Update python to version 2.7.18 / rev 188 via SR 1111680
https://build.opensuse.org/request/show/1111680 by user mcepl + anag+factory - (bsc#1214691, CVE-2022-48566) Add CVE-2022-48566-compare_digest-more-constant.patch to make compare_digest more constant-time. - (bsc#1214685, CVE-2022-48565) Add CVE-2022-48565-plistlib-XML-vulns.patch (from gh#python/cpython#86217) reject XML entity declarations in plist files. - Remove BOTH CVE-2023-27043-email-parsing-errors.patch and Revert-gh105127-left-tests.patch (as per discussion on bsc#1210638).
1 parent
15b96bb
commit 81e2964
Showing
12 changed files
with
223 additions
and
363 deletions.
Binary file not shown.
@@ -0,0 +1,80 @@ | ||
From 4d8f9e2e4461de92bd1e0c92ed433480d761670f Mon Sep 17 00:00:00 2001 | ||
From: Ned Deily <nad@python.org> | ||
Date: Mon, 19 Oct 2020 22:36:27 -0400 | ||
Subject: [PATCH] bpo-42051: Reject XML entity declarations in plist files | ||
(GH-22760) (GH-22801) | ||
|
||
Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com> | ||
(cherry picked from commit e512bc799e3864fe3b1351757261762d63471efc) | ||
|
||
Co-authored-by: Ned Deily <nad@python.org> | ||
--- | ||
Lib/plistlib.py | 10 +++++ | ||
Lib/test/test_plistlib.py | 19 ++++++++++ | ||
Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst | 3 + | ||
3 files changed, 32 insertions(+) | ||
create mode 100644 Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst | ||
|
||
--- a/Lib/plistlib.py | ||
+++ b/Lib/plistlib.py | ||
@@ -403,9 +403,19 @@ class PlistParser: | ||
parser.StartElementHandler = self.handleBeginElement | ||
parser.EndElementHandler = self.handleEndElement | ||
parser.CharacterDataHandler = self.handleData | ||
+ parser.EntityDeclHandler = self.handle_entity_decl | ||
parser.ParseFile(fileobj) | ||
return self.root | ||
|
||
+ def handle_entity_decl(self, entity_name, is_parameter_entity, value, | ||
+ base, system_id, public_id, notation_name): | ||
+ # Reject plist files with entity declarations to avoid XML | ||
+ # vulnerabilies in expat. Regular plist files don't contain | ||
+ # those declerations, and Apple's plutil tool does not accept | ||
+ # them either. | ||
+ raise ValueError( | ||
+ "XML entity declarations are not supported in plist files") | ||
+ | ||
def handleBeginElement(self, element, attrs): | ||
self.data = [] | ||
handler = getattr(self, "begin_" + element, None) | ||
--- a/Lib/test/test_plistlib.py | ||
+++ b/Lib/test/test_plistlib.py | ||
@@ -86,6 +86,19 @@ TESTDATA = """<?xml version="1.0" encodi | ||
</plist> | ||
""".replace(" " * 8, "\t") # Apple as well as plistlib.py output hard tabs | ||
|
||
+XML_PLIST_WITH_ENTITY=b'''\ | ||
+<?xml version="1.0" encoding="UTF-8"?> | ||
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" [ | ||
+ <!ENTITY entity "replacement text"> | ||
+ ]> | ||
+<plist version="1.0"> | ||
+ <dict> | ||
+ <key>A</key> | ||
+ <string>&entity;</string> | ||
+ </dict> | ||
+</plist> | ||
+''' | ||
+ | ||
|
||
class TestPlistlib(unittest.TestCase): | ||
|
||
@@ -195,6 +208,12 @@ class TestPlistlib(unittest.TestCase): | ||
self.assertEqual(test1, result1) | ||
self.assertEqual(test2, result2) | ||
|
||
+ def test_xml_plist_with_entity_decl(self): | ||
+ with self.assertRaisesRegexp(ValueError, | ||
+ "XML entity declarations are not supported"): | ||
+ plistlib.readPlistFromString(XML_PLIST_WITH_ENTITY) | ||
+ | ||
+ | ||
|
||
def test_main(): | ||
test_support.run_unittest(TestPlistlib) | ||
--- /dev/null | ||
+++ b/Misc/NEWS.d/next/Security/2020-10-19-10-56-27.bpo-42051.EU_B7u.rst | ||
@@ -0,0 +1,3 @@ | ||
+The :mod:`plistlib` module no longer accepts entity declarations in XML | ||
+plist files to avoid XML vulnerabilities. This should not affect users as | ||
+entity declarations are not used in regular plist files. |
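Review bot: The comment on `handle_entity_decl` is the only documentation of the new defense and it misspells its key words (`vulnerabilies`, `declerations`) while leaving the threat vague; since this method is the whole mitigation, a docstring should name what is prevented and what is rejected, e.g. `"""Reject every XML entity declaration (general, external or parameter) before expat can expand it; regular plist files declare no entities and Apple's plutil rejects them as well."""`. The test fixture `XML_PLIST_WITH_ENTITY` only exercises an internal general entity; the handler's `is_parameter_entity` argument suggests the same hook is reached for parameter entity declarations, so a second fixture declaring a parameter entity would pin that path against regressions. `PlistParser.parse`, where the handler is registered, starts outside the hunk, and `TestPlistlib` continues past it.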
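--- /dev/null
+++ b/packages/p/python/CVE-2022-48566-compare_digest-more-constant.patch
@@ -0,0 +1,35 @@
+From 8bef9ebb1b88cfa4b2a38b93fe4ea22015d8254a Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+<31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 14 Dec 2020 09:04:57 -0800
+Subject: [PATCH] bpo-40791: Make compare_digest more constant-time. (GH-23438)
+(GH-23767)
+
+The existing volatile `left`/`right` pointers guarantee that the reads will all occur, but does not guarantee that they will be _used_. So a compiler can still short-circuit the loop, saving e.g. the overhead of doing the xors and especially the overhead of the data dependency between `result` and the reads. That would change performance depending on where the first unequal byte occurs. This change removes that optimization.
+
+(This is change GH-1 from https://bugs.python.org/issue40791 .)
+(cherry picked from commit 31729366e2bc09632e78f3896dbce0ae64914f28)
+
+Co-authored-by: Devin Jeanpierre <jeanpierreda@google.com>
+---
+Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst | 1 +
+Modules/operator.c | 2 +-
+2 files changed, 2 insertions(+), 1 deletion(-)
+create mode 100644 Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst
+
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2020-05-28-06-06-47.bpo-40791.QGZClX.rst
+@@ -0,0 +1 @@
++Add ``volatile`` to the accumulator variable in ``hmac.compare_digest``, making constant-time-defeating optimizations less likely.
+\ No newline at end of file
+--- a/Modules/operator.c
++++ b/Modules/operator.c
+@@ -259,7 +259,7 @@ _tscmp(const unsigned char *a, const uns
+volatile const unsigned char *left;
+volatile const unsigned char *right;
+Py_ssize_t i;
+- unsigned char result;
++ volatile unsigned char result;
+
+/* loop count depends on length of b */
+length = len_b;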
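Review bot: The new declaration `volatile unsigned char result;` carries no comment saying why the accumulator is volatile, so a later cleanup could drop the qualifier as apparently unneeded and silently reintroduce the short-circuit the patch description warns about; a one-line comment next to it, `/* volatile: keep the XOR accumulation from being short-circuited once a mismatch is known (bpo-40791) */`, would pin the intent to the declaration. The patch description itself states that volatile only makes the optimization less likely rather than guaranteeing constant time, and the visible `/* loop count depends on length of b */` context shows that timing still depends on the length of b by design; both caveats belong in `_tscmp`'s header comment so callers do not assume a stronger guarantee. `_tscmp` begins and ends outside the hunk.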
137 changes: 0 additions & 137 deletions
137
packages/p/python/CVE-2023-27043-email-parsing-errors.patch
This file was deleted.