From ba32313e296dd929be9ede748f016c5c6304d168 Mon Sep 17 00:00:00 2001 From: lipengyu Date: Fri, 31 Oct 2025 04:02:53 +0800 Subject: [PATCH] fix cve-2025-6075 --- backport-CVE-2025-6075.patch | 384 +++++++++++++++++++++++++++++++++++ python3.spec | 7 +- 2 files changed, 390 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2025-6075.patch diff --git a/backport-CVE-2025-6075.patch b/backport-CVE-2025-6075.patch new file mode 100644 index 0000000..a8bca18 --- /dev/null +++ b/backport-CVE-2025-6075.patch @@ -0,0 +1,384 @@ +From 2e6150adccaaf5bd95d4c19dfd04a36e0b325d8c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=81ukasz=20Langa?= +Date: Fri, 31 Oct 2025 17:05:53 +0100 +Subject: [PATCH] [3.9] gh-136065: Fix quadratic complexity in + os.path.expandvars() (GH-134952) (GH-140839) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +(cherry picked from commit f029e8db626ddc6e3a3beea4eff511a71aaceb5c) + +--- + Lib/ntpath.py | 126 ++++++------------ + Lib/posixpath.py | 43 +++--- + Lib/test/test_genericpath.py | 19 ++- + Lib/test/test_ntpath.py | 22 ++- + ...-05-30-22-33-27.gh-issue-136065.bu337o.rst | 1 + + 5 files changed, 96 insertions(+), 115 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst + +diff --git a/Lib/ntpath.py b/Lib/ntpath.py +index 3c820b5..7f5985a 100644 +--- a/Lib/ntpath.py ++++ b/Lib/ntpath.py +@@ -334,17 +334,23 @@ def expanduser(path): + # XXX With COMMAND.COM you can use any characters in a variable name, + # XXX except '^|<>='. + ++_varpattern = r"'[^']*'?|%(%|[^%]*%?)|\$(\$|[-\w]+|\{[^}]*\}?)" ++_varsub = None ++_varsubb = None ++ + def expandvars(path): + """Expand shell variables of the forms $var, ${var} and %var%. + + Unknown variables are left unchanged.""" + path = os.fspath(path) ++ global _varsub, _varsubb + if isinstance(path, bytes): + if b'$' not in path and b'%' not in path: + return path +- import string +- varchars = bytes(string.ascii_letters + string.digits + '_-', 'ascii') +- quote = b'\'' ++ if not _varsubb: ++ import re ++ _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub ++ sub = _varsubb + percent = b'%' + brace = b'{' + rbrace = b'}' +@@ -353,94 +359,44 @@ def expandvars(path): + else: + if '$' not in path and '%' not in path: + return path +- import string +- varchars = string.ascii_letters + string.digits + '_-' +- quote = '\'' ++ if not _varsub: ++ import re ++ _varsub = re.compile(_varpattern, re.ASCII).sub ++ sub = _varsub + percent = '%' + brace = '{' + rbrace = '}' + dollar = '$' + environ = os.environ +- res = path[:0] +- index = 0 +- pathlen = len(path) +- while index < pathlen: +- c = path[index:index+1] +- if c == quote: # no expansion within single quotes +- path = path[index + 1:] +- pathlen = len(path) +- try: +- index = path.index(c) +- res += c + path[:index + 1] +- except ValueError: +- res += c + path +- index = pathlen - 1 +- elif c == percent: # variable or '%' +- if path[index + 1:index + 2] == percent: +- res += c +- index += 1 +- else: +- path = path[index+1:] +- pathlen = len(path) +- try: +- index = path.index(percent) +- except ValueError: +- res += percent + path +- index = pathlen - 1 +- else: +- var = path[:index] +- try: +- if environ is None: +- value = os.fsencode(os.environ[os.fsdecode(var)]) +- else: +- value = environ[var] +- except KeyError: +- value = percent + var + percent +- res += value +- elif c == dollar: # variable or '$$' +- if path[index + 1:index + 2] == dollar: +- res += c +- index += 1 +- elif path[index + 1:index + 2] == brace: +- path = path[index+2:] +- pathlen = len(path) +- try: +- index = path.index(rbrace) +- except ValueError: +- res += dollar + brace + path +- index = pathlen - 1 +- else: +- var = path[:index] +- try: +- if environ is None: +- value = os.fsencode(os.environ[os.fsdecode(var)]) +- else: +- value = environ[var] +- except KeyError: +- value = dollar + brace + var + rbrace +- res += value +- else: +- var = path[:0] +- index += 1 +- c = path[index:index + 1] +- while c and c in varchars: +- var += c +- index += 1 +- c = path[index:index + 1] +- try: +- if environ is None: +- value = os.fsencode(os.environ[os.fsdecode(var)]) +- else: +- value = environ[var] +- except KeyError: +- value = dollar + var +- res += value +- if c: +- index -= 1 ++ ++ def repl(m): ++ lastindex = m.lastindex ++ if lastindex is None: ++ return m[0] ++ name = m[lastindex] ++ if lastindex == 1: ++ if name == percent: ++ return name ++ if not name.endswith(percent): ++ return m[0] ++ name = name[:-1] + else: +- res += c +- index += 1 +- return res ++ if name == dollar: ++ return name ++ if name.startswith(brace): ++ if not name.endswith(rbrace): ++ return m[0] ++ name = name[1:-1] ++ ++ try: ++ if environ is None: ++ return os.fsencode(os.environ[os.fsdecode(name)]) ++ else: ++ return environ[name] ++ except KeyError: ++ return m[0] ++ ++ return sub(repl, path) + + + # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A\B. +diff --git a/Lib/posixpath.py b/Lib/posixpath.py +index 99f0742..5d00e1c 100644 +--- a/Lib/posixpath.py ++++ b/Lib/posixpath.py +@@ -279,42 +279,41 @@ def expanduser(path): + # This expands the forms $variable and ${variable} only. + # Non-existent variables are left unchanged. + +-_varprog = None +-_varprogb = None ++_varpattern = r'\$(\w+|\{[^}]*\}?)' ++_varsub = None ++_varsubb = None + + def expandvars(path): + """Expand shell variables of form $var and ${var}. Unknown variables + are left unchanged.""" + path = os.fspath(path) +- global _varprog, _varprogb ++ global _varsub, _varsubb + if isinstance(path, bytes): + if b'$' not in path: + return path +- if not _varprogb: ++ if not _varsubb: + import re +- _varprogb = re.compile(br'\$(\w+|\{[^}]*\})', re.ASCII) +- search = _varprogb.search ++ _varsubb = re.compile(_varpattern.encode(), re.ASCII).sub ++ sub = _varsubb + start = b'{' + end = b'}' + environ = getattr(os, 'environb', None) + else: + if '$' not in path: + return path +- if not _varprog: ++ if not _varsub: + import re +- _varprog = re.compile(r'\$(\w+|\{[^}]*\})', re.ASCII) +- search = _varprog.search ++ _varsub = re.compile(_varpattern, re.ASCII).sub ++ sub = _varsub + start = '{' + end = '}' + environ = os.environ +- i = 0 +- while True: +- m = search(path, i) +- if not m: +- break +- i, j = m.span(0) +- name = m.group(1) +- if name.startswith(start) and name.endswith(end): ++ ++ def repl(m): ++ name = m[1] ++ if name.startswith(start): ++ if not name.endswith(end): ++ return m[0] + name = name[1:-1] + try: + if environ is None: +@@ -322,13 +321,11 @@ def expandvars(path): + else: + value = environ[name] + except KeyError: +- i = j ++ return m[0] + else: +- tail = path[j:] +- path = path[:i] + value +- i = len(path) +- path += tail +- return path ++ return value ++ ++ return sub(repl, path) + + + # Normalize a path, e.g. A//B, A/./B and A/foo/../B all become A/B. +diff --git a/Lib/test/test_genericpath.py b/Lib/test/test_genericpath.py +index 8b291cd..f5d42c1 100644 +--- a/Lib/test/test_genericpath.py ++++ b/Lib/test/test_genericpath.py +@@ -9,7 +9,7 @@ import unittest + import warnings + from test import support + from test.support.script_helper import assert_python_ok +-from test.support import FakePath ++from test.support import FakePath, EnvironmentVarGuard + + + def create_file(filename, data=b'foo'): +@@ -354,7 +354,7 @@ class CommonTest(GenericTest): + if self.pathmodule.__name__ == 'macpath': + self.skipTest('macpath.expandvars is a stub') + expandvars = self.pathmodule.expandvars +- with support.EnvironmentVarGuard() as env: ++ with EnvironmentVarGuard() as env: + env.clear() + env["foo"] = "bar" + env["{foo"] = "baz1" +@@ -390,7 +390,7 @@ class CommonTest(GenericTest): + expandvars = self.pathmodule.expandvars + def check(value, expected): + self.assertEqual(expandvars(value), expected) +- with support.EnvironmentVarGuard() as env: ++ with EnvironmentVarGuard() as env: + env.clear() + nonascii = support.FS_NONASCII + env['spam'] = nonascii +@@ -411,6 +411,19 @@ class CommonTest(GenericTest): + os.fsencode('$bar%s bar' % nonascii)) + check(b'$spam}bar', os.fsencode('%s}bar' % nonascii)) + ++ @support.requires_resource('cpu') ++ def test_expandvars_large(self): ++ expandvars = self.pathmodule.expandvars ++ with EnvironmentVarGuard() as env: ++ env.clear() ++ env["A"] = "B" ++ n = 100_000 ++ self.assertEqual(expandvars('$A'*n), 'B'*n) ++ self.assertEqual(expandvars('${A}'*n), 'B'*n) ++ self.assertEqual(expandvars('$A!'