From 2c3b2229eb44215d3bf9cc53ea07d2aa93ae7c82 Mon Sep 17 00:00:00 2001
From: Iryna Shcherbina
Date: Mon, 7 Aug 2017 18:26:47 +0200
Subject: [PATCH] Fix the "urllib FTP protocol stream injection" vulnerability (rhbz#1478916)
---
 00272-fix-ftplib-to-reject-newlines.patch | 58 +++++++++++++++++++++++
 python3.spec | 14 +++++-
 2 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 00272-fix-ftplib-to-reject-newlines.patch
diff --git a/00272-fix-ftplib-to-reject-newlines.patch b/00272-fix-ftplib-to-reject-newlines.patch
new file mode 100644
index 0000000..66486a8
--- /dev/null
+++ b/00272-fix-ftplib-to-reject-newlines.patch
@@ -0,0 +1,58 @@
+From 8c2d4cf092c5f0335e7982392a33927579c4d512 Mon Sep 17 00:00:00 2001
+From: Dong-hee Na
+Date: Wed, 26 Jul 2017 21:11:25 +0900
+Subject: [PATCH] [3.6] bpo-30119: fix ftplib.FTP.putline() to throw an error
+ for a illegal command (#1214) (#2886)
+
+---
+ Lib/ftplib.py | 2 ++
+ Lib/test/test_ftplib.py | 6 +++++-
+ Misc/NEWS.d/next/Library/2017-07-26-15-15-00.bpo-30119.DZ6C_S.rst | 2 ++
+ 3 files changed, 9 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2017-07-26-15-15-00.bpo-30119.DZ6C_S.rst
+
+diff --git a/Lib/ftplib.py b/Lib/ftplib.py
+index 8f36f537e8a..a02e595cb02 100644
+--- a/Lib/ftplib.py
++++ b/Lib/ftplib.py
+@@ -186,6 +186,8 @@ def sanitize(self, s):
+ 
+ # Internal: send one line to the server, appending CRLF
+ def putline(self, line):
++ if '\r' in line or '\n' in line:
++ raise ValueError('an illegal newline character should not be contained')
+ line = line + CRLF
+ if self.debugging > 1:
+ print('*put*', self.sanitize(line))
+diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py
+index 12fabc5e8be..a561e9efa03 100644
+--- a/Lib/test/test_ftplib.py
++++ b/Lib/test/test_ftplib.py
+@@ -484,6 +484,9 @@ def test_sanitize(self):
+ self.assertEqual(self.client.sanitize('PASS 12345'), repr('PASS *****'))
+ 
+ def test_exceptions(self):
++ self.assertRaises(ValueError, self.client.sendcmd, 'echo 40\r\n0')
++ self.assertRaises(ValueError, self.client.sendcmd, 'echo 40\n0')
++ self.assertRaises(ValueError, self.client.sendcmd, 'echo 40\r0')
+ self.assertRaises(ftplib.error_temp, self.client.sendcmd, 'echo 400')
+ self.assertRaises(ftplib.error_temp, self.client.sendcmd, 'echo 499')
+ self.assertRaises(ftplib.error_perm, self.client.sendcmd, 'echo 500')
+@@ -492,7 +495,8 @@ def test_exceptions(self):
+ 
+ def test_all_errors(self):
+ exceptions = (ftplib.error_reply, ftplib.error_temp, ftplib.error_perm,
+- ftplib.error_proto, ftplib.Error, OSError, EOFError)
++ ftplib.error_proto, ftplib.Error, OSError,
++ EOFError)
+ for x in exceptions:
+ try:
+ raise x('exception not included in all_errors set')
+diff --git a/Misc/NEWS.d/next/Library/2017-07-26-15-15-00.bpo-30119.DZ6C_S.rst b/Misc/NEWS.d/next/Library/2017-07-26-15-15-00.bpo-30119.DZ6C_S.rst
+new file mode 100644
+index 00000000000..a37d3703842
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2017-07-26-15-15-00.bpo-30119.DZ6C_S.rst
+@@ -0,0 +1,2 @@
++ftplib.FTP.putline() now throws ValueError on commands that contains CR or
++LF. Patch by Dong-hee Na.
diff --git a/python3.spec b/python3.spec
index 91978da..ba8c992 100644
--- a/python3.spec
+++ b/python3.spec
@@ -133,7 +133,7 @@ Summary: Version 3 of the Python programming language aka Python 3000
 Name: python3
 Version: %{pybasever}.2
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: Python
 Group: Development/Languages
@@ -449,6 +449,13 @@ Patch270: 00270-fix-ssl-alpn-hook-test.patch
 # Reported upstream: http://bugs.python.org/issue31034
 Patch271: 00271-asyncio-get-default-signal-handler.patch
+# 00272 #
+# Reject newline characters in ftplib.FTP.putline() arguments to
+# avoid FTP protocol stream injection via malicious URLs.
+# rhbz#1478916
+# Fixed upstream: http://bugs.python.org/issue30119
+Patch272: 00272-fix-ftplib-to-reject-newlines.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -723,6 +730,7 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en
 %patch270 -p1
 %patch271 -p1
+%patch272 -p1
 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
 # are many differences between 2.6 and the Python 3 library.
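Review bot: The guard added to putline() raises a plain ValueError, and the test_all_errors tuple in the same patch (error_reply, error_temp, error_perm, error_proto, Error, OSError, EOFError) shows that ValueError is not part of the ftplib.all_errors family. Any caller that wraps ftplib calls in `except ftplib.all_errors:` — presumably including the urllib FTP handler the spec comment names as the affected path — will therefore see the rejection propagate as an unhandled ValueError instead of its usual error type; that is still a safe failure, but it is an observable behaviour change for downstream consumers and is worth recording in the 00272 spec comment or the changelog alongside the rhbz reference. A test that drives a CR/LF-bearing command through the urllib layer would pin which exception callers actually receive there. Both putline() and test_all_errors continue outside their hunks.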
@@ -1688,6 +1696,10 @@ fi # ====================================================== %changelog +* Mon Aug 07 2017 Iryna Shcherbina - 3.6.2-6 +- Fix the "urllib FTP protocol stream injection" vulnerability +Resolves: rhbz#1478916 + * Tue Aug 01 2017 Tomas Orsava - 3.6.2-5 - Dropped BuildRequires on db4-devel which was useful for Python 2 (module bsddb), however, no longer needod for Python 3