From 5d988670ce3f932d977f82827f7adc4191689bc3 Mon Sep 17 00:00:00 2001
From: Jeffery To
Date: Sat, 17 Oct 2020 00:39:17 +0800
Subject: [PATCH] python3: Update to 3.6.12, remove backported patches

Signed-off-by: Jeffery To
---
 lang/python/python3-version.mk | 2 +-
 lang/python/python3/Makefile | 4 +-
 ...-and-IPv6Interface-GH-21033-GH-21232.patch | 74 ------------
 ...-invalid-NEWOBJ_EX-GH-21458-GH-21462.patch | 111 ------------------
 ...the-tarfile-module-GH-21454-GH-21485.patch | 59 ----------
 ...on-in-http-methods-GH-18485-GH-21539.patch | 99 ----------------
 6 files changed, 3 insertions(+), 346 deletions(-)
 delete mode 100644 lang/python/python3/patches/025-bpo-41004-Resolve-hash-collisions-for-IPv4Interface-and-IPv6Interface-GH-21033-GH-21232.patch
 delete mode 100644 lang/python/python3/patches/026-bpo-41288-Fix-a-crash-in-unpickling-invalid-NEWOBJ_EX-GH-21458-GH-21462.patch
 delete mode 100644 lang/python/python3/patches/027-bpo-39017-Avoid-infinite-loop-in-the-tarfile-module-GH-21454-GH-21485.patch
 delete mode 100644 lang/python/python3/patches/028-bpo-39603-Prevent-header-injection-in-http-methods-GH-18485-GH-21539.patch

diff --git a/lang/python/python3-version.mk b/lang/python/python3-version.mk
index 0332b5b4df..f970263f90 100644
--- a/lang/python/python3-version.mk
+++ b/lang/python/python3-version.mk
@@ -8,7 +8,7 @@
 # Note: keep in sync with setuptools & pip
 PYTHON3_VERSION_MAJOR:=3
 PYTHON3_VERSION_MINOR:=6
-PYTHON3_VERSION_MICRO:=11
+PYTHON3_VERSION_MICRO:=12
 PYTHON3_VERSION:=$(PYTHON3_VERSION_MAJOR).$(PYTHON3_VERSION_MINOR)
diff --git a/lang/python/python3/Makefile b/lang/python/python3/Makefile
index b46199eacf..c2d86f5f18 100644
--- a/lang/python/python3/Makefile
+++ b/lang/python/python3/Makefile
@@ -14,12 +14,12 @@ PYTHON_VERSION:=$(PYTHON3_VERSION)
 PYTHON_VERSION_MICRO:=$(PYTHON3_VERSION_MICRO)
 PKG_NAME:=python3
-PKG_RELEASE:=2
+PKG_RELEASE:=1
 PKG_VERSION:=$(PYTHON_VERSION).$(PYTHON_VERSION_MICRO)
 PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://www.python.org/ftp/python/$(PKG_VERSION)
-PKG_HASH:=741ebdcbc4e3937a5ff23517dd455ebf7d543ea9fef6f5cf6f46e575d6c4fda4
+PKG_HASH:=70953a9b5d6891d92e65d184c3512126a15814bee15e1eff2ddcce04334e9a99
 PKG_LICENSE:=PSF
 PKG_LICENSE_FILES:=LICENSE Modules/_ctypes/libffi_msvc/LICENSE Modules/_ctypes/darwin/LICENSE Modules/_ctypes/libffi/LICENSE Modules/_ctypes/libffi_osx/LICENSE Tools/pybench/LICENSE
diff --git a/lang/python/python3/patches/025-bpo-41004-Resolve-hash-collisions-for-IPv4Interface-and-IPv6Interface-GH-21033-GH-21232.patch b/lang/python/python3/patches/025-bpo-41004-Resolve-hash-collisions-for-IPv4Interface-and-IPv6Interface-GH-21033-GH-21232.patch
deleted file mode 100644
index 28fdff66f4..0000000000
--- a/lang/python/python3/patches/025-bpo-41004-Resolve-hash-collisions-for-IPv4Interface-and-IPv6Interface-GH-21033-GH-21232.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From cfc7ff8d05f7a949a88b8a8dd506fb5c1c30d3e9 Mon Sep 17 00:00:00 2001
-From: Tapas Kundu <39723251+tapakund@users.noreply.github.com>
-Date: Wed, 1 Jul 2020 01:00:22 +0530
-Subject: [PATCH] [3.6] bpo-41004: Resolve hash collisions for IPv4Interface
- and IPv6Interface (GH-21033) (GH-21232)
-
-CVE-2020-14422
-The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
-of generating constant hash values of 32 and 128 respectively causing hash collisions.
