From: "Andrej Valek" <andrej.valek@siemens.com>
To: steve@sakoman.com
Cc: openembedded-core@lists.openembedded.org,
	Andrej Valek <andrej.valek@siemens.com>
Subject: [OE-core][dunfell][PATCH v3] python3: fix CVE-2019-20907
Date: Wed,  9 Dec 2020 09:09:03 +0100
Message-ID: <20201209080903.8868-1-andrej.valek@siemens.com>
In-Reply-To: <20201208083102.3259-1-andrej.valek@siemens.com>

 - move fixing patch for CVE-2020-8492 to the right location

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 ...VE-2020-8492-Fix-AbstractBasicAuthHandler.patch |  0
 .../python/python3/CVE-2019-20907.patch            | 44 ++++++++++++++++++++++
 meta/recipes-devtools/python/python3_3.8.2.bb      |  1 +
 3 files changed, 45 insertions(+)
 rename meta/recipes-devtools/python/{files => python3}/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch (100%)
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2019-20907.patch

diff --git a/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch b/meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
similarity index 100%
rename from meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
rename to meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
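Review bot: the commit message says the CVE-2020-8492 patch is moved "to the right location" but does not say why python3/ is right; a one-line justification would help a backport reviewer. The visible SRC_URI in the python3_3.8.2.bb hunk references the file as `file://0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch`, and the new CVE-2019-20907.patch added by this same series is created under meta/recipes-devtools/python/python3/, so the rename makes the two CVE patches live side by side in the directory the recipe already resolves file:// entries from. Stating that in the message (rather than the bare "right location") would make the rename self-explanatory in git history.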
diff --git a/meta/recipes-devtools/python/python3/CVE-2019-20907.patch b/meta/recipes-devtools/python/python3/CVE-2019-20907.patch
new file mode 100644
index 0000000000..a2e72372dd
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2019-20907.patch
@@ -0,0 +1,44 @@
+From a06a6bf4e67a50561f6d6fb33534df1d3035ea34 Mon Sep 17 00:00:00 2001
+From: Rishi <rishi_devan@mail.com>
+Date: Wed, 15 Jul 2020 13:51:00 +0200
+Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module
+ (GH-21454)
+
+Avoid infinite loop when reading specially crafted TAR files using the tarfile module
+(CVE-2019-20907).
+(cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4)
+
+Co-authored-by: Rishi <rishi_devan@mail.com>
+
+Removed testing 'recursion.tar' tar file due to binary data
+
+Upstream-Status: Backport [https://github.com/python/cpython/commit/c55479556db015f48fc8bbca17f64d3e65598559]
+CVE: CVE-2019-20907
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+---
+ Lib/tarfile.py                                    |   2 ++
+ .../2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst      |   1 +
+ 4 files changed, 10 insertions(+)
+ create mode 100644 Lib/test/recursion.tar
+ create mode 100644 Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index d31b9cbb51d65..7a69e1b1aa544 100755
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -1241,6 +1241,8 @@ def _proc_pax(self, tarfile):
+ 
+             length, keyword = match.groups()
+             length = int(length)
++            if length == 0:
++                raise InvalidHeaderError("invalid header")
+             value = buf[match.end(2) + 1:match.start(1) + length - 1]
+ 
+             # Normally, we could just use "utf-8" as the encoding and "strict"
+diff --git a/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
+new file mode 100644
+index 0000000000000..ad26676f8b856
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
+@@ -0,0 +1 @@
++Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
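Review bot: the diffstat embedded in the backported patch header is inconsistent with its body: it claims "4 files changed, 10 insertions(+)" and "create mode 100644 Lib/test/recursion.tar", yet only two files (Lib/tarfile.py and the NEWS.d entry, three insertions) are actually present, and the description itself says the 'recursion.tar' test file was removed because of binary data. Regenerate the stat for the trimmed patch, or drop the stale `create mode 100644 Lib/test/recursion.tar` line, so the header matches what quilt will apply; otherwise a reviewer has to diff the patch against upstream to confirm nothing else was dropped. The functional change is just the two added lines in `_proc_pax`, `if length == 0: raise InvalidHeaderError("invalid header")`, which rejects a pax record claiming zero length before the loop uses it to slice the buffer, matching the upstream commit referenced in Upstream-Status, so the code portion is a clean cherry-pick.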
diff --git a/meta/recipes-devtools/python/python3_3.8.2.bb b/meta/recipes-devtools/python/python3_3.8.2.bb
index b4cce88e87..9eddad4ad4 100644
--- a/meta/recipes-devtools/python/python3_3.8.2.bb
+++ b/meta/recipes-devtools/python/python3_3.8.2.bb
@@ -33,6 +33,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \
            file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
            file://0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch \
+           file://CVE-2019-20907.patch \
            file://CVE-2020-14422.patch \
            file://CVE-2020-26116.patch \
            file://CVE-2020-27619.patch \
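Review bot: the SRC_URI addition is placed between the CVE-2020-8492 and CVE-2020-14422 entries, consistent with the neighbouring CVE patch ordering, and the patch file carries the `CVE: CVE-2019-20907` tag that cve-check reads to mark the issue as fixed for this recipe; nothing to change in this hunk beyond confirming the tag is present, which it is.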
-- 
2.11.0