Fix for: CVE-2016-0772 python: smtplib StartTLS stripping attack (rhbz#1303647)

Raise an error when STARTTLS fails.

- rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
- rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
- Fixed upstream: https://hg.python.org/cpython/rev/d590114c2394

00202-fix-undefined-behaviour-in-faulthandler.patch

@@ -0,0 +1,41 @@
+
+# HG changeset patch
+# User Victor Stinner <victor.stinner@gmail.com>
+# Date 1423661015 -3600
+# Node ID 689092296ad31951f8f919fc06b49450e648e93d
+# Parent  645f3d750be139ce0198e15e221da07b22289a92
+Issue #23433: Fix faulthandler._stack_overflow()
+
+Fix undefined behaviour: don't compare pointers. Use Py_uintptr_t type instead
+of void*. It fixes test_faulthandler on Fedora 22 which now uses GCC 5.
+
+diff --git a/Modules/faulthandler.c b/Modules/faulthandler.c
+--- a/Modules/faulthandler.c
++++ b/Modules/faulthandler.c
+@@ -911,12 +911,12 @@ faulthandler_fatal_error_py(PyObject *se
+ }
+ 
+ #if defined(HAVE_SIGALTSTACK) && defined(HAVE_SIGACTION)
+-static void*
+-stack_overflow(void *min_sp, void *max_sp, size_t *depth)
++static Py_uintptr_t
++stack_overflow(Py_uintptr_t min_sp, Py_uintptr_t max_sp, size_t *depth)
+ {
+     /* allocate 4096 bytes on the stack at each call */
+     unsigned char buffer[4096];
+-    void *sp = &buffer;
++    Py_uintptr_t sp = (Py_uintptr_t)&buffer;
+     *depth += 1;
+     if (sp < min_sp || max_sp < sp)
+         return sp;
+@@ -929,7 +929,8 @@ static PyObject *
+ faulthandler_stack_overflow(PyObject *self)
+ {
+     size_t depth, size;
+-    char *sp = (char *)&depth, *stop;
++    Py_uintptr_t sp = (Py_uintptr_t)&depth;
++    Py_uintptr_t stop;
+ 
+     depth = 0;
+     stop = stack_overflow(sp - STACK_OVERFLOW_MAX_SIZE,
+

00204-increase-dh-keys-size.patch

@@ -0,0 +1,49 @@
+
+# HG changeset patch
+# User Benjamin Peterson <benjamin@python.org>
+# Date 1427947446 14400
+# Node ID 1ad7c0253abe1252128d61c3d0127d22144cb354
+# Parent  47451f6e7e7528a6647dbdc435e9a9f5c13c0080
+replace 512 bit dh key with a 2014 bit one (closes #23844)
+
+Patch by Cédric Krier.
+
+diff --git a/Lib/test/dh1024.pem b/Lib/test/dh1024.pem
+new file mode 100644
+--- /dev/null
++++ b/Lib/test/dh1024.pem
+@@ -0,0 +1,7 @@
++-----BEGIN DH PARAMETERS-----
++MIGHAoGBAIbzw1s9CT8SV5yv6L7esdAdZYZjPi3qWFs61CYTFFQnf2s/d09NYaJt
++rrvJhIzWavqnue71qXCf83/J3nz3FEwUU/L0mGyheVbsSHiI64wUo3u50wK5Igo0
++RNs/LD0irs7m0icZ//hijafTU+JOBiuA8zMI+oZfU7BGuc9XrUprAgEC
++-----END DH PARAMETERS-----
++
++Generated with: openssl dhparam -out dh1024.pem  1024
+diff --git a/Lib/test/dh512.pem b/Lib/test/dh512.pem
+deleted file mode 100644
+--- a/Lib/test/dh512.pem
++++ /dev/null
+@@ -1,9 +0,0 @@
+------BEGIN DH PARAMETERS-----
+-MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak
+-XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC
+------END DH PARAMETERS-----
+-
+-These are the 512 bit DH parameters from "Assigned Number for SKIP Protocols"
+-(http://www.skip-vpn.org/spec/numbers.html).
+-See there for how they were generated.
+-Note that g is not a generator, but this is not a problem since p is a safe prime.
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -64,7 +64,7 @@ BADKEY = data_file("badkey.pem")
+ NOKIACERT = data_file("nokia.pem")
+ NULLBYTECERT = data_file("nullbytecert.pem")
+ 
+-DHFILE = data_file("dh512.pem")
++DHFILE = data_file("dh1024.pem")
+ BYTES_DHFILE = os.fsencode(DHFILE)
+ 
+ 
+

