From bab10b3a2f1dc1066506d1fe3f0db8bca3a0c4ce Mon Sep 17 00:00:00 2001 From: yinyongkang Date: Wed, 4 Sep 2024 18:43:33 +0800 Subject: [PATCH] fix CVE-2024-6232 and CVE-2024-3219 --- ...emove-backtracking-when-parsing-tarf.patch | 247 ++++++++++++++++++ ...uthenticate-socket-connection-for-so.patch | 211 +++++++++++++++ ...ework-pure-Python-socketpair-tests-t.patch | 202 ++++++++++++++ python3.spec | 14 +- 4 files changed, 673 insertions(+), 1 deletion(-) create mode 100644 backport-3.11-gh-121285-Remove-backtracking-when-parsing-tarf.patch create mode 100644 backport-3.11-gh-122133-Authenticate-socket-connection-for-so.patch create mode 100644 backport-3.11-gh-122133-Rework-pure-Python-socketpair-tests-t.patch diff --git a/backport-3.11-gh-121285-Remove-backtracking-when-parsing-tarf.patch b/backport-3.11-gh-121285-Remove-backtracking-when-parsing-tarf.patch new file mode 100644 index 0000000..b0aabf1 --- /dev/null +++ b/backport-3.11-gh-121285-Remove-backtracking-when-parsing-tarf.patch @@ -0,0 +1,247 @@ +From d449caf8a179e3b954268b3a88eb9170be3c8fbf Mon Sep 17 00:00:00 2001 +From: Seth Michael Larson +Date: Tue, 3 Sep 2024 10:07:13 -0500 +Subject: [PATCH] [3.11] gh-121285: Remove backtracking when parsing tarfile + headers (GH-121286) (#123639) + +* Remove backtracking when parsing tarfile headers +* Rewrite PAX header parsing to be stricter +* Optimize parsing of GNU extended sparse headers v0.0 + +(cherry picked from commit 34ddb64d088dd7ccc321f6103d23153256caa5d4) + +Co-authored-by: Kirill Podoprigora +Co-authored-by: Gregory P. Smith +--- + Lib/tarfile.py | 106 +++++++++++------- + Lib/test/test_tarfile.py | 42 +++++++ + ...-07-02-13-39-20.gh-issue-121285.hrl-yI.rst | 2 + + 3 files changed, 112 insertions(+), 38 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2024-07-02-13-39-20.gh-issue-121285.hrl-yI.rst + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index 2808e7e..4d26f05 100755 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -841,6 +841,9 @@ _NAMED_FILTERS = { + # Sentinel for replace() defaults, meaning "don't change the attribute" + _KEEP = object() + ++# Header length is digits followed by a space. ++_header_length_prefix_re = re.compile(br"([0-9]{1,20}) ") ++ + class TarInfo(object): + """Informational class which holds the details about an + archive member given by a tar header block. +@@ -1410,40 +1413,59 @@ class TarInfo(object): + else: + pax_headers = tarfile.pax_headers.copy() + +- # Check if the pax header contains a hdrcharset field. This tells us +- # the encoding of the path, linkpath, uname and gname fields. Normally, +- # these fields are UTF-8 encoded but since POSIX.1-2008 tar +- # implementations are allowed to store them as raw binary strings if +- # the translation to UTF-8 fails. +- match = re.search(br"\d+ hdrcharset=([^\n]+)\n", buf) +- if match is not None: +- pax_headers["hdrcharset"] = match.group(1).decode("utf-8") +- +- # For the time being, we don't care about anything other than "BINARY". +- # The only other value that is currently allowed by the standard is +- # "ISO-IR 10646 2000 UTF-8" in other words UTF-8. +- hdrcharset = pax_headers.get("hdrcharset") +- if hdrcharset == "BINARY": +- encoding = tarfile.encoding +- else: +- encoding = "utf-8" +- + # Parse pax header information. A record looks like that: + # "%d %s=%s\n" % (length, keyword, value). length is the size + # of the complete record including the length field itself and +- # the newline. keyword and value are both UTF-8 encoded strings. +- regex = re.compile(br"(\d+) ([^=]+)=") ++ # the newline. + pos = 0 +- while True: +- match = regex.match(buf, pos) +- if not match: +- break ++ encoding = None ++ raw_headers = [] ++ while len(buf) > pos and buf[pos] != 0x00: ++ if not (match := _header_length_prefix_re.match(buf, pos)): ++ raise InvalidHeaderError("invalid header") ++ try: ++ length = int(match.group(1)) ++ except ValueError: ++ raise InvalidHeaderError("invalid header") ++ # Headers must be at least 5 bytes, shortest being '5 x=\n'. ++ # Value is allowed to be empty. ++ if length < 5: ++ raise InvalidHeaderError("invalid header") ++ if pos + length > len(buf): ++ raise InvalidHeaderError("invalid header") ++ ++ header_value_end_offset = match.start(1) + length - 1 # Last byte of the header ++ keyword_and_value = buf[match.end(1) + 1:header_value_end_offset] ++ raw_keyword, equals, raw_value = keyword_and_value.partition(b"=") + +- length, keyword = match.groups() +- length = int(length) +- if length == 0: ++ # Check the framing of the header. The last character must be '\n' (0x0A) ++ if not raw_keyword or equals != b"=" or buf[header_value_end_offset] != 0x0A: + raise InvalidHeaderError("invalid header") +- value = buf[match.end(2) + 1:match.start(1) + length - 1] ++ raw_headers.append((length, raw_keyword, raw_value)) ++ ++ # Check if the pax header contains a hdrcharset field. This tells us ++ # the encoding of the path, linkpath, uname and gname fields. Normally, ++ # these fields are UTF-8 encoded but since POSIX.1-2008 tar ++ # implementations are allowed to store them as raw binary strings if ++ # the translation to UTF-8 fails. For the time being, we don't care about ++ # anything other than "BINARY". The only other value that is currently ++ # allowed by the standard is "ISO-IR 10646 2000 UTF-8" in other words UTF-8. ++ # Note that we only follow the initial 'hdrcharset' setting to preserve ++ # the initial behavior of the 'tarfile' module. ++ if raw_keyword == b"hdrcharset" and encoding is None: ++ if raw_value == b"BINARY": ++ encoding = tarfile.encoding ++ else: # This branch ensures only the first 'hdrcharset' header is used. ++ encoding = "utf-8" ++ ++ pos += length ++ ++ # If no explicit hdrcharset is set, we use UTF-8 as a default. ++ if encoding is None: ++ encoding = "utf-8" ++ ++ # After parsing the raw headers we can decode them to text. ++ for length, raw_keyword, raw_value in raw_headers: + + # Normally, we could just use "utf-8" as the encoding and "strict" + # as the error handler, but we better not take the risk. For +@@ -1452,17 +1474,16 @@ class TarInfo(object): + # hdrcharset=BINARY header). + # We first try the strict standard encoding, and if that fails we + # fall back on the user's encoding and error handler. +- keyword = self._decode_pax_field(keyword, "utf-8", "utf-8", ++ keyword = self._decode_pax_field(raw_keyword, "utf-8", "utf-8", + tarfile.errors) + if keyword in PAX_NAME_FIELDS: +- value = self._decode_pax_field(value, encoding, tarfile.encoding, ++ value = self._decode_pax_field(raw_value, encoding, tarfile.encoding, + tarfile.errors) + else: +- value = self._decode_pax_field(value, "utf-8", "utf-8", ++ value = self._decode_pax_field(raw_value, "utf-8", "utf-8", + tarfile.errors) + + pax_headers[keyword] = value +- pos += length + + # Fetch the next header. + try: +@@ -1477,7 +1498,7 @@ class TarInfo(object): + + elif "GNU.sparse.size" in pax_headers: + # GNU extended sparse format version 0.0. +- self._proc_gnusparse_00(next, pax_headers, buf) ++ self._proc_gnusparse_00(next, raw_headers) + + elif