won't make sense outside of it). [Sorry to be a killjoy] # community that won't make sense outside of it). [Sorry to be a killjoy]
Patch2: 007-remove-startup-message.patch Patch2: 007-remove-startup-message.patch
# CVE-2016-0772 python: smtplib StartTLS stripping attack
# rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
# rhbz#1351679: https://bugzilla.redhat.com/show_bug.cgi?id=1351679
# FIXED UPSTREAM: https://hg.python.org/cpython/rev/b3ce713fb9be
# Raise an error when STARTTLS fails
Patch3: 009-raise-an-error-when-STARTTLS-fails.patch
# Build-time requirements: # Build-time requirements:
# pypy's can be rebuilt using itself, rather than with CPython; doing so # pypy's can be rebuilt using itself, rather than with CPython; doing so
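Review bot: the new patch file is numbered 009 while the previous one is 007, so the file-name sequence skips 008 even though the spec's own index stays contiguous (`Patch2`, `Patch3`); either works, but keeping the two numbering schemes in step avoids confusion when the next patch is added. The comment block above `Patch3:` is good as written: it records the CVE, both Bugzilla references and the upstream changeset, which is exactly what a later maintainer needs in order to decide when the patch can be dropped after a lib-python rebase.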
@ -268,6 +275,7 @@ Build of PyPy with support for micro-threads for massive concurrency
%patch0 -p1 %patch0 -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1
# Replace /usr/local/bin/python shebangs with /usr/bin/python: # Replace /usr/local/bin/python shebangs with /usr/bin/python:
find -name "*.py" -exec \ find -name "*.py" -exec \
sed \ sed \
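Review bot: `%patch3 -p1` is the correct strip level for this patch, since its paths carry the `a/lib-python/2.7/smtplib.py` and `b/...` prefixes produced by `git format-patch`; applying it alongside `%patch0` through `%patch2` before the shebang rewrite that follows keeps the patched file inside the same `find -name "*.py"` pass, which is fine because the patch does not touch the file's first line.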
@ -710,6 +718,13 @@ CheckPyPy %{name}-c-stackless
%changelog %changelog
* Thu Jun 30 2016 Miro Hrončok <mhroncok@redhat.com> - 5.0.1-3
- Fix for: CVE-2016-0772 python: smtplib StartTLS stripping attack
- Raise an error when STARTTLS fails
- rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
- rhbz#1351679: https://bugzilla.redhat.com/show_bug.cgi?id=1351679
- Fixed upstream: https://hg.python.org/cpython/rev/b3ce713fb9be
* Fri May 13 2016 Miro Hrončok <mhroncok@redhat.com> - 5.0.1-2 * Fri May 13 2016 Miro Hrončok <mhroncok@redhat.com> - 5.0.1-2
- Move header files back to %%{pypy_include_dir} (rhbz#1328025) - Move header files back to %%{pypy_include_dir} (rhbz#1328025)