Patch CVE-2024-6923 in python3 (#10276)

2024-09-05 11:59:52 +05:30 · 2024-09-05 11:59:52 +05:30 · 9a52483013
--- a/SPECS/python3/CVE-2024-6923.patch
+++ b/SPECS/python3/CVE-2024-6923.patch
@ -0,0 +1,339 @@
+From e58aec9cbfdebf45ee863eded142358e9e98531d Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Wed, 31 Jul 2024 00:19:48 +0200
+Subject: [PATCH 1/2] gh-121650: Encode newlines in headers, and verify headers
+ are sound (GH-122233)
+
+- Encode header parts that contain newlines
+
+Per RFC 2047:
+
+> [...] these encoding schemes allow the
+> encoding of arbitrary octet values, mail readers that implement this
+> decoding should also ensure that display of the decoded data on the
+> recipient's terminal will not cause unwanted side-effects
+
+It seems that the "quoted-word" scheme is a valid way to include
+a newline character in a header value, just like we already allow
+undecodable bytes or control characters.
+They do need to be properly quoted when serialized to text, though.
+
+- Verify that email headers are well-formed
+
+This should fail for custom fold() implementations that aren't careful
+about newlines.
+
+Co-authored-by: Bas Bloemsaat <bas@bloemsaat.org>
+Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
+(cherry picked from commit 097633981879b3c9de9a1dd120d3aa585ecc2384)
+---
+ Doc/library/email.errors.rst                  |  7 +++
+ Doc/library/email.policy.rst                  | 18 ++++++
+ Lib/email/_header_value_parser.py             | 12 +++-
+ Lib/email/_policybase.py                      |  8 +++
+ Lib/email/errors.py                           |  4 ++
+ Lib/email/generator.py                        | 13 +++-
+ Lib/test/test_email/test_generator.py         | 62 +++++++++++++++++++
+ Lib/test/test_email/test_policy.py            | 26 ++++++++
+ ...-07-27-16-10-41.gh-issue-121650.nf6oc9.rst |  5 ++
+ 9 files changed, 151 insertions(+), 4 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst
+
+diff --git a/Doc/library/email.errors.rst b/Doc/library/email.errors.rst
+index 33ab4265116178..f8f43d82a3df2e 100644
+--- a/Doc/library/email.errors.rst
+++ b/Doc/library/email.errors.rst
+@@ -58,6 +58,13 @@ The following exception classes are defined in the :mod:`email.errors` module:
+    :class:`~email.mime.nonmultipart.MIMENonMultipart` (e.g.
+    :class:`~email.mime.image.MIMEImage`).
+ 
+
+.. exception:: HeaderWriteError()
+
+   Raised when an error occurs when the :mod:`~email.generator` outputs
+   headers.
+
+
+ .. exception:: MessageDefect()
+ 
+    This is the base class for all defects found when parsing email messages.
+diff --git a/Doc/library/email.policy.rst b/Doc/library/email.policy.rst
+index 83feedf728351e..314767d0802a08 100644
+--- a/Doc/library/email.policy.rst
+++ b/Doc/library/email.policy.rst
+@@ -229,6 +229,24 @@ added matters.  To illustrate::
+ 
+       .. versionadded:: 3.6
+ 
+
+   .. attribute:: verify_generated_headers
+
+      If ``True`` (the default), the generator will raise
+      :exc:`~email.errors.HeaderWriteError` instead of writing a header
+      that is improperly folded or delimited, such that it would
+      be parsed as multiple headers or joined with adjacent data.
+      Such headers can be generated by custom header classes or bugs
+      in the ``email`` module.
+
+      As it's a security feature, this defaults to ``True`` even in the
+      :class:`~email.policy.Compat32` policy.
+      For backwards compatible, but unsafe, behavior, it must be set to
+      ``False`` explicitly.
