Fix for CVE-2016-1000110 HTTPoxy attack
This commit is contained in:
parent
3f17ce7e15
commit
a759357958
|
@ -1,39 +0,0 @@
|
|||
From 0f12cb75c708978f9201c1dd3464d2a8572b4544 Mon Sep 17 00:00:00 2001
|
||||
From: Charalampos Stratakis <cstratak@redhat.com>
|
||||
Date: Fri, 8 Jul 2016 20:24:10 +0200
|
||||
Subject: [PATCH] CVE-2016-5636 fix
|
||||
|
||||
---
|
||||
Modules/zipimport.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/Modules/zipimport.c b/Modules/zipimport.c
|
||||
index 7240cb4..2e6a61f 100644
|
||||
--- a/Modules/zipimport.c
|
||||
+++ b/Modules/zipimport.c
|
||||
@@ -861,6 +861,10 @@ get_data(char *archive, PyObject *toc_entry)
|
||||
&date, &crc)) {
|
||||
return NULL;
|
||||
}
|
||||
+ if (data_size < 0) {
|
||||
+ PyErr_Format(ZipImportError, "negative data size");
|
||||
+ return NULL;
|
||||
+ }
|
||||
|
||||
fp = fopen(archive, "rb");
|
||||
if (!fp) {
|
||||
@@ -895,6 +899,11 @@ get_data(char *archive, PyObject *toc_entry)
|
||||
PyMarshal_ReadShortFromFile(fp); /* local header size */
|
||||
file_offset += l; /* Start of file data */
|
||||
|
||||
+ if (data_size > LONG_MAX - 1) {
|
||||
+ fclose(fp);
|
||||
+ PyErr_NoMemory();
|
||||
+ return NULL;
|
||||
+ }
|
||||
raw_data = PyString_FromStringAndSize((char *)NULL, compress == 0 ?
|
||||
data_size : data_size + 1);
|
||||
if (raw_data == NULL) {
|
||||
--
|
||||
2.7.4
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
From c2c98ddde2665d12e34f17c4eac90832df720114 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Orsava <torsava@redhat.com>
|
||||
Date: Thu, 16 Jun 2016 18:56:18 +0200
|
||||
Subject: [PATCH] Raise an error when STARTTLS fails
|
||||
|
||||
CVE-2016-0772 python: smtplib StartTLS stripping attack
|
||||
rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
|
||||
rhbz#1346344: https://bugzilla.redhat.com/show_bug.cgi?id=1346344
|
||||
|
||||
Based on an upstream change by Benjamin Peterson <benjamin@python.org>
|
||||
- in changeset 101886:b3ce713fb9be 2.7
|
||||
- https://hg.python.org/cpython/rev/b3ce713fb9be
|
||||
---
|
||||
Lib/smtplib.py | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/Lib/smtplib.py b/Lib/smtplib.py
|
||||
index 8388b98..e1651c0 100755
|
||||
--- a/Lib/smtplib.py
|
||||
+++ b/Lib/smtplib.py
|
||||
@@ -656,6 +656,11 @@ class SMTP:
|
||||
self.ehlo_resp = None
|
||||
self.esmtp_features = {}
|
||||
self.does_esmtp = 0
|
||||
+ else:
|
||||
+ # RFC 3207:
|
||||
+ # 501 Syntax error (no parameters allowed)
|
||||
+ # 454 TLS not available due to temporary reason
|
||||
+ raise SMTPResponseException(resp, reply)
|
||||
return (resp, reply)
|
||||
|
||||
def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
|
||||
--
|
||||
2.5.5
|
||||
|
|
@ -0,0 +1,111 @@
|
|||
|
||||
# HG changeset patch
|
||||
# User Senthil Kumaran <senthil@uthcode.com>
|
||||
# Date 1469882993 25200
|
||||
# Node ID ba915d561667fa0584ad89f8d5a844fd43803c0d
|
||||
# Parent c8c1ea94379a7706638f1571988576d504d7fc98
|
||||
Prevent HTTPoxy attack (CVE-2016-1000110)
|
||||
|
||||
Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which
|
||||
indicates that the script is in CGI mode.
|
||||
|
||||
Issue reported and patch contributed by Rémi Rampin.
|
||||
|
||||
diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst
|
||||
--- a/Doc/howto/urllib2.rst
|
||||
+++ b/Doc/howto/urllib2.rst
|
||||
@@ -525,6 +525,11 @@ setting up a `Basic Authentication`_ han
|
||||
through a proxy. However, this can be enabled by extending urllib2 as
|
||||
shown in the recipe [#]_.
|
||||
|
||||
+.. note::
|
||||
+
|
||||
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see
|
||||
+ the documentation on :func:`~urllib.getproxies`.
|
||||
+
|
||||
|
||||
Sockets and Layers
|
||||
==================
|
||||
diff --git a/Doc/library/urllib.rst b/Doc/library/urllib.rst
|
||||
--- a/Doc/library/urllib.rst
|
||||
+++ b/Doc/library/urllib.rst
|
||||
@@ -295,6 +295,16 @@ Utility functions
|
||||
If both lowercase and uppercase environment variables exist (and disagree),
|
||||
lowercase is preferred.
