From 084c49c658c5c86bebeafaefa6421f2cb0d1d945 Mon Sep 17 00:00:00 2001
From: sxt1001
Date: Sat, 14 Nov 2020 18:34:00 +0800
Subject: [PATCH] fix CVE-2020-27619
---
CVE-2020-27619.patch | 67 ++++++++++++++++++++++++++++++++++++++++++++
python3.spec | 10 ++++++-
2 files changed, 76 insertions(+), 1 deletion(-)
create mode 100644 CVE-2020-27619.patch
diff --git a/CVE-2020-27619.patch b/CVE-2020-27619.patch
new file mode 100644
index 0000000..1ba9598
--- /dev/null
+++ b/CVE-2020-27619.patch
@@ -0,0 +1,67 @@ +From 43e523103886af66d6c27cd72431b5d9d14cd2a9 Mon Sep 17 00:00:00 2001 +From: "Miss Skeleton (bot)" <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 19 Oct 2020 19:38:40 -0700 +Subject: [PATCH] bpo-41944: No longer call eval() on content received via HTTP + in the CJK codec tests (GH-22566) (GH-22578) + +(cherry picked from commit 2ef5caa58febc8968e670e39e3d37cf8eef3cab8) + +https://github.com/python/cpython/commit/43e523103886af66d6c27cd72431b5d9d14cd2a9 +reason:CVE-2020-27619 + +Co-authored-by: Serhiy Storchaka +--- + Lib/test/multibytecodec_support.py | 22 +++++++------------ + .../2020-10-05-17-43-46.bpo-41944.rf1dYb.rst | 1 + + 2 files changed, 9 insertions(+), 14 deletions(-) + create mode 100644 Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst + +diff --git a/Lib/test/multibytecodec_support.py b/Lib/test/multibytecodec_support.py +index cca8af67d6d1d..f76c0153f5ecf 100644 +--- a/Lib/test/multibytecodec_support.py ++++ b/Lib/test/multibytecodec_support.py +@@ -305,29 +305,23 @@ def test_mapping_file(self): + self._test_mapping_file_plain() + + def _test_mapping_file_plain(self): +- unichrs = lambda s: ''.join(map(chr, map(eval, s.split('+')))) ++ def unichrs(s): ++ return ''.join(chr(int(x, 16)) for x in s.split('+')) ++ + urt_wa = {} + + with self.open_mapping_file() as f: + for line in f: + if not line: + break +- data = line.split('#')[0].strip().split() ++ data = line.split('#')[0].split() + if len(data) != 2: + continue + +- csetval = eval(data[0]) +- if csetval <= 0x7F: +- csetch = bytes([csetval & 0xff]) +- elif csetval >= 0x1000000: +- csetch = bytes([(csetval >> 24), ((csetval >> 16) & 0xff), +- ((csetval >> 8) & 0xff), (csetval & 0xff)]) +- elif csetval >= 0x10000: +- csetch = bytes([(csetval >> 16), ((csetval >> 8) & 0xff), +- (csetval & 0xff)]) +- elif csetval >= 0x100: +- csetch = bytes([(csetval >> 8), (csetval & 0xff)]) +- else: ++ if data[0][:2] != '0x': ++ self.fail(f"Invalid line: {line!r}") ++ 
csetch = bytes.fromhex(data[0][2:]) ++ if len(csetch) == 1 and 0x80 <= csetch[0]: + continue + + unich = unichrs(data[1]) +diff --git a/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst +new file mode 100644 +index 0000000000000..4f9782f1c85af +--- /dev/null ++++ b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst +@@ -0,0 +1 @@ ++Tests for CJK codecs no longer call ``eval()`` on content received via HTTP. diff --git a/python3.spec b/python3.spec index e1761c1..ceaa493 100644 --- a/python3.spec +++ b/python3.spec @@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language URL: https://www.python.org/ Version: 3.8.5 -Release: 1 +Release: 2 License: Python %global branchversion 3.8 @@ -93,6 +93,7 @@ Patch178: 00178-dont-duplicate-flags-in-sysconfig.patch Patch189: 00189-use-rpm-wheels.patch Patch205: 00205-make-libpl-respect-lib64.patch Patch251: 00251-change-user-install-location.patch +Patch252: CVE-2020-27619.patch Provides: python%{branchversion} = %{version}-%{release} Provides: python(abi) = %{branchversion} @@ -185,6 +186,7 @@ rm -r Modules/expat rm Lib/ensurepip/_bundled/*.whl %patch205 -p1 %patch251 -p1 +%patch252 -p1 rm configure pyconfig.h.in @@ -788,6 +790,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP" %{_mandir}/*/* %changelog +* Sat Nov 14 2020 shixuantong - 3.8.5-2 +- Type:cves +- ID:CVE-2020-27619 +- SUG:NA +- DESC:fix CVE-2020-27619 + * Sat Aug 1 2020 wenzhanli - 3.8.5-1 - Type:bugfix - ID:NA -- Gitee
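Review bot: The `0x` guard added at `if data[0][:2] != '0x':` reports a malformed token through `self.fail`, but the following `csetch = bytes.fromhex(data[0][2:])` and the `int(x, 16)` call inside `unichrs` raise an unhandled `ValueError` on an odd-length or non-hex token, so a corrupted or tampered mapping file (content the patch subject says is received via HTTP) surfaces as a test error without the offending line being reported. That does not weaken the fix itself — no `eval` remains on that input — but for a consistent report I would wrap the conversion: `try: csetch = bytes.fromhex(data[0][2:])` / `except ValueError: self.fail(f"Invalid line: {line!r}")`. Since CVE-2020-27619.patch is a verbatim upstream backport, any such deviation belongs in the patch file together with a line in its header explaining it, and `_test_mapping_file_plain` continues past the end of the hunk. The python3.spec hunks only register and apply Patch252, bump Release and add the changelog entry.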