+
+      .. versionadded:: 3.13
+
+
+    The following :class:`Policy` method is intended to be called by code using
+    the email library to create policy instances with custom settings:
+ 
+diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py
+index 7da1bbaf8a80d7..ec2215a5e5f33c 100644
+--- a/Lib/email/_header_value_parser.py
+++ b/Lib/email/_header_value_parser.py
+@@ -92,6 +92,8 @@
+ ASPECIALS = TSPECIALS | set("*'%")
+ ATTRIBUTE_ENDS = ASPECIALS | WSP
+ EXTENDED_ATTRIBUTE_ENDS = ATTRIBUTE_ENDS - set('%')
+NLSET = {'\n', '\r'}
+SPECIALSNL = SPECIALS | NLSET
+ 
+ def quote_string(value):
+     return '"'+str(value).replace('\\', '\\\\').replace('"', r'\"')+'"'
+@@ -2778,9 +2780,13 @@ def _refold_parse_tree(parse_tree, *, policy):
+             wrap_as_ew_blocked -= 1
+             continue
+         tstr = str(part)
+-        if part.token_type == 'ptext' and set(tstr) & SPECIALS:
+-            # Encode if tstr contains special characters.
+-            want_encoding = True
+        if not want_encoding:
+            if part.token_type == 'ptext':
+                # Encode if tstr contains special characters.
+                want_encoding = not SPECIALSNL.isdisjoint(tstr)
+            else:
+                # Encode if tstr contains newlines.
+                want_encoding = not NLSET.isdisjoint(tstr)
+         try:
+             tstr.encode(encoding)
+             charset = encoding
+diff --git a/Lib/email/_policybase.py b/Lib/email/_policybase.py
+index 2ec54fbabae83c..5f9aa9fb091fa2 100644
+--- a/Lib/email/_policybase.py
+++ b/Lib/email/_policybase.py
+@@ -157,6 +157,13 @@ class Policy(_PolicyBase, metaclass=abc.ABCMeta):
+     message_factory     -- the class to use to create new message objects.
+                            If the value is None, the default is Message.
+ 
+    verify_generated_headers
+                        -- if true, the generator verifies that each header
+                           they are properly folded, so that a parser won't
+                           treat it as multiple headers, start-of-body, or
+                           part of another header.
+                           This is a check against custom Header & fold()
+                           implementations.
+     """
+ 
+     raise_on_defect = False
+@@ -165,6 +172,7 @@ class Policy(_PolicyBase, metaclass=abc.ABCMeta):
+     max_line_length = 78
+     mangle_from_ = False
+     message_factory = None
+    verify_generated_headers = True
+ 
+     def handle_defect(self, obj, defect):
+         """Based on policy, either raise defect or call register_defect.
+diff --git a/Lib/email/errors.py b/Lib/email/errors.py
+index 3ad00565549968..02aa5eced6ae46 100644
+--- a/Lib/email/errors.py
+++ b/Lib/email/errors.py
+@@ -29,6 +29,10 @@ class CharsetError(MessageError):
+     """An illegal charset was given."""
+ 
+ 
+class HeaderWriteError(MessageError):
+    """Error while writing headers."""
+
+
+ # These are parsing defects which the parser was able to work around.
+ class MessageDefect(ValueError):
+     """Base class for a message defect."""
+diff --git a/Lib/email/generator.py b/Lib/email/generator.py
+index c8056ad47baa0f..47b9df8f4e6090 100644
+--- a/Lib/email/generator.py
+++ b/Lib/email/generator.py
+@@ -14,12 +14,14 @@
+ from copy import deepcopy
+ from io import StringIO, BytesIO
+ from email.utils import _has_surrogates
+from email.errors import HeaderWriteError
+ 
+ UNDERSCORE = '_'
+ NL = '\n'  # XXX: no longer used by the code below.
