From 34bd645bcdf20f49c317de0e7d319d0629fa70be Mon Sep 17 00:00:00 2001
From: yeah_wang <1485652911@qq.com>
Date: Tue, 17 Mar 2020 18:30:45 +0800
Subject: [PATCH] cve

---
 CVE-2019-9674.patch | 86 +++++++++++++++++++++++++++++++++++++++++++++
 CVE-2020-8492.patch | 40 +++++++++++++++++++++
 python2.spec        | 10 +++++-
 3 files changed, 135 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-9674.patch
 create mode 100644 CVE-2020-8492.patch

diff --git a/CVE-2019-9674.patch b/CVE-2019-9674.patch
new file mode 100644
index 0000000..87de580
--- /dev/null
+++ b/CVE-2019-9674.patch
@@ -0,0 +1,86 @@
+From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001
+From: JunWei Song <sungboss2004@gmail.com>
+Date: Wed, 11 Sep 2019 23:04:12 +0800
+Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
+ (#13378)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* bpo-36260: Add pitfalls to zipfile module documentation
+
+We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file.
+This gave us the idea of documentation improvement.
+
+So, we moved a little bit forward :P
+And the doc patch can be found (pr).
+
+* fix trailing whitespace
+
+* 📜🤖 Added by blurb_it.
+
+* Reformat text for consistency.
+---
+ Doc/library/zipfile.rst                       | 40 +++++++++++++++++++
+ .../2019-06-04-09-29-00.bpo-36260.WrGuc-.rst  |  1 +
+ 2 files changed, 41 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
+
+diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
+index 9db9697105d6b..18d2e9a60a7ba 100644
+--- a/Doc/library/zipfile.rst
++++ b/Doc/library/zipfile.rst
+@@ -816,5 +816,45 @@ Command-line options
+ 
+    Test whether the zipfile is valid or not.
+ 
++Decompression pitfalls
++----------------------
++
++The extraction in zipfile module might fail due to some pitfalls listed below.
++
++From file itself
++~~~~~~~~~~~~~~~~
++
++Decompression may fail due to incorrect password / CRC checksum / ZIP format or
++unsupported compression method / decryption.
++
++File System limitations
++~~~~~~~~~~~~~~~~~~~~~~~
++
++Exceeding limitations on different file systems can cause decompression failed.
++Such as allowable characters in the directory entries, length of the file name,
++length of the pathname, size of a single file, and number of files, etc.
++
++Resources limitations
++~~~~~~~~~~~~~~~~~~~~~
++
++The lack of memory or disk volume would lead to decompression
++failed. For example, decompression bombs (aka `ZIP bomb`_)
++apply to zipfile library that can cause disk volume exhaustion.
++
++Interruption
++~~~~~~~~~~~~
++
++Interruption during the decompression, such as pressing control-C or killing the
++decompression process may result in incomplete decompression of the archive.
++
++Default behaviors of extraction
++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++
++Not knowing the default extraction behaviors
++can cause unexpected decompression results.
++For example, when extracting the same archive twice,
++it overwrites files without asking.
++
+ 
++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
+ .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
+diff --git a/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
+new file mode 100644
+index 0000000000000..9276516a88239
+--- /dev/null
++++ b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
+@@ -0,0 +1 @@
++Add decompression pitfalls to zipfile module documentation.
+\ No newline at end of file
diff --git a/CVE-2020-8492.patch b/CVE-2020-8492.patch
new file mode 100644
index 0000000..897e792
--- /dev/null
+++ b/CVE-2020-8492.patch
@@ -0,0 +1,40 @@
+From 34e25a97709a05f7c804036dd1e16afda6bdfa33 Mon Sep 17 00:00:00 2001
+From: Victor Stinner <vstinner@python.org>
+Date: Thu, 30 Jan 2020 16:13:03 +0100
+Subject: [PATCH] bpo-39503: Fix urllib basic auth regex
+
+The AbstractBasicAuthHandler class of the urllib.request module uses
+an inefficient regular expression which can be exploited by an
+attacker to cause a denial of service. Fix the regex to prevent the
+catastrophic backtracking.
+
+Vulnerability reported by Matt Schwager.
+---
+ Lib/urllib/request.py                                         | 2 +-
+ .../next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst    | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+
+diff --git a/Lib/urllib2.py b/Lib/urllib2.py
+index a6d350a97a452..72de8b2206885 100644
+--- a/Lib/urllib2.py
++++ b/Lib/urllib2.py
+@@ -937,7 +937,7 @@ class AbstractBasicAuthHandler:
+ 
+     # allow for double- and single-quoted realm values
+     # (single quotes are a violation of the RFC, but appear in the wild)
+-    rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
++    rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+'
+                     'realm=(["\']?)([^"\']*)\\2', re.I)
+ 
+     # XXX could pre-emptively send auth info already accepted (RFC 2617,
+diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+new file mode 100644
+index 0000000000000..2c2622f4e8d54
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+@@ -0,0 +1,4 @@
++The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
++:mod:`urllib.request` module uses an inefficient regular expression which can
++be exploited by an attacker to cause a denial of service. Fix the regex to
++prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager.
diff --git a/python2.spec b/python2.spec
index 8935f60..aa6ae50 100644
--- a/python2.spec
+++ b/python2.spec
@@ -15,7 +15,7 @@
 %undefine _debuginfo_subpackages
 Name:      python2
 Version:   2.7.16
-Release:   14
+Release:   15
 Summary:   Python is an interpreted, interactive object-oriented programming language suitable
 License:   Python
 URL:       https://www.python.org/
@@ -100,6 +100,8 @@ Patch6056: CVE-2019-16935.patch
 Patch6057: CVE-2019-17514.patch
 Patch6058: CVE-2017-18207.patch
 Patch6059: bugfix-excessive-memory-usage-when-using-regular-expressions.patch
+Patch6060: CVE-2019-9674.patch
+Patch6061: CVE-2020-8492.patch
 
 BuildRequires: libdb-devel libffi-devel valgrind-devel ncurses-devel expat-devel readline-devel
 BuildRequires: openssl-devel libtirpc-devel tcl-devel tk-devel glibc-devel libnsl2-devel
@@ -634,6 +636,12 @@ sed -e "s|LIBRARY_PATH|%{_libdir}/%{py_INSTSONAME_debug}|" %{SOURCE1} \
 %{dynload_dir}/_testcapimodule_d.so
 
 %changelog
+* Tue Mar 17 2020 wangye<wangye54@huawei.com> - 2.7.16-15
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:CVE-2020-8492 and CVE-2019-9674
+
 * Sat Feb 29 2020 hanxinke<hanxinke@huawei.com> - 2.7.16-14
 - Type:bugfix
 - ID:NA
-- 
Gitee