Compare commits
7 Commits
Author | SHA1 | Date |
---|---|---|
Tomas Orsava | 35bab9e580 | |
Charalampos Stratakis | afe637f988 | |
Thomas Spura | b4602e4514 | |
Thomas Spura | 7155a85fdc | |
Thomas Spura | a0d16b6201 | |
Matej Stuchlik | db8996cc76 | |
Thomas Spura | cb053c7ab8 |
|
@ -0,0 +1,41 @@
|
|||
|
||||
# HG changeset patch
|
||||
# User Victor Stinner <victor.stinner@gmail.com>
|
||||
# Date 1423661015 -3600
|
||||
# Node ID 689092296ad31951f8f919fc06b49450e648e93d
|
||||
# Parent 645f3d750be139ce0198e15e221da07b22289a92
|
||||
Issue #23433: Fix faulthandler._stack_overflow()
|
||||
|
||||
Fix undefined behaviour: don't compare pointers. Use Py_uintptr_t type instead
|
||||
of void*. It fixes test_faulthandler on Fedora 22 which now uses GCC 5.
|
||||
|
||||
diff --git a/Modules/faulthandler.c b/Modules/faulthandler.c
|
||||
--- a/Modules/faulthandler.c
|
||||
+++ b/Modules/faulthandler.c
|
||||
@@ -911,12 +911,12 @@ faulthandler_fatal_error_py(PyObject *se
|
||||
}
|
||||
|
||||
#if defined(HAVE_SIGALTSTACK) && defined(HAVE_SIGACTION)
|
||||
-static void*
|
||||
-stack_overflow(void *min_sp, void *max_sp, size_t *depth)
|
||||
+static Py_uintptr_t
|
||||
+stack_overflow(Py_uintptr_t min_sp, Py_uintptr_t max_sp, size_t *depth)
|
||||
{
|
||||
/* allocate 4096 bytes on the stack at each call */
|
||||
unsigned char buffer[4096];
|
||||
- void *sp = &buffer;
|
||||
+ Py_uintptr_t sp = (Py_uintptr_t)&buffer;
|
||||
*depth += 1;
|
||||
if (sp < min_sp || max_sp < sp)
|
||||
return sp;
|
||||
@@ -929,7 +929,8 @@ static PyObject *
|
||||
faulthandler_stack_overflow(PyObject *self)
|
||||
{
|
||||
size_t depth, size;
|
||||
- char *sp = (char *)&depth, *stop;
|
||||
+ Py_uintptr_t sp = (Py_uintptr_t)&depth;
|
||||
+ Py_uintptr_t stop;
|
||||
|
||||
depth = 0;
|
||||
stop = stack_overflow(sp - STACK_OVERFLOW_MAX_SIZE,
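Review bot: With `sp` now a `Py_uintptr_t`, the expression `sp - STACK_OVERFLOW_MAX_SIZE` in faulthandler_stack_overflow() wraps around silently when the stack sits close to the low end of the address space, so the window handed to stack_overflow() can come out inverted. In that case `sp < min_sp || max_sp < sp` is already true on the first call and the helper returns without recursing. The upper bound is passed on a line outside this hunk, so the same concern for `sp + STACK_OVERFLOW_MAX_SIZE` is inferred rather than seen. Clamping the lower bound, e.g. `Py_uintptr_t lower = sp >= STACK_OVERFLOW_MAX_SIZE ? sp - STACK_OVERFLOW_MAX_SIZE : 0;`, and saturating the upper bound the same way would keep the range well-formed.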
|
||||
|
|
@ -0,0 +1,49 @@
|
|||
|
||||
# HG changeset patch
|
||||
# User Benjamin Peterson <benjamin@python.org>
|
||||
# Date 1427947446 14400
|
||||
# Node ID 1ad7c0253abe1252128d61c3d0127d22144cb354
|
||||
# Parent 47451f6e7e7528a6647dbdc435e9a9f5c13c0080
|
||||
replace 512 bit dh key with a 2014 bit one (closes #23844)
|
||||
|
||||
Patch by Cédric Krier.
|
||||
|
||||
diff --git a/Lib/test/dh1024.pem b/Lib/test/dh1024.pem
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/Lib/test/dh1024.pem
|
||||
@@ -0,0 +1,7 @@
|
||||
+-----BEGIN DH PARAMETERS-----
|
||||
+MIGHAoGBAIbzw1s9CT8SV5yv6L7esdAdZYZjPi3qWFs61CYTFFQnf2s/d09NYaJt
|
||||
+rrvJhIzWavqnue71qXCf83/J3nz3FEwUU/L0mGyheVbsSHiI64wUo3u50wK5Igo0
|
||||
+RNs/LD0irs7m0icZ//hijafTU+JOBiuA8zMI+oZfU7BGuc9XrUprAgEC
|
||||
+-----END DH PARAMETERS-----
|
||||
+
|
||||
+Generated with: openssl dhparam -out dh1024.pem 1024
|
||||
diff --git a/Lib/test/dh512.pem b/Lib/test/dh512.pem
|
||||
deleted file mode 100644
|
||||
--- a/Lib/test/dh512.pem
|
||||
+++ /dev/null
|
||||
@@ -1,9 +0,0 @@
|
||||
------BEGIN DH PARAMETERS-----
|
||||
-MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak
|
||||
-XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC
|
||||
------END DH PARAMETERS-----
|
||||
-
|
||||
-These are the 512 bit DH parameters from "Assigned Number for SKIP Protocols"
|
||||
-(http://www.skip-vpn.org/spec/numbers.html).
|
||||
-See there for how they were generated.
|
||||
-Note that g is not a generator, but this is not a problem since p is a safe prime.
|
||||
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
|
||||
--- a/Lib/test/test_ssl.py
|
||||
+++ b/Lib/test/test_ssl.py
|
||||
@@ -64,7 +64,7 @@ BADKEY = data_file("badkey.pem")
|
||||
NOKIACERT = data_file("nokia.pem")
|
||||
NULLBYTECERT = data_file("nullbytecert.pem")
|
||||
|
||||
-DHFILE = data_file("dh512.pem")
|
||||
+DHFILE = data_file("dh1024.pem")
|
||||
BYTES_DHFILE = os.fsencode(DHFILE)
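Review bot: The replacement fixture is 1024-bit (`openssl dhparam -out dh1024.pem 1024`) although the changeset description says "2014 bit", and 1024-bit finite-field DH is below the 2048-bit floor commonly required today. A stricter OpenSSL policy could therefore reject this file the same way the 512-bit one was rejected, and test_ssl would break again. Generating the parameters with `openssl dhparam -out <new-file>.pem 2048` (file name is a placeholder) and pointing `DHFILE` at that file would avoid a repeat, and the description should state the actual size.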
|
||||
|
||||
|
||||
|
|
@ -0,0 +1,16 @@
|
|||
diff --git a/Modules/zipimport.c b/Modules/zipimport.c
|
||||
index 06abb31..914bf5d 100644
|
||||
--- a/Modules/zipimport.c
|
||||
+++ b/Modules/zipimport.c
|
||||
@@ -1112,6 +1112,11 @@ get_data(PyObject *archive, PyObject *toc_entry)
|
||||
}
|
||||
file_offset += l; /* Start of file data */
|
||||
|
||||
+ if (data_size > LONG_MAX - 1) {
|
||||
+ fclose(fp);
|
||||
+ PyErr_NoMemory();
|
||||
+ return NULL;
|
||||
+ }
|
||||
bytes_size = compress == 0 ? data_size : data_size + 1;
|
||||
if (bytes_size == 0)
|
||||
bytes_size++;
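Review bot: The new guard in get_data() bounds `data_size` only from above. Its declaration is outside this hunk, but the `LONG_MAX` comparison suggests a signed `long` taken from the archive's table of contents, in which case a negative value from a malformed archive still reaches `bytes_size = compress == 0 ? data_size : data_size + 1`. Rejecting both ends with `if (data_size < 0 || data_size > LONG_MAX - 1) {` keeps the size arithmetic in range. A one-line comment such as `/* data_size + 1 below must not overflow a long */` would also explain why a corrupt archive is reported through PyErr_NoMemory(). get_data() begins and ends outside the hunk.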
|
|
@ -0,0 +1,35 @@
|
|||
From 761db274ca898f8a92348ed5979d3d3c1b0d634a Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Orsava <torsava@redhat.com>
|
||||
Date: Fri, 17 Jun 2016 16:08:11 +0200
|
||||
Subject: [PATCH] Raise an error when STARTTLS fails
|
||||
|
||||
CVE-2016-0772 python: smtplib StartTLS stripping attack
|
||||
rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
|
||||
rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
|
||||
|
||||
Based on an upstream change by Benjamin Peterson <benjamin@python.org>
|
||||
- in changeset 101887:d590114c2394 3.4
|
||||
- https://hg.python.org/cpython/rev/d590114c2394
|
||||
---
|
||||
Lib/smtplib.py | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/Lib/smtplib.py b/Lib/smtplib.py
|
||||
index 4756973..dfbf5f9 100755
|
||||
--- a/Lib/smtplib.py
|
||||
+++ b/Lib/smtplib.py
|
||||
@@ -773,6 +773,11 @@ class SMTP:
|
||||
self.ehlo_resp = None
|
||||
self.esmtp_features = {}
|
||||
self.does_esmtp = 0
|
||||
+ else:
|
||||
+ # RFC 3207:
|
||||
+ # 501 Syntax error (no parameters allowed)
|
||||
+ # 454 TLS not available due to temporary reason
|
||||
+ raise SMTPResponseException(resp, reply)
|
||||
return (resp, reply)
|
||||
|
||||
def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
|
||||
--
|
||||
2.5.5
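Review bot: The new `else` branch changes the method's contract without documenting or testing it: a non-220 reply to STARTTLS now raises instead of returning `(resp, reply)`. The enclosing method (presumably starttls(); only `class SMTP:` is visible in the hunk header) has its docstring outside this hunk, and it should gain a line such as `Raises SMTPResponseException if the server does not answer STARTTLS with 220.` A regression test with a mock server that replies 454 to STARTTLS would pin the CVE-2016-0772 fix, since the patch touches only Lib/smtplib.py. The docstring should also say that callers catching this exception are expected to abort the session rather than continue without TLS.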
|
||||
|
|
@ -4,3 +4,13 @@
|
|||
%python3_version %(%{__python3} -c "import sys; sys.stdout.write(sys.version[:3])")
|
||||
%python3_version_nodots %(%{__python3} -c "import sys; sys.stdout.write(sys.version[:3].replace('.',''))")
|
||||
%py3dir %{_builddir}/python3-%{name}-%{version}-%{release}
|
||||
|
||||
%py3_shbang_opts -s
|
||||
|
||||
%py3_build() %{expand:\
|
||||
CFLAGS="%{optflags}" %{__python3} %{py_setup} %{?py_setup_args} build --executable="%{__python3} %{py3_shbang_opts}" %{?1}\
|
||||
}
|
||||
|
||||
%py3_install() %{expand:\
|
||||
CFLAGS="%{optflags}" %{__python3} %{py_setup} %{?py_setup_args} install -O1 --skip-build --root %{buildroot} %{?1}\
|
||||
}
|
||||
|
|
70
python3.spec
70
python3.spec
|
@ -140,7 +140,7 @@
|
|||
Summary: Version 3 of the Python programming language aka Python 3000
|
||||
Name: python3
|
||||
Version: %{pybasever}.2
|
||||
Release: 4%{?dist}
|
||||
Release: 8%{?dist}
|
||||
License: Python
|
||||
Group: Development/Languages
|
||||
|
||||
|
@ -722,6 +722,27 @@ Patch200: 00200-gettext-plural-fix.patch
|
|||
# Note: Backported from scl
|
||||
Patch201: 00201-fix-memory-leak-in-gdbm.patch
|
||||
|
||||
# 00202 #
|
||||
# Fixes undefined behaviour in faulthandler which caused test to hang on x86_64
|
||||
# http://bugs.python.org/issue23433
|
||||
Patch202: 00202-fix-undefined-behaviour-in-faulthandler.patch
|
||||
|
||||
# openssl requires DH keys to be > 768bits
|
||||
Patch204: 00204-increase-dh-keys-size.patch
|
||||
|
||||
# https://bugs.python.org/issue26171
|
||||
# https://hg.python.org/cpython/rev/10dad6da1b28/
|
||||
# Fix possible integer overflow and heap corruption in zipimporter.get_data()
|
||||
# FIXED UPSTREAM
|
||||
Patch209: 00209-prevent-buffer-overflow-in-zipimport-module.patch
|
||||
|
||||
# 00210 #
|
||||
# CVE-2016-0772 python: smtplib StartTLS stripping attack
|
||||
# rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
|
||||
# rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
|
||||
# FIXED UPSTREAM: https://hg.python.org/cpython/rev/d590114c2394
|
||||
# Raise an error when STARTTLS fails
|
||||
Patch210: 00210-Raise-an-error-when-STARTTLS-fails.patch
|
||||
|
||||
# (New patches go here ^^^)
|
||||
#
|
||||
|
@ -791,10 +812,12 @@ Summary: Libraries and header files needed for Python 3 development
|
|||
Group: Development/Libraries
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
BuildRequires: python-macros
|
||||
Requires: python-macros
|
||||
Conflicts: %{name} < %{version}-%{release}
|
||||
|
||||
%description devel
|
||||
This package contains libraries and header files used to build applications
|
||||
This package contains libraries and header files used to build applications
|
||||
with and native libraries for Python 3
|
||||
|
||||
%package tools
|
||||
|
@ -900,6 +923,11 @@ for f in md5module.c sha1module.c sha256module.c sha512module.c; do
|
|||
rm Modules/$f
|
||||
done
|
||||
|
||||
%if 0%{with_rewheel}
|
||||
%global pip_version 6.0.8
|
||||
sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/ensurepip/__init__.py
|
||||
%endif
|
||||
|
||||
#
|
||||
# Apply patches:
|
||||
#
|
||||
|
@ -1002,6 +1030,11 @@ done
|
|||
%patch196 -p1
|
||||
# 00197: upstream as of Python 3.4.2
|
||||
%patch199 -p1
|
||||
%patch202 -p1
|
||||
%patch204 -p1
|
||||
|
||||
%patch209 -p1
|
||||
%patch210 -p1
|
||||
|
||||
# Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
|
||||
# are many differences between 2.6 and the Python 3 library.
|
||||
|
@ -1119,7 +1152,8 @@ BuildPython debug \
|
|||
%else
|
||||
"--with-pydebug --with-count-allocs --with-call-profile --without-ensurepip" \
|
||||
%endif
|
||||
false
|
||||
false \
|
||||
-O0
|
||||
%endif # with_debug_build
|
||||
|
||||
BuildPython optimized \
|
||||
|
@ -1192,7 +1226,8 @@ make install DESTDIR=%{buildroot} INSTALL="install -p"
|
|||
# Install the "debug" build first, so that we can move some files aside
|
||||
%if 0%{?with_debug_build}
|
||||
InstallPython debug \
|
||||
%{py_INSTSONAME_debug}
|
||||
%{py_INSTSONAME_debug} \
|
||||
-O0
|
||||
%endif # with_debug_build
|
||||
|
||||
# Now the optimized build:
|
||||
|
@ -1457,7 +1492,7 @@ CheckPython() {
|
|||
%ifarch ppc64le aarch64
|
||||
-x test_faulthandler \
|
||||
%endif
|
||||
%ifarch %{power64} s390 s390x
|
||||
%ifarch %{power64} s390 s390x armv7hl aarch64
|
||||
-x test_gdb
|
||||
%endif
|
||||
|
||||
|
@ -1890,6 +1925,31 @@ rm -fr %{buildroot}
|
|||
# ======================================================
|
||||
|
||||
%changelog
|
||||
* Thu Jun 16 2016 Tomas Orsava <torsava@redhat.com> - 3.4.2-8
|
||||
- Fix for: CVE-2016-0772 python: smtplib StartTLS stripping attack
|
||||
- Raise an error when STARTTLS fails
|
||||
- rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
|
||||
- rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
|
||||
- Fixed upstream: https://hg.python.org/cpython/rev/d590114c2394
|
||||
|
||||
* Mon Jun 13 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.4.2-7
|
||||
- Added patch for fixing possible integer overflow and heap corruption in zipimporter.get_data()
|
||||
|
||||
* Thu Jul 09 2015 Thomas Spura <tomspur@fedoraproject.org> - 3.4.2-6
|
||||
- sync with master branch to backport some fixes
|
||||
- Use 1024bit DH key in test_ssl (Matej Stuchlik)
|
||||
- Use -O0 when compiling -debug build (Matej Stuchlik)
|
||||
- Update pip version variable to the version we actually ship (Matej Stuchlik)
|
||||
- Fixed undefined behaviour in faulthandler which caused test to hang on x86_64
|
||||
(http://bugs.python.org/issue23433) (Matej Stuchlik)
|
||||
- Disable test_gdb on aarch64 (rhbz#1196181), it joins all other non x86 arches
|
||||
(Peter Robinson)
|
||||
- Also disable gdb test on armv7hl
|
||||
|
||||
* Mon Jun 29 2015 Thomas Spura <tomspur@fedoraproject.org> - 3.4.2-5
|
||||
- python3-devel: Require python-macros for version independant macros such as
|
||||
python_provide. See fpc#281 and fpc#534.
|
||||
|
||||
* Mon Jan 12 2015 Dan Horák <dan[at]danny.cz> - 3.4.2-4
|
||||
- build with valgrind on ppc64le
|
||||
- disable test_gdb on s390(x) until rhbz#1181034 is resolved
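Review bot: In the `%if 0%{with_rewheel}` block added to %prep, the `sed -r -i` that rewrites `_PIP_VERSION` in Lib/ensurepip/__init__.py exits successfully even when the pattern matches nothing. The build would then continue with an ensurepip version string that differs from `%{pip_version}`. Following the sed with `grep -q '_PIP_VERSION = "%{pip_version}"' Lib/ensurepip/__init__.py` makes the build fail if the substitution did not apply. Separately, Patch204 and Patch209 lack the `# 002NN #` header line that Patch202 and Patch210 carry, which makes the security patches harder to trace.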
|
||||
|
|