+ 
+ NLCRE = re.compile(r'\r\n|\r|\n')
+ fcre = re.compile(r'^From ', re.MULTILINE)
+NEWLINE_WITHOUT_FWSP = re.compile(r'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]')
+ 
+ 
+ class Generator:
+@@ -222,7 +224,16 @@ def _dispatch(self, msg):
+ 
+     def _write_headers(self, msg):
+         for h, v in msg.raw_items():
+-            self.write(self.policy.fold(h, v))
+            folded = self.policy.fold(h, v)
+            if self.policy.verify_generated_headers:
+                linesep = self.policy.linesep
+                if not folded.endswith(self.policy.linesep):
+                    raise HeaderWriteError(
+                        f'folded header does not end with {linesep!r}: {folded!r}')
+                if NEWLINE_WITHOUT_FWSP.search(folded.removesuffix(linesep)):
+                    raise HeaderWriteError(
+                        f'folded header contains newline: {folded!r}')
+            self.write(folded)
+         # A blank line always separates headers from body
+         self.write(self._NL)
+ 
+diff --git a/Lib/test/test_email/test_generator.py b/Lib/test/test_email/test_generator.py
+index bc6f734d4fd0a9..c75a842c33578e 100644
+--- a/Lib/test/test_email/test_generator.py
+++ b/Lib/test/test_email/test_generator.py
+@@ -6,6 +6,7 @@
+ from email.generator import Generator, BytesGenerator
+ from email.headerregistry import Address
+ from email import policy
+import email.errors
+ from test.test_email import TestEmailBase, parameterize
+ 
+ 
+@@ -216,6 +217,44 @@ def test_rfc2231_wrapping_switches_to_default_len_if_too_narrow(self):
+         g.flatten(msg)
+         self.assertEqual(s.getvalue(), self.typ(expected))
+ 
+    def test_keep_encoded_newlines(self):
+        msg = self.msgmaker(self.typ(textwrap.dedent("""\
+            To: nobody
+            Subject: Bad subject=?UTF-8?Q?=0A?=Bcc: injection@example.com
+
+            None
+            """)))
+        expected = textwrap.dedent("""\
+            To: nobody
+            Subject: Bad subject=?UTF-8?Q?=0A?=Bcc: injection@example.com
+
+            None
+            """)
+        s = self.ioclass()
+        g = self.genclass(s, policy=self.policy.clone(max_line_length=80))
+        g.flatten(msg)
+        self.assertEqual(s.getvalue(), self.typ(expected))
+
+    def test_keep_long_encoded_newlines(self):
+        msg = self.msgmaker(self.typ(textwrap.dedent("""\
+            To: nobody
+            Subject: Bad subject=?UTF-8?Q?=0A?=Bcc: injection@example.com
+
+            None
+            """)))
+        expected = textwrap.dedent("""\
+            To: nobody
+            Subject: Bad subject
+             =?utf-8?q?=0A?=Bcc:
+             injection@example.com
+
+            None
+            """)
+        s = self.ioclass()
+        g = self.genclass(s, policy=self.policy.clone(max_line_length=30))
+        g.flatten(msg)
+        self.assertEqual(s.getvalue(), self.typ(expected))
+
+ 
+ class TestGenerator(TestGeneratorBase, TestEmailBase):
+ 
+@@ -224,6 +263,29 @@ class TestGenerator(TestGeneratorBase, TestEmailBase):
+     ioclass = io.StringIO
+     typ = str
+ 
+    def test_verify_generated_headers(self):
+        """gh-121650: by default the generator prevents header injection"""
+        class LiteralHeader(str):
+            name = 'Header'
+            def fold(self, **kwargs):
+                return self
+
+        for text in (
+            'Value\r\nBad Injection\r\n',
+            'NoNewLine'
+        ):
+            with self.subTest(text=text):
+                message = message_from_string(
+                    "Header: Value\r\n\r\nBody",
+                    policy=self.policy,
+                )
+
+                del message['Header']
+                message['Header'] = LiteralHeader(text)
+
+                with self.assertRaises(email.errors.HeaderWriteError):
+                    message.as_string()
+
+ 
+ class TestBytesGenerator(TestGeneratorBase, TestEmailBase):
+ 
+diff --git a/Lib/test/test_email/test_policy.py b/Lib/test/test_email/test_policy.py
+index c6b9c80efe1b54..baa35fd68e49c5 100644
+--- a/Lib/test/test_email/test_policy.py
+++ b/Lib/test/test_email/test_policy.py
+@@ -26,6 +26,7 @@ class PolicyAPITests(unittest.TestCase):
+         'raise_on_defect':          False,
+         'mangle_from_':             True,
+         'message_factory':          None,
+        'verify_generated_headers': True,
+         }
+     # These default values are the ones set on email.policy.default.
+     # If any of these defaults change, the docs must be updated.
+@@ -294,6 +295,31 @@ def test_short_maxlen_error(self):
+                 with self.assertRaises(email.errors.HeaderParseError):
+                     policy.fold("Subject", subject)
+ 
+    def test_verify_generated_headers(self):
+        """Turning protection off allows header injection"""
+        policy = email.policy.default.clone(verify_generated_headers=False)
+        for text in (
+            'Header: Value\r\nBad: Injection\r\n',
+            'Header: NoNewLine'
+        ):
+            with self.subTest(text=text):
+                message = email.message_from_string(
+                    "Header: Value\r\n\r\nBody",
+                    policy=policy,
+                )
+                class LiteralHeader(str):
+                    name = 'Header'
+                    def fold(self, **kwargs):
+                        return self
+
+                del message['Header']
+                message['Header'] = LiteralHeader(text)
+
+                self.assertEqual(
+                    message.as_string(),
+                    f"{text}\nBody",
+                )
+
+     # XXX: Need subclassing tests.