*n), 'B!'*n) ++ self.assertEqual(expandvars('${A}A'*n), 'BA'*n) ++ self.assertEqual(expandvars('${'*10*n), '${'*10*n) ++ + def test_abspath(self): + self.assertIn("foo", self.pathmodule.abspath("foo")) + with warnings.catch_warnings(): +diff --git a/Lib/test/test_ntpath.py b/Lib/test/test_ntpath.py +index 89b0d53..bc1e954 100644 +--- a/Lib/test/test_ntpath.py ++++ b/Lib/test/test_ntpath.py +@@ -3,7 +3,7 @@ import os + import sys + import unittest + import warnings +-from test.support import TestFailed, FakePath ++from test.support import TestFailed, FakePath,EnvironmentVarGuard + from test import support, test_genericpath + from tempfile import TemporaryFile + +@@ -210,7 +210,7 @@ class TestNtpath(NtpathTestCase): + tester("ntpath.normpath('\\\\?\\D:/XY\\Z')", r'\\?\D:/XY\Z') + + def test_expandvars(self): +- with support.EnvironmentVarGuard() as env: ++ with EnvironmentVarGuard() as env: + env.clear() + env["foo"] = "bar" + env["{foo"] = "baz1" +@@ -239,7 +239,7 @@ class TestNtpath(NtpathTestCase): + def test_expandvars_nonascii(self): + def check(value, expected): + tester('ntpath.expandvars(%r)' % value, expected) +- with support.EnvironmentVarGuard() as env: ++ with EnvironmentVarGuard() as env: + env.clear() + nonascii = support.FS_NONASCII + env['spam'] = nonascii +@@ -255,10 +255,23 @@ class TestNtpath(NtpathTestCase): + check('%spam%bar', '%sbar' % nonascii) + check('%{}%bar'.format(nonascii), 'ham%sbar' % nonascii) + ++ @support.requires_resource('cpu') ++ def test_expandvars_large(self): ++ expandvars = ntpath.expandvars ++ with EnvironmentVarGuard() as env: ++ env.clear() ++ env["A"] = "B" ++ n = 100_000 ++ self.assertEqual(expandvars('%A%'*n), 'B'*n) ++ self.assertEqual(expandvars('%A%A'*n), 'BA'*n) ++ self.assertEqual(expandvars("''"*n + '%%'), "''"*n + '%') ++ self.assertEqual(expandvars("%%"*n), "%"*n) ++ self.assertEqual(expandvars("$$"*n), "$"*n) ++ + def test_expanduser(self): + tester('ntpath.expanduser("test")', 'test') + +- with support.EnvironmentVarGuard() as env: ++ with EnvironmentVarGuard() as env: + env.clear() + tester('ntpath.expanduser("~test")', '~test') + +@@ -469,6 +482,7 @@ class TestNtpath(NtpathTestCase): + self.assertIsInstance(b_final_path, bytes) + self.assertGreater(len(b_final_path), 0) + ++ + class NtCommonTest(test_genericpath.CommonTest, unittest.TestCase): + pathmodule = ntpath + attributes = ['relpath'] +diff --git a/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst b/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst +new file mode 100644 +index 0000000..1d152bb +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2025-05-30-22-33-27.gh-issue-136065.bu337o.rst +@@ -0,0 +1 @@ ++Fix quadratic complexity in :func:`os.path.expandvars`. +-- +2.23.0 + diff --git a/python3.spec b/python3.spec index bdd7e54..e39e597 100644 --- a/python3.spec +++ b/python3.spec @@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language URL: https://www.python.org/ Version: 3.7.9 -Release: 47 +Release: 48 License: Python-2.0 %global branchversion 3.7 @@ -197,6 +197,7 @@ Patch9012: 0001-expected_algs-list-to-include-TLS_SM4.patch Patch9013: backport-3.7-gh-124651-CVE-2024-9287.patch Patch9014: backport-CVE-2025-4517,CVE-2025-4138,CVE-2024-12718,CVE-2025-4330,CVE-2025-4435.patch Patch9015: backport-CVE-2025-8194.patch +Patch9016: backport-CVE-2025-6075.patch Provides: python%{branchversion} = %{version}-%{release} @@ -375,6 +376,7 @@ rm Lib/ensurepip/_bundled/*.whl %patch9013 -p1 %patch9014 -p1 %patch9015 -p1 +%patch9016 -p1 sed -i "s/generic_os/%{_vendor}/g" Lib/platform.py rm configure pyconfig.h.in @@ -980,6 +982,9 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP" %{_mandir}/*/* %changelog +* Thu Nov 06 2025 lipengyu - 3.7.9-48 +- fix CVE-2025-6075 + * Wed Oct 22 2025 lipengyu - 3.7.9-47 - fix CVE-2025-8194 -- Gitee