From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-ej1-f45.google.com (mail-ej1-f45.google.com [209.85.218.45]) by mx.groups.io with SMTP id smtpd.web12.137.1614272606483242483 for ; Thu, 25 Feb 2021 09:03:27 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20161025 header.b=tuhd+zO0; spf=pass (domain: gmail.com, ip: 209.85.218.45, mailfrom: martin.jansa@gmail.com) Received: by mail-ej1-f45.google.com with SMTP id d8so10074662ejc.4 for ; Thu, 25 Feb 2021 09:03:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4q5T9X2c183+kAOWPprGFLzaMG5X5eNBGvlRkyaQuyI=; b=tuhd+zO0FUq6bd/UU6uDKoFIQj8ifDuWHK9V7PO5WS+iHBtRhDz+X+gPecmu0F+tR2 vzQhmNVylVk0CZ4u6SuYDH5Cal6D2XtLL8FCJAzKKMy21Pg80M4iFpDu3kklciA4abU7 lUDdJBtzY8jAzOebEwC84rpkbfFZofBhV4BAWjrRVUnXMhixlkeCMiNR1F0n5i9cLOnK WuKehJFbVkW1zsMOMg99jXYiuB6JxJh4ucLccYQql8N7xLX4Z0o7tGjJrHXnYidwcp5O abdv7BPDWJ3U+6741NpnHBrXR6SMDyucaBMQlfngbDLXse08E46bGBDS14SxZGP6PGa/ katw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4q5T9X2c183+kAOWPprGFLzaMG5X5eNBGvlRkyaQuyI=; b=nC4KYC+AJ8Gufwtjjc+xyGhU+CLtkwEIp0eOxhiLYpIEq443I9oYpkhOUR5GVCbZuy 9T98MiuqjBgLP4xMdZjTEJn5hwAk683RjXElrKBXX4e2l2rvP0cyamSHwHRKhr/6/L5o RM+UXGUMjTQV7URLWGzrvdSy/dLJRGpJYzaLVtYFzWhxBMuotVjbwj7fkdybhlduq5t6 Xna/OeG1hypnXwEP95WWN+5EJbBEaxOTcs4TNELhlYO9nMJuxAX2TPSm3DkeDL/PWl1J oGlkmmQSMqqv0aLMglLf348J/YH+r2csa84hmxQ4H6RQOIld8rvzqf4g9pMcUeeN41mJ Y2bA== X-Gm-Message-State: AOAM5334Mn+gD8oVT+2kLZFms7siIcnh5nusaN5Q1Ky/rhziMYpk+iyS Ii8qQ8yR6DS7B/apZp4tlrx8QjFnRe04TJPiVi0= X-Google-Smtp-Source: ABdhPJweANkVydboRcFAwlZgxxJiiAlFFiYlSW+DyJ1WsDHOwHvawsRjc+exdlsf5zafNk+mARW6pq5z/O2iPRysmH4= X-Received: by 2002:a17:906:4349:: with SMTP id z9mr3523083ejm.471.1614272604865; Thu, 25 Feb 2021 09:03:24 -0800 (PST) MIME-Version: 1.0 References: <20210216152349.30824-1-Rahul.Taya@kpit.com> In-Reply-To: From: "Martin Jansa" Date: Thu, 25 Feb 2021 18:03:13 +0100 Message-ID: Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for CVE-2019-9674 To: Rahul Taya Cc: openembedded-devel Content-Type: multipart/alternative; boundary="0000000000002f070705bc2c218e" --0000000000002f070705bc2c218e Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Rahul, you probably don't have patch-fuzz in ERROR_QA and overlooked the warning generated by this QA check which is by default only in WARN_QA. Or you weren't testing it with master branch as the subject says it's for dunfell, but it the python version is the same in master and dunfell, so the warning should be triggered in both. On Thu, Feb 25, 2021 at 5:19 PM Rahul Taya wrote: > Hi Martin, > > I have tested my changes before sending to you or ML i don=E2=80=99t kno= w why it > is failing now at your side. > > Thanks and Regards, > Rahul > > Get Outlook for iOS > ------------------------------ > *From:* Martin Jansa > *Sent:* Thursday, February 25, 2021 8:25:50 PM > *To:* Rahul Taya > *Cc:* openembedded-devel > *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for > CVE-2019-9674 > > Hi, > > normally you should fork meta-python2 and send a link to meta-python2 > change I can cherry-pick, not the blob in otherwise empty repo. > > But as I've said in previous reply, I've already manually applied your > change in meta-python2 master-next where it's now failing: > > ERROR: python-native-2.7.18-r0 do_patch: Fuzz detected: > > Applying patch CVE-2019-9674.patch > patching file Doc/library/zipfile.rst > Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines). > > > The context lines in the patches can be updated with devtool: > > devtool modify python-native > devtool finish --force-patch-refresh python-native > > Don't forget to review changes done by devtool! > > ERROR: python-native-2.7.18-r0 do_patch: QA Issue: Patch log indicates t= hat patches do not apply cleanly. [patch-fuzz] > > > so I'll fix this as well, but next time please better test your changes = (nghttp2 patch also didn't apply, see my reply there, not sure if you have = fixed that in v2) > > > Regards, > > > > > On Thu, Feb 25, 2021 at 9:09 AM Rahul Taya wrote: > > Hi Martin, > > I removed the emoticons and uploaded the patch to my git repo pls access > below link: > > https://github.com/Rahult9/upstream_patch/blob/main/CVE-2019-9674.patch > > > > Thanks and Regards, > Rahul Taya > ------------------------------ > *From:* Martin Jansa > *Sent:* Thursday, February 18, 2021 10:58 PM > *To:* Rahul Taya > *Cc:* openembedded-devel ; > Khem Raj ; Nisha Parrakat ; > Harpritkaur Bhandari > *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for > CVE-2019-9674 > > "git am" doesn't like those emoticons in the .patch file.. > > git am ~/py2/cur/16136689* > error: cannot convert from 8bit to UTF-8 > fatal: could not parse patch > > either drop them or upload it to some git repo so I can cherry-pick it > from there. > > On Thu, Feb 18, 2021 at 3:18 PM Rahul Taya wrote: > > For python and python-native added patch to fix > CVE-2019-9674 > > Signed-off-by: Rahul Taya > --- > recipes-devtools/python/python.inc | 1 + > .../python/python/CVE-2019-9674.patch | 83 +++++++++++++++++++ > 2 files changed, 84 insertions(+) > create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch > > diff --git a/recipes-devtools/python/python.inc > b/recipes-devtools/python/python.inc > index a4ba0c5..787f23e 100644 > --- a/recipes-devtools/python/python.inc > +++ b/recipes-devtools/python/python.inc > @@ -8,6 +8,7 @@ INC_PR =3D "r1" > LIC_FILES_CHKSUM =3D "file://LICENSE;md5=3D203a6dbc802ee896020a47161e75= 9642" > > SRC_URI =3D "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz > > \ > + file://CVE-2019-9674.patch \ > " > > SRC_URI[sha256sum] =3D > "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43" > diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch > b/recipes-devtools/python/python/CVE-2019-9674.patch > new file mode 100644 > index 0000000..647d9da > --- /dev/null > +++ b/recipes-devtools/python/python/CVE-2019-9674.patch > @@ -0,0 +1,83 @@ > +From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001 > +From: JunWei Song > +Date: Wed, 11 Sep 2019 23:04:12 +0800 > +Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentatio= n > + (#13378) > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=3DUTF-8 > +Content-Transfer-Encoding: 8bit > + > +* bpo-36260: Add pitfalls to zipfile module documentation > + > +We saw vulnerability warning description (including zip bomb) in > Doc/library/xml.rst file. > +This gave us the idea of documentation improvement. > + > +So, we moved a little bit forward :P > +And the doc patch can be found (pr). > + > +* fix trailing whitespace > + > +* =F0=9F=93=9C=F0=9F=A4=96 Added by blurb_it. > + > +* Reformat text for consistency. > + > +Upstream-Status: Backport[ > http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2= ubuntu0~16.04.12.debian.tar.xz > > ] > +CVE: CVE-2019-9674 > +Link: > http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2= ubuntu0~16.04.12.debian.tar.xz > > +Comment: From the original patch skipped changes for file > +Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst > +as this file is not present in our source code. > +--- > + Doc/library/zipfile.rst | 41 +++++++++++++++++++ > + 1 files changed, 41 insertions(+) > + > +diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst > +index b421ea5..2e0a91d 100644 > +--- a/Doc/library/zipfile.rst > ++++ b/Doc/library/zipfile.rst > +@@ -574,4 +574,45 @@ Instances have the following attributes: > + > + Size of the uncompressed file. > + > ++Decompression pitfalls > ++---------------------- > ++ > ++The extraction in zipfile module might fail due to some pitfalls liste= d > below. > ++ > ++From file itself > ++~~~~~~~~~~~~~~~~ > ++ > ++Decompression may fail due to incorrect password / CRC checksum / ZIP > format or > ++unsupported compression method / decryption. > ++ > ++File System limitations > ++~~~~~~~~~~~~~~~~~~~~~~~ > ++ > ++Exceeding limitations on different file systems can cause decompressio= n > failed. > ++Such as allowable characters in the directory entries, length of the > file name, > ++length of the pathname, size of a single file, and number of files, et= c. > ++ > ++Resources limitations > ++~~~~~~~~~~~~~~~~~~~~~ > ++ > ++The lack of memory or disk volume would lead to decompression > ++failed. For example, decompression bombs (aka `ZIP bomb`_) > ++apply to zipfile library that can cause disk volume exhaustion. > ++ > ++Interruption > ++~~~~~~~~~~~~ > ++ > ++Interruption during the decompression, such as pressing control-C or > killing the > ++decompression process may result in incomplete decompression of the > archive. > ++ > ++Default behaviors of extraction > ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > ++ > ++Not knowing the default extraction behaviors > ++can cause unexpected decompression results. > ++For example, when extracting the same archive twice, > ++it overwrites files without asking. > ++ > ++ > ++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb > > + .. _PKZIP Application Note: > https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT > > -- > 2.17.1 > > This message contains information that may be privileged or confidential > and is the property of the KPIT Technologies Ltd. It is intended only fo= r > the person to whom it is addressed. If you are not the intended recipien= t, > you are not authorized to read, print, retain copy, disseminate, > distribute, or use this message or any part thereof. If you receive this > message in error, please notify the sender immediately and delete all > copies of this message. KPIT Technologies Ltd. does not accept any > liability for virus infected mails. > >=20 > > This message contains information that may be privileged or confidential > and is the property of the KPIT Technologies Ltd. It is intended only fo= r > the person to whom it is addressed. If you are not the intended recipien= t, > you are not authorized to read, print, retain copy, disseminate, > distribute, or use this message or any part thereof. If you receive this > message in error, please notify the sender immediately and delete all > copies of this message. KPIT Technologies Ltd. does not accept any > liability for virus infected mails. > > This message contains information that may be privileged or confidential > and is the property of the KPIT Technologies Ltd. It is intended only fo= r > the person to whom it is addressed. If you are not the intended recipien= t, > you are not authorized to read, print, retain copy, disseminate, > distribute, or use this message or any part thereof. If you receive this > message in error, please notify the sender immediately and delete all > copies of this message. KPIT Technologies Ltd. does not accept any > liability for virus infected mails. > --0000000000002f070705bc2c218e Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Rahul,

