Rebase to 3.7.3rc1
Patches merged upstream: 317, 320 Patches rebased: 189 (pip and setuptools versions only)
This commit is contained in:
parent
ff4d48f430
commit
45a4368c6e
|
@ -16,9 +16,9 @@ index 4748ba4..fc02255 100644
|
|||
|
||||
+_WHEEL_DIR = "/usr/share/python-wheels/"
|
||||
|
||||
-_SETUPTOOLS_VERSION = "40.6.2"
|
||||
-_SETUPTOOLS_VERSION = "40.8.0"
|
||||
|
||||
-_PIP_VERSION = "18.1"
|
||||
-_PIP_VERSION = "19.0.3"
|
||||
+def _get_most_recent_wheel_version(pkg):
|
||||
+ prefix = os.path.join(_WHEEL_DIR, "{}-".format(pkg))
|
||||
+ suffix = "-py2.py3-none-any.whl"
|
||||
|
|
|
@ -1,111 +0,0 @@
|
|||
From c660debb97f4f422255a82fef2d77804552c043a Mon Sep 17 00:00:00 2001
|
||||
From: Christian Heimes <christian@python.org>
|
||||
Date: Tue, 15 Jan 2019 18:16:30 +0100
|
||||
Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser
|
||||
|
||||
CVE-2019-5010, Fix a NULL pointer deref in ssl module. The cert parser did
|
||||
not handle CRL distribution points with empty DP or URI correctly. A
|
||||
malicious or buggy certificate can result into segfault.
|
||||
|
||||
Signed-off-by: Christian Heimes <christian@python.org>
|
||||
---
|
||||
Lib/test/talos-2019-0758.pem | 22 +++++++++++++++++++
|
||||
Lib/test/test_ssl.py | 22 +++++++++++++++++++
|
||||
.../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++
|
||||
Modules/_ssl.c | 4 ++++
|
||||
4 files changed, 51 insertions(+)
|
||||
create mode 100644 Lib/test/talos-2019-0758.pem
|
||||
create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
|
||||
|
||||
diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem
|
||||
new file mode 100644
|
||||
index 000000000000..13b95a77fd8a
|
||||
--- /dev/null
|
||||
+++ b/Lib/test/talos-2019-0758.pem
|
||||
@@ -0,0 +1,22 @@
|
||||
+-----BEGIN CERTIFICATE-----
|
||||
+MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO
|
||||
+BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7
|
||||
+MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh
|
||||
+bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB
|
||||
+J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES
|
||||
+V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD
|
||||
+5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C
|
||||
+1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP
|
||||
+WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF
|
||||
+j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp
|
||||
+HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io
|
||||
+UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7
|
||||
+2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu
|
||||
+bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG
|
||||
+SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p
|
||||
+t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr
|
||||
+t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit
|
||||
+p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV
|
||||
+Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+
|
||||
+10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA==
|
||||
+-----END CERTIFICATE-----
|
||||
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
|
||||
index 7f6b93148f45..1fc657f4d867 100644
|
||||
--- a/Lib/test/test_ssl.py
|
||||
+++ b/Lib/test/test_ssl.py
|
||||
@@ -115,6 +115,7 @@ def data_file(*name):
|
||||
BADKEY = data_file("badkey.pem")
|
||||
NOKIACERT = data_file("nokia.pem")
|
||||
NULLBYTECERT = data_file("nullbytecert.pem")
|
||||
+TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")
|
||||
|
||||
DHFILE = data_file("ffdh3072.pem")
|
||||
BYTES_DHFILE = os.fsencode(DHFILE)
|
||||
@@ -348,6 +349,27 @@ def test_parse_cert(self):
|
||||
self.assertEqual(p['crlDistributionPoints'],
|
||||
('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))
|
||||
|
||||
+ def test_parse_cert_CVE_2019_5010(self):
|
||||
+ p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
|
||||
+ if support.verbose:
|
||||
+ sys.stdout.write("\n" + pprint.pformat(p) + "\n")
|
||||
+ self.assertEqual(
|
||||
+ p,
|
||||
+ {
|
||||
+ 'issuer': (
|
||||
+ (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
|
||||
+ 'notAfter': 'Jun 14 18:00:58 2028 GMT',
|
||||
+ 'notBefore': 'Jun 18 18:00:58 2018 GMT',
|
||||
+ 'serialNumber': '02',
|
||||
+ 'subject': ((('countryName', 'UK'),),
|
||||
+ (('commonName',
|
||||
+ 'codenomicon-vm-2.test.lal.cisco.com'),)),
|
||||
+ 'subjectAltName': (
|
||||
+ ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
|
||||
+ 'version': 3
|
||||
+ }
|
||||
+ )
|
||||
+
|
||||
def test_parse_cert_CVE_2013_4238(self):
|
||||
p = ssl._ssl._test_decode_cert(NULLBYTECERT)
|
||||
if support.verbose:
|
||||
diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
|
||||
new file mode 100644
|
||||
index 000000000000..dffe347eec84
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
|
||||
@@ -0,0 +1,3 @@
|
||||
+[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did
|
||||
+not handle CRL distribution points with empty DP or URI correctly. A
|
||||
+malicious or buggy certificate can result into segfault.
