From 024452834ab4e686fe563f22c28bfa9d14db3c31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Sat, 31 Dec 2022 21:49:54 +0100 Subject: [PATCH] Update to 7.3.11 --- .gitignore | 1 + 382-cve-2015-20107.patch | 117 --------------------------------------- 386-cve-2021-28861.patch | 98 -------------------------------- pypy3.9.spec | 24 ++------ sources | 2 +- 5 files changed, 8 insertions(+), 234 deletions(-) delete mode 100644 382-cve-2015-20107.patch delete mode 100644 386-cve-2021-28861.patch diff --git a/.gitignore b/.gitignore index 60bbe63..4dc5e57 100644 --- a/.gitignore +++ b/.gitignore @@ -21,3 +21,4 @@ /pypy3.9-v7.3.8rc2-src.tar.bz2 /pypy3.9-v7.3.8-src.tar.bz2 /pypy3.9-v7.3.9-src.tar.bz2 +/pypy3.9-v7.3.11-src.tar.bz2 diff --git a/382-cve-2015-20107.patch b/382-cve-2015-20107.patch deleted file mode 100644 index 4860ad8..0000000 --- a/382-cve-2015-20107.patch +++ /dev/null 
@@ -1,117 +0,0 @@ -From c3caa02fe5e48e02a2ff2c0f409317022b05d34f Mon Sep 17 00:00:00 2001 -From: Petr Viktorin -Date: Fri, 3 Jun 2022 11:43:35 +0200 -Subject: [PATCH] 00382: CVE-2015-20107 - -Make mailcap refuse to match unsafe filenames/types/params (GH-91993) - -Upstream: https://github.com/python/cpython/issues/68966 - -Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390 ---- - lib-python/3/mailcap.py | 26 ++++++++++++++++++++++++-- - lib-python/3/test/test_mailcap.py | 8 ++++++-- - 2 files changed, 30 insertions(+), 4 deletions(-) - -diff --git a/lib-python/3/mailcap.py b/lib-python/3/mailcap.py -index ae416a8..444c640 100644 ---- a/lib-python/3/mailcap.py -+++ b/lib-python/3/mailcap.py -@@ -2,6 +2,7 @@ - - import os - import warnings -+import re - - __all__ = ["getcaps","findmatch"] - -@@ -13,6 +14,11 @@ def lineno_sort_key(entry): - else: - return 1, 0 - -+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search -+ -+class UnsafeMailcapInput(Warning): -+ """Warning raised when refusing unsafe input""" -+ - - # Part 1: top-level interface. - -@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]): - entry to use. - - """ -+ if _find_unsafe(filename): -+ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,) -+ warnings.warn(msg, UnsafeMailcapInput) -+ return None, None - entries = lookup(caps, MIMEtype, key) - # XXX This code should somehow check for the needsterminal flag. 
- for e in entries: - if 'test' in e: - test = subst(e['test'], filename, plist) -+ if test is None: -+ continue - if test and os.system(test) != 0: - continue - command = subst(e[key], MIMEtype, filename, plist) -- return command, e -+ if command is not None: -+ return command, e - return None, None - - def lookup(caps, MIMEtype, key=None): -@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, plist=[]): - elif c == 's': - res = res + filename - elif c == 't': -+ if _find_unsafe(MIMEtype): -+ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,) -+ warnings.warn(msg, UnsafeMailcapInput) -+ return None - res = res + MIMEtype - elif c == '{': - start = i -@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, plist=[]): - i = i+1 - name = field[start:i] - i = i+1 -- res = res + findparam(name, plist) -+ param = findparam(name, plist) -+ if _find_unsafe(param): -+ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name) -+ warnings.warn(msg, UnsafeMailcapInput) -+ return None -+ res = res + param - # XXX To do: - # %n == number of parts if type is multipart/* - # %F == list of alternating type and filename for parts -diff --git a/lib-python/3/test/test_mailcap.py b/lib-python/3/test/test_mailcap.py -index c08423c..920283d 100644 ---- a/lib-python/3/test/test_mailcap.py -+++ b/lib-python/3/test/test_mailcap.py -@@ -121,7 +121,8 @@ class HelperFunctionTest(unittest.TestCase): - (["", "audio/*", "foo.txt"], ""), - (["echo foo", "audio/*", "foo.txt"], "echo foo"), - (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"), -- (["echo %t", "audio/*", "foo.txt"], "echo audio/*"), -+ (["echo %t", "audio/*", "foo.txt"], None), -+ (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"), - (["echo \\%t", "audio/*", "foo.txt"], "echo %t"), - (["echo foo", "audio/*", "foo.txt", plist], "echo foo"), - (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3") -@@ -205,7 +206,10 @@ class FindmatchTest(unittest.TestCase): - 
('"An audio fragment"', audio_basic_entry)), - ([c, "audio/*"], - {"filename": fname}, -- ("/usr/local/bin/showaudio audio/*", audio_entry)), -+ (None, None)), -+ ([c, "audio/wav"], -+ {"filename": fname}, -+ ("/usr/local/bin/showaudio audio/wav", audio_entry)), - ([c, "message/external-body"], - {"plist": plist}, - ("showexternal /dev/null default john python.org /tmp foo bar", message_entry)) --- -2.35.3 - diff --git a/386-cve-2021-28861.patch b/386-cve-2021-28861.patch deleted file mode 100644 index dfa9969..0000000 --- a/386-cve-2021-28861.patch +++ /dev/null 
@@ -1,98 +0,0 @@ -From e42be9b593f1d5e83a947f73058b919395398424 Mon Sep 17 00:00:00 2001 -From: Julian Berman -Date: Fri, 23 Sep 2022 11:30:55 +0200 -Subject: [PATCH] Pull in the http.server vulnerability fix from - python/cpython#87389 - -Fixes an open redirection vulnerability for paths starting with `//`. - -Closes: #3812 - ---HG-- -branch : http_server_vuln_fix ---- - lib-python/3/http/server.py | 7 ++++ - lib-python/3/test/test_httpservers.py | 49 +++++++++++++++++++++++++++ - 2 files changed, 56 insertions(+) - -diff --git a/lib-python/3/http/server.py b/lib-python/3/http/server.py -index 38f7accad7..39de35458c 100644 ---- a/lib-python/3/http/server.py -+++ b/lib-python/3/http/server.py -@@ -332,6 +332,13 @@ class BaseHTTPRequestHandler(socketserver.StreamRequestHandler): - return False - self.command, self.path = command, path - -+ # gh-87389: The purpose of replacing '//' with '/' is to protect -+ # against open redirect attacks possibly triggered if the path starts -+ # with '//' because http clients treat //path as an absolute URI -+ # without scheme (similar to http://path) rather than a path. -+ if self.path.startswith('//'): -+ self.path = '/' + self.path.lstrip('/') # Reduce to a single / -+ - # Examine the headers and look for a Connection directive. - try: - self.headers = http.client.parse_headers(self.rfile, -diff --git a/lib-python/3/test/test_httpservers.py b/lib-python/3/test/test_httpservers.py -index c5b833723e..97dae7a7ce 100644 ---- a/lib-python/3/test/test_httpservers.py -+++ b/lib-python/3/test/test_httpservers.py -@@ -416,6 +416,55 @@ class SimpleHTTPServerTestCase(BaseTestCase): - self.check_status_and_reason(response, HTTPStatus.OK, - data=support.TESTFN_UNDECODABLE) - -+ def test_get_dir_redirect_location_domain_injection_bug(self): -+ """Ensure //evil.co/..%2f../../X does not put //evil.co/ in Location. -+ -+ //netloc/ in a Location header is a redirect to a new host. 
-+ https://github.com/python/cpython/issues/87389 -+ -+ This checks that a path resolving to a directory on our server cannot -+ resolve into a redirect to another server. -+ """ -+ os.mkdir(os.path.join(self.tempdir, 'existing_directory')) -+ url = f'/python.org/..%2f..%2f..%2f..%2f..%2f../%0a%0d/../{self.tempdir_name}/existing_directory' -+ expected_location = f'{url}/' # /python.org.../ single slash single prefix, trailing slash -+ # Canonicalizes to /tmp/tempdir_name/existing_directory which does -+ # exist and is a dir, triggering the 301 redirect logic. -+ response = self.request(url) -+ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY) -+ location = response.getheader('Location') -+ self.assertEqual(location, expected_location, msg='non-attack failed!') -+ -+ # //python.org... multi-slash prefix, no trailing slash -+ attack_url = f'/{url}' -+ response = self.request(attack_url) -+ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY) -+ location = response.getheader('Location') -+ self.assertFalse(location.startswith('//'), msg=location) -+ self.assertEqual(location, expected_location, -+ msg='Expected Location header to start with a single / and ' -+ 'end with a / as this is a directory redirect.') -+ -+ # ///python.org... triple-slash prefix, no trailing slash -+ attack3_url = f'//{url}' -+ response = self.request(attack3_url) -+ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY) -+ self.assertEqual(response.getheader('Location'), expected_location) -+ -+ # If the second word in the http request (Request-URI for the http -+ # method) is a full URI, we don't worry about it, as that'll be parsed -+ # and reassembled as a full URI within BaseHTTPRequestHandler.send_head -+ # so no errant scheme-less //netloc//evil.co/ domain mixup can happen. 
-+ attack_scheme_netloc_2slash_url = f'https://pypi.org/{url}' -+ expected_scheme_netloc_location = f'{attack_scheme_netloc_2slash_url}/' -+ response = self.request(attack_scheme_netloc_2slash_url) -+ self.check_status_and_reason(response, HTTPStatus.MOVED_PERMANENTLY) -+ location = response.getheader('Location') -+ # We're just ensuring that the scheme and domain make it through, if -+ # there are or aren't multiple slashes at the start of the path that -+ # follows that isn't important in this Location: header. -+ self.assertTrue(location.startswith('https://pypi.org/'), msg=location) -+ - def test_get(self): - #constructs the path relative to the root directory of the HTTPServer - response = self.request(self.base_url + '/test') --- -GitLab - diff --git a/pypy3.9.spec b/pypy3.9.spec index 759733e..fe5f238 100644 --- a/pypy3.9.spec +++ b/pypy3.9.spec @@ -1,5 +1,5 @@ %global basever 7.3 -%global micro 9 +%global micro 11 #global pre ... %global pyversion 3.9 Name: pypy%{pyversion} @@ -10,7 +10,7 @@ Version: %{basever}.%{micro}%{?pre:~%{pre}} # by Python version as well. # This potentially allows tags like Obsoletes: pypy3 < %%{version}-%%{release}. # https://bugzilla.redhat.com/2053880 -%global baserelease 5 +%global baserelease 1 Release: %{baserelease}.%{pyversion}%{?dist} Summary: Python %{pyversion} implementation with a Just-In-Time compiler 
@@ -120,22 +120,6 @@ Patch9: 009-add-libxcrypt-support.patch # We conditionally apply this, but we use autosetup, so we use Source here Source189: 189-use-rpm-wheels.patch -# 00382 # -# CVE-2015-20107 -# -# Make mailcap refuse to match unsafe filenames/types/params (GH-91993) -# -# Upstream: https://github.com/python/cpython/issues/68966 -# -# Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390 -Patch382: 382-cve-2015-20107.patch - -# 00386 # -# CVE-2021-28861: open redirection in http.server -# Upstream: https://foss.heptapod.net/pypy/pypy/-/commit/e42be9b593f1d5e83a947f73058b919395398424.patch -# Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2120642 -Patch386: 386-cve-2021-28861.patch - # Build-time requirements: # pypy's can be rebuilt using pypy2, rather than with CPython 2; doing so @@ -854,6 +838,10 @@ CheckPyPy pypy%{pyversion}-c %changelog +* Fri Dec 30 2022 Miro Hrončok - 7.3.11-1.3.9 +- Update to 7.3.11 +- Fixes: rhbz#2147520 + * Fri Dec 02 2022 Miro Hrončok - 7.3.9-5.3.9 - On Fedora 37+, obsolete the pypy3.7 package which is no longer available diff --git a/sources b/sources index ec552a9..5c795ba 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (pypy3.9-v7.3.9-src.tar.bz2) = 83f8a6a2da351c190d2d224242cbc35e35529c7a8e8d842eaf5c945cbce2e172b02a340f32af3d49df8d5288370d794d5bc95fc12dd4a13d817c925abf06198a +SHA512 (pypy3.9-v7.3.11-src.tar.bz2) = 33c978ffbeeb39453028d1d1646ccfdace062ce48a5d939245bea41643038dd3687e80e34f88fa0622bcb175d7dd78f75cbe36b24229c8052f09d2d17dcdfd8c
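Review bot: Dropping Patch382 (CVE-2015-20107) and Patch386 (CVE-2021-28861) in the `@@ -120,22 +120,6 @@` hunk is only safe if the 7.3.11 sources already carry both fixes, and nothing in this commit records that they do. The deleted patch headers name the upstream references (python/cpython#68966 for the mailcap fix and the pypy commit e42be9b593f1d5e83a947f73058b919395398424 for the http.server fix), so the 7.3.11 tarball should be checked against those before the release is built, and any fix that is missing should have its patch retained and rebased rather than removed. The changelog entry added in the `@@ -854,6 +838,10 @@` hunk lists only the update and rhbz#2147520, so the reason the two CVE patches disappeared is lost from the package history; add a line such as `- Drop patches for CVE-2015-20107 and CVE-2021-28861, fixed upstream in 7.3.11` under the 7.3.11-1.3.9 entry. The changelog date (Fri Dec 30 2022) also differs from the commit date (Sat, 31 Dec 2022); harmless, but worth keeping consistent.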