Fix for: CVE-2016-0772 python: smtplib StartTLS stripping attack (rhbz#1303647)

Raise an error when STARTTLS fails. - rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647 - rhbz#1346344: https://bugzilla.redhat.com/show_bug.cgi?id=1346344 - Fixed upstream: https://hg.python.org/cpython/rev/b3ce713fb9be
2016-06-16 19:39:34 +02:00 · 2016-06-16 19:39:34 +02:00 · 570612449e
parent 138d744295
commit 570612449e
2 changed files with 52 additions and 1 deletions
--- a/00210-Raise-an-error-when-STARTTLS-fails.patch
+++ b/00210-Raise-an-error-when-STARTTLS-fails.patch
@ -0,0 +1,35 @@
+From c2c98ddde2665d12e34f17c4eac90832df720114 Mon Sep 17 00:00:00 2001
+From: Tomas Orsava <torsava@redhat.com>
+Date: Thu, 16 Jun 2016 18:56:18 +0200
+Subject: [PATCH] Raise an error when STARTTLS fails
+
+CVE-2016-0772 python: smtplib StartTLS stripping attack
+rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
+rhbz#1346344: https://bugzilla.redhat.com/show_bug.cgi?id=1346344
+
+Based on an upstream change by Benjamin Peterson <benjamin@python.org>
+- in changeset 101886:b3ce713fb9be 2.7
+- https://hg.python.org/cpython/rev/b3ce713fb9be
+---
+ Lib/smtplib.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/Lib/smtplib.py b/Lib/smtplib.py
+index 8388b98..e1651c0 100755
+--- a/Lib/smtplib.py
+++ b/Lib/smtplib.py
+@@ -656,6 +656,11 @@ class SMTP:
+             self.ehlo_resp = None
+             self.esmtp_features = {}
+             self.does_esmtp = 0
+        else:
+            # RFC 3207:
+            # 501 Syntax error (no parameters allowed)
+            # 454 TLS not available due to temporary reason
+            raise SMTPResponseException(resp, reply)
+         return (resp, reply)
+ 
+     def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
+-- 
+2.5.5
+
--- a/python.spec
+++ b/python.spec
@ -108,7 +108,7 @@ Summary: An interpreted, interactive, object-oriented programming language
 Name: %{python}
 # Remember to also rebase python-docs when changing this:
 Version: 2.7.11
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: Python
 Group: Development/Languages
 Requires: %{python}-libs%{?_isa} = %{version}-%{release}
@ -917,6 +917,14 @@ Patch200: 00200-skip-thread-test.patch
 # FIXED UPSTREAM
 Patch201: 00201-prevent-buffer-overflow-in-zipimport-module.patch

+# 00210 #
+# CVE-2016-0772 python: smtplib StartTLS stripping attack
+# rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
+# rhbz#1346344: https://bugzilla.redhat.com/show_bug.cgi?id=1346344
+# FIXED UPSTREAM: https://hg.python.org/cpython/rev/b3ce713fb9be
+# Raise an error when STARTTLS fails
+Patch210: 00210-Raise-an-error-when-STARTTLS-fails.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora 17 onwards,
@ -1282,6 +1290,7 @@ mv Modules/cryptmodule.c Modules/_cryptmodule.c
 %endif
 %patch200 -p1
 %patch201 -p1
+%patch210 -p1


 # This shouldn't be necesarry, but is right now (2.2a3)
@ -2133,6 +2142,13 @@ rm -fr %{buildroot}
 # ======================================================

 %changelog
+* Thu Jun 16 2016 Tomas Orsava <torsava@redhat.com> - 2.7.11-6
+- Fix for: CVE-2016-0772 python: smtplib StartTLS stripping attack
+- Raise an error when STARTTLS fails
+- rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
+- rhbz#1346344: https://bugzilla.redhat.com/show_bug.cgi?id=1346344
+- Fixed upstream: https://hg.python.org/cpython/rev/b3ce713fb9be
+
 * Mon Jun 13 2016 Charalampos Stratakis <cstratak@redhat.com> - 2.7.11-5
 - Added patch for fixing possible integer overflow and heap corruption in zipimporter.get_data()