|
||||
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
|
||||
index 4e3352d9e661..0e720e268d93 100644
|
||||
--- a/Modules/_ssl.c
|
||||
+++ b/Modules/_ssl.c
|
||||
@@ -1515,6 +1515,10 @@ _get_crl_dp(X509 *certificate) {
|
||||
STACK_OF(GENERAL_NAME) *gns;
|
||||
|
||||
dp = sk_DIST_POINT_value(dps, i);
|
||||
+ if (dp->distpoint == NULL) {
|
||||
+ /* Ignore empty DP value, CVE-2019-5010 */
|
||||
+ continue;
|
||||
+ }
|
||||
gns = dp->distpoint->name.fullname;
|
||||
|
||||
for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {
|
|
@ -1,150 +0,0 @@
|
|||
From daad2c482c91de32d8305abbccc76a5de8b3a8be Mon Sep 17 00:00:00 2001
|
||||
From: Steve Dower <steve.dower@microsoft.com>
|
||||
Date: Thu, 7 Mar 2019 09:08:18 -0800
|
||||
Subject: [PATCH] bpo-36216: Add check for characters in netloc that normalize
|
||||
to separators (GH-12201)
|
||||
|
||||
---
|
||||
Doc/library/urllib.parse.rst | 18 +++++++++++++++
|
||||
Lib/test/test_urlparse.py | 23 +++++++++++++++++++
|
||||
Lib/urllib/parse.py | 17 ++++++++++++++
|
||||
.../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst | 3 +++
|
||||
4 files changed, 61 insertions(+)
|
||||
create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
|
||||
|
||||
diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst
|
||||
index 0c8f0f607314..b565e1edd321 100644
|
||||
--- a/Doc/library/urllib.parse.rst
|
||||
+++ b/Doc/library/urllib.parse.rst
|
||||
@@ -124,6 +124,11 @@ or on combining URL components into a URL string.
|
||||
Unmatched square brackets in the :attr:`netloc` attribute will raise a
|
||||
:exc:`ValueError`.
|
||||
|
||||
+ Characters in the :attr:`netloc` attribute that decompose under NFKC
|
||||
+ normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
|
||||
+ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
|
||||
+ decomposed before parsing, no error will be raised.
|
||||
+
|
||||
.. versionchanged:: 3.2
|
||||
Added IPv6 URL parsing capabilities.
|
||||
|
||||
@@ -136,6 +141,10 @@ or on combining URL components into a URL string.
|
||||
Out-of-range port numbers now raise :exc:`ValueError`, instead of
|
||||
returning :const:`None`.
|
||||
|
||||
+ .. versionchanged:: 3.7.3
|
||||
+ Characters that affect netloc parsing under NFKC normalization will
|
||||
+ now raise :exc:`ValueError`.
|
||||
+
|
||||
|
||||
.. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None)
|
||||
|
||||
@@ -257,10 +266,19 @@ or on combining URL components into a URL string.
|
||||
Unmatched square brackets in the :attr:`netloc` attribute will raise a
|
||||
:exc:`ValueError`.
|
||||
|
||||
+ Characters in the :attr:`netloc` attribute that decompose under NFKC
|
||||
+ normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
|
||||
+ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
|
||||
+ decomposed before parsing, no error will be raised.
|
||||
+
|
||||
.. versionchanged:: 3.6
|
||||
Out-of-range port numbers now raise :exc:`ValueError`, instead of
|
||||
returning :const:`None`.
|
||||
|
||||
+ .. versionchanged:: 3.7.3
|
||||
+ Characters that affect netloc parsing under NFKC normalization will
|
||||
+ now raise :exc:`ValueError`.
|
||||
+
|
||||
|
||||
.. function:: urlunsplit(parts)
|
||||
|
||||
diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
|
||||
index be50b47603aa..e6638aee2244 100644
|
||||
--- a/Lib/test/test_urlparse.py
|
||||
+++ b/Lib/test/test_urlparse.py
|
||||
@@ -1,3 +1,5 @@
|
||||
+import sys
|
||||
+import unicodedata
|
||||
import unittest
|
||||
import urllib.parse
|
||||
|
||||
@@ -984,6 +986,27 @@ def test_all(self):
|
||||
expected.append(name)
|
||||
self.assertCountEqual(urllib.parse.__all__, expected)
|
||||
|
||||
+ def test_urlsplit_normalization(self):
|
||||
+ # Certain characters should never occur in the netloc,
|
||||
+ # including under normalization.
