From 93fe450a4f9d6976f4a63b1f4690a29805e1941c Mon Sep 17 00:00:00 2001
From: Thomas Crain
Date: Tue, 10 Nov 2020 13:16:00 -0800
Subject: [PATCH] Python 3: Upgrade to fix CVE-2019-20907, CVE-2020-26116, CVE-2019-18348, CVE-2020-14422, Patch CVE-2020-27619 (#358)
---
 SPECS/python3/CVE-2020-27619.patch | 64 ++++++
 SPECS/python3/python3.signatures.json | 2 +-
 SPECS/python3/python3.spec | 286 +++++++++++++++----------
 cgmanifest.json | 4 +-
 4 files changed, 233 insertions(+), 123 deletions(-)
 create mode 100644 SPECS/python3/CVE-2020-27619.patch
diff --git a/SPECS/python3/CVE-2020-27619.patch b/SPECS/python3/CVE-2020-27619.patch
new file mode 100644
index 0000000000..1eeaf5d688
--- /dev/null
+++ b/SPECS/python3/CVE-2020-27619.patch
@@ -0,0 +1,64 @@
+From 43e523103886af66d6c27cd72431b5d9d14cd2a9 Mon Sep 17 00:00:00 2001
+From: "Miss Skeleton (bot)" <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 19 Oct 2020 19:38:40 -0700
+Subject: [PATCH] bpo-41944: No longer call eval() on content received via HTTP
+ in the CJK codec tests (GH-22566) (GH-22578)
+
+(cherry picked from commit 2ef5caa58febc8968e670e39e3d37cf8eef3cab8)
+
+Co-authored-by: Serhiy Storchaka
+---
+ Lib/test/multibytecodec_support.py | 22 +++++++------------
+ .../2020-10-05-17-43-46.bpo-41944.rf1dYb.rst | 1 +
+ 2 files changed, 9 insertions(+), 14 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
+
+diff --git a/Lib/test/multibytecodec_support.py b/Lib/test/multibytecodec_support.py
+index cca8af67d6d1d..f76c0153f5ecf 100644
+--- a/Lib/test/multibytecodec_support.py
++++ b/Lib/test/multibytecodec_support.py
+@@ -305,29 +305,23 @@ def test_mapping_file(self):
+ self._test_mapping_file_plain()
+
+ def _test_mapping_file_plain(self):
+- unichrs = lambda s: ''.join(map(chr, map(eval, s.split('+'))))
++ def unichrs(s):
++ return ''.join(chr(int(x, 16)) for x in s.split('+'))
+
+ urt_wa = {}
+
+ with self.open_mapping_file() as f:
+ for line in f:
+ if not line:
+ break
+- data = line.split('#')[0].strip().split()
++ data = line.split('#')[0].split()
+ if len(data) != 2:
+ continue
+
+- csetval = eval(data[0])
+- if csetval <= 0x7F:
+- csetch = bytes([csetval & 0xff])
+- elif csetval >= 0x1000000:
+- csetch = bytes([(csetval >> 24), ((csetval >> 16) & 0xff),
+- ((csetval >> 8) & 0xff), (csetval & 0xff)])
+- elif csetval >= 0x10000:
+- csetch = bytes([(csetval >> 16), ((csetval >> 8) & 0xff),
+- (csetval & 0xff)])
+- elif csetval >= 0x100:
+- csetch = bytes([(csetval >> 8), (csetval & 0xff)])
+- else:
++ if data[0][:2] != '0x':
++ self.fail(f"Invalid line: {line!r}")
++ csetch = bytes.fromhex(data[0][2:])
++ if len(csetch) == 1 and 0x80 <= csetch[0]:
+ continue
+
+ unich = unichrs(data[1])
+diff --git a/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
+new file mode 100644
+index 0000000000000..4f9782f1c85af
+--- /dev/null
++++ b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst
+@@ -0,0 +1 @@
++Tests for CJK codecs no longer call ``eval()`` on content received via HTTP.
diff --git a/SPECS/python3/python3.signatures.json b/SPECS/python3/python3.signatures.json
index 6b9b1469ca..8a1f634e35 100644
--- a/SPECS/python3/python3.signatures.json
+++ b/SPECS/python3/python3.signatures.json
@@ -1,5 +1,5 @@
 {
 "Signatures": {
- "Python-3.7.7.tar.xz": "06a0a9f1bf0d8cd1e4121194d666c4e28ddae4dd54346de6c343206599f02136"
+ "Python-3.7.9.tar.xz": "91923007b05005b5f9bd46f3b9172248aea5abc1543e8a636d59e629c3331b01"
 }
 }
\ No newline at end of file
diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec
index 865d715f1e..5c1533fe82 100644
--- a/SPECS/python3/python3.spec
+++ b/SPECS/python3/python3.spec
@@ -1,27 +1,28 @@
 %global openssl_flags -DOPENSSL_NO_SSL3 -DOPENSSL_NO_SSL2
-
 Summary: A high-level scripting language
 Name: python3
-Version: 3.7.7
+Version: 3.7.9
 Release: 2%{?dist}
 License: PSF
-URL: http://www.python.org/
-Group: System Environment/Programming
 Vendor: Microsoft Corporation
 Distribution: Mariner
+Group: System Environment/Programming
+URL: https://www.python.org/
 Source0: https://www.python.org/ftp/python/%{version}/Python-%{version}.tar.xz
 Patch0: cgi3.patch
 Patch1: python3-support-mariner-platform.patch
 Patch2: Replace-unsupported-TLS-methods.patch
-BuildRequires: pkg-config >= 0.28
+# CVE-2020-27619 patch is pulled from upstream commit
+Patch3: CVE-2020-27619.patch
 BuildRequires: bzip2-devel
-BuildRequires: ncurses-devel
-BuildRequires: openssl-devel
-BuildRequires: readline-devel
-BuildRequires: xz-devel
 BuildRequires: expat-devel >= 2.1.0
 BuildRequires: libffi-devel >= 3.0.13
+BuildRequires: ncurses-devel
+BuildRequires: openssl-devel
+BuildRequires: pkg-config >= 0.28
+BuildRequires: readline-devel
 BuildRequires: sqlite-devel
+BuildRequires: xz-devel
 Requires: ncurses
 Requires: openssl
 Requires: python3-libs = %{version}-%{release}
@@ -29,10 +30,9 @@ Requires: readline
 Requires: xz
 Provides: python-sqlite
 Provides: python(abi)
-Provides: /usr/bin/python
+Provides: %{_bindir}/python
 Provides: /bin/python
 Provides: /bin/python3
-
 %if %{with_check}
 BuildRequires: iana-etc
 BuildRequires: tzdata
@@ -45,15 +45,14 @@ strings support, easier and more intuitive syntax, and removes the deprecated
 code. It is incompatible with Python 2.x releases.
 %package libs
-Summary: The libraries for python runtime
-Group: Applications/System
+Summary: The libraries for python runtime
+Group: Applications/System
+Requires: bzip2-libs
 Requires: coreutils
 Requires: expat >= 2.1.0
 Requires: libffi >= 3.0.13
 Requires: ncurses
 Requires: sqlite-libs
-Requires: bzip2-libs
-
 %description libs
 The python interpreter can be embedded into applications wanting to
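Review bot: The comment added above `Patch3` says the CVE-2020-27619 patch "is pulled from upstream commit" but never names that commit, so anyone auditing the spec has to open the patch file to find out what was backported; suggest `# CVE-2020-27619 (bpo-41944): backport of upstream commit 43e523103886af66d6c27cd72431b5d9d14cd2a9 (cherry-pick of 2ef5caa58febc8968e670e39e3d37cf8eef3cab8)`, both ids taken from the patch header added in this commit. It would also help to state there that the patch only touches `Lib/test/multibytecodec_support.py`, which this spec appears to ship through `%files test` (`%{_libdir}/python3.7/test/*`), since that is what makes the patch relevant to the built package rather than only to the source tree. The 3.7.9-1 entry in the `%changelog` hunk (`@@ -251,105 +249,153 @@`) reads "Update to 3.7.9, the latest security release for 3.7"; listing the four CVEs from the commit subject (CVE-2019-20907, CVE-2020-26116, CVE-2019-18348, CVE-2020-14422) there would keep the spec's own history searchable by CVE, as the older entries are.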
@@ -63,8 +62,8 @@ provides the libraries needed for python 3 applications.
 %package xml
 Summary: XML libraries for python3 runtime
 Group: Applications/System
-Requires: python3-libs = %{version}-%{release}
 Requires: python3 = %{version}-%{release}
+Requires: python3-libs = %{version}-%{release}
 %description xml
 The python3-xml package provides the libraries needed for XML manipulation.
@@ -72,20 +71,20 @@ The python3-xml package provides the libraries needed for XML manipulation.
 %package curses
 Summary: Python module interface for NCurses Library
 Group: Applications/System
-Requires: python3-libs = %{version}-%{release}
 Requires: ncurses
+Requires: python3-libs = %{version}-%{release}
 %description curses
 The python3-curses package provides interface for ncurses library.
 %package devel
-Summary: The libraries and header files needed for Python development.
+Summary: The libraries and header files needed for Python development.
 Group: Development/Libraries
-Requires: python3 = %{version}-%{release}
 Requires: expat-devel >= 2.1.0
+Requires: python3 = %{version}-%{release}
 # Needed here because of the migration of Makefile from -devel to the main
 # package
-Conflicts: python3 < %{version}-%{release}
+Conflicts: python3 < %{version}-%{release}
 %description devel
 The Python programming language's interpreter can be extended with
@@ -110,9 +109,9 @@ to build python programs.
 %package pip
 Summary: The PyPA recommended tool for installing Python packages.
 Group: Development/Tools
-BuildArch: noarch
 Requires: python3 = %{version}-%{release}
 Requires: python3-xml = %{version}-%{release}
+BuildArch: noarch
 %description pip
 The PyPA recommended tool for installing Python packages.
@@ -120,16 +119,16 @@ The PyPA recommended tool for installing Python packages.
 %package setuptools
 Summary: Download, build, install, upgrade, and uninstall Python packages.
 Group: Development/Tools
-BuildArch: noarch
 Requires: python3 = %{version}-%{release}
+BuildArch: noarch
 %description setuptools
 setuptools is a collection of enhancements to the Python distutils that allow you to more easily build and distribute Python packages, especially ones that have dependencies on other packages.
 %package test
-Summary: Regression tests package for Python.
-Group: Development/Tools
-Requires: python3 = %{version}-%{release}
+Summary: Regression tests package for Python.
+Group: Development/Tools
+Requires: python3 = %{version}-%{release}
 %description test
 The test package contains all regression tests for Python as well as the modules test.support and test.regrtest. test.support is used to enhance your tests while test.regrtest drives the testing suite.
@@ -139,6 +138,7 @@ The test package contains all regression tests for Python as well as the modules
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %build
 export OPT="%{optflags} %{openssl_flags}"
@@ -173,10 +173,10 @@ make %{?_smp_mflags} test
 %clean
 rm -rf %{buildroot}/*
+
 %files
 %defattr(-, root, root)
 %license LICENSE
-%doc LICENSE README.rst
 %{_bindir}/pydoc*
 %{_bindir}/pyvenv*
 %{_bindir}/python3
@@ -191,7 +191,6 @@ rm -rf %{buildroot}/*
 %{_libdir}/libpython3.7.so
 %{_libdir}/libpython3.7m.so.1.0
-
 %exclude %{_libdir}/python3.7/ctypes/test
 %exclude %{_libdir}/python3.7/distutils/tests
 %exclude %{_libdir}/python3.7/sqlite3/test
@@ -201,7 +200,6 @@ rm -rf %{buildroot}/*
 %files libs
 %defattr(-,root,root)
-%doc LICENSE README.rst
 %{_libdir}/python3.7
 %{_libdir}/python3.7/site-packages/easy_install.py
 %{_libdir}/python3.7/site-packages/README.txt
@@ -218,11 +216,11 @@ rm -rf %{buildroot}/*
 %exclude %{_libdir}/python3.7/lib-dynload/_curses*.so
 %exclude %{_libdir}/python3.7/distutils/command/wininst-*.exe
-%files xml
+%files xml
 %{_libdir}/python3.7/xml/*
 %{_libdir}/python3.7/lib-dynload/pyexpat*.so
-%files curses
+%files curses
 %{_libdir}/python3.7/curses/*
 %{_libdir}/python3.7/lib-dynload/_curses*.so
@@ -251,105 +249,153 @@ rm -rf %{buildroot}/*
 %files pip
 %defattr(-,root,root,755)
 %{_libdir}/python3.7/site-packages/pip/*
-%{_libdir}/python3.7/site-packages/pip-19.2.3.dist-info/*
+%{_libdir}/python3.7/site-packages/pip-20.1.1.dist-info/*
 %{_bindir}/pip*
 %files setuptools
 %defattr(-,root,root,755)
 %{_libdir}/python3.7/site-packages/pkg_resources/*
 %{_libdir}/python3.7/site-packages/setuptools/*
-%{_libdir}/python3.7/site-packages/setuptools-41.2.0.dist-info/*
+%{_libdir}/python3.7/site-packages/setuptools-47.1.0.dist-info/*
 %{_bindir}/easy_install-3.7
 %files test
 %{_libdir}/python3.7/test/*
 %changelog
-* Mon Jul 06 2020 Henry Beberman 3.7.7-2
-- Add BuildRequires for iana-etc and tzdata for check section.
-* Wed Jun 10 2020 Paul Monson 3.7.7-1
-- Update to Python 3.7.7 to fix CVEs
-* Thu May 21 2020 Suresh Babu Chalamalasetty 3.7.3-10
-- Fix CVE-2019-16056.
-* Wed May 20 2020 Nicolas Ontiveros 3.7.3-9
-- Fix CVE-2020-8492.
-* Wed May 20 2020 Paul Monson 3.7.3-8
-- Fix variable use.
-* Sat May 09 00:20:54 PST 2020 Nick Samson - 3.7.3-7
-- Added %%license line automatically
-* Wed May 06 2020 Paul Monson 3.7.3-6
-- Replace unsupported TLS methods with a patch.
-* Thu Apr 09 2020 Nicolas Ontiveros 3.7.3-5
-- Remove toybox and only use coreutils for requires.
-* Mon Nov 25 2019 Andrew Phelps 3.7.3-4
-- Remove duplicate libpython3.so from devel package
-* Tue Sep 03 2019 Mateusz Malisz 3.7.3-3
-- Initial CBL-Mariner import from Photon (license: Apache2).
-* Mon Jun 17 2019 Tapas Kundu 3.7.3-2
-- Fix for CVE-2019-10160
-* Mon Jun 10 2019 Tapas Kundu 3.7.3-1
-- Update to Python 3.7.3 release
-* Thu May 23 2019 Tapas Kundu 3.7.0-6
-- Fix for CVE-2019-5010
-- Fix for CVE-2019-9740
-* Tue Mar 12 2019 Tapas Kundu 3.7.0-5
-- Fix for CVE-2019-9636
-* Mon Feb 11 2019 Taps Kundu 3.7.0-4
-- Fix for CVE-2018-20406
-* Fri Dec 21 2018 Tapas Kundu 3.7.0-3
-- Fix for CVE-2018-14647
-* Tue Dec 04 2018 Tapas Kundu 3.7.0-2
-- Excluded windows installer from python3 libs packaging.
-* Wed Sep 26 2018 Tapas Kundu 3.7.0-1
-- Updated to version 3.7.0
-* Mon Sep 18 2017 Alexey Makhalov 3.6.1-9
-- Requires coreutils or toybox
-- Requires bzip2-libs
-* Fri Sep 15 2017 Bo Gan 3.6.1-8
-- Remove devpts mount in check
-* Mon Aug 28 2017 Dheeraj Shetty 3.6.1-7
-- Add pty for tests to pass
-* Wed Jul 12 2017 Xiaolin Li 3.6.1-6
-- Add python3-test package.
-* Fri Jun 30 2017 Dheeraj Shetty 3.6.1-5
-- Remove the imaplib tests.
-* Mon Jun 05 2017 Xiaolin Li 3.6.1-4
-- Added pip, setuptools, xml, and curses sub packages.
-* Sun Jun 04 2017 Bo Gan 3.6.1-3
-- Fix symlink and script
-* Wed May 10 2017 Harish Udaiya Kumar 3.6.1-2
-- Exclude idle3.
-* Wed Apr 26 2017 Siju Maliakkal 3.6.1-1
-- Updating to latest
-* Fri Apr 14 2017 Alexey Makhalov 3.5.3-3
-- Python3-devel requires expat-devel.
-* Thu Mar 23 2017 Xiaolin Li 3.5.3-2
-- Provides /bin/python3.
-* Tue Feb 28 2017 Xiaolin Li 3.5.3-1
-- Updated to version 3.5.3.
-* Fri Jan 20 2017 Dheeraj Shetty 3.5.1-10
-- Added patch to support Photon OS
-* Tue Dec 20 2016 Xiaolin Li 3.5.1-9
-- Move easy_install-3.5 to devel subpackage.
-* Wed Nov 16 2016 Alexey Makhalov 3.5.1-8
-- Use sqlite-{devel,libs}
-* Thu Oct 27 2016 Anish Swaminathan 3.5.1-7
-- Patch for CVE-2016-5636
-* Mon Oct 10 2016 ChangLee 3.5.1-6
-- Modified %check
-* Tue May 24 2016 Priyesh Padmavilasom 3.5.1-5
-- GA - Bump release of all rpms
-* Wed May 04 2016 Anish Swaminathan 3.5.1-4
-- Edit scriptlets.
-* Wed Apr 13 2016 Priyesh Padmavilasom 3.5.1-3
-- update python to require python-libs
-* Thu Apr 07 2016 Mahmoud Bassiouny 3.5.1-2
-- Providing python3 binaries instead of the minor versions.
-* Tue Feb 23 2016 Harish Udaiya Kumar 3.5.1-1
-- Updated to version 3.5.1
-* Wed Dec 09 2015 Anish Swaminathan 3.4.3-3
-- Edit post script.
-* Mon Aug 17 2015 Vinay Kulkarni 3.4.3-2
-- Remove python.o file, and minor cleanups.
-* Wed Jul 1 2015 Vinay Kulkarni 3.4.3
-- Add Python3 package to Photon.
+* Fri Nov 06 2020 Thomas Crain - 3.7.9-2
+- Patch CVE-2020-27619
+
+* Fri Nov 06 2020 Thomas Crain - 3.7.9-1
+- Update to 3.7.9, the latest security release for 3.7
+
+* Mon Jul 06 2020 Henry Beberman - 3.7.7-2
+- Add BuildRequires for iana-etc and tzdata for check section.
+
+* Wed Jun 10 2020 Paul Monson - 3.7.7-1
+- Update to Python 3.7.7 to fix CVEs
+
+* Thu May 21 2020 Suresh Babu Chalamalasetty - 3.7.3-10
+- Fix CVE-2019-16056.
+
+* Wed May 20 2020 Nicolas Ontiveros - 3.7.3-9
+- Fix CVE-2020-8492.
+
+* Wed May 20 2020 Paul Monson - 3.7.3-8
+- Fix variable use.
+
+* Sat May 09 00:20:54 PST 2020 Nick Samson - 3.7.3-7
+- Added %%license line automatically
+
+* Wed May 06 2020 Paul Monson - 3.7.3-6
+- Replace unsupported TLS methods with a patch.
+
+* Thu Apr 09 2020 Nicolas Ontiveros - 3.7.3-5
+- Remove toybox and only use coreutils for requires.
+
+* Mon Nov 25 2019 Andrew Phelps - 3.7.3-4
+- Remove duplicate libpython3.so from devel package
+
+* Tue Sep 03 2019 Mateusz Malisz - 3.7.3-3
+- Initial CBL-Mariner import from Photon (license: Apache2).
+
+* Mon Jun 17 2019 Tapas Kundu - 3.7.3-2
+- Fix for CVE-2019-10160
+
+* Mon Jun 10 2019 Tapas Kundu - 3.7.3-1
+- Update to Python 3.7.3 release
+
+* Thu May 23 2019 Tapas Kundu - 3.7.0-6
+- Fix for CVE-2019-5010
+- Fix for CVE-2019-9740
+
+* Tue Mar 12 2019 Tapas Kundu - 3.7.0-5
+- Fix for CVE-2019-9636
+
+* Mon Feb 11 2019 Taps Kundu - 3.7.0-4
+- Fix for CVE-2018-20406
+
+* Fri Dec 21 2018 Tapas Kundu - 3.7.0-3
+- Fix for CVE-2018-14647
+
+* Tue Dec 04 2018 Tapas Kundu - 3.7.0-2
+- Excluded windows installer from python3 libs packaging.
+
+* Wed Sep 26 2018 Tapas Kundu - 3.7.0-1
+- Updated to version 3.7.0
+
+* Mon Sep 18 2017 Alexey Makhalov - 3.6.1-9
+- Requires coreutils or toybox
+- Requires bzip2-libs
+
+* Fri Sep 15 2017 Bo Gan - 3.6.1-8
+- Remove devpts mount in check
+
+* Mon Aug 28 2017 Dheeraj Shetty - 3.6.1-7
+- Add pty for tests to pass
+
+* Wed Jul 12 2017 Xiaolin Li - 3.6.1-6
+- Add python3-test package.
+
+* Fri Jun 30 2017 Dheeraj Shetty - 3.6.1-5
+- Remove the imaplib tests.
+
+* Mon Jun 05 2017 Xiaolin Li - 3.6.1-4
+- Added pip, setuptools, xml, and curses sub packages.
+
+* Sun Jun 04 2017 Bo Gan - 3.6.1-3
+- Fix symlink and script
+
+* Wed May 10 2017 Harish Udaiya Kumar - 3.6.1-2
+- Exclude idle3.
+
+* Wed Apr 26 2017 Siju Maliakkal - 3.6.1-1
+- Updating to latest
+
+* Fri Apr 14 2017 Alexey Makhalov - 3.5.3-3
+- Python3-devel requires expat-devel.
+
+* Thu Mar 23 2017 Xiaolin Li - 3.5.3-2
+- Provides /bin/python3.
+
+* Tue Feb 28 2017 Xiaolin Li - 3.5.3-1
+- Updated to version 3.5.3.
+
+* Fri Jan 20 2017 Dheeraj Shetty - 3.5.1-10
+- Added patch to support Photon OS
+
+* Tue Dec 20 2016 Xiaolin Li - 3.5.1-9
+- Move easy_install-3.5 to devel subpackage.
+
+* Wed Nov 16 2016 Alexey Makhalov - 3.5.1-8
+- Use sqlite-{devel,libs}
+
+* Thu Oct 27 2016 Anish Swaminathan - 3.5.1-7
+- Patch for CVE-2016-5636
+
+* Mon Oct 10 2016 ChangLee - 3.5.1-6
+- Modified %check
+
+* Tue May 24 2016 Priyesh Padmavilasom - 3.5.1-5
+- GA - Bump release of all rpms
+
+* Wed May 04 2016 Anish Swaminathan - 3.5.1-4
+- Edit scriptlets.
+
+* Wed Apr 13 2016 Priyesh Padmavilasom - 3.5.1-3
+- update python to require python-libs
+
+* Thu Apr 07 2016 Mahmoud Bassiouny - 3.5.1-2
+- Providing python3 binaries instead of the minor versions.
+
+* Tue Feb 23 2016 Harish Udaiya Kumar - 3.5.1-1
+- Updated to version 3.5.1
+
+* Wed Dec 09 2015 Anish Swaminathan - 3.4.3-3
+- Edit post script.
+
+* Mon Aug 17 2015 Vinay Kulkarni - 3.4.3-2
+- Remove python.o file, and minor cleanups.
+
+* Wed Jul 1 2015 Vinay Kulkarni - 3.4.3
+- Add Python3 package to Photon.
diff --git a/cgmanifest.json b/cgmanifest.json
index c747471205..a71ff3a187 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -4226,8 +4226,8 @@
 "type": "other",
 "other": {
 "name": "python3",
- "version": "3.7.7",
- "downloadUrl": "https://www.python.org/ftp/python/3.7.7/Python-3.7.7.tar.xz"
+ "version": "3.7.9",
+ "downloadUrl": "https://www.python.org/ftp/python/3.7.9/Python-3.7.9.tar.xz"
 }
 }
 },