diff --git a/CVE-2020-8492.patch b/CVE-2020-8492.patch new file mode 100644 index 0000000000000000000000000000000000000000..1397ebfd17d9b47393e9cfd5af8073a00eaf2c5e --- /dev/null +++ b/CVE-2020-8492.patch @@ -0,0 +1,45 @@ +From dbcfc664ee7ae6e9e97ca0d69ad6581a36871836 Mon Sep 17 00:00:00 2001 +From: Victor Stinner +Date: Thu, 30 Jan 2020 16:13:03 +0100 +Subject: [PATCH] bpo-39503: Fix urllib basic auth regex + +The AbstractBasicAuthHandler class of the urllib.request module uses +an inefficient regular expression which can be exploited by an +attacker to cause a denial of service. Fix the regex to prevent the +catastrophic backtracking. + +Vulnerability reported by Matt Schwager. + +Signed-off-by: hanxinke +--- + Lib/urllib2.py | 2 +- + .../next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst + +diff --git a/Lib/urllib2.py b/Lib/urllib2.py +index fd19e1a..1596a51 100644 +--- a/Lib/urllib2.py ++++ b/Lib/urllib2.py +@@ -858,7 +858,7 @@ class AbstractBasicAuthHandler: + + # allow for double- and single-quoted realm values + # (single quotes are a violation of the RFC, but appear in the wild) +- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+' ++ rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+' + 'realm=(["\']?)([^"\']*)\\2', re.I) + + # XXX could pre-emptively send auth info already accepted (RFC 2617, +diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst +new file mode 100644 +index 0000000..92f186d +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst +@@ -0,0 +1,4 @@ ++CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the ++:mod:`urllib.request` module uses an inefficient regular expression which can ++be exploited by an attacker to cause a denial of service. Fix the regex to ++prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager. +-- +2.23.0 + diff --git a/python2.spec b/python2.spec index 8935f60d5e42f7b8acb5d61e273dec581005cb30..460d522c6471138f555d8a42bfad25a7ff114d34 100644 --- a/python2.spec +++ b/python2.spec @@ -15,7 +15,7 @@ %undefine _debuginfo_subpackages Name: python2 Version: 2.7.16 -Release: 14 +Release: 15 Summary: Python is an interpreted, interactive object-oriented programming language suitable License: Python URL: https://www.python.org/ @@ -73,33 +73,33 @@ Patch189: 00189-use-rpm-wheels.patch Patch191: 00191-disable-NOOP.patch Patch193: 00193-enable-loading-sqlite-extensions.patch Patch289: 00289-disable-nis-detection.patch -Patch04000: 04000-modularity-disable-tk.patch -Patch5000: 05000-autotool-intermediates.patch -#upstream patches -Patch6035: 0342-bpo-36126-Fix-ref-count-leakage-in-structseq_repr.-G.patch -Patch6036: 0349-2.7-bpo-13096-Fix-memory-leak-in-ctypes-POINTER-hand.patch -Patch6037: 0350-2.7-bpo-36179-Fix-ref-leaks-in-_hashopenssl-GH-12158.patch -Patch6038: 0351-2.7-bpo-36149-Fix-potential-use-of-uninitialized-mem.patch -Patch6039: 0353-2.7-bpo-36186-Fix-linuxaudiodev.linux_audio_device-e.patch -Patch6040: 0354-bpo-36147-Fix-a-memory-leak-in-ctypes-s_get-GH-12102.patch -Patch6041: 0357-bpo-36140-Fix-an-incorrect-check-in-msidb_getsummary.patch -Patch6042: 0358-2.7-IDLE-Fix-typo-in-keybindingDialog.py-GH-2322-GH-.patch -Patch6044: python2-CVE-2019-9948-1.patch -Patch6045: python2-CVE-2019-9948-2.patch -Patch6047: CVE-2019-9740.patch -Patch9000: python2-add-generic-os-supportr.patch -Patch6048: bugfix-linux_distribution-skip-link-file.patch -Patch6049: bugfix-test_locale-and-test_codecs.patch -Patch6050: CVE-2019-9636-bpo-36216-Add-check-for-characters.patch -Patch6051: CVE-2019-10160-1.patch -Patch6052: CVE-2019-10160-2.patch -Patch6053: CVE-2019-10160-3.patch -Patch6054: CVE-2019-16056.patch -Patch6055: CVE-2018-20852.patch -Patch6056: CVE-2019-16935.patch -Patch6057: CVE-2019-17514.patch -Patch6058: CVE-2017-18207.patch -Patch6059: bugfix-excessive-memory-usage-when-using-regular-expressions.patch +Patch290: 04000-modularity-disable-tk.patch +Patch291: 05000-autotool-intermediates.patch +Patch342: 0342-bpo-36126-Fix-ref-count-leakage-in-structseq_repr.-G.patch +Patch349: 0349-2.7-bpo-13096-Fix-memory-leak-in-ctypes-POINTER-hand.patch +Patch350: 0350-2.7-bpo-36179-Fix-ref-leaks-in-_hashopenssl-GH-12158.patch +Patch351: 0351-2.7-bpo-36149-Fix-potential-use-of-uninitialized-mem.patch +Patch353: 0353-2.7-bpo-36186-Fix-linuxaudiodev.linux_audio_device-e.patch +Patch354: 0354-bpo-36147-Fix-a-memory-leak-in-ctypes-s_get-GH-12102.patch +Patch357: 0357-bpo-36140-Fix-an-incorrect-check-in-msidb_getsummary.patch +Patch358: 0358-2.7-IDLE-Fix-typo-in-keybindingDialog.py-GH-2322-GH-.patch +Patch359: python2-CVE-2019-9948-1.patch +Patch360: python2-CVE-2019-9948-2.patch +Patch361: CVE-2019-9740.patch +Patch362: python2-add-generic-os-supportr.patch +Patch363: bugfix-linux_distribution-skip-link-file.patch +Patch364: bugfix-test_locale-and-test_codecs.patch +Patch365: CVE-2019-9636-bpo-36216-Add-check-for-characters.patch +Patch366: CVE-2019-10160-1.patch +Patch367: CVE-2019-10160-2.patch +Patch368: CVE-2019-10160-3.patch +Patch369: CVE-2019-16056.patch +Patch370: CVE-2018-20852.patch +Patch371: CVE-2019-16935.patch +Patch372: CVE-2019-17514.patch +Patch373: CVE-2017-18207.patch +Patch374: bugfix-excessive-memory-usage-when-using-regular-expressions.patch +Patch375: CVE-2020-8492.patch BuildRequires: libdb-devel libffi-devel valgrind-devel ncurses-devel expat-devel readline-devel BuildRequires: openssl-devel libtirpc-devel tcl-devel tk-devel glibc-devel libnsl2-devel @@ -634,6 +634,12 @@ sed -e "s|LIBRARY_PATH|%{_libdir}/%{py_INSTSONAME_debug}|" %{SOURCE1} \ %{dynload_dir}/_testcapimodule_d.so %changelog +* Fri Mar 6 2020 hanxinke - 2.7.16-15 +- Type:cves +- ID:CVE-2020-8492 +- SUG:NA +- DESC:fix CVE-2020-8492 + * Sat Feb 29 2020 hanxinke - 2.7.16-14 - Type:bugfix - ID:NA