|
||||
|
||||
+ .. note::
|
||||
+
|
||||
+ If the environment variable ``REQUEST_METHOD`` is set, which usually
|
||||
+ indicates your script is running in a CGI environment, the environment
|
||||
+ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is
|
||||
+ because that variable can be injected by a client using the "Proxy:"
|
||||
+ HTTP header. If you need to use an HTTP proxy in a CGI environment,
|
||||
+ either use ``ProxyHandler`` explicitly, or make sure the variable name
|
||||
+ is in lowercase (or at least the ``_proxy`` suffix).
|
||||
+
|
||||
.. note::
|
||||
urllib also exposes certain utility functions like splittype, splithost and
|
||||
others parsing URL into various components. But it is recommended to use
|
||||
diff --git a/Doc/library/urllib2.rst b/Doc/library/urllib2.rst
|
||||
--- a/Doc/library/urllib2.rst
|
||||
+++ b/Doc/library/urllib2.rst
|
||||
@@ -229,6 +229,11 @@ The following classes are provided:
|
||||
|
||||
To disable autodetected proxy pass an empty dictionary.
|
||||
|
||||
+ .. note::
|
||||
+
|
||||
+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set;
|
||||
+ see the documentation on :func:`~urllib.getproxies`.
|
||||
+
|
||||
|
||||
.. class:: HTTPPasswordMgr()
|
||||
|
||||
diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
|
||||
--- a/Lib/test/test_urllib.py
|
||||
+++ b/Lib/test/test_urllib.py
|
||||
@@ -170,6 +170,18 @@ class ProxyTests(unittest.TestCase):
|
||||
self.assertTrue(urllib.proxy_bypass_environment('anotherdomain.com:8888'))
|
||||
self.assertTrue(urllib.proxy_bypass_environment('newdomain.com:1234'))
|
||||
|
||||
+ def test_proxy_cgi_ignore(self):
|
||||
+ try:
|
||||
+ self.env.set('HTTP_PROXY', 'http://somewhere:3128')
|
||||
+ proxies = urllib.getproxies_environment()
|
||||
+ self.assertEqual('http://somewhere:3128', proxies['http'])
|
||||
+ self.env.set('REQUEST_METHOD', 'GET')
|
||||
+ proxies = urllib.getproxies_environment()
|
||||
+ self.assertNotIn('http', proxies)
|
||||
+ finally:
|
||||
+ self.env.unset('REQUEST_METHOD')
|
||||
+ self.env.unset('HTTP_PROXY')
|
||||
+
|
||||
def test_proxy_bypass_environment_host_match(self):
|
||||
bypass = urllib.proxy_bypass_environment
|
||||
self.env.set('NO_PROXY',
|
||||
diff --git a/Lib/urllib.py b/Lib/urllib.py
|
||||
--- a/Lib/urllib.py
|
||||
+++ b/Lib/urllib.py
|
||||
@@ -1380,12 +1380,21 @@ def getproxies_environment():
|
||||
If you need a different way, you can pass a proxies dictionary to the
|
||||
[Fancy]URLopener constructor.
|
||||
"""
|
||||
+ # Get all variables
|
||||
proxies = {}
|
||||
for name, value in os.environ.items():
|
||||
name = name.lower()
|
||||
if value and name[-6:] == '_proxy':
|
||||
proxies[name[:-6]] = value
|
||||
|
||||
+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY
|
||||
+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:"
|
||||
+ # header from the client
|
||||
+ # If "proxy" is lowercase, it will still be used thanks to the next block
|
||||
+ if 'REQUEST_METHOD' in os.environ:
|
||||
+ proxies.pop('http', None)
|
||||
+
|
||||
+ # Get lowercase variables
|
||||
for name, value in os.environ.items():
|
||||
if name[-6:] == '_proxy':
|
||||
name = name.lower()
|
||||
|
68
python.spec
68
python.spec
|
@ -108,7 +108,7 @@ Summary: An interpreted, interactive, object-oriented programming language
|
|||
Name: %{python}
|
||||
# Remember to also rebase python-docs when changing this:
|
||||
Version: 2.7.12
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: Python
|
||||
Group: Development/Languages
|
||||
Requires: %{python}-libs%{?_isa} = %{version}-%{release}
|
||||
|
@ -915,27 +915,35 @@ Patch198: 00198-add-rewheel-module.patch
|
|||
Patch200: 00200-skip-thread-test.patch
|
||||
|
||||
# 00209 #
|
||||
# Fix test breakage with version 2.2.0 of Expat
|
||||
# rhbz#1353919: https://bugzilla.redhat.com/show_bug.cgi?id=1353919
|
||||
# FIXED UPSTREAM: http://bugs.python.org/issue27369
|
||||
Patch209: 00209-fix-test-pyexpat-failure.patch
|
||||
|
||||
# 00237 #
|
||||
# CVE-2016-0772 python: smtplib StartTLS stripping attack
|
||||
# rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
|
||||
