Made `python-certifi` stop using its bundled certificates to fix CVE-2023-37920. (#5939)

SPECS/python-certifi/certifi-2022.12.07-use-system-cert.patch

@@ -0,0 +1,128 @@
+From c8704810b3e82a7d38bc0de7dd007b8755b83e39 Mon Sep 17 00:00:00 2001
+From: Karolina Surma <ksurma@redhat.com>
+Date: Mon, 14 Nov 2022 13:30:48 +0100
+Subject: [PATCH] certifi-2022.9.24-use-system-cert
+
+---
+ certifi/core.py | 105 +++---------------------------------------------
+ 1 file changed, 6 insertions(+), 99 deletions(-)
+
+diff --git a/certifi/core.py b/certifi/core.py
+index de02898..207116f 100644
+--- a/certifi/core.py
++++ b/certifi/core.py
+@@ -4,105 +4,12 @@ certifi.py
+ 
+ This module returns the installation location of cacert.pem or its contents.
+ """
+-import sys
+ 
++# The RPM-packaged certifi always uses the system certificates
++def where() -> str:
++    return '/etc/pki/tls/certs/ca-bundle.crt'
+ 
+-if sys.version_info >= (3, 11):
++def contents() -> str:
++    with open(where(), encoding='utf=8') as data:
++        return data.read()
+ 
+-    from importlib.resources import as_file, files
+-
+-    _CACERT_CTX = None
+-    _CACERT_PATH = None
+-
+-    def where() -> str:
+-        # This is slightly terrible, but we want to delay extracting the file
+-        # in cases where we're inside of a zipimport situation until someone
+-        # actually calls where(), but we don't want to re-extract the file
+-        # on every call of where(), so we'll do it once then store it in a
+-        # global variable.
+-        global _CACERT_CTX
+-        global _CACERT_PATH
+-        if _CACERT_PATH is None:
+-            # This is slightly janky, the importlib.resources API wants you to
+-            # manage the cleanup of this file, so it doesn't actually return a
+-            # path, it returns a context manager that will give you the path
+-            # when you enter it and will do any cleanup when you leave it. In
+-            # the common case of not needing a temporary file, it will just
+-            # return the file system location and the __exit__() is a no-op.
+-            #
+-            # We also have to hold onto the actual context manager, because
+-            # it will do the cleanup whenever it gets garbage collected, so
+-            # we will also store that at the global level as well.
+-            _CACERT_CTX = as_file(files("certifi").joinpath("cacert.pem"))
+-            _CACERT_PATH = str(_CACERT_CTX.__enter__())
+-
+-        return _CACERT_PATH
+-
+-    def contents() -> str:
+-        return files("certifi").joinpath("cacert.pem").read_text(encoding="ascii")
+-
+-elif sys.version_info >= (3, 7):
+-
+-    from importlib.resources import path as get_path, read_text
+-
+-    _CACERT_CTX = None
+-    _CACERT_PATH = None
+-
+-    def where() -> str:
+-        # This is slightly terrible, but we want to delay extracting the
+-        # file in cases where we're inside of a zipimport situation until
+-        # someone actually calls where(), but we don't want to re-extract
+-        # the file on every call of where(), so we'll do it once then store
+-        # it in a global variable.
+-        global _CACERT_CTX
+-        global _CACERT_PATH
+-        if _CACERT_PATH is None:
+-            # This is slightly janky, the importlib.resources API wants you
+-            # to manage the cleanup of this file, so it doesn't actually
+-            # return a path, it returns a context manager that will give
+-            # you the path when you enter it and will do any cleanup when
+-            # you leave it. In the common case of not needing a temporary
+-            # file, it will just return the file system location and the
+-            # __exit__() is a no-op.
+-            #
+-            # We also have to hold onto the actual context manager, because
+-            # it will do the cleanup whenever it gets garbage collected, so
+-            # we will also store that at the global level as well.
+-            _CACERT_CTX = get_path("certifi", "cacert.pem")
+-            _CACERT_PATH = str(_CACERT_CTX.__enter__())
+-
+-        return _CACERT_PATH
+-
+-    def contents() -> str:
+-        return read_text("certifi", "cacert.pem", encoding="ascii")
+-
+-else:
+-    import os
+-    import types
+-    from typing import Union
+-
+-    Package = Union[types.ModuleType, str]
+-    Resource = Union[str, "os.PathLike"]
+-
+-    # This fallback will work for Python versions prior to 3.7 that lack the
+-    # importlib.resources module but relies on the existing `where` function
+-    # so won't address issues with environments like PyOxidizer that don't set
+-    # __file__ on modules.
+-    def read_text(
+-        package: Package,
+-        resource: Resource,
+-        encoding: str = 'utf-8',
+-        errors: str = 'strict'
+-    ) -> str:
+-        with open(where(), encoding=encoding) as data:
+-            return data.read()
+-
+-    # If we don't have importlib.resources, then we will just do the old logic
+-    # of assuming we're on the filesystem and munge the path directly.
+-    def where() -> str:
+-        f = os.path.dirname(__file__)
+-
+-        return os.path.join(f, "cacert.pem")
+-
+-    def contents() -> str:
+-        return read_text("certifi", "cacert.pem", encoding="ascii")
+-- 
+2.37.3
+

