1. photon
  2. Commit 234cea5b2e2fc0cb7432edf0a2bc05efc22b02f3
Browse code

python3: Fix for CVE-2019-16056

Change-Id: Id6c0f02ecb53461eaf79a9fb128c51bbc73c3319
Signed-off-by: Tapas Kundu <tkundu@vmware.com>
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/7983
Tested-by: gerrit-photon <photon-checkins@vmware.com>

Tapas Kundu authored on 2019/09/11 17:23:11
Showing 2 changed files
SPECS/python3/CVE-2019-16056.patch
History View file @ 234cea5
1 1 
new file mode 100644
... ... 
@@ -0,0 +1,130 @@
0 
+From c48d606adcef395e59fd555496c42203b01dd3e8 Mon Sep 17 00:00:00 2001
1 
+From: "Miss Islington (bot)"
2 
+ <31488909+miss-islington@users.noreply.github.com>
3 
+Date: Fri, 9 Aug 2019 01:30:33 -0700
4 
+Subject: [PATCH] bpo-34155: Dont parse domains containing @ (GH-13079)
5 
+
6 
+Before:
7 
+
8 
+        >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses
9 
+        (Address(display_name='', username='a', domain='malicious.org'),)
10 
+
11 
+        >>> parseaddr('a@malicious.org@important.com')
12 
+        ('', 'a@malicious.org')
13 
+
14 
+    After:
15 
+
16 
+        >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses
17 
+        (Address(display_name='', username='', domain=''),)
18 
+
19 
+        >>> parseaddr('a@malicious.org@important.com')
20 
+        ('', 'a@')
21 
+
22 
+https://bugs.python.org/issue34155
23 
+(cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9)
24 
+
25 
+Co-authored-by: jpic <jpic@users.noreply.github.com>
26 
+---
27 
+ Lib/email/_header_value_parser.py                  |  2 ++
28 
+ Lib/email/_parseaddr.py                            | 11 ++++++++++-
29 
+ Lib/test/test_email/test__header_value_parser.py   | 10 ++++++++++
30 
+ Lib/test/test_email/test_email.py                  | 14 ++++++++++++++
31 
+ .../2019-05-04-13-33-37.bpo-34155.MJll68.rst       |  1 +
32 
+ 5 files changed, 37 insertions(+), 1 deletion(-)
33 
+ create mode 100644 Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
34 
+
35 
+diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py
36 
+index 801ae728dd13..c09f4f121ffb 100644
37 
+--- a/Lib/email/_header_value_parser.py
38 
+@@ -1585,6 +1585,8 @@ def get_domain(value):
39 
+         token, value = get_dot_atom(value)
40 
+     except errors.HeaderParseError:
41 
+         token, value = get_atom(value)
42 
++    if value and value[0] == '@':
43 
++        raise errors.HeaderParseError('Invalid Domain')
44 
+     if leader is not None:
45 
+         token[:0] = [leader]
46 
+     domain.append(token)
47 
+diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py
48 
+index cdfa3729adc7..41ff6f8c000d 100644
49 
+--- a/Lib/email/_parseaddr.py
50 
+@@ -379,7 +379,12 @@ def getaddrspec(self):
51 
+         aslist.append('@')
52 
+         self.pos += 1
53 
+         self.gotonext()
54 
+-        return EMPTYSTRING.join(aslist) + self.getdomain()
55 
++        domain = self.getdomain()
56 
++        if not domain:
57 
++            # Invalid domain, return an empty address instead of returning a
58 
++            # local part to denote failed parsing.
59 
++            return EMPTYSTRING
60 
++        return EMPTYSTRING.join(aslist) + domain
61 
+
62 
+     def getdomain(self):
63 
+         """Get the complete domain name from an address."""
64 
+@@ -394,6 +399,10 @@ def getdomain(self):
65 
+             elif self.field[self.pos] == '.':
66 
+                 self.pos += 1
67 
+                 sdlist.append('.')
68 
++            elif self.field[self.pos] == '@':
69 
++                # bpo-34155: Don't parse domains with two `@` like
70 
++                # `a@malicious.org@important.com`.
71 
++                return EMPTYSTRING
72 
+             elif self.field[self.pos] in self.atomends:
