From af3998490bedcc57639d4d113f6ee3f39d0a64f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=A2=B3=E7=A2=A7=E6=B9=96=E7=9A=84=E7=A0=8D=E6=9F=B4?= =?UTF-8?q?=E4=BA=BA?=
Date: Fri, 13 Mar 2020 16:10:18 +0800
Subject: [PATCH] fix CVE-2020-8492

---
 backport-CVE-2020-8492.patch | 45 ++++++++++++++++++++++++++++++++++++
 python3.spec | 9 +++++++-
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2020-8492.patch

diff --git a/backport-CVE-2020-8492.patch b/backport-CVE-2020-8492.patch
new file mode 100644
index 0000000..6696e49
--- /dev/null
+++ b/backport-CVE-2020-8492.patch
@@ -0,0 +1,45 @@
+From 8d2790861c4f7384d05669e3904c66998b2a3841 Mon Sep 17 00:00:00 2001
+From: Victor Stinner
+Date: Thu, 30 Jan 2020 16:13:03 +0100
+Subject: [PATCH] bpo-39503: Fix urllib basic auth regex
+
+The AbstractBasicAuthHandler class of the urllib.request module uses
+an inefficient regular expression which can be exploited by an
+attacker to cause a denial of service. Fix the regex to prevent the
+catastrophic backtracking.
+
+Vulnerability reported by Matt Schwager.
+
+Signed-off-by: hanxinke
+---
+ Lib/urllib/request.py | 2 +-
+ .../next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+
+diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
+index 37b2548..2a9b9b7 100644
+--- a/Lib/urllib/request.py
++++ b/Lib/urllib/request.py
+@@ -944,7 +944,7 @@ class AbstractBasicAuthHandler:
+ 
+ # allow for double- and single-quoted realm values
+ # (single quotes are a violation of the RFC, but appear in the wild)
+- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
++ rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+'
+ 'realm=(["\']?)([^"\']*)\\2', re.I)
+ 
+ # XXX could pre-emptively send auth info already accepted (RFC 2617,
+diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+new file mode 100644
+index 0000000..92f186d
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+@@ -0,0 +1,4 @@
++CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
++:mod:`urllib.request` module uses an inefficient regular expression which can
++be exploited by an attacker to cause a denial of service. Fix the regex to
++prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager.
+-- 
+2.23.0
+
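Review bot: The file this hunk creates is `backport-CVE-2020-8492.patch`, but the `Patch6003:` line added in the python3.spec hunk below references `CVE-2020-8492.patch`, so rpmbuild would look for a source that does not exist under that name; the two must agree, e.g. `Patch6003: backport-CVE-2020-8492.patch`. The embedded change is the upstream bpo-39503 fix, replacing `(?:.*,)*` with `(?:[^,]*,)*` so the leading group can no longer swallow and re-scan the rest of the header, which is the catastrophic backtracking the commit message describes. The backport carries no test, so nothing in the package build would notice if this patch were dropped or failed to apply on a future rebase; a small test_urllib2 case asserting that the handler parses a long comma-separated WWW-Authenticate value promptly would guard it. I believe upstream later reworked this header parsing further under the same bpo-39503 issue, so the regex-only change is worth re-checking against that follow-up when the package is next rebased.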
diff --git a/python3.spec b/python3.spec
index 744a950..4ecf71a 100644
--- a/python3.spec
+++ b/python3.spec
@@ -3,7 +3,7 @@
 Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/
 Version: 3.7.4
-Release: 7
+Release: 8
 License: Python

 %global branchversion 3.7
@@ -104,6 +104,7 @@ Patch316: 00316-mark-bdist_wininst-unsupported.patch
 Patch6000: CVE-2019-16056.patch
 Patch6001: CVE-2019-16935.patch
 Patch6002: CVE-2019-17514.patch
+Patch6003: CVE-2020-8492.patch

 Provides: python%{branchversion} = %{version}-%{release}
 Provides: python(abi) = %{branchversion}
@@ -790,6 +791,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*

 %changelog
+* Fri Mar 6 2020 hanxinke - 3.7.4-8
+- Type:cves
+- ID:CVE-2020-8492
+- SUG:NA
+- DESC:fix CVE-2020-8492
+
 * Sat Feb 22 2020 openEuler Buildteam - 3.7.4-7
 - Type:enhancement
 - ID:NA
-- 
Gitee
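Review bot: `Patch6003: CVE-2020-8492.patch` only declares the source; no `%patch6003 -p1` line (or equivalent) is added anywhere in this diff, and the %prep section is outside these hunks, so if this spec applies patches individually rather than through %autosetup the file will be packaged in the SRPM but never applied, and the built interpreter would keep the vulnerable regex while the changelog entry claims CVE-2020-8492 is fixed. Please check how Patch6000–Patch6002 are applied in %prep and add the matching `%patch6003 -p1` next to them if that is the pattern. A quick post-build check that `urllib.request` in the resulting RPM contains the `(?:[^,]*,)*` form would confirm the fix actually reached the binary.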