+     # For adding subclassed objects, make sure the usual rules apply (subclass
+     # wins), but that the order still works (right overrides left).
+diff --git a/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst b/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst
+new file mode 100644
+index 00000000000000..83dd28d4ac575b
+--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst
+@@ -0,0 +1,5 @@
+:mod:`email` headers with embedded newlines are now quoted on output. The
+:mod:`~email.generator` will now refuse to serialize (write) headers that
+are unsafely folded or delimited; see
+:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas
+Bloemsaat and Petr Viktorin in :gh:`121650`.)
+
--- a/SPECS/python3/python3.spec
+++ b/SPECS/python3/python3.spec
@ -6,7 +6,7 @@
 Summary:        A high-level scripting language
 Name:           python3
 Version:        3.12.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        PSF
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@ -18,6 +18,7 @@ Source0:        https://www.python.org/ftp/python/%{version}/Python-%{version}.t
 Source1:        https://github.com/python/cpython/blob/3.9/Tools/scripts/pathfix.py
 Patch0:         cgi3.patch
 Patch1:         CVE-2024-7592.patch
+Patch2:         CVE-2024-6923.patch

 BuildRequires:  bzip2-devel
 BuildRequires:  expat-devel >= 2.1.0
@ -239,6 +240,9 @@ rm -rf %{buildroot}%{_bindir}/__pycache__
 %{_libdir}/python%{majmin}/test/*

 %changelog
+* Wed Aug 28 2024 Rohit Rawat <rohitrawat@microsoft.com> - 3.12.3-3
+- Patch CVE-2024-6923
+
 * Wed Aug 21 2024 Brian Fjeldstad <bfjelds@microsoft.com> - 3.12.3-2
 - Patch CVE-2024-7592

--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@ -240,9 +240,9 @@ ca-certificates-base-3.0.0-7.azl3.noarch.rpm
 ca-certificates-3.0.0-7.azl3.noarch.rpm
 dwz-0.14-2.azl3.aarch64.rpm
 unzip-6.0-20.azl3.aarch64.rpm
-python3-3.12.3-2.azl3.aarch64.rpm
-python3-devel-3.12.3-2.azl3.aarch64.rpm
-python3-libs-3.12.3-2.azl3.aarch64.rpm
+python3-3.12.3-3.azl3.aarch64.rpm
+python3-devel-3.12.3-3.azl3.aarch64.rpm
+python3-libs-3.12.3-3.azl3.aarch64.rpm
 python3-setuptools-69.0.3-3.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 which-2.21-8.azl3.aarch64.rpm
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@ -240,9 +240,9 @@ ca-certificates-base-3.0.0-7.azl3.noarch.rpm
 ca-certificates-3.0.0-7.azl3.noarch.rpm
 dwz-0.14-2.azl3.x86_64.rpm
 unzip-6.0-20.azl3.x86_64.rpm
-python3-3.12.3-2.azl3.x86_64.rpm
-python3-devel-3.12.3-2.azl3.x86_64.rpm
-python3-libs-3.12.3-2.azl3.x86_64.rpm
+python3-3.12.3-3.azl3.x86_64.rpm
+python3-devel-3.12.3-3.azl3.x86_64.rpm
+python3-libs-3.12.3-3.azl3.x86_64.rpm
 python3-setuptools-69.0.3-3.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 which-2.21-8.azl3.x86_64.rpm
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@ -529,18 +529,18 @@ pyproject-rpm-macros-1.12.0-2.azl3.noarch.rpm
 pyproject-srpm-macros-1.12.0-2.azl3.noarch.rpm