|
||||
+ # Ensure that ALL of them are detected and cause an error
|
||||
+ illegal_chars = '/:#?@'
|
||||
+ hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}
|
||||
+ denorm_chars = [
|
||||
+ c for c in map(chr, range(128, sys.maxunicode))
|
||||
+ if (hex_chars & set(unicodedata.decomposition(c).split()))
|
||||
+ and c not in illegal_chars
|
||||
+ ]
|
||||
+ # Sanity check that we found at least one such character
|
||||
+ self.assertIn('\u2100', denorm_chars)
|
||||
+ self.assertIn('\uFF03', denorm_chars)
|
||||
+
|
||||
+ for scheme in ["http", "https", "ftp"]:
|
||||
+ for c in denorm_chars:
|
||||
+ url = "{}://netloc{}false.netloc/path".format(scheme, c)
|
||||
+ with self.subTest(url=url, char='{:04X}'.format(ord(c))):
|
||||
+ with self.assertRaises(ValueError):
|
||||
+ urllib.parse.urlsplit(url)
|
||||
|
||||
class Utility_Tests(unittest.TestCase):
|
||||
"""Testcase to test the various utility functions in the urllib."""
|
||||
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
|
||||
index f691ab74f87f..39c5d6a80824 100644
|
||||
--- a/Lib/urllib/parse.py
|
||||
+++ b/Lib/urllib/parse.py
|
||||
@@ -391,6 +391,21 @@ def _splitnetloc(url, start=0):
|
||||
delim = min(delim, wdelim) # use earliest delim position
|
||||
return url[start:delim], url[delim:] # return (domain, rest)
|
||||
|
||||
+def _checknetloc(netloc):
|
||||
+ if not netloc or netloc.isascii():
|
||||
+ return
|
||||
+ # looking for characters like \u2100 that expand to 'a/c'
|
||||
+ # IDNA uses NFKC equivalence, so normalize for this check
|
||||
+ import unicodedata
|
||||
+ netloc2 = unicodedata.normalize('NFKC', netloc)
|
||||
+ if netloc == netloc2:
|
||||
+ return
|
||||
+ _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
|
||||
+ for c in '/?#@:':
|
||||
+ if c in netloc2:
|
||||
+ raise ValueError("netloc '" + netloc2 + "' contains invalid " +
|
||||
+ "characters under NFKC normalization")
|
||||
+
|
||||
def urlsplit(url, scheme='', allow_fragments=True):
|
||||
"""Parse a URL into 5 components:
|
||||
<scheme>://<netloc>/<path>?<query>#<fragment>
|
||||
@@ -419,6 +434,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
|
||||
url, fragment = url.split('#', 1)
|
||||
if '?' in url:
|
||||
url, query = url.split('?', 1)
|
||||
+ _checknetloc(netloc)
|
||||
v = SplitResult('http', netloc, url, query, fragment)
|
||||
_parse_cache[key] = v
|
||||
return _coerce_result(v)
|
||||
@@ -442,6 +458,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
|
||||
url, fragment = url.split('#', 1)
|
||||
if '?' in url:
|
||||
url, query = url.split('?', 1)
|
||||
+ _checknetloc(netloc)
|
||||
v = SplitResult(scheme, netloc, url, query, fragment)
|
||||
_parse_cache[key] = v
|
||||
return _coerce_result(v)
|
||||
diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
|
||||
new file mode 100644
|
||||
index 000000000000..5546394157f9
|
||||
--- /dev/null
|
||||
+++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
|
||||
@@ -0,0 +1,3 @@
|
||||
+Changes urlsplit() to raise ValueError when the URL contains characters that
|
||||
+decompose under IDNA encoding (NFKC-normalization) into characters that
|
||||
+affect how the URL is parsed.