-The fix uses the hash() function to generate hash values for the objects
-instead of XOR operation
-(cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28)
-
-Co-authored-by: Ravi Teja P
-
-Signed-off-by: Tapas Kundu
----
- Lib/ipaddress.py | 4 ++--
- Lib/test/test_ipaddress.py | 11 +++++++++++
- .../Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst | 1 +
- 3 files changed, 14 insertions(+), 2 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
-
-diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
-index 583f02ad54275..98492136ca5f4 100644
---- a/Lib/ipaddress.py
-+++ b/Lib/ipaddress.py
-@@ -1418,7 +1418,7 @@ def __lt__(self, other):
- return False
-
- def __hash__(self):
-- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
-+ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
-
- __reduce__ = _IPAddressBase.__reduce__
-
-@@ -2092,7 +2092,7 @@ def __lt__(self, other):
- return False
-
- def __hash__(self):
-- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
-+ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
-
- __reduce__ = _IPAddressBase.__reduce__
-
-diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
-index 1cef4217bc883..7de444af4aa57 100644
---- a/Lib/test/test_ipaddress.py
-+++ b/Lib/test/test_ipaddress.py
-@@ -1990,6 +1990,17 @@ def testsixtofour(self):
- sixtofouraddr.sixtofour)
-
self.assertFalse(bad_addr.sixtofour)
-
-+ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
-+ def testV4HashIsNotConstant(self):
-+ ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4")
-+ ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5")
-+ self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__())
-+
-+ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
-+ def testV6HashIsNotConstant(self):
-+ ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")
-+ ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")
-+ self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__())
-
- if __name__ == '__main__':
- unittest.main()
-diff --git a/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
-new file mode 100644
-index 0000000000000..f5a9db52fff52
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
-@@ -0,0 +1 @@
-+CVE-2020-14422: The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).
diff --git a/lang/python/python3/patches/026-bpo-41288-Fix-a-crash-in-unpickling-invalid-NEWOBJ_EX-GH-21458-GH-21462.patch b/lang/python/python3/patches/026-bpo-41288-Fix-a-crash-in-unpickling-invalid-NEWOBJ_EX-GH-21458-GH-21462.patch
deleted file mode 100644
index f2ba40b036..0000000000
--- a/lang/python/python3/patches/026-bpo-41288-Fix-a-crash-in-unpickling-invalid-NEWOBJ_EX-GH-21458-GH-21462.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From 6463cf07fef7a923a743fcaf312150c45fd81b64 Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Mon, 13 Jul 2020 11:18:04 -0700
-Subject: [PATCH] bpo-41288: Fix a crash in unpickling invalid NEWOBJ_EX.
- (GH-21458) (GH-21462)
-
-Automerge-Triggered-By: @tiran
-(cherry picked from commit 4f309abf55f0e6f8950ac13d6ec83c22b8d47bf8)
-
-Co-authored-by: Serhiy Storchaka
----
- Lib/test/pickletester.py | 18 ++++++++++++
- .../2020-07-13-15-06-35.bpo-41288.8mn5P-.rst | 2 ++
- Modules/_pickle.c | 29 ++++++++++++++-----
- 3 files changed, 41 insertions(+), 8 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2020-07-13-15-06-35.bpo-41288.8mn5P-.rst
-
-diff --git a/Lib/test/pickletester.py b/Lib/test/pickletester.py
-index 764057a866411..c2648a3c44115 100644
---- a/Lib/test/pickletester.py
-+++ b/Lib/test/pickletester.py
-@@ -994,6 +994,24 @@ def test_compat_unpickle(self):
- self.assertIs(type(unpickled), collections.UserDict)
- self.assertEqual(unpickled, collections.UserDict({1: 2}))
-
-+ def test_bad_reduce(self):
-+ self.assertEqual(self.loads(b'cbuiltins\nint\n)R.'), 0)
-+ self.check_unpickling_error(TypeError, b'N)R.')
-+ self.check_unpickling_error(TypeError, b'cbuiltins\nint\nNR.')
-+
-+ def test_bad_newobj(self):
-+ error = (pickle.UnpicklingError, TypeError)
-+ self.assertEqual(self.loads(b'cbuiltins\nint\n)\x81.'), 0)
-+ self.check_unpickling_error(error, b'cbuiltins\nlen\n)\x81.')
-+ self.check_unpickling_error(error, b'cbuiltins\nint\nN\x81.')
-+
-+ def test_bad_newobj_ex(self):
-+ error = (pickle.UnpicklingError, TypeError)
-+ self.assertEqual(self.loads(b'cbuiltins\nint\n)}\x92.'), 0)
-+ self.check_unpickling_error(error, b'cbuiltins\nlen\n)}\x92.')