00209-prevent-buffer-overflow-in-zipimport-module.patch

@@ -0,0 +1,16 @@
+diff --git a/Modules/zipimport.c b/Modules/zipimport.c
+index 06abb31..914bf5d 100644
+--- a/Modules/zipimport.c
++++ b/Modules/zipimport.c
+@@ -1112,6 +1112,11 @@ get_data(PyObject *archive, PyObject *toc_entry)
+     }
+     file_offset += l;           /* Start of file data */
+ 
++    if (data_size > LONG_MAX - 1) {
++        fclose(fp);
++        PyErr_NoMemory();
++        return NULL;
++    }
+     bytes_size = compress == 0 ? data_size : data_size + 1;
+     if (bytes_size == 0)
+         bytes_size++;

00210-Raise-an-error-when-STARTTLS-fails.patch

@@ -0,0 +1,35 @@
+From 761db274ca898f8a92348ed5979d3d3c1b0d634a Mon Sep 17 00:00:00 2001
+From: Tomas Orsava <torsava@redhat.com>
+Date: Fri, 17 Jun 2016 16:08:11 +0200
+Subject: [PATCH] Raise an error when STARTTLS fails
+
+CVE-2016-0772 python: smtplib StartTLS stripping attack
+rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
+rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
+
+Based on an upstream change by Benjamin Peterson <benjamin@python.org>
+- in changeset 101887:d590114c2394 3.4
+- https://hg.python.org/cpython/rev/d590114c2394
+---
+ Lib/smtplib.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/Lib/smtplib.py b/Lib/smtplib.py
+index 4756973..dfbf5f9 100755
+--- a/Lib/smtplib.py
++++ b/Lib/smtplib.py
+@@ -773,6 +773,11 @@ class SMTP:
+             self.ehlo_resp = None
+             self.esmtp_features = {}
+             self.does_esmtp = 0
++        else:
++            # RFC 3207:
++            # 501 Syntax error (no parameters allowed)
++            # 454 TLS not available due to temporary reason
++            raise SMTPResponseException(resp, reply)
+         return (resp, reply)
+ 
+     def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
+-- 
+2.5.5
+

macros.python3

@@ -4,3 +4,13 @@
 %python3_version %(%{__python3} -c "import sys; sys.stdout.write(sys.version[:3])")
 %python3_version_nodots %(%{__python3} -c "import sys; sys.stdout.write(sys.version[:3].replace('.',''))")
 %py3dir %{_builddir}/python3-%{name}-%{version}-%{release}
+
+%py3_shbang_opts -s
+
+%py3_build() %{expand:\
+CFLAGS="%{optflags}" %{__python3} %{py_setup} %{?py_setup_args} build --executable="%{__python3} %{py3_shbang_opts}" %{?1}\
+}
+
+%py3_install() %{expand:\
+CFLAGS="%{optflags}" %{__python3} %{py_setup} %{?py_setup_args} install -O1 --skip-build --root %{buildroot} %{?1}\
+}

python3.spec

@@ -140,7 +140,7 @@
 Summary: Version 3 of the Python programming language aka Python 3000
 Name: python3
 Version: %{pybasever}.2
-Release: 4%{?dist}
+Release: 8%{?dist}
 License: Python
 Group: Development/Languages
 
@@ -722,6 +722,27 @@ Patch200: 00200-gettext-plural-fix.patch
 # Note: Backported from scl
 Patch201: 00201-fix-memory-leak-in-gdbm.patch 
 
+# 00202 #
+# Fixes undefined behaviour in faulthandler which caused test to hang on x86_64
+# http://bugs.python.org/issue23433
+Patch202: 00202-fix-undefined-behaviour-in-faulthandler.patch
+
+# openssl requires DH keys to be > 768bits
+Patch204: 00204-increase-dh-keys-size.patch
+
+# https://bugs.python.org/issue26171
+# https://hg.python.org/cpython/rev/10dad6da1b28/
+# Fix possible integer overflow and heap corruption in zipimporter.get_data()
+# FIXED UPSTREAM
+Patch209: 00209-prevent-buffer-overflow-in-zipimport-module.patch
+
+# 00210 #
+# CVE-2016-0772 python: smtplib StartTLS stripping attack
+# rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
+# rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
+# FIXED UPSTREAM: https://hg.python.org/cpython/rev/d590114c2394
+# Raise an error when STARTTLS fails
+Patch210: 00210-Raise-an-error-when-STARTTLS-fails.patch
 
