From d004b266e94024f9f59798f2742c370ad48c23c8 Mon Sep 17 00:00:00 2001
From: tong_1001
Date: Mon, 31 May 2021 20:24:09 +0800
Subject: [PATCH] fix CVE-2021-3426
---
 backport-CVE-2021-3426.patch | 105 +++++++++++++++++++++++++++++++++++
 python3.spec | 10 +++-
 2 files changed, 114 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-3426.patch
diff --git a/backport-CVE-2021-3426.patch b/backport-CVE-2021-3426.patch
new file mode 100644
index 0000000..b546c37
--- /dev/null
+++ b/backport-CVE-2021-3426.patch
@@ -0,0 +1,105 @@
+From 7c2284f97d140c4e4a85382bfb3a42440be2464d Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 29 Mar 2021 08:39:05 -0700
+Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015)
+ (#25066)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reference:https://github.com/python/cpython/commit/7c2284f97d140c4e4a85382bfb3a42440be2464d
+
+CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
+could be abused to read arbitrary files on the disk (directory
+traversal vulnerability). Moreover, even source code of Python
+modules can contain sensitive data like passwords. Vulnerability
+reported by David Schwörer.
+(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
+
+Co-authored-by: Victor Stinner
+
+Co-authored-by: Victor Stinner
+---
+ Lib/pydoc.py | 18 ------------------
+ Lib/test/test_pydoc.py | 6 ------
+ .../2021-03-24-14-16-56.bpo-42988.P2aNco.rst | 4 ++++
+ 3 files changed, 4 insertions(+), 24 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+
+diff --git a/Lib/pydoc.py b/Lib/pydoc.py
+index 978e4cd0baa5ba..9677c0d0468db0 100644
+--- a/Lib/pydoc.py
++++ b/Lib/pydoc.py
+@@ -2348,9 +2348,6 @@ def page(self, title, contents):
+ %s%s
%s
+ ''' % (title, css_link, html_navbar(), contents)
+
+- def filelink(self, url, path):
+- return '%s' % (url, path)
+-
+
+ html = _HTMLDoc()
+
+@@ -2436,19 +2433,6 @@ def bltinlink(name):
+ 'key = %s' % key, '#ffffff', '#ee77aa', '
'.join(results))
+ return 'Search Results', contents
+
+- def html_getfile(path):
+- """Get and display a source file listing safely."""
+- path = urllib.parse.unquote(path)
+- with tokenize.open(path) as fp:
+- lines = html.escape(fp.read())
+- body = '
%s
' % lines
+- heading = html.heading(
+- 'File Listing',
+- '#ffffff', '#7799ee')
+- contents = heading + html.bigsection(
+- 'File: %s' % path, '#ffffff', '#ee77aa', body)
+- return 'getfile %s' % path, contents
+-
+ def html_topics():
+ """Index of topic texts available."""
+
+@@ -2540,8 +2524,6 @@ def get_html_page(url):
+ op, _, url = url.partition('=')
+ if op == "search?key":
+ title, content = html_search(url)
+- elif op == "getfile?key":
+- title, content = html_getfile(url)
+ elif op == "topic?key":
+ # try topics first, then objects.
+ try:
+diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py
+index 198cea93eb52d7..baad8212c573dc 100644
+--- a/Lib/test/test_pydoc.py
++++ b/Lib/test/test_pydoc.py
+@@ -1049,18 +1049,12 @@ def test_url_requests(self):
+ ("topic?key=def", "Pydoc: KEYWORD def"),
+ ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
+ ("foobar", "Pydoc: Error - foobar"),
+- ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
+ ]
+
+ with self.restrict_walk_packages():
+ for url, title in requests:
+ self.call_url_handler(url, title)
+
+- path = string.__file__
+- title = "Pydoc: getfile " + path
+- url = "getfile?key=" + path
+- self.call_url_handler(url, title)
+-
+
+ class TestHelper(unittest.TestCase):
+ def test_keywords(self):
+diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+new file mode 100644
+index 00000000000000..4b42dd05305a83
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+@@ -0,0 +1,4 @@
++CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
++could be abused to read arbitrary files on the disk (directory traversal
++vulnerability). Moreover, even source code of Python modules can contain
++sensitive data like passwords. Vulnerability reported by David Schwörer.
diff --git a/python3.spec b/python3.spec
index 4664d11..d23be70 100644
--- a/python3.spec
+++ b/python3.spec
@@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/
 Version: 3.7.9
-Release: 13
+Release: 14
 License: Python
 %global branchversion 3.7
@@ -141,6 +141,7 @@ Patch6032: backport-35823-Allow-setsid-after-vfork-on-Linux.-GH-2294.patch
 Patch6033: backport-42146-Fix-memory-leak-in-subprocess.Popen-in-cas.patch
 Patch6034: backport-42146-Unify-cleanup-in-subprocess_fork_exec-GH-2.patch
 patch6035: backport-Remove-thread-objects-which-finished-process-its-request.patch
+patch6036: backport-CVE-2021-3426.patch
 Recommends: %{name}-help = %{version}-%{release}
 Provides: python%{branchversion} = %{version}-%{release}
@@ -268,6 +269,7 @@ rm Lib/ensurepip/_bundled/*.whl
 %patch6033 -p1
 %patch6034 -p1
 %patch6035 -p1
+%patch6036 -p1
 sed -i "s/generic_os/%{_vendor}/g" Lib/platform.py
 rm configure pyconfig.h.in
@@ -869,6 +871,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*
 %changelog
+* Mon May 31 2021 shixuantong - 3.7.9-14
+- Type:CVE
+- CVE:CVE-2021-3426
+- SUG:NA
+- DESC:fix CVE-2021-3426
+
 * Sat May 29 2021 BruceGW -3.7.9-13
 - Type:bugfix
 - ID:NA
-- Gitee
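Review bot: In the `@@ -141,6 +141,7 @@` hunk the new patch tag is spelled `patch6036:` in lower case, like `patch6035:` just above it, while the earlier entries visible in the hunk use `Patch60NN:`. As far as I know rpm matches preamble tags case-insensitively, so `%patch6036 -p1` in the `%prep` hunk should still apply it. The cost is in auditing: a check that lists the CVE backports a package carries by matching `^Patch` would miss this entry. I would write it as `Patch6036: backport-CVE-2021-3426.patch`.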