you probably don't have p= atch-fuzz in ERROR_QA and overlooked the warning generated by this QA check= which is by default only in WARN_QA.

Or you weren= 't testing it with master branch as the subject says it's for dunfe= ll, but it the python version is the same in master and dunfell, so the war= ning should be triggered in both.

On Thu, Feb 25, 2021 at 5:19 PM Rahu= l Taya <Rahul.Taya@kpit.com&g= t; wrote:
Hi Martin,

I have tested my changes before sending to you or ML=C2=A0i don=E2=80=99t know why it is failing now at your side.<= /span>

Thanks and Regards,
Rahul

Fro= m: Martin Jansa <martin.jansa@gmail.com>
Sent: Thursday, February 25, 2021 8:25:50 PM
To: Rahul Taya <Rahul.Taya@kpit.com>
Cc: openembedded-devel <openembedded-devel@lists.openembedde= d.org>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix fo= r CVE-2019-9674
=C2=A0
Hi,

normally you should fork meta-python2 and send a link to meta-python2= change I can cherry-pick, not the blob in otherwise empty repo.

But as I've said in previous reply, I've already manually app= lied your change in meta-python2 master-next where it's now failing: 

ERROR: python-native-2.7.18-r0 do_patch: =
Fuzz detected:

Applying patch CVE-2019-9674.patch
patching file Doc/library/zipfile.rst
Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines).


The context lines in the patches can be updated with devtool:

    devtool modify python-native
    devtool finish --force-patch-refresh python-native <layer_path>

Don't forget to review changes done by devtool!

ERROR: python-native-2.7.18-r0 do_patch: QA Issue: Patch log indicates tha=
t patches do not apply cleanly. [patch-fuzz]

so I'll fix this as well, but next ti=
me please better test your changes (nghttp2 patch also didn't apply, se=
e my reply there, not sure if you have fixed that in v2)

Regards,



On Thu, Feb 25, 2021 at 9:09 AM Rahul Taya <Rahul.Taya@kpit.com> = wrote:
Hi Martin,

I removed the emoticons and uploaded the patch to my git repo pls access b= elow link:



Thanks and R= egards,
Rahul Taya
From: Martin Jansa <martin.jansa@gmail.com>
Sent: Thursday, February 18, 2021 10:58 PM
To: Rahul Taya <Rahul.Taya@kpit.com>
Cc: openembedded-devel <openembedded-devel@lists.openembedde= d.org>; Khem Raj <raj.khem@gmail.com>; Nisha Parrakat <Nisha.Parrakat@kpit.com>; Harpritkaur Bhandari <Harpritkaur.Bhandari@kpit.com>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix fo= r CVE-2019-9674
=C2=A0
"git am" doesn't like those emoticons in th= e .patch file..

git am ~/py2/cur/16136689*
error: cannot convert from 8bit to UTF-8
fatal: could not parse patch

either drop them or upload it to some git repo so I can cherry-pick i= t from there.