 # (New patches go here ^^^)
 #
@@ -791,10 +812,12 @@ Summary: Libraries and header files needed for Python 3 development
 Group: Development/Libraries
 Requires: %{name} = %{version}-%{release}
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+BuildRequires: python-macros
+Requires: python-macros
 Conflicts: %{name} < %{version}-%{release}
 
 %description devel
-This package contains libraries and header files used to build applications 
+This package contains libraries and header files used to build applications
 with and native libraries for Python 3
 
 %package tools
@@ -900,6 +923,11 @@ for f in md5module.c sha1module.c sha256module.c sha512module.c; do
     rm Modules/$f
 done
 
+%if 0%{with_rewheel}
+%global pip_version 6.0.8
+sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/ensurepip/__init__.py
+%endif
+
 #
 # Apply patches:
 #
@@ -1002,6 +1030,11 @@ done
 %patch196 -p1
 # 00197: upstream as of Python 3.4.2
 %patch199 -p1
+%patch202 -p1
+%patch204 -p1
+
+%patch209 -p1
+%patch210 -p1
 
 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
 # are many differences between 2.6 and the Python 3 library.
@@ -1119,7 +1152,8 @@ BuildPython debug \
 %else
   "--with-pydebug --with-count-allocs --with-call-profile --without-ensurepip" \
 %endif
-  false
+  false \
+  -O0
 %endif # with_debug_build
 
 BuildPython optimized \
@@ -1192,7 +1226,8 @@ make install DESTDIR=%{buildroot} INSTALL="install -p"
 # Install the "debug" build first, so that we can move some files aside
 %if 0%{?with_debug_build}
 InstallPython debug \
-  %{py_INSTSONAME_debug}
+  %{py_INSTSONAME_debug} \
+  -O0
 %endif # with_debug_build
 
 # Now the optimized build:
@@ -1457,7 +1492,7 @@ CheckPython() {
     %ifarch ppc64le aarch64
     -x test_faulthandler \
     %endif
-    %ifarch %{power64} s390 s390x
+    %ifarch %{power64} s390 s390x armv7hl aarch64
     -x test_gdb
     %endif
 
@@ -1890,6 +1925,31 @@ rm -fr %{buildroot}
 # ======================================================
 
 %changelog
+* Thu Jun 16 2016 Tomas Orsava <torsava@redhat.com> - 3.4.2-8
+- Fix for: CVE-2016-0772 python: smtplib StartTLS stripping attack
+- Raise an error when STARTTLS fails
+- rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
+- rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
+- Fixed upstream: https://hg.python.org/cpython/rev/d590114c2394
+
+* Mon Jun 13 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.4.2-7
+- Added patch for fixing possible integer overflow and heap corruption in zipimporter.get_data()
+
+* Thu Jul 09 2015 Thomas Spura <tomspur@fedoraproject.org> - 3.4.2-6
+- sync with master branch to backport some fixes
+- Use 1024bit DH key in test_ssl (Matej Stuchlik)
+- Use -O0 when compiling -debug build (Matej Stuchlik)
+- Update pip version variable to the version we actually ship (Matej Stuchlik)
+- Fixed undefined behaviour in faulthandler which caused test to hang on x86_64
+  (http://bugs.python.org/issue23433) (Matej Stuchlik)
+- Disable test_gdb on aarch64 (rhbz#1196181), it joins all other non x86 arches
+  (Peter Robinson)
+- Also disable gdb test on armv7hl
+
+* Mon Jun 29 2015 Thomas Spura <tomspur@fedoraproject.org> - 3.4.2-5
+- python3-devel: Require python-macros for version independant macros such as
+  python_provide. See fpc#281 and fpc#534.
+
 * Mon Jan 12 2015 Dan Horák <dan[at]danny.cz> - 3.4.2-4
 - build with valgrind on ppc64le
 - disable test_gdb on s390(x) until rhbz#1181034 is resolved