Fix for: CVE-2016-0772 python: smtplib StartTLS stripping attack (rhbz#1303647)

Raise an error when STARTTLS fails. - rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647 - rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345 - Fixed upstream: https://hg.python.org/cpython/rev/d590114c2394
2016-06-17 16:14:12 +02:00 · 2016-06-17 16:14:12 +02:00 · 35bab9e580
parent afe637f988
commit 35bab9e580
2 changed files with 53 additions and 2 deletions
--- a/00210-Raise-an-error-when-STARTTLS-fails.patch
+++ b/00210-Raise-an-error-when-STARTTLS-fails.patch
@ -0,0 +1,35 @@
+From 761db274ca898f8a92348ed5979d3d3c1b0d634a Mon Sep 17 00:00:00 2001
+From: Tomas Orsava <torsava@redhat.com>
+Date: Fri, 17 Jun 2016 16:08:11 +0200
+Subject: [PATCH] Raise an error when STARTTLS fails
+
+CVE-2016-0772 python: smtplib StartTLS stripping attack
+rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
+rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
+
+Based on an upstream change by Benjamin Peterson <benjamin@python.org>
+- in changeset 101887:d590114c2394 3.4
+- https://hg.python.org/cpython/rev/d590114c2394
+---
+ Lib/smtplib.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/Lib/smtplib.py b/Lib/smtplib.py
+index 4756973..dfbf5f9 100755
+--- a/Lib/smtplib.py
+++ b/Lib/smtplib.py
+@@ -773,6 +773,11 @@ class SMTP:
+             self.ehlo_resp = None
+             self.esmtp_features = {}
+             self.does_esmtp = 0
+        else:
+            # RFC 3207:
+            # 501 Syntax error (no parameters allowed)
+            # 454 TLS not available due to temporary reason
+            raise SMTPResponseException(resp, reply)
+         return (resp, reply)
+ 
+     def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
+-- 
+2.5.5
+
--- a/python3.spec
+++ b/python3.spec
@ -140,7 +140,7 @@
 Summary: Version 3 of the Python programming language aka Python 3000
 Name: python3
 Version: %{pybasever}.2
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: Python
 Group: Development/Languages

@ -736,6 +736,14 @@ Patch204: 00204-increase-dh-keys-size.patch
 # FIXED UPSTREAM
 Patch209: 00209-prevent-buffer-overflow-in-zipimport-module.patch

+# 00210 #
+# CVE-2016-0772 python: smtplib StartTLS stripping attack
+# rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
+# rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
+# FIXED UPSTREAM: https://hg.python.org/cpython/rev/d590114c2394
+# Raise an error when STARTTLS fails
+Patch210: 00210-Raise-an-error-when-STARTTLS-fails.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora 17 onwards,
@ -1026,6 +1034,7 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en
 %patch204 -p1

 %patch209 -p1
+%patch210 -p1

 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
 # are many differences between 2.6 and the Python 3 library.
@ -1916,7 +1925,14 @@ rm -fr %{buildroot}
 # ======================================================

 %changelog
-* Mon Jun 13 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.4.2-6
+* Thu Jun 16 2016 Tomas Orsava <torsava@redhat.com> - 3.4.2-8
+- Fix for: CVE-2016-0772 python: smtplib StartTLS stripping attack
+- Raise an error when STARTTLS fails
+- rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
+- rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
+- Fixed upstream: https://hg.python.org/cpython/rev/d590114c2394
+
+* Mon Jun 13 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.4.2-7
 - Added patch for fixing possible integer overflow and heap corruption in zipimporter.get_data()

 * Thu Jul 09 2015 Thomas Spura <tomspur@fedoraproject.org> - 3.4.2-6