On Thu, Feb 18, 2021 at 3:18 PM Rahul Taya <Rahul.Taya@kpit.com> = wrote:
For python and python-native added patch to fix
CVE-2019-9674

Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com>
---
=C2=A0recipes-devtools/python/python.inc=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0= =C2=A0 |=C2=A0 1 +
=C2=A0.../python/python/CVE-2019-9674.patch=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= = =A0| 83 +++++++++++++++++++
=C2=A02 files changed, 84 insertions(+)
=C2=A0create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patc= h

diff --git a/recipes-devtools/python/python.inc b/recipes-devtools/python/= python.inc
index a4ba0c5..787f23e 100644
--- a/recipes-devtools/python/python.inc
+++ b/recipes-devtools/python/python.inc
@@ -8,6 +8,7 @@ INC_PR =3D "r1"
=C2=A0LIC_FILES_CHKSUM =3D "file://LICENSE;md5=3D203a6dbc802ee896020a= 47161e759642"

=C2=A0SRC_URI =3D "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0file://CVE-2019-9674.patch \
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 "

=C2=A0SRC_URI[sha256sum] =3D "b62c0e7937551d0cc02b8fd5cb0f544f9405baf= c9a54d3808ed4594812edef43"
diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch b/recipes-= devtools/python/python/CVE-2019-9674.patch
new file mode 100644
index 0000000..647d9da
--- /dev/null
+++ b/recipes-devtools/python/python/CVE-2019-9674.patch
@@ -0,0 +1,83 @@
+From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001 +From: JunWei Song <sungboss2004@gmail.com>
+Date: Wed, 11 Sep 2019 23:04:12 +0800
+Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation<= br> + (#13378)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=3DUTF-8
+Content-Transfer-Encoding: 8bit
+
+* bpo-36260: Add pitfalls to zipfile module documentation
+
+We saw vulnerability warning description (including zip bomb) in Doc/libr= ary/xml.rst file.
+This gave us the idea of documentation improvement.
+
+So, we moved a little bit forward :P
+And the doc patch can be found (pr).
+
+* fix trailing whitespace
+
+* =F0=9F=93=9C=F0=9F=A4=96 Added by blurb_it.
+
+* Reformat text for consistency.
+
+Upstream-Status: Backport[http://archive.ubuntu.com/ubunt= u/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz= ]
+CVE: CVE-2019-9674
+Link: http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ub= untu0~16.04.12.debian.tar.xz
+Comment: From the original patch skipped changes for file
+Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst +as this file is not present in our source code.
+---
+ Doc/library/zipfile.rst=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0| 41 +++++++++++++++++++
+ 1 files changed, 41 insertions(+)
+
+diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
+index b421ea5..2e0a91d 100644
+--- a/Doc/library/zipfile.rst
++++ b/Doc/library/zipfile.rst
+@@ -574,4 +574,45 @@ Instances have the following attributes:
+
+=C2=A0 =C2=A0 Size of the uncompressed file.
+
++Decompression pitfalls
++----------------------
++
++The extraction in zipfile module might fail due to some pitfalls listed = below.
++
++From file itself
++~~~~~~~~~~~~~~~~
++
++Decompression may fail due to incorrect password / CRC checksum / ZIP fo= rmat or
++unsupported compression method / decryption.
++
++File System limitations
++~~~~~~~~~~~~~~~~~~~~~~~
++
++Exceeding limitations on different file systems can cause decompression = failed.
++Such as allowable characters in the directory entries, length of the fil= e name,
++length of the pathname, size of a single file, and number of files, etc.=
++
++Resources limitations
++~~~~~~~~~~~~~~~~~~~~~
++
++The lack of memory or disk volume would lead to decompression
++failed. For example, decompression bombs (aka `ZIP bomb`_)
++apply to zipfile library that can cause disk volume exhaustion.
++
++Interruption
++~~~~~~~~~~~~
++
++Interruption during the decompression, such as pressing control-C or kil= ling the
++decompression process may result in incomplete decompression of the arch= ive.
++
++Default behaviors of extraction
++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++
++Not knowing the default extraction behaviors
++can cause unexpected decompression results.
++For