pax_headers.get("GNU.sparse.major") == "1" and pax_headers.get("GNU.sparse.minor") == "0": + # GNU extended sparse format version 1.0. +@@ -1499,15 +1520,24 @@ class TarInfo(object): + + return next + +- def _proc_gnusparse_00(self, next, pax_headers, buf): ++ def _proc_gnusparse_00(self, next, raw_headers): + """Process a GNU tar extended sparse header, version 0.0. + """ + offsets = [] +- for match in re.finditer(br"\d+ GNU.sparse.offset=(\d+)\n", buf): +- offsets.append(int(match.group(1))) + numbytes = [] +- for match in re.finditer(br"\d+ GNU.sparse.numbytes=(\d+)\n", buf): +- numbytes.append(int(match.group(1))) ++ for _, keyword, value in raw_headers: ++ if keyword == b"GNU.sparse.offset": ++ try: ++ offsets.append(int(value.decode())) ++ except ValueError: ++ raise InvalidHeaderError("invalid header") ++ ++ elif keyword == b"GNU.sparse.numbytes": ++ try: ++ numbytes.append(int(value.decode())) ++ except ValueError: ++ raise InvalidHeaderError("invalid header") ++ + next.sparse = list(zip(offsets, numbytes)) + + def _proc_gnusparse_01(self, next, pax_headers): +diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +index cad13a9..d473708 100644 +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -1183,6 +1183,48 @@ class PaxReadTest(LongnameTest, ReadTest, unittest.TestCase): + finally: + tar.close() + ++ def test_pax_header_bad_formats(self): ++ # The fields from the pax header have priority over the ++ # TarInfo. ++ pax_header_replacements = ( ++ b" foo=bar\n", ++ b"0 \n", ++ b"1 \n", ++ b"2 \n", ++ b"3 =\n", ++ b"4 =a\n", ++ b"1000000 foo=bar\n", ++ b"0 foo=bar\n", ++ b"-12 foo=bar\n", ++ b"000000000000000000000000036 foo=bar\n", ++ ) ++ pax_headers = {"foo": "bar"} ++ ++ for replacement in pax_header_replacements: ++ with self.subTest(header=replacement): ++ tar = tarfile.open(tmpname, "w", format=tarfile.PAX_FORMAT, ++ encoding="iso8859-1") ++ try: ++ t = tarfile.TarInfo() ++ t.name = "pax" # non-ASCII ++ t.uid = 1 ++ t.pax_headers = pax_headers ++ tar.addfile(t) ++ finally: ++ tar.close() ++ ++ with open(tmpname, "rb") as f: ++ data = f.read() ++ self.assertIn(b"11 foo=bar\n", data) ++ data = data.replace(b"11 foo=bar\n", replacement) ++ ++ with open(tmpname, "wb") as f: ++ f.truncate() ++ f.write(data) ++ ++ with self.assertRaisesRegex(tarfile.ReadError, r"method tar: ReadError\('invalid header'\)"): ++ tarfile.open(tmpname, encoding="iso8859-1") ++ + + class WriteTestBase(TarTest): + # Put all write tests in here that are supposed to be tested +diff --git a/Misc/NEWS.d/next/Security/2024-07-02-13-39-20.gh-issue-121285.hrl-yI.rst b/Misc/NEWS.d/next/Security/2024-07-02-13-39-20.gh-issue-121285.hrl-yI.rst +new file mode 100644 +index 0000000..81f918b +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2024-07-02-13-39-20.gh-issue-121285.hrl-yI.rst +@@ -0,0 +1,2 @@ ++Remove backtracking from tarfile header parsing for ``hdrcharset``, PAX, and ++GNU sparse headers. +-- +2.43.0 + diff --git a/backport-3.11-gh-122133-Authenticate-socket-connection-for-so.patch b/backport-3.11-gh-122133-Authenticate-socket-connection-for-so.patch new file mode 100644 index 0000000..ac9452d --- /dev/null +++ b/backport-3.11-gh-122133-Authenticate-socket-connection-for-so.patch @@ -0,0 +1,211 @@ +From 4133aba4f98bd19d2b77c9f01375d795204eef6e Mon Sep 17 00:00:00 2001 +From: yinyongkang +Date: Wed, 4 Sep 2024 16:30:12 +0800 +Subject: [PATCH 1/2] backport 3.11 gh-122133: Authenticate socket connection + for + +--- + Lib/socket.py | 17 +++ + Lib/test/test_socket.py | 127 +++++++++++++++++- + ...