-+ self.check_unpickling_error(error, b'cbuiltins\nint\nN}\x92.')
-+ self.check_unpickling_error(error, b'cbuiltins\nint\n)N\x92.')
-+
- def test_bad_stack(self):
- badpickles = [
- b'.', # STOP
-diff --git
a/Misc/NEWS.d/next/Library/2020-07-13-15-06-35.bpo-41288.8mn5P-.rst b/Misc/NEWS.d/next/Library/2020-07-13-15-06-35.bpo-41288.8mn5P-.rst
-new file mode 100644
-index 0000000000000..3c3adbabf16ff
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2020-07-13-15-06-35.bpo-41288.8mn5P-.rst
-@@ -0,0 +1,2 @@
-+Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now
-+UnpicklingError instead of crashing.
-diff --git a/Modules/_pickle.c b/Modules/_pickle.c
-index 41b8fa7b3c290..bcf98e2f52648 100644
---- a/Modules/_pickle.c
-+++ b/Modules/_pickle.c
-@@ -5423,23 +5423,30 @@ load_newobj_ex(UnpicklerObject *self)
- }
-
- if (!PyType_Check(cls)) {
-- Py_DECREF(kwargs);
-- Py_DECREF(args);
- PyErr_Format(st->UnpicklingError,
- "NEWOBJ_EX class argument must be a type, not %.200s",
- Py_TYPE(cls)->tp_name);
-- Py_DECREF(cls);
-- return -1;
-+ goto error;
- }
-
- if (((PyTypeObject *)cls)->tp_new == NULL) {
-- Py_DECREF(kwargs);
-- Py_DECREF(args);
-- Py_DECREF(cls);
- PyErr_SetString(st->UnpicklingError,
- "NEWOBJ_EX class argument doesn't have __new__");
-- return -1;
-+ goto error;
-+ }
-+ if (!PyTuple_Check(args)) {
-+ PyErr_Format(st->UnpicklingError,
-+ "NEWOBJ_EX args argument must be a tuple, not %.200s",
-+ Py_TYPE(args)->tp_name);
-+ goto error;
-+ }
-+ if (!PyDict_Check(kwargs)) {
-+ PyErr_Format(st->UnpicklingError,
-+ "NEWOBJ_EX kwargs argument must be a dict, not %.200s",
-+ Py_TYPE(kwargs)->tp_name);
-+ goto error;
- }
-+
- obj = ((PyTypeObject *)cls)->tp_new((PyTypeObject *)cls, args, kwargs);
- Py_DECREF(kwargs);
- Py_DECREF(args);
-@@ -5449,6 +5456,12 @@ load_newobj_ex(UnpicklerObject *self)
- }
- PDATA_PUSH(self->stack, obj, -1);
- return 0;
-+
-+error:
-+ Py_DECREF(kwargs);
-+ Py_DECREF(args);
-+ Py_DECREF(cls);
-+ return -1;
- }
-
- static int
diff --git a/lang/python/python3/patches/027-bpo-39017-Avoid-infinite-loop-in-the-tarfile-module-GH-21454-GH-21485.patch b/lang/python/python3/patches/027-bpo-39017-Avoid-infinite-loop-in-the-tarfile-module-GH-21454-GH-21485.patch
deleted file mode 100644
index b9a5951f1f..0000000000
--- a/lang/python/python3/patches/027-bpo-39017-Avoid-infinite-loop-in-the-tarfile-module-GH-21454-GH-21485.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 47a2955589bdb1a114d271496ff803ad73f954b8 Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Wed, 15 Jul 2020 05:36:36 -0700
-Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module
- (GH-21454) (#21485)
-
-Avoid infinite loop when reading specially crafted TAR files using the tarfile module
-(CVE-2019-20907).
