Browse code
python2- Fix for CVE-2019-9948
Change-Id: I697ed090a5432be5acd1e97383a3bdd902afe0b0
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6946
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
Tapas Kundu authored on 2019/03/29 03:48:26Showing 2 changed files
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,40 @@ |
| 0 |
+From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: push0ebp <push0ebp@shl-MacBook-Pro.local> |
|
| 2 |
+Date: Thu, 14 Feb 2019 02:05:46 +0900 |
|
| 3 |
+Subject: [PATCH] bpo-35907: Avoid file reading as disallowing the unnecessary |
|
| 4 |
+ URL scheme in urllib |
|
| 5 |
+ |
|
| 6 |
+--- a/Lib/test/test_urllib.py 2019-03-28 23:50:14.379076156 +0530 |
|
| 7 |
+@@ -1023,6 +1023,18 @@ class URLopener_Tests(unittest.TestCase) |
|
| 8 |
+ "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"), |
|
| 9 |
+ "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/") |
|
| 10 |
+ |
|
| 11 |
++def test_local_file_open(self): |
|
| 12 |
++ class DummyURLopener(urllib.URLopener): |
|
| 13 |
++ def open_local_file(self, url): |
|
| 14 |
++ return url |
|
| 15 |
++ self.assertEqual(DummyURLopener().open( |
|
| 16 |
++ 'local-file://example'), '//example') |
|
| 17 |
++ self.assertEqual(DummyURLopener().open( |
|
| 18 |
++ 'local_file://example'), '//example') |
|
| 19 |
++ self.assertRaises(IOError, urllib.urlopen, |
|
| 20 |
++ 'local-file://example') |
|
| 21 |
++ self.assertRaises(IOError, urllib.urlopen, |
|
| 22 |
++ 'local_file://example') |
|
| 23 |
+ |
|
| 24 |
+ # Just commented them out. |
|
| 25 |
+ # Can't really tell why keep failing in windows and sparc. |
|
| 26 |
+--- a/Lib/urllib.py 2019-03-28 23:47:22.563068712 +0530 |
|
| 27 |
+@@ -203,7 +203,9 @@ class URLopener: |
|
| 28 |
+ name = 'open_' + urltype |
|
| 29 |
+ self.type = urltype |
|
| 30 |
+ name = name.replace('-', '_')
|
|
| 31 |
+- if not hasattr(self, name): |
|
| 32 |
++ # bpo-35907: # disallow the file reading with the type not allowed |
|
| 33 |
++ if not hasattr(self, name) or \ |
|
| 34 |
++ (self == _urlopener and name == 'open_local_file'): |
|
| 35 |
+ if proxy: |
|
| 36 |
+ return self.open_unknown_proxy(proxy, fullurl, data) |
|
| 37 |
+ else: |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: A high-level scripting language |
| 2 | 2 |
Name: python2 |
| 3 | 3 |
Version: 2.7.15 |
| 4 |
-Release: 4%{?dist}
|
|
| 4 |
+Release: 5%{?dist}
|
|
| 5 | 5 |
License: PSF |
| 6 | 6 |
URL: http://www.python.org/ |
| 7 | 7 |
Group: System Environment/Programming |
| ... | ... |
@@ -14,6 +14,7 @@ Patch1: added-pyopenssl-ipaddress-certificate-validation.patch |
| 14 | 14 |
Patch2: python2-support-photon-platform.patch |
| 15 | 15 |
Patch3: CVE-2018-14647.patch |
| 16 | 16 |
Patch4: CVE-2019-9636.patch |
| 17 |
+Patch5: CVE-2019-9948.patch |
|
| 17 | 18 |
BuildRequires: pkg-config >= 0.28 |
| 18 | 19 |
BuildRequires: bzip2-devel |
| 19 | 20 |
BuildRequires: openssl-devel |
| ... | ... |
@@ -116,6 +117,7 @@ The test package contains all regression tests for Python as well as the modules |
| 116 | 116 |
%patch2 -p1 |
| 117 | 117 |
%patch3 -p1 |
| 118 | 118 |
%patch4 -p1 |
| 119 |
+%patch5 -p1 |
|
| 119 | 120 |
|
| 120 | 121 |
%build |
| 121 | 122 |
export OPT="${CFLAGS}"
|
| ... | ... |
@@ -238,6 +240,8 @@ make test |
| 238 | 238 |
%{_libdir}/python2.7/test/*
|
| 239 | 239 |
|
| 240 | 240 |
%changelog |
| 241 |
+* Thu Mar 28 2019 Tapas Kundu <tkundu@vmware.com> 2.7.15-5 |
|
| 242 |
+- Fix for CVE-2019-9948 |
|
| 241 | 243 |
* Tue Mar 12 2019 Tapas Kundu <tkundu@vmware.com> 2.7.15-4 |
| 242 | 244 |
- Added fix for CVE-2019-9636 |
| 243 | 245 |
* Fri Dec 21 2018 Tapas Kundu <tkundu@vmware.com> 2.7.15-3 |