|
34
python3.spec
34
python3.spec
|
@ -13,8 +13,11 @@ URL: https://www.python.org/
|
|||
|
||||
# WARNING When rebasing to a new Python version,
|
||||
# remember to update the python3-docs package as well
|
||||
Version: %{pybasever}.2
|
||||
Release: 8%{?dist}
|
||||
%global general_version %{pybasever}.3
|
||||
%global prerel rc1
|
||||
%global upstream_version %{general_version}%{?prerel}
|
||||
Version: %{general_version}%{?prerel:~%{prerel}}
|
||||
Release: 1%{?dist}
|
||||
License: Python
|
||||
|
||||
|
||||
|
@ -198,7 +201,7 @@ BuildRequires: python-pip-wheel
|
|||
# Source code and patches
|
||||
# =======================
|
||||
|
||||
Source: https://www.python.org/ftp/python/%{version}/Python-%{version}%{?prerel}.tar.xz
|
||||
Source: https://www.python.org/ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz
|
||||
|
||||
# A simple script to check timestamps of bytecode files
|
||||
# Run in check section with Python that is currently being built
|
||||
|
@ -300,16 +303,6 @@ Patch274: 00274-fix-arch-names.patch
|
|||
# So we mark the command as unsupported - and the tests are skipped
|
||||
Patch316: 00316-mark-bdist_wininst-unsupported.patch
|
||||
|
||||
# 00317 #
|
||||
# Security fix for CVE-2019-5010: Fix segfault in ssl's cert parser
|
||||
# Fixed upstream https://bugs.python.org/issue35746
|
||||
Patch317: 00317-CVE-2019-5010.patch
|
||||
|
||||
# 00320 #
|
||||
# Security fix for CVE-2019-9636: Information Disclosure due to urlsplit improper NFKC normalization
|
||||
# Fixed upstream https://bugs.python.org/issue36216
|
||||
Patch320: 00320-CVE-2019-9636.patch
|
||||
|
||||
# (New patches go here ^^^)
|
||||
#
|
||||
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
|
||||
|
@ -397,8 +390,8 @@ Summary: Python runtime libraries
|
|||
Requires: python-setuptools-wheel
|
||||
Requires: python-pip-wheel
|
||||
%else
|
||||
Provides: bundled(python3-pip) = 18.1
|
||||
Provides: bundled(python3-setuptools) = 40.6.2
|
||||
Provides: bundled(python3-pip) = 19.0.3
|
||||
Provides: bundled(python3-setuptools) = 40.8.0
|
||||
%endif
|
||||
|
||||
# There are files in the standard library that have python shebang.
|
||||
|
@ -552,8 +545,8 @@ so extensions for both versions can co-exist in the same directory.
|
|||
Requires: python-setuptools-wheel
|
||||
Requires: python-pip-wheel
|
||||
%else
|
||||
Provides: bundled(python3-pip) = 18.1
|
||||
Provides: bundled(python3-setuptools) = 40.6.2
|
||||
Provides: bundled(python3-pip) = 19.0.3
|
||||
Provides: bundled(python3-setuptools) = 40.8.0
|
||||
%endif
|
||||
|
||||
# The description for the flat package
|
||||
|
@ -572,7 +565,7 @@ version once Python %{pybasever} is stable.
|
|||
# ======================================================
|
||||
|
||||
%prep
|
||||
%setup -q -n Python-%{version}%{?prerel}
|
||||
%setup -q -n Python-%{upstream_version}
|
||||
# Remove all exe files to ensure we are not shipping prebuilt binaries
|
||||
# note that those are only used to create Microsoft Windows installers
|
||||
# and that functionality is broken on Linux anyway
|
||||
|
@ -605,8 +598,6 @@ rm Lib/ensurepip/_bundled/*.whl
|
|||
%patch251 -p1
|
||||
%patch274 -p1
|
||||
%patch316 -p1
|
||||
%patch317 -p1
|
||||
%patch320 -p1
|
||||
|
||||
|
||||
# Remove files that should be generated by the build
|
||||
|
@ -1527,6 +1518,9 @@ CheckPython optimized
|
|||
# ======================================================
|
||||
|
||||
%changelog
|
||||
* Thu Mar 21 2019 Miro Hrončok <mhroncok@redhat.com> - 3.7.3~rc1-1
|
||||
- Update to 3.7.3rc1
|
||||
|
||||
* Thu Mar 14 2019 Miro Hrončok <mhroncok@redhat.com> - 3.7.2-8
|
||||
- Security fix for CVE-2019-9636 (#1688543, #1688546)
|
||||
|
||||
|
|
2
sources
2
sources
|
@ -1 +1 @@
|
|||
SHA512 (Python-3.7.2.tar.xz) = 6cd2d6d8455558783b99d55985cd7b22d67b98f41a09b4fdd96f680a630a4e035220d2b903f8c59ed513aa5ffe6730fa947ddb55bb72ce36f0e945ef8af5d971
|
||||
SHA512 (Python-3.7.3rc1.tar.xz) = a0266a414f5a5828587e43e95fad494be2b0ac4563faefc26ef3f36fb19abb8cfe9b845e4ffec7652ac3ce17b7f47d2b89cd2032017d0f607a9fe4a5f08c4da7
|
||||
|
|
Loading…
Reference in New Issue