-07-22-13-11-28.gh-issue-122133.0mPeta.rst | 5 + + 3 files changed, 147 insertions(+), 2 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2024-07-22-13-11-28.gh-issue-122133.0mPeta.rst + +diff --git a/Lib/socket.py b/Lib/socket.py +index b5d46eb..d8abf56 100644 +--- a/Lib/socket.py ++++ b/Lib/socket.py +@@ -648,6 +648,23 @@ else: + raise + finally: + lsock.close() ++ ++ # Authenticating avoids using a connection from something else ++ # able to connect to {host}:{port} instead of us. ++ # We expect only AF_INET and AF_INET6 families. ++ try: ++ if ( ++ ssock.getsockname() != csock.getpeername() ++ or csock.getsockname() != ssock.getpeername() ++ ): ++ raise ConnectionError("Unexpected peer connection") ++ except: ++ # getsockname() and getpeername() can fail ++ # if either socket isn't connected. ++ ssock.close() ++ csock.close() ++ raise ++ + return (ssock, csock) + __all__.append("socketpair") + +diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py +index af0d2a4..b554867 100644 +--- a/Lib/test/test_socket.py ++++ b/Lib/test/test_socket.py +@@ -557,19 +557,28 @@ class SocketPairTest(unittest.TestCase, ThreadableTest): + def __init__(self, methodName='runTest'): + unittest.TestCase.__init__(self, methodName=methodName) + ThreadableTest.__init__(self) ++ self.cli = None ++ self.serv = None ++ ++ def socketpair(self): ++ # To be overridden by some child classes. ++ return socket.socketpair() + + def setUp(self): +- self.serv, self.cli = socket.socketpair() ++ self.serv, self.cli = self.socketpair() + + def tearDown(self): + self.serv.close() ++ if self.serv: ++ self.serv.close() + self.serv = None + + def clientSetUp(self): + pass + + def clientTearDown(self): +- self.cli.close() ++ if self.cli: ++ self.cli.close() + self.cli = None + ThreadableTest.clientTearDown(self) + +@@ -4671,6 +4680,120 @@ class BasicSocketPairTest(SocketPairTest): + self.assertEqual(msg, MSG) + + ++class PurePythonSocketPairTest(SocketPairTest): ++ ++ # Explicitly use socketpair AF_INET or AF_INET6 to ensure that is the ++ # code path we're using regardless platform is the pure python one where ++ # `_socket.socketpair` does not exist. (AF_INET does not work with ++ # _socket.socketpair on many platforms). ++ def socketpair(self): ++ # called by super().setUp(). ++ try: ++ return socket.socketpair(socket.AF_INET6) ++ except OSError: ++ return socket.socketpair(socket.AF_INET) ++ ++ # Local imports in this class make for easy security fix backporting. ++ ++ def setUp(self): ++ import _socket ++ self._orig_sp = getattr(_socket, 'socketpair', None) ++ if self._orig_sp is not None: ++ # This forces the version using the non-OS provided socketpair ++ # emulation via an AF_INET socket in Lib/socket.py. ++ del _socket.socketpair ++ import importlib ++ global socket ++ socket = importlib.reload(socket) ++ else: ++ pass # This platform already uses the non-OS provided version. ++ super().setUp() ++ ++ def tearDown(self): ++ super().tearDown() ++ import _socket ++ if self._orig_sp is not None: ++ # Restore the default socket.socketpair definition. ++ _socket.socketpair = self._orig_sp ++ import importlib ++ global socket ++ socket = importlib.reload(socket) ++ ++ def test_recv(self): ++ msg = self.serv.recv(1024) ++ self.assertEqual(msg, MSG) ++ ++ def _test_recv(self): ++ self.cli.send(MSG) ++ ++ def test_send(self): ++ self.serv.send(MSG) ++ ++ def _test_send(self): ++ msg = self.cli.recv(1024) ++ self.assertEqual(msg, MSG) ++ ++ def test_ipv4(self): ++ cli, srv = socket.socketpair(socket.AF_INET) ++ cli.close() ++ srv.close() ++ ++ def _test_ipv4(self): ++ pass ++ ++ @unittest.skipIf(not hasattr(_socket, 'IPPROTO_IPV6') or ++ not hasattr(_socket, 'IPV6_V6ONLY'), ++ "IPV6_V6ONLY option not supported") ++ @unittest.skipUnless(socket_helper.IPV6_ENABLED, 'IPv6 required for this test') ++ def test_ipv6(self): ++ cli, srv = socket.socketpair(socket.AF_INET6) ++ cli.close() ++ srv.close() ++ ++ def _test_ipv6(self): ++ pass ++ ++ def test_injected_authentication_failure(self): ++ orig_getsockname = socket.socket.getsockname ++ inject_sock = None ++ ++ def inject_getsocketname(self): ++ nonlocal inject_sock ++ sockname = orig_getsockname(self) ++ # Connect to the listening socket ahead of the ++ # client socket. ++ if inject_sock is None: ++ inject_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) ++ inject_sock.setblocking(False) ++ try: ++ inject_sock.connect(sockname[:2]) ++ except (BlockingIOError, InterruptedError): ++ pass ++ inject_sock.setblocking(True) ++ return sockname ++ ++ sock1 = sock2 = None ++ try: ++ socket.socket.getsockname = inject_getsocketname ++ with self.assertRaises(OSError): ++ sock1, sock2 = socket.socketpair() ++ finally: ++ socket.socket.getsockname = orig_getsockname ++ if inject_sock: ++ inject_sock.close() ++ if sock1: # This cleanup isn't needed on a successful test. ++ sock1.close() ++ if sock2: ++ sock2.close() ++ ++ def _test_injected_authentication_failure(self): ++ # No-op. Exists for base class threading infrastructure to call. ++ # We could refactor this test into its own lesser class along with the ++ # setUp and tearDown code to construct an ideal; it is simpler to keep ++ # it here and live with extra overhead one this _one_ failure test. ++ pass ++ ++ + class NonBlockingTCPTests(ThreadedTCPSocketTest): + + def __init__(self, methodName='runTest'): +diff --git a/Misc/NEWS.d/next/Security/2024-07-22-13-11-28.gh-issue-122133.0mPeta.rst b/Misc/NEWS.d/next/Security/2024-07-22-13-11-28.gh-issue-122133.0mPeta.rst +new file mode 100644 +index 0000000..3544eb3 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2024-07-22-13-11-28.gh-issue-122133.0mPeta.rst +@@ -0,0 +1,5 @@ ++Authenticate the socket connection for the ``socket.socketpair()`` fallback ++on platforms where ``AF_UNIX`` is not available like Windows. ++ ++Patch by Gregory P. Smith and Seth Larson . Reported by Ellie ++ +-- +2.43.0 + diff --git a/backport-3.11-gh-122133-Rework-pure-Python-socketpair-tests-t.patch b/backport-3.11-gh-122133-Rework-pure-Python-socketpair-tests-t.patch new file mode 100644 index 0000000..9a1333a --- /dev/null +++ b/backport-3.11-gh-122133-Rework-pure-Python-socketpair-tests-t.patch @@ -0,0 +1,202 @@ +From af48af9d3a93f5d6f68eae0db5a51605a18b24e7 Mon Sep 17 00:00:00 2001 +From: yinyongkang +Date: Wed, 4 Sep 2024 16:34:54 +0800 +Subject: [PATCH 2/2] backport 3.11 gh-122133: Rework pure Python socketpair + tests to avoid use + +--- + Lib/socket.py | 121 +++++++++++++++++++--------------------- + Lib/test/test_socket.py | 20 ++----- + 2 files changed, 64 insertions(+), 77 deletions(-) + +diff --git a/Lib/socket.py b/Lib/socket.py +index d8abf56..7625bb2 100644 +--- a/Lib/socket.py ++++ b/Lib/socket.py +@@ -590,16 +590,65 @@ if hasattr(_socket.socket, "share"): + return socket(0, 0, 0, info) + __all__.append("fromshare") + +-if hasattr(_socket, "socketpair"): ++# Origin: https://gist.github.com/4325783, by Geert Jansen. Public domain. ++# This is used if _socket doesn't natively provide socketpair. It's ++# always defined so that it can be patched in