diff --git a/SPECS/python3/CVE-2021-3177.patch b/SPECS/python3/CVE-2021-3177.patch new file mode 100644 index 0000000000..576f7fad67 --- /dev/null +++ b/SPECS/python3/CVE-2021-3177.patch @@ -0,0 +1,184 @@ +From 7e223976ef9eca5eb539a21b8579138f301778df Mon Sep 17 00:00:00 2001 +From: Benjamin Peterson +Date: Mon, 18 Jan 2021 14:47:05 -0600 +Subject: [PATCH] [3.7] closes bpo-42938: Replace snprintf with Python unicode + formatting in ctypes param reprs. (24239). (cherry picked from commit + 916610ef90a0d0761f08747f7b0905541f0977c7) + +Co-authored-by: Benjamin Peterson +--- + Lib/ctypes/test/test_parameters.py | 43 +++++++++++++++ + .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 + + Modules/_ctypes/callproc.c | 55 +++++++------------ + 3 files changed, 66 insertions(+), 34 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst + +diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py +index e4c25fd880cef..531894fdec838 100644 +--- a/Lib/ctypes/test/test_parameters.py ++++ b/Lib/ctypes/test/test_parameters.py +@@ -201,6 +201,49 @@ def __dict__(self): + with self.assertRaises(ZeroDivisionError): + WorseStruct().__setstate__({}, b'foo') + ++ def test_parameter_repr(self): ++ from ctypes import ( ++ c_bool, ++ c_char, ++ c_wchar, ++ c_byte, ++ c_ubyte, ++ c_short, ++ c_ushort, ++ c_int, ++ c_uint, ++ c_long, ++ c_ulong, ++ c_longlong, ++ c_ulonglong, ++ c_float, ++ c_double, ++ c_longdouble, ++ c_char_p, ++ c_wchar_p, ++ c_void_p, ++ ) ++ self.assertRegex(repr(c_bool.from_param(True)), r"^$") ++ self.assertEqual(repr(c_char.from_param(97)), "") ++ self.assertRegex(repr(c_wchar.from_param('a')), r"^$") ++ self.assertEqual(repr(c_byte.from_param(98)), "") ++ self.assertEqual(repr(c_ubyte.from_param(98)), "") ++ self.assertEqual(repr(c_short.from_param(511)), "") ++ self.assertEqual(repr(c_ushort.from_param(511)), "") ++ self.assertRegex(repr(c_int.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_uint.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_long.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_ulong.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_longlong.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^$") ++ self.assertEqual(repr(c_float.from_param(1.5)), "") ++ self.assertEqual(repr(c_double.from_param(1.5)), "") ++ self.assertEqual(repr(c_double.from_param(1e300)), "") ++ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^$") ++ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^$") ++ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^$") ++ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^$") ++ + ################################################################ + + if __name__ == '__main__': +diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +new file mode 100644 +index 0000000000000..7df65a156feab +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +@@ -0,0 +1,2 @@ ++Avoid static buffers when computing the repr of :class:`ctypes.c_double` and ++:class:`ctypes.c_longdouble` values. +diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c +index 73413531bdbf0..9cbf9801ad188 100644 +--- a/Modules/_ctypes/callproc.c ++++ b/Modules/_ctypes/callproc.c +@@ -463,58 +463,47 @@ is_literal_char(unsigned char c) + static PyObject * + PyCArg_repr(PyCArgObject *self) + { +- char buffer[256]; + switch(self->tag) { + case 'b': + case 'B': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.b); +- break; + case 'h': + case 'H': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.h); +- break; + case 'i': + case 'I': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.i); +- break; + case 'l': + case 'L': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.l); +- break; + + case 'q': + case 'Q': +- sprintf(buffer, +-#ifdef MS_WIN32 +- "", +-#else +- "", +-#endif ++ return PyUnicode_FromFormat("", + self->tag, self->value.q); +- break; + case 'd': +- sprintf(buffer, "", +- self->tag, self->value.d); +- break; +- case 'f': +- sprintf(buffer, "", +- self->tag, self->value.f); +- break; +- ++ case 'f': { ++ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d); ++ if (f == NULL) { ++ return NULL; ++ } ++ PyObject *result = PyUnicode_FromFormat("", self->tag, f); ++ Py_DECREF(f); ++ return result; ++ } + case 'c': + if (is_literal_char((unsigned char)self->value.c)) { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.c); + } + else { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, (unsigned char)self->value.c); + } +- break; + + /* Hm, are these 'z' and 'Z' codes useful at all? + Shouldn't they be replaced by the functionality of c_string +@@ -523,22 +512,20 @@ PyCArg_repr(PyCArgObject *self) + case 'z': + case 'Z': + case 'P': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.p); + break; + + default: + if (is_literal_char((unsigned char)self->tag)) { +- sprintf(buffer, "", +- (unsigned char)self->tag, self); ++ return PyUnicode_FromFormat("", ++ (unsigned char)self->tag, (void *)self); + } + else { +- sprintf(buffer, "", +- (unsigned char)self->tag, self); ++ return PyUnicode_FromFormat("", ++ (unsigned char)self->tag, (void *)self); + } +- break; + } +- return PyUnicode_FromString(buffer); + } + + static PyMemberDef PyCArgType_members[] = { diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec index eb8d10504e..16b45758cd 100644 --- a/SPECS/python3/python3.spec +++ b/SPECS/python3/python3.spec @@ -2,7 +2,7 @@ Summary: A high-level scripting language Name: python3 Version: 3.7.9 -Release: 3%{?dist} +Release: 4%{?dist} License: PSF Vendor: Microsoft Corporation Distribution: Mariner @@ -14,6 +14,7 @@ Patch1: python3-support-mariner-platform.patch Patch2: Replace-unsupported-TLS-methods.patch # CVE-2020-27619 patch is pulled from upstream commit Patch3: CVE-2020-27619.patch +Patch4: CVE-2021-3177.patch BuildRequires: bzip2-devel BuildRequires: expat-devel >= 2.1.0 BuildRequires: libffi-devel >= 3.0.13 @@ -119,8 +120,8 @@ The PyPA recommended tool for installing Python packages. %package setuptools Summary: Download, build, install, upgrade, and uninstall Python packages. Group: Development/Tools -Requires: python3-xml Requires: python3 = %{version}-%{release} +Requires: python3-xml BuildArch: noarch %description setuptools @@ -135,11 +136,7 @@ Requires: python3 = %{version}-%{release} The test package contains all regression tests for Python as well as the modules test.support and test.regrtest. test.support is used to enhance your tests while test.regrtest drives the testing suite. %prep -%setup -q -n Python-%{version} -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 +%autosetup -p1 -n Python-%{version} %build export OPT="%{optflags} %{openssl_flags}" @@ -175,6 +172,8 @@ make %{?_smp_mflags} test rm -rf %{buildroot}/* + + %files %defattr(-, root, root) %license LICENSE @@ -264,6 +263,9 @@ rm -rf %{buildroot}/* %{_libdir}/python3.7/test/* %changelog +* Fri Jan 29 2021 Nick Samson - 3.7.9-4 +- Patched CVE-2021-3177 with backported patch. Moved to autosetup. + * Mon Nov 16 2020 Pawel Winogrodzki - 3.7.9-3 - Adding explicit runtime dependency on 'python3-xml' for the 'python3-setuptool' subpackage.