# rhbz#1346344: https://bugzilla.redhat.com/show_bug.cgi?id=1346344
|
||||
# FIXED UPSTREAM: https://hg.python.org/cpython/rev/b3ce713fb9be
|
||||
# Raise an error when STARTTLS fails
|
||||
# Patch237: 00237-Raise-an-error-when-STARTTLS-fails.patch
|
||||
|
||||
# 00241 #
|
||||
# CVE-2016-5636: http://seclists.org/oss-sec/2016/q2/560
|
||||
# rhbz#1345858: https://bugzilla.redhat.com/show_bug.cgi?id=1345858
|
||||
# https://hg.python.org/cpython/rev/985fc64c60d6/
|
||||
# https://hg.python.org/cpython/rev/2edbdb79cd6d
|
||||
# Fix possible integer overflow and heap corruption in zipimporter.get_data()
|
||||
# FIXED UPSTREAM: https://bugs.python.org/issue26171
|
||||
#Patch209: 00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch
|
||||
#Patch241: 00241-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch
|
||||
|
||||
# 00210 #
|
||||
# CVE-2016-0772 python: smtplib StartTLS stripping attack
|
||||
# rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
|
||||
# rhbz#1346344: https://bugzilla.redhat.com/show_bug.cgi?id=1346344
|
||||
# FIXED UPSTREAM: https://hg.python.org/cpython/rev/b3ce713fb9be
|
||||
# Raise an error when STARTTLS fails
|
||||
# Patch210: 00210-Raise-an-error-when-STARTTLS-fails.patch
|
||||
|
||||
# 00211 #
|
||||
# Fix test breakage with version 2.2.0 of Expat
|
||||
# rhbz#1353919: https://bugzilla.redhat.com/show_bug.cgi?id=1353919
|
||||
# FIXED UPSTREAM: http://bugs.python.org/issue27369
|
||||
Patch211: 00211-fix-test-pyexpat-failure.patch
|
||||
# 00242 #
|
||||
# HTTPoxy attack (CVE-2016-1000110)
|
||||
# https://httpoxy.org/
|
||||
# FIXED UPSTREAM: http://bugs.python.org/issue27568
|
||||
# Based on a patch by Rémi Rampin
|
||||
# Resolves: rhbz#1359175
|
||||
Patch242: 00242-CVE-2016-1000110-httpoxy.patch
|
||||
|
||||
# 00243 #
|
||||
# Patch243: 00243-fix-mips64-triplet.patch
|
||||
|
@ -943,23 +951,12 @@ Patch211: 00211-fix-test-pyexpat-failure.patch
|
|||
|
||||
# (New patches go here ^^^)
|
||||
#
|
||||
# When adding new patches to "python" and "python3" in Fedora 17 onwards,
|
||||
# please try to keep the patch numbers in-sync between the two specfiles:
|
||||
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
||||
# please try to keep the patch numbers in-sync between all specfiles.
|
||||
#
|
||||
# - use the same patch number across both specfiles for conceptually-equivalent
|
||||
# fixes, ideally with the same name
|
||||
# More information, and a patch number catalog, is at:
|
||||
#
|
||||
# - when a patch is relevant to both specfiles, use the same introductory
|
||||
# comment in both specfiles where possible (to improve "diff" output when
|
||||
# comparing them)
|
||||
#
|
||||
# - when a patch is only relevant for one of the two specfiles, leave a gap
|
||||
# in the patch numbering in the other specfile, adding a comment when
|
||||
# omitting a patch, both in the manifest section here, and in the "prep"
|
||||
# phase below
|
||||
#
|
||||
# Hopefully this will make it easier to ensure that all relevant fixes are
|
||||
# applied to both versions.
|
||||
# https://fedoraproject.org/wiki/SIGs/Python/PythonPatches
|
||||
|
||||
# This is the generated patch to "configure"; see the description of
|
||||
# %{regenerate_autotooling_patch}
|
||||
|
@ -1305,9 +1302,10 @@ mv Modules/cryptmodule.c Modules/_cryptmodule.c
|
|||
%patch198 -p1
|
||||
%endif
|
||||
%patch200 -p1
|
||||
# 00209: upstream as of Python 2.7.12
|
||||
# 00210: upstream as of Python 2.7.12
|
||||
%patch211 -p1
|
||||
%patch209 -p1
|
||||
# 00237: upstream as of Python 2.7.12
|
||||
# 00241: upstream as of Python 2.7.12
|
||||
%patch242 -p1
|
||||
|
||||
|
||||
# This shouldn't be necesarry, but is right now (2.2a3)
|
||||
|
@ -2162,6 +2160,10 @@ rm -fr %{buildroot}
|
|||
# ======================================================
|
||||
|
||||
%changelog
|
||||
* Tue Aug 09 2016 Charalampos Stratakis <cstratak@redhat.com> - 2.7.12-3
|
||||
- Fix for CVE-2016-1000110 HTTPoxy attack
|
||||
- SPEC file cleanup
|
||||
|
||||
* Mon Aug 01 2016 Michal Toman <mtoman@fedoraproject.org> - 2.7.12-2
|
||||
- Build properly on MIPS
|
||||
|
||||
|
|
Loading…
Reference in New Issue