 python-markupsafe-debuginfo-2.1.3-1.azl3.aarch64.rpm
 python-wheel-wheel-0.43.0-1.azl3.noarch.rpm
-python3-3.12.3-2.azl3.aarch64.rpm
+python3-3.12.3-3.azl3.aarch64.rpm
 python3-audit-3.1.2-1.azl3.aarch64.rpm
 python3-cracklib-2.9.11-1.azl3.aarch64.rpm
-python3-curses-3.12.3-2.azl3.aarch64.rpm
+python3-curses-3.12.3-3.azl3.aarch64.rpm
 python3-Cython-3.0.5-2.azl3.aarch64.rpm
-python3-debuginfo-3.12.3-2.azl3.aarch64.rpm
-python3-devel-3.12.3-2.azl3.aarch64.rpm
+python3-debuginfo-3.12.3-3.azl3.aarch64.rpm
+python3-devel-3.12.3-3.azl3.aarch64.rpm
 python3-flit-core-3.9.0-1.azl3.noarch.rpm
 python3-gpg-1.23.2-2.azl3.aarch64.rpm
 python3-jinja2-3.1.2-1.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.aarch64.rpm
-python3-libs-3.12.3-2.azl3.aarch64.rpm
+python3-libs-3.12.3-3.azl3.aarch64.rpm
 python3-libxml2-2.11.5-1.azl3.aarch64.rpm
 python3-lxml-4.9.3-1.azl3.aarch64.rpm
 python3-magic-5.45-1.azl3.noarch.rpm
@ -552,8 +552,8 @@ python3-pygments-2.7.4-2.azl3.noarch.rpm
 python3-rpm-4.18.2-1.azl3.aarch64.rpm
 python3-rpm-generators-14-11.azl3.noarch.rpm
 python3-setuptools-69.0.3-3.azl3.noarch.rpm
-python3-test-3.12.3-2.azl3.aarch64.rpm
-python3-tools-3.12.3-2.azl3.aarch64.rpm
+python3-test-3.12.3-3.azl3.aarch64.rpm
+python3-tools-3.12.3-3.azl3.aarch64.rpm
 python3-wheel-0.43.0-1.azl3.noarch.rpm
 readline-8.2-1.azl3.aarch64.rpm
 readline-debuginfo-8.2-1.azl3.aarch64.rpm
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@ -535,18 +535,18 @@ pyproject-rpm-macros-1.12.0-2.azl3.noarch.rpm
 pyproject-srpm-macros-1.12.0-2.azl3.noarch.rpm
 python-markupsafe-debuginfo-2.1.3-1.azl3.x86_64.rpm
 python-wheel-wheel-0.43.0-1.azl3.noarch.rpm
-python3-3.12.3-2.azl3.x86_64.rpm
+python3-3.12.3-3.azl3.x86_64.rpm
 python3-audit-3.1.2-1.azl3.x86_64.rpm
 python3-cracklib-2.9.11-1.azl3.x86_64.rpm
-python3-curses-3.12.3-2.azl3.x86_64.rpm
+python3-curses-3.12.3-3.azl3.x86_64.rpm
 python3-Cython-3.0.5-2.azl3.x86_64.rpm
-python3-debuginfo-3.12.3-2.azl3.x86_64.rpm
-python3-devel-3.12.3-2.azl3.x86_64.rpm
+python3-debuginfo-3.12.3-3.azl3.x86_64.rpm
+python3-devel-3.12.3-3.azl3.x86_64.rpm
 python3-flit-core-3.9.0-1.azl3.noarch.rpm
 python3-gpg-1.23.2-2.azl3.x86_64.rpm
 python3-jinja2-3.1.2-1.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.x86_64.rpm
-python3-libs-3.12.3-2.azl3.x86_64.rpm
+python3-libs-3.12.3-3.azl3.x86_64.rpm
 python3-libxml2-2.11.5-1.azl3.x86_64.rpm
 python3-lxml-4.9.3-1.azl3.x86_64.rpm
 python3-magic-5.45-1.azl3.noarch.rpm
@ -558,8 +558,8 @@ python3-pygments-2.7.4-2.azl3.noarch.rpm
 python3-rpm-4.18.2-1.azl3.x86_64.rpm
 python3-rpm-generators-14-11.azl3.noarch.rpm
 python3-setuptools-69.0.3-3.azl3.noarch.rpm
-python3-test-3.12.3-2.azl3.x86_64.rpm
-python3-tools-3.12.3-2.azl3.x86_64.rpm
+python3-test-3.12.3-3.azl3.x86_64.rpm
+python3-tools-3.12.3-3.azl3.x86_64.rpm
 python3-wheel-0.43.0-1.azl3.noarch.rpm
 readline-8.2-1.azl3.x86_64.rpm
 readline-debuginfo-8.2-1.azl3.x86_64.rpm