diff --git a/avoid-usage-of-md5-in-multiprocessing.patch b/avoid-usage-of-md5-in-multiprocessing.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1a56d08e20b28dccf8bfed7e6c1f5ff4d609efab
--- /dev/null
+++ b/avoid-usage-of-md5-in-multiprocessing.patch
@@ -0,0 +1,57 @@
+From 17198bd8ac7eac7320bf22828cc9b22a26d62ae2 Mon Sep 17 00:00:00 2001
+From: liyuanyuan
+Date: Thu, 15 Dec 2022 19:32:29 +0800
+Subject: [PATCH] avoid usage of md5 in multiprocessing
+
+---
+ Lib/multiprocessing/connection.py | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
+index 8e2facf..4ef15bf 100644
+--- a/Lib/multiprocessing/connection.py
++++ b/Lib/multiprocessing/connection.py
+@@ -42,6 +42,10 @@ BUFSIZE = 8192
+ # A very generous timeout when it comes to local connections...
+ CONNECTION_TIMEOUT = 20.
+
++# The hmac module implicitly defaults to using MD5.
++# Support using a stronger algorithm for the challenge/response code:
++HMAC_DIGEST_NAME='sha256'
++
+ _mmap_counter = itertools.count()
+
+ default_family = 'AF_INET'
+@@ -729,6 +733,10 @@ CHALLENGE = b'#CHALLENGE#'
+ WELCOME = b'#WELCOME#'
+ FAILURE = b'#FAILURE#'
+
++def get_digestmod_for_hmac():
++ import hashlib
++ return getattr(hashlib, HMAC_DIGEST_NAME)
++
+ def deliver_challenge(connection, authkey):
+ import hmac
+ if not isinstance(authkey, bytes):
+@@ -736,7 +744,7 @@ def deliver_challenge(connection, authkey):
+ "Authkey must be bytes, not {0!s}".format(type(authkey)))
+ message = os.urandom(MESSAGE_LENGTH)
+ connection.send_bytes(CHALLENGE + message)
+- digest = hmac.new(authkey, message, 'md5').digest()
++ digest = hmac.new(authkey, message, get_digestmod_for_hmac()).digest()
+ response = connection.recv_bytes(256) # reject large message
+ if response == digest:
+ connection.send_bytes(WELCOME)
+@@ -752,7 +760,7 @@ def answer_challenge(connection, authkey):
+ message = connection.recv_bytes(256) # reject large message
+ assert message[:len(CHALLENGE)] == CHALLENGE, 'message = %r' % message
+ message = message[len(CHALLENGE):]
+- digest = hmac.new(authkey, message, 'md5').digest()
++ digest = hmac.new(authkey, message, get_digestmod_for_hmac()).digest()
+ connection.send_bytes(digest)
+ response = connection.recv_bytes(256) # reject large message
+ if response != WELCOME:
+--
+2.27.0
+
+
diff --git a/python3.spec b/python3.spec
index 72291693f4a30f4f164bb14bd7462498423a6759..9e13f3693dd07b02f4024480863ffce02edaa0f0 100644
--- a/python3.spec
+++ b/python3.spec
@@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/
 Version: 3.9.9
-Release: 21
+Release: 22
 License: Python-2.0
 
 %global branchversion 3.9
@@ -107,6 +107,7 @@ Patch6012: backport-CVE-2022-37454.patch
 Patch9000: add-the-sm3-method-for-obtaining-the-salt-value.patch
 Patch9001: python3-Add-sw64-architecture.patch
 Patch9002: Add-loongarch-support.patch
+Patch9003: avoid-usage-of-md5-in-multiprocessing.patch
 
 Provides: python%{branchversion} = %{version}-%{release}
 Provides: python(abi) = %{branchversion}
@@ -207,6 +208,7 @@ rm -r Modules/expat
 %patch9000 -p1
 %patch9001 -p1
 %patch9002 -p1
+%patch9003 -p1
 
 rm Lib/ensurepip/_bundled/*.whl
 rm configure pyconfig.h.in
@@ -829,6 +831,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*
 
 %changelog
+* Fri Dec 23 yaoguangzhong - 3.9.9-22
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: avoid usage of md5 in multiprocessing
+
 * Fri Dec 02 zhuofeng - 3.9.9-21
 - Type:bugfix
 - CVE:NA
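Review bot: Changing both `hmac.new(authkey, message, ...)` calls in deliver_challenge and answer_challenge from `'md5'` to `get_digestmod_for_hmac()` alters the wire protocol of multiprocessing's authentication, so an interpreter built with this patch can no longer authenticate to a peer running an unpatched 3.9 (managers and Listener/Client connections routinely cross hosts and builds), and the mismatch presumably surfaces only as a failed handshake with nothing pointing at the digest. Upstream CPython addressed the same MD5 concern in 3.12 with a scheme that names the digest inside the challenge and still accepts legacy MD5 peers; if that is too large to backport, the changelog entry in python3.spec should at least state that the challenge/response protocol is now incompatible with unpatched interpreters. The new header comment `# The hmac module implicitly defaults to using MD5.` is also inaccurate for 3.9, where `hmac.new` requires an explicit digestmod and the replaced lines passed `'md5'` explicitly; `# Use a stronger digest than the historical MD5 for the challenge/response.` would describe the change correctly. While these lines are being touched, `if response == digest:` in deliver_challenge could become `if hmac.compare_digest(response, digest):`, the constant-time comparison intended for authentication tags; both functions continue outside the quoted hunks.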