SPECS/python-certifi/python-certifi.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "certifi-2022.12.07.tar.gz": "48d30258d28d0d04b9220492bca614cc596be8f14c94b96ea8298d9284a5e3dd"
+  "python-certifi-2023.05.07.tar.gz": "3ee59191c133d4c3c921c075fe4e8bec7c25a16d02143f0ee7de47f7f22cfd0f"
  }
 }

SPECS/python-certifi/python-certifi.spec

@@ -1,51 +1,69 @@
 Summary:        Python package for providing Mozilla's CA Bundle
 Name:           python-certifi
-Version:        2022.12.07
+Version:        2023.05.07
 Release:        1%{?dist}
 License:        MPL-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
-Group:          Development/Languages/Python
-URL:            https://github.com/certifi
-#Source0:       https://github.com/certifi/python-certifi/archive/refs/tags/%{version}.tar.gz
-Source0:        certifi-%{version}.tar.gz
+URL:            https://certifi.io/
+Source:         https://github.com/certifi/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
+Patch0:         certifi-2022.12.07-use-system-cert.patch
+
 BuildArch:      noarch
 
-%description
-Python package for providing Mozilla's CA Bundle
-
-%package -n     python3-certifi
-Summary:        Python package for providing Mozilla's CA Bundle
 BuildRequires:  python3-devel
-BuildRequires:  python3-setuptools
-%if %{with_check}
 BuildRequires:  python3-pip
+BuildRequires:  python3-wheel
+
+%if %{with_check}
+BuildRequires:  ca-certificates-base
+BuildRequires:  python3-pytest
 %endif
 
+%description
+This Azure Linux package does not include its own certificate
+collection. It reads the system shared certificate trust collection
+instead. For more details on this system, see the 'ca-certificates' package.
+
+%package -n python3-certifi
+Summary:        %{summary}
+
+Requires:       %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
+
 %description -n python3-certifi
-Certifi is a carefully curated collection of
-Root Certificates for validating the trustworthiness of
-SSL certificates while verifying the identity of TLS hosts
+This Azure Linux package does not include its own certificate
+collection. It reads the system shared certificate trust collection
+instead. For more details on this system, see the 'ca-certificates' package.
+
+This package provides the Python 3 certifi library.
 
 %prep
-%autosetup -n python-certifi-%{version}
+%autosetup -p1
+
+# Remove bundled root certificates collection
+rm -rf certifi/*.pem
+
+%generate_buildrequires
+%pyproject_buildrequires
 
 %build
-%py3_build
+%pyproject_wheel
 
 %install
-%py3_install
+%pyproject_install
+%pyproject_save_files certifi
 
 %check
-pip3 install pytest
-%pytest
+%pytest -v
 
-%files -n python3-certifi
-%defattr(-,root,root,-)
-%license LICENSE
-%{python3_sitelib}/*
+%files -n python3-certifi -f %{pyproject_files}
+%doc README.rst
 
 %changelog
+* Fri Aug 04 2023 Pawel Winogrodzki <pawelwi@microsoft.com> - 2023.05.07-1
+- Removing bundled certificates.
+- Switching to Fedora 39 implementation of the spec (license: MIT).
+
 * Tue Jan 24 2023 Muhammad Falak <mwani@microsoft.com> - 2022.12.07-1
 - Bump version to 2022.12.07 to address CVE-2022-23491
 

cgmanifest.json

@@ -21874,8 +21874,8 @@
         "type": "other",
         "other": {
           "name": "python-certifi",
-          "version": "2022.12.07",
-          "downloadUrl": "https://github.com/certifi/python-certifi/archive/refs/tags/2022.12.07.tar.gz"
+          "version": "2023.05.07",
+          "downloadUrl": "https://github.com/certifi/python-certifi/archive/2023.05.07/python-certifi-2023.05.07.tar.gz"
         }
       }
     },