73 
+                 break
74 
+             else:
75 
+diff --git a/Lib/test/test_email/test__header_value_parser.py b/Lib/test/test_email/test__header_value_parser.py
76 
+index 9e862feab10c..0f19f8bcc2e0 100644
77 
+--- a/Lib/test/test_email/test__header_value_parser.py
78 
+@@ -1448,6 +1448,16 @@ def test_get_addr_spec_dot_atom(self):
79 
+         self.assertEqual(addr_spec.domain, 'example.com')
80 
+         self.assertEqual(addr_spec.addr_spec, 'star.a.star@example.com')
81 
+
82 
++    def test_get_addr_spec_multiple_domains(self):
83 
++        with self.assertRaises(errors.HeaderParseError):
84 
++            parser.get_addr_spec('star@a.star@example.com')
85 
++
86 
++        with self.assertRaises(errors.HeaderParseError):
87 
++            parser.get_addr_spec('star@a@example.com')
88 
++
89 
++        with self.assertRaises(errors.HeaderParseError):
90 
++            parser.get_addr_spec('star@172.17.0.1@example.com')
91 
++
92 
+     # get_obs_route
93 
+
94 
+     def test_get_obs_route_simple(self):
95 
+diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py
96 
+index c29cc56203b1..aa775881c552 100644
97 
+--- a/Lib/test/test_email/test_email.py
98 
+@@ -3041,6 +3041,20 @@ def test_parseaddr_empty(self):
99 
+         self.assertEqual(utils.parseaddr('<>'), ('', ''))
100 
+         self.assertEqual(utils.formataddr(utils.parseaddr('<>')), '')
101 
+
102 
++    def test_parseaddr_multiple_domains(self):
103 
++        self.assertEqual(
104 
++            utils.parseaddr('a@b@c'),
105 
++            ('', '')
106 
++        )
107 
++        self.assertEqual(
108 
++            utils.parseaddr('a@b.c@c'),
109 
++            ('', '')
110 
++        )
111 
++        self.assertEqual(
112 
++            utils.parseaddr('a@172.17.0.1@c'),
113 
++            ('', '')
114 
++        )
115 
++
116 
+     def test_noquote_dump(self):
117 
+         self.assertEqual(
118 
+             utils.formataddr(('A Silly Person', 'person@dom.ain')),
119 
+diff --git a/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
120 
+new file mode 100644
121 
+index 000000000000..50292e29ed1d
122 
+--- /dev/null
123 
+@@ -0,0 +1 @@
124 
++Fix parsing of invalid email addresses with more than one ``@`` (e.g. a@b@c.com.) to not return the part before 2nd ``@`` as valid email address. Patch by maxking & jpic.
SPECS/python3/python3.spec
History View file @ 234cea5
... ... 
@@ -1,7 +1,7 @@
1 1 
 Summary:        A high-level scripting language
2 2 
 Name:           python3
3 3 
 Version:        3.7.3
4 
-Release:        2%{?dist}
4 
+Release:        3%{?dist}
5 5 
 License:        PSF
6 6 
 URL:            http://www.python.org/
7 7 
 Group:          System Environment/Programming
... ... 
@@ -13,6 +13,7 @@ Patch0:         cgi3.patch
13 13 
 Patch1:         python3-support-photon-platform.patch
14 14 
 Patch2:         CVE-2019-9740.patch
15 15 
 Patch3:         CVE-2019-10160.patch
16 
+Patch4:         CVE-2019-16056.patch
16 17 
 BuildRequires:  pkg-config >= 0.28
17 18 
 BuildRequires:  bzip2-devel
18 19 
 BuildRequires:  ncurses-devel
... ... 
@@ -135,6 +136,7 @@ The test package contains all regression tests for Python as well as the modules
135 135 
 %patch1 -p1
136 136 
 %patch2 -p1
137 137 
 %patch3 -p1
138 
+%patch4 -p1
138 139
139 140 
 %build
140 141 
 export OPT="${CFLAGS}"
... ... 
@@ -261,6 +263,8 @@ rm -rf %{buildroot}/*
261 261 
 %{_libdir}/python3.7/test/*
262 262
263 263 
 %changelog
264 
+*   Wed Sep 11 2019 Tapas Kundu <tkundu@vmware.com> 3.7.3-3
265 
+-   Fix CVE-2019-16056
264 266 
 *   Mon Jun 17 2019 Tapas Kundu <tkundu@vmware.com> 3.7.3-2
265 267 
 -   Fix for CVE-2019-10160
266 268 
 *   Mon Jun 10 2019 Tapas Kundu <tkundu@vmware.com> 3.7.3-1