for testing purposes. ++def _fallback_socketpair(family=AF_INET, type=SOCK_STREAM, proto=0): ++ if family == AF_INET: ++ host = _LOCALHOST ++ elif family == AF_INET6: ++ host = _LOCALHOST_V6 ++ else: ++ raise ValueError("Only AF_INET and AF_INET6 socket address families " ++ "are supported") ++ if type != SOCK_STREAM: ++ raise ValueError("Only SOCK_STREAM socket type is supported") ++ if proto != 0: ++ raise ValueError("Only protocol zero is supported") ++ ++ # We create a connected TCP socket. Note the trick with ++ # setblocking(False) that prevents us from having to create a thread. ++ lsock = socket(family, type, proto) ++ try: ++ lsock.bind((host, 0)) ++ lsock.listen() ++ # On IPv6, ignore flow_info and scope_id ++ addr, port = lsock.getsockname()[:2] ++ csock = socket(family, type, proto) ++ try: ++ csock.setblocking(False) ++ try: ++ csock.connect((addr, port)) ++ except (BlockingIOError, InterruptedError): ++ pass ++ csock.setblocking(True) ++ ssock, _ = lsock.accept() ++ except: ++ csock.close() ++ raise ++ finally: ++ lsock.close() + +- def socketpair(family=None, type=SOCK_STREAM, proto=0): +- """socketpair([family[, type[, proto]]]) -> (socket object, socket object) ++ # Authenticating avoids using a connection from something else ++ # able to connect to {host}:{port} instead of us. ++ # We expect only AF_INET and AF_INET6 families. ++ try: ++ if ( ++ ssock.getsockname() != csock.getpeername() ++ or csock.getsockname() != ssock.getpeername() ++ ): ++ raise ConnectionError("Unexpected peer connection") ++ except: ++ # getsockname() and getpeername() can fail ++ # if either socket isn't connected. ++ ssock.close() ++ csock.close() ++ raise + +- Create a pair of socket objects from the sockets returned by the platform +- socketpair() function. +- The arguments are the same as for socket() except the default family is +- AF_UNIX if defined on the platform; otherwise, the default is AF_INET. +- """ ++ return (ssock, csock) ++ ++if hasattr(_socket, "socketpair"): ++ def socketpair(family=None, type=SOCK_STREAM, proto=0): + if family is None: + try: + family = AF_UNIX +@@ -611,61 +660,7 @@ if hasattr(_socket, "socketpair"): + return a, b + + else: +- +- # Origin: https://gist.github.com/4325783, by Geert Jansen. Public domain. +- def socketpair(family=AF_INET, type=SOCK_STREAM, proto=0): +- if family == AF_INET: +- host = _LOCALHOST +- elif family == AF_INET6: +- host = _LOCALHOST_V6 +- else: +- raise ValueError("Only AF_INET and AF_INET6 socket address families " +- "are supported") +- if type != SOCK_STREAM: +- raise ValueError("Only SOCK_STREAM socket type is supported") +- if proto != 0: +- raise ValueError("Only protocol zero is supported") +- +- # We create a connected TCP socket. Note the trick with +- # setblocking(False) that prevents us from having to create a thread. +- lsock = socket(family, type, proto) +- try: +- lsock.bind((host, 0)) +- lsock.listen() +- # On IPv6, ignore flow_info and scope_id +- addr, port = lsock.getsockname()[:2] +- csock = socket(family, type, proto) +- try: +- csock.setblocking(False) +- try: +- csock.connect((addr, port)) +- except (BlockingIOError, InterruptedError): +- pass +- csock.setblocking(True) +- ssock, _ = lsock.accept() +- except: +- csock.close() +- raise +- finally: +- lsock.close() +- +- # Authenticating avoids using a connection from something else +- # able to connect to {host}:{port} instead of us. +- # We expect only AF_INET and AF_INET6 families. +- try: +- if ( +- ssock.getsockname() != csock.getpeername() +- or csock.getsockname() != ssock.getpeername() +- ): +- raise ConnectionError("Unexpected peer connection") +- except: +- # getsockname() and getpeername() can fail +- # if either socket isn't connected. +- ssock.close() +- csock.close() +- raise +- +- return (ssock, csock) ++ socketpair = _fallback_socketpair + __all__.append("socketpair") + + socketpair.