-(cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4)
-
-Co-authored-by: Rishi
----
- Lib/tarfile.py | 2 ++
- Lib/test/recursion.tar | Bin 0 -> 516 bytes
- Lib/test/test_tarfile.py | 7 +++++++
- .../2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | 1 +
- 4 files changed, 10 insertions(+)
- create mode 100644 Lib/test/recursion.tar
- create mode 100644 Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
-
-diff --git a/Lib/tarfile.py b/Lib/tarfile.py
-index 62d22150f50da..2ea47978ff6f1 100755
---- a/Lib/tarfile.py
-+++ b/Lib/tarfile.py
-@@ -1231,6 +1231,8 @@ def _proc_pax(self, tarfile):
-
- length, keyword = match.groups()
- length = int(length)
-+ if length == 0:
-+ raise InvalidHeaderError("invalid header")
- value = buf[match.end(2) + 1:match.start(1) + length - 1]
-
- # Normally, we could just use "utf-8" as the encoding and "strict"
-diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
-index 4cd7d5370f58d..573be812eaa17 100644
---- a/Lib/test/test_tarfile.py
-+++ b/Lib/test/test_tarfile.py
-@@ -395,6 +395,13 @@ def test_premature_end_of_archive(self):
- with self.assertRaisesRegex(tarfile.ReadError, "unexpected end of data"):
- tar.extractfile(t).read()
-
-+ def test_length_zero_header(self):
-+ # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail
-+ # with an exception
-+ with self.assertRaisesRegex(tarfile.ReadError, "file could not be opened successfully"):
-+ with tarfile.open(support.findfile('recursion.tar')) as tar:
-+ pass
-+
- class MiscReadTestBase(CommonReadTest):
- def
requires_name_attribute(self):
- pass
-diff --git a/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
-new file mode 100644
-index 0000000000000..ad26676f8b856
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
-@@ -0,0 +1 @@
-+Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
diff --git a/lang/python/python3/patches/028-bpo-39603-Prevent-header-injection-in-http-methods-GH-18485-GH-21539.patch b/lang/python/python3/patches/028-bpo-39603-Prevent-header-injection-in-http-methods-GH-18485-GH-21539.patch
deleted file mode 100644
index 160c6f16a0..0000000000
--- a/lang/python/python3/patches/028-bpo-39603-Prevent-header-injection-in-http-methods-GH-18485-GH-21539.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From f02de961b9f19a5db0ead56305fe0057a78787ae Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Sun, 19 Jul 2020 02:28:45 -0700
-Subject: [PATCH] bpo-39603: Prevent header injection in http methods
- (GH-18485) (GH-21539)
-
-reject control chars in http method in http.client.putrequest to prevent http header injection
-(cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e)
-
-Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
----
- Lib/http/client.py | 15 +++++++++++++
- Lib/test/test_httplib.py | 22 +++++++++++++++++++
- .../2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst | 2 ++
- 3 files changed, 39 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
-
-diff --git a/Lib/http/client.py b/Lib/http/client.py
-index c0ac7db6f40a0..53581eca20587 100644
---- a/Lib/http/client.py
-+++ b/Lib/http/client.py
-@@ -151,6 +151,10 @@
- # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
- # We are more lenient for assumed real world compatibility purposes.
-
-+# These characters are not allowed within HTTP method names
-+# to prevent http header injection.
-+_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
-+
- # We always set the Content-Length header for these methods because some
- # servers will otherwise respond with a 411
- _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
-@@ -1119,6 +1123,8 @@ def putrequest(self, method, url, skip_host=False,
- else:
- raise CannotSendRequest(self.__state)
-
-+ self._validate_method(method)
-+
- # Save the method for use later in the response phase
- self._method = method
-
-@@ -1209,6 +1215,15 @@ def _encode_request(self, request):
- # ASCII also helps prevent CVE-2019-9740.
- return request.encode('ascii')
-
-+ def _validate_method(self, method):
-+ """Validate a method name for putrequest."""
-+ # prevent http header injection
-+ match = _contains_disallowed_method_pchar_re.search(method)
-+ if match:
-+ raise ValueError(
-+ f"method can't contain control characters. {method!r} "
-+ f"(found at least {match.group()!r})")
-+
- def _validate_path(self, url):
- """Validate a url for putrequest."""
- # Prevent CVE-2019-9740.
-diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
-index fcd9231666ede..03e049b13fd21 100644
---- a/Lib/test/test_httplib.py
-+++ b/Lib/test/test_httplib.py
-@@ -359,6 +359,28 @@ def test_headers_debuglevel(self):
- self.assertEqual(lines[2], "header: Second: val")
-
-
-+class HttpMethodTests(TestCase):
-+ def test_invalid_method_names(self):
-+ methods = (
-+ 'GET\r',
-+ 'POST\n',
-+ 'PUT\n\r',
-+ 'POST\nValue',
-+ 'POST\nHOST:abc',
-+ 'GET\nrHost:abc\n',
-+ 'POST\rRemainder:\r',
-+ 'GET\rHOST:\n',
-+ '\nPUT'
-+ )
-+
-+ for method in methods:
-+ with self.assertRaisesRegex(
-+ ValueError, "method can't contain control characters"):
-+ conn = client.HTTPConnection('example.com')
-+ conn.sock = FakeSocket(None)
-+ conn.request(method=method, url="/")
-+
-+
- class TransferEncodingTest(TestCase):
- expected_body = b"It's just a flesh wound"
-
-diff --git a/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
-new file mode 100644
-index 0000000000000..990affc3edd9d
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
-@@ -0,0 +1,2 @@
-+Prevent http header injection by rejecting control characters in
-+http.client.putrequest(...).
-- 
2.30.2