Fix the "urllib FTP protocol stream injection" vulnerability (rhbz#1478916)

2017-08-07 18:26:47 +02:00 · 2017-08-07 18:26:47 +02:00 · 2c3b2229eb
commit 2c3b2229eb
parent 7ce2b35305
2 changed files with 71 additions and 1 deletions
--- a/00272-fix-ftplib-to-reject-newlines.patch
+++ b/00272-fix-ftplib-to-reject-newlines.patch
@ -0,0 +1,58 @@
+From 8c2d4cf092c5f0335e7982392a33927579c4d512 Mon Sep 17 00:00:00 2001
+From: Dong-hee Na <donghee.na92@gmail.com>
+Date: Wed, 26 Jul 2017 21:11:25 +0900
+Subject: [PATCH] [3.6] bpo-30119: fix ftplib.FTP.putline() to throw an error
+ for a illegal command (#1214) (#2886)
+
+---
+ Lib/ftplib.py                                                     | 2 ++
+ Lib/test/test_ftplib.py                                           | 6 +++++-
+ Misc/NEWS.d/next/Library/2017-07-26-15-15-00.bpo-30119.DZ6C_S.rst | 2 ++
+ 3 files changed, 9 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2017-07-26-15-15-00.bpo-30119.DZ6C_S.rst
+
+diff --git a/Lib/ftplib.py b/Lib/ftplib.py
+index 8f36f537e8a..a02e595cb02 100644
+--- a/Lib/ftplib.py
+++ b/Lib/ftplib.py
+@@ -186,6 +186,8 @@ def sanitize(self, s):
+ 
+     # Internal: send one line to the server, appending CRLF
+     def putline(self, line):
+        if '\r' in line or '\n' in line:
+            raise ValueError('an illegal newline character should not be contained')
+         line = line + CRLF
+         if self.debugging > 1:
+             print('*put*', self.sanitize(line))
+diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py
+index 12fabc5e8be..a561e9efa03 100644
+--- a/Lib/test/test_ftplib.py
+++ b/Lib/test/test_ftplib.py
+@@ -484,6 +484,9 @@ def test_sanitize(self):
+         self.assertEqual(self.client.sanitize('PASS 12345'), repr('PASS *****'))
+ 
+     def test_exceptions(self):
+        self.assertRaises(ValueError, self.client.sendcmd, 'echo 40\r\n0')
+        self.assertRaises(ValueError, self.client.sendcmd, 'echo 40\n0')
+        self.assertRaises(ValueError, self.client.sendcmd, 'echo 40\r0')
+         self.assertRaises(ftplib.error_temp, self.client.sendcmd, 'echo 400')
+         self.assertRaises(ftplib.error_temp, self.client.sendcmd, 'echo 499')
+         self.assertRaises(ftplib.error_perm, self.client.sendcmd, 'echo 500')
+@@ -492,7 +495,8 @@ def test_exceptions(self):
+ 
+     def test_all_errors(self):
+         exceptions = (ftplib.error_reply, ftplib.error_temp, ftplib.error_perm,
+-                      ftplib.error_proto, ftplib.Error, OSError, EOFError)
+                      ftplib.error_proto, ftplib.Error, OSError,
+                      EOFError)
+         for x in exceptions:
+             try:
+                 raise x('exception not included in all_errors set')
+diff --git a/Misc/NEWS.d/next/Library/2017-07-26-15-15-00.bpo-30119.DZ6C_S.rst b/Misc/NEWS.d/next/Library/2017-07-26-15-15-00.bpo-30119.DZ6C_S.rst
+new file mode 100644
+index 00000000000..a37d3703842
+--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2017-07-26-15-15-00.bpo-30119.DZ6C_S.rst
+@@ -0,0 +1,2 @@
+ftplib.FTP.putline() now throws ValueError on commands that contains CR or
+LF. Patch by Dong-hee Na.
--- a/python3.spec
+++ b/python3.spec
@ -133,7 +133,7 @@
 Summary: Version 3 of the Python programming language aka Python 3000
 Name: python3
 Version: %{pybasever}.2
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: Python
 Group: Development/Languages

@ -449,6 +449,13 @@ Patch270: 00270-fix-ssl-alpn-hook-test.patch
 # Reported upstream: http://bugs.python.org/issue31034
 Patch271: 00271-asyncio-get-default-signal-handler.patch

+# 00272 #
+# Reject newline characters in ftplib.FTP.putline() arguments to
+# avoid FTP protocol stream injection via malicious URLs.
+# rhbz#1478916
+# Fixed upstream: http://bugs.python.org/issue30119
+Patch272: 00272-fix-ftplib-to-reject-newlines.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -723,6 +730,7 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en

 %patch270 -p1
 %patch271 -p1
+%patch272 -p1

 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
 # are many differences between 2.6 and the Python 3 library.
@ -1688,6 +1696,10 @@ fi
 # ======================================================

 %changelog
+* Mon Aug 07 2017 Iryna Shcherbina <ishcherb@redhat.com> - 3.6.2-6
+- Fix the "urllib FTP protocol stream injection" vulnerability
+Resolves: rhbz#1478916
+
 * Tue Aug 01 2017 Tomas Orsava <torsava@redhat.com> - 3.6.2-5
 - Dropped BuildRequires on db4-devel which was useful for Python 2 (module
  bsddb), however, no longer needod for Python 3