__doc__ = """socketpair([family[, type[, proto]]]) -> (socket object, socket object) +diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py +index b554867..197dcfa 100644 +--- a/Lib/test/test_socket.py ++++ b/Lib/test/test_socket.py +@@ -4681,7 +4681,6 @@ class BasicSocketPairTest(SocketPairTest): + + + class PurePythonSocketPairTest(SocketPairTest): +- + # Explicitly use socketpair AF_INET or AF_INET6 to ensure that is the + # code path we're using regardless platform is the pure python one where + # `_socket.socketpair` does not exist. (AF_INET does not work with +@@ -4696,28 +4695,21 @@ class PurePythonSocketPairTest(SocketPairTest): + # Local imports in this class make for easy security fix backporting. + + def setUp(self): +- import _socket +- self._orig_sp = getattr(_socket, 'socketpair', None) +- if self._orig_sp is not None: ++ if hasattr(_socket, "socketpair"): ++ self._orig_sp = socket.socketpair + # This forces the version using the non-OS provided socketpair + # emulation via an AF_INET socket in Lib/socket.py. +- del _socket.socketpair +- import importlib +- global socket +- socket = importlib.reload(socket) ++ socket.socketpair = socket._fallback_socketpair + else: +- pass # This platform already uses the non-OS provided version. ++ # This platform already uses the non-OS provided version. ++ self._orig_sp = None + super().setUp() + + def tearDown(self): + super().tearDown() +- import _socket + if self._orig_sp is not None: + # Restore the default socket.socketpair definition. +- _socket.socketpair = self._orig_sp +- import importlib +- global socket +- socket = importlib.reload(socket) ++ socket.socketpair = self._orig_sp + + def test_recv(self): + msg = self.serv.recv(1024) +-- +2.43.0 + diff --git a/python3.spec b/python3.spec index 4c1852c..cede39f 100644 --- a/python3.spec +++ b/python3.spec @@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language URL: https://www.python.org/ Version: 3.11.6 -Release: 5 +Release: 6 License: Python-2.0 %global branchversion 3.11 @@ -98,6 +98,9 @@ Patch6002: backport-3.11-gh-115133-Fix-tests-for-XMLPullParser-with-Expa.patch Patch6003: backport-gh-121650-Encode-newlines-in-headers-and-verify-head.patch Patch6004: backport-gh-123067-Fix-quadratic-complexity-in-parsing-quoted.patch Patch6005: backport-gh-123270-Replaced-SanitizedNames-with-a-more-surgic.patch +Patch6006: backport-3.11-gh-121285-Remove-backtracking-when-parsing-tarf.patch +Patch6007: backport-3.11-gh-122133-Authenticate-socket-connection-for-so.patch +Patch6008: backport-3.11-gh-122133-Rework-pure-Python-socketpair-tests-t.patch Patch9000: add-the-sm3-method-for-obtaining-the-salt-value.patch Patch9001: 0001-add-loongarch64-support-for-python.patch @@ -203,6 +206,9 @@ rm configure pyconfig.h.in %patch6003 -p1 %patch6004 -p1 %patch6005 -p1 +%patch6006 -p1 +%patch6007 -p1 +%patch6008 -p1 %patch9000 -p1 %patch9001 -p1 @@ -868,6 +874,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP" %{_mandir}/*/* %changelog +* Wed Sep 04 2024 yinyongkang - 3.11.6-6 +- Type:CVE +- ID:CVE-2024-6232,CVE-2024-3219 +- SUG:NA +- DESC:fix CVE-2024-6232 and CVE-2024-3219 + * Tue Sep 03 2024 xinsheng - 3.11.6-5 - Type:CVE - CVE:NA -- Gitee