Update to 5.9 (#1504427)

Miro Hrončok 2017-10-20 20:31:31 +02:00
parent 79816c5293
commit 6eb88b1784
6 changed files with 79 additions and 238 deletions

.gitignore vendored

@ -1,3 +1,5 @@
/pypy3-2.4.0-src.tar.bz2
/pypy3.3-v5.2.0-alpha1-src.tar.bz2
/pypy3.3-v5.5.0-alpha-src.tar.bz2
/pypy3-v5.7.0-src.tar.bz2
/pypy3-v5.9.0-src.tar.bz2


@ -1,35 +0,0 @@
From 4c0f6a6fe6c71009ab4a6b3716e70af021e04904 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
Date: Sat, 2 Jul 2016 20:18:12 +0200
Subject: [PATCH] Raise an error when STARTTLS fails
CVE-2016-0772 python: smtplib StartTLS stripping attack
rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
rhbz#1351680: https://bugzilla.redhat.com/show_bug.cgi?id=1351680
Based on an upstream change by Benjamin Peterson <benjamin@python.org>
- in changeset 101887:d590114c2394 3.4
- https://hg.python.org/cpython/rev/d590114c2394
---
lib-python/3/smtplib.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/lib-python/3/smtplib.py b/lib-python/3/smtplib.py
index 57f181b..5656cc6 100755
--- a/lib-python/3/smtplib.py
+++ b/lib-python/3/smtplib.py
@@ -680,6 +680,11 @@ class SMTP:
self.ehlo_resp = None
self.esmtp_features = {}
self.does_esmtp = 0
+ else:
+ # RFC 3207:
+ # 501 Syntax error (no parameters allowed)
+ # 454 TLS not available due to temporary reason
+ raise SMTPResponseException(resp, reply)
return (resp, reply)
def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
--
2.9.0


@ -1,163 +0,0 @@
From 9a8db191cf8a3557a24e91081bf434d581b98c5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
Date: Sat, 2 Jul 2016 20:20:58 +0200
Subject: [PATCH] Disabled HTTP header injections in http.client.
CVE-2016-5699 python: http protocol steam injection attack
rhbz#1303699: https://bugzilla.redhat.com/show_bug.cgi?id=1303699
rhbz#1351687: https://bugzilla.redhat.com/show_bug.cgi?id=1351687
Based on an upstream change by Demian Brecht and Serhiy Storchaka
- in changeset 94952:bf3e1c9b80e9 3.4
- https://hg.python.org/cpython/rev/bf3e1c9b80e9
---
lib-python/3/http/client.py | 37 +++++++++++++++++++++++++
lib-python/3/test/test_httplib.py | 57 +++++++++++++++++++++++++++++++++++++++
2 files changed, 94 insertions(+)
diff --git a/lib-python/3/http/client.py b/lib-python/3/http/client.py
index e05c84d..476d6c8 100644
--- a/lib-python/3/http/client.py
+++ b/lib-python/3/http/client.py
@@ -70,6 +70,7 @@ import email.parser
import email.message
import io
import os
+import re
import socket
import collections
from urllib.parse import urlsplit
@@ -217,6 +218,34 @@ _MAXLINE = 65536
_MAXHEADERS = 100
+# Header name/value ABNF (http://tools.ietf.org/html/rfc7230#section-3.2)
+#
+# VCHAR = %x21-7E
+# obs-text = %x80-FF
+# header-field = field-name ":" OWS field-value OWS
+# field-name = token
+# field-value = *( field-content / obs-fold )
+# field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
+# field-vchar = VCHAR / obs-text
+#
+# obs-fold = CRLF 1*( SP / HTAB )
+# ; obsolete line folding
+# ; see Section 3.2.4
+
+# token = 1*tchar
+#
+# tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
+# / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
+# / DIGIT / ALPHA
+# ; any VCHAR, except delimiters
+#
+# VCHAR defined in http://tools.ietf.org/html/rfc5234#appendix-B.1
+
+# the patterns for both name and value are more leniant than RFC
+# definitions to allow for backwards compatibility
+_is_legal_header_name = re.compile(b'^[^:\s][^:\r\n]*$').match
+_is_illegal_header_value = re.compile(b'\n(?![ \t])|\r(?![ \t\n])').search
+
class HTTPMessage(email.message.Message):
# XXX The only usage of this method is in
# http.server.CGIHTTPRequestHandler. Maybe move the code there so
@@ -1035,12 +1064,20 @@ class HTTPConnection:
if hasattr(header, 'encode'):
header = header.encode('ascii')
+
+ if not _is_legal_header_name(header):
+ raise ValueError('Invalid header name %r' % (header,))
+
values = list(values)
for i, one_value in enumerate(values):
if hasattr(one_value, 'encode'):
values[i] = one_value.encode('latin-1')
elif isinstance(one_value, int):
values[i] = str(one_value).encode('ascii')
+
+ if _is_illegal_header_value(values[i]):
+ raise ValueError('Invalid header value %r' % (values[i],))
+
value = b'\r\n\t'.join(values)
header = header + b': ' + value
self._output(header)
diff --git a/lib-python/3/test/test_httplib.py b/lib-python/3/test/test_httplib.py
index c8ded92..fd71bea 100644
--- a/lib-python/3/test/test_httplib.py
+++ b/lib-python/3/test/test_httplib.py
@@ -134,6 +134,33 @@ class HeaderTests(TestCase):
conn.putheader('Content-length', 42)
self.assertIn(b'Content-length: 42', conn._buffer)
+ conn.putheader('Foo', ' bar ')
+ self.assertIn(b'Foo: bar ', conn._buffer)
+ conn.putheader('Bar', '\tbaz\t')
+ self.assertIn(b'Bar: \tbaz\t', conn._buffer)
+ conn.putheader('Authorization', 'Bearer mytoken')
+ self.assertIn(b'Authorization: Bearer mytoken', conn._buffer)
+ conn.putheader('IterHeader', 'IterA', 'IterB')
+ self.assertIn(b'IterHeader: IterA\r\n\tIterB', conn._buffer)
+ conn.putheader('LatinHeader', b'\xFF')
+ self.assertIn(b'LatinHeader: \xFF', conn._buffer)
+ conn.putheader('Utf8Header', b'\xc3\x80')
+ self.assertIn(b'Utf8Header: \xc3\x80', conn._buffer)
+ conn.putheader('C1-Control', b'next\x85line')
+ self.assertIn(b'C1-Control: next\x85line', conn._buffer)
+ conn.putheader('Embedded-Fold-Space', 'is\r\n allowed')
+ self.assertIn(b'Embedded-Fold-Space: is\r\n allowed', conn._buffer)
+ conn.putheader('Embedded-Fold-Tab', 'is\r\n\tallowed')
+ self.assertIn(b'Embedded-Fold-Tab: is\r\n\tallowed', conn._buffer)
+ conn.putheader('Key Space', 'value')
+ self.assertIn(b'Key Space: value', conn._buffer)
+ conn.putheader('KeySpace ', 'value')
+ self.assertIn(b'KeySpace : value', conn._buffer)
+ conn.putheader(b'Nonbreak\xa0Space', 'value')
+ self.assertIn(b'Nonbreak\xa0Space: value', conn._buffer)
+ conn.putheader(b'\xa0NonbreakSpace', 'value')
+ self.assertIn(b'\xa0NonbreakSpace: value', conn._buffer)
+
def test_ipv6host_header(self):
# Default host header on IPv6 transaction should wrapped by [] if
# its actual IPv6 address
@@ -153,6 +180,36 @@ class HeaderTests(TestCase):
conn.request('GET', '/foo')
self.assertTrue(sock.data.startswith(expected))
+ def test_invalid_headers(self):
+ conn = client.HTTPConnection('example.com')
+ conn.sock = FakeSocket('')
+ conn.putrequest('GET', '/')
+
+ # http://tools.ietf.org/html/rfc7230#section-3.2.4, whitespace is no
+ # longer allowed in header names
+ cases = (
+ (b'Invalid\r\nName', b'ValidValue'),
+ (b'Invalid\rName', b'ValidValue'),
+ (b'Invalid\nName', b'ValidValue'),
+ (b'\r\nInvalidName', b'ValidValue'),
+ (b'\rInvalidName', b'ValidValue'),
+ (b'\nInvalidName', b'ValidValue'),
+ (b' InvalidName', b'ValidValue'),
+ (b'\tInvalidName', b'ValidValue'),
+ (b'Invalid:Name', b'ValidValue'),
+ (b':InvalidName', b'ValidValue'),
+ (b'ValidName', b'Invalid\r\nValue'),
+ (b'ValidName', b'Invalid\rValue'),
+ (b'ValidName', b'Invalid\nValue'),
+ (b'ValidName', b'InvalidValue\r\n'),
+ (b'ValidName', b'InvalidValue\r'),
+ (b'ValidName', b'InvalidValue\n'),
+ )
+ for name, value in cases:
+ with self.subTest((name, value)):
+ with self.assertRaisesRegex(ValueError, 'Invalid header'):
+ conn.putheader(name, value)
+
class BasicTest(TestCase):
def test_status_lines(self):
--
2.9.0


@ -1,30 +1,37 @@
diff --git pypy3-v5.5.0-src/lib-python/3/test/regrtest.py pypy3-v5.5.0-src/lib-python/3/test/regrtest.py-new
index 8d18a9297a..e99322ebe1 100755
--- pypy3-v5.5.0-src/lib-python/3/test/regrtest.py
+++ pypy3-v5.5.0-src/lib-python/3/test/regrtest.py-new
@@ -169,7 +169,6 @@ option '-uall,-gui'.
import importlib
commit ea4d6a12548eea7ce0424feea13a499fb7085e96
Author: rpm-build <rpm-build>
Date: Wed Mar 29 04:31:55 2017 +0200
011-no-faulthandler.patch
diff --git a/lib-python/3/test/regrtest.py b/lib-python/3/test/regrtest.py
index c1d85f6..3d3072c 100755
--- a/lib-python/3/test/regrtest.py
+++ b/lib-python/3/test/regrtest.py
@@ -124,7 +124,6 @@ import importlib
import argparse
import builtins
-import faulthandler
import getopt
import io
import json
@@ -197,6 +196,10 @@ try:
import multiprocessing.process
import locale
@@ -152,7 +151,10 @@ try:
import _multiprocessing, multiprocessing.process
except ImportError:
multiprocessing = None
-
+try:
+ import faulthandler
+except ImportError:
+ faulthandler = None
# Some times __path__ and __file__ are not absolute (e.g. while running from
@@ -283,17 +286,18 @@ def main(tests=None, testdir=None, verbose=0, quiet=False,
# Lib/) and, if we change the CWD to run the tests in a temporary dir, some
@@ -486,17 +488,18 @@ def main(tests=None, **kwargs):
directly to set the values that would normally be set by flags
on the command line.
"""
- # Display the Python traceback on fatal errors (e.g. segfault)
- faulthandler.enable(all_threads=True)
-
@ -51,3 +58,37 @@ index 8d18a9297a..e99322ebe1 100755
replace_stdout()
diff --git a/lib-python/3/test/support/__init__.py b/lib-python/3/test/support/__init__.py
index 5d7f308..4424637 100644
--- a/lib-python/3/test/support/__init__.py
+++ b/lib-python/3/test/support/__init__.py
@@ -6,7 +6,6 @@ if __name__ != 'test.support':
import collections.abc
import contextlib
import errno
-import faulthandler
import fnmatch
import functools
import gc
@@ -65,6 +64,11 @@ try:
except ImportError:
resource = None
+try:
+ import faulthandler
+except ImportError:
+ faulthandler = None
+
__all__ = [
# globals
"PIPE_MAX_SIZE", "verbose", "max_memuse", "use_resources", "failfast",
@@ -2060,7 +2064,8 @@ def start_threads(threads, unlock=None):
finally:
started = [t for t in started if t.isAlive()]
if started:
- faulthandler.dump_traceback(sys.stdout)
+ if faulthandler is not None:
+ faulthandler.dump_traceback(sys.stdout)
raise AssertionError('Unable to join %d threads' % len(started))
@contextlib.contextmanager


@ -1,6 +1,7 @@
Name: pypy3
Version: 5.5.0
Release: 6%{?dist}
Version: 5.9.0
%global pyversion 3.5
Release: 1%{?dist}
Summary: Python 3 implementation with a Just-In-Time compiler
# LGPL and another free license we'd need to ask spot about are present in some
@ -131,7 +132,7 @@ ExcludeArch: aarch64
%(echo '%{__os_install_post}' | sed -e 's!/usr/lib[^[:space:]]*/brp-python-bytecompile[[:space:]].*$!!g')
# Source and patches:
Source0: https://bitbucket.org/pypy/pypy/downloads/pypy3.3-v%{version}-alpha-src.tar.bz2
Source0: https://bitbucket.org/pypy/pypy/downloads/pypy3-v%{version}-src.tar.bz2
# Supply various useful RPM macros for building python modules against pypy:
# __pypy, pypy_sitelib, pypy_sitearch
@ -141,36 +142,21 @@ Source2: macros.pypy3
# set to indicate progress.
# This obscures useful messages, and may waste CPU cycles, so suppress it, and
# merely render dots:
Patch0: 001-nevertty.patch
Patch1: 001-nevertty.patch
# Patch pypy.translator.platform so that stdout from "make" etc gets logged,
# rather than just stderr, so that the command-line invocations of the compiler
# and linker are captured:
Patch1: 006-always-log-stdout.patch
Patch6: 006-always-log-stdout.patch
# Disable the printing of a quote from IRC on startup (these are stored in
# ROT13 form in lib_pypy/_pypy_irc_topic.py). Some are cute, but some could
# cause confusion for end-users (and many are in-jokes within the PyPy
# community that won't make sense outside of it). [Sorry to be a killjoy]
Patch2: 007-remove-startup-message.patch
# CVE-2016-0772 python: smtplib StartTLS stripping attack
# rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
# rhbz#1351680: https://bugzilla.redhat.com/show_bug.cgi?id=1351680
# FIXED UPSTREAM: https://hg.python.org/cpython/rev/d590114c2394
# Raise an error when STARTTLS fails
Patch4: 009-raise-an-error-when-STARTTLS-fails.patch
# CVE-2016-5699 python: http protocol steam injection attack
# rhbz#1303699: https://bugzilla.redhat.com/show_bug.cgi?id=1303699
# rhbz#1351687: https://bugzilla.redhat.com/show_bug.cgi?id=1351687
# FIXED UPSTREAM: https://hg.python.org/cpython/rev/bf3e1c9b80e9
# Disabled HTTP header injections in http.client
Patch5: 010-disabled-HTTP-header-injections-in-http.client.patch
Patch7: 007-remove-startup-message.patch
# It seems ppc64 has no faulthandler
Patch6: 011-no-faulthandler.patch
Patch11: 011-no-faulthandler.patch
# Build-time requirements:
@ -186,12 +172,14 @@ Patch6: 011-no-faulthandler.patch
%if 0%{use_self_when_building}
# pypy3 can only be build with pypy2
BuildRequires: pypy
# no pypy-pycparser available ATM
%global bootstrap_python_interp pypy
%else
# pypy3 can only be build with python2
BuildRequires: python2-devel
BuildRequires: python-pycparser
%global bootstrap_python_interp python
%endif
@ -523,8 +511,9 @@ find \
mkdir -p %{buildroot}/%{pypyprefix}/site-packages
ln -s %{pypyprefix}/bin/pypy3.3 %{buildroot}/%{_bindir}/pypy3.3
ln -s pypy3.3 %{buildroot}/%{_bindir}/pypy3
ln -s ./pypy3 %{buildroot}%{pypyprefix}/bin/pypy%{pyversion}
ln -s %{pypyprefix}/bin/pypy%{pyversion} %{buildroot}%{_bindir}/pypy%{pyversion}
ln -s pypy%{pyversion} %{buildroot}%{_bindir}/pypy3
# pypy uses .pyc files by default (--objspace-usepycfiles), but has a slightly
# different bytecode format to CPython. It doesn't use .pyo files: the -O flag
@ -790,10 +779,10 @@ CheckPyPy() {
#pypy/goal/pypy pypy/test_all.py --resultlog=pypyjit_new.log
%if %{run_selftests}
CheckPyPy pypy-c
CheckPyPy %{name}-c
%if 0%{with_stackless}
CheckPyPy pypy3-stackless
CheckPyPy %{name}-stackless
%endif
%endif # run_selftests
@ -821,7 +810,7 @@ CheckPyPy pypy3-stackless
%license LICENSE
%doc README.rst
%{_bindir}/pypy3
%{_bindir}/pypy3.3
%{_bindir}/pypy%{pyversion}
%{pypyprefix}/bin/
%exclude %{_libdir}/%{name}-%{version}.tar.bz2
@ -840,6 +829,13 @@ CheckPyPy pypy3-stackless
%changelog
* Fri Oct 20 2017 Miro Hrončok <mhroncok@redhat.com> - 5.9.0-1
- Update to 5.9 (#1504427)
- Remove merged patches
- Reindex the patches to match the filenames
- Rebase the faulthandler Patch11
- BR python-pycparser
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
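Review bot: Dropping Patch4 and Patch5 removes the spec's only mention of CVE-2016-0772 and CVE-2016-5699, and the changelog entry "Remove merged patches" does not say which ones, so the package's fix status for those advisories is no longer traceable from the spec; I would write the changelog line as `- Remove merged patches: CVE-2016-0772 (smtplib STARTTLS) and CVE-2016-5699 (http.client header injection)`. It is also worth confirming, before the patches are dropped, that the 5.9.0 tarball's lib-python/3 actually carries the upstream fixes (smtplib raising SMTPResponseException when STARTTLS fails, http.client rejecting CR/LF in header names and values) — the page only states that they are merged. The Patch0/1/2/6 to Patch1/6/7/11 renumbering must be mirrored wherever the patches are applied; if %prep uses explicit %patchN lines, that section is outside the shown hunks and needs the same change.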


@ -1 +1 @@
536008fd7b17af8878915393fc1ecfc3 pypy3.3-v5.5.0-alpha-src.tar.bz2
SHA512 (pypy3-v5.9.0-src.tar.bz2) = 3d5384d644fdd1bc8b95f5747dbd1771ae06eb2cfc7b57be359b8bf40177676afd097620d0cb9d9000c40d8cce075cfa6bfd92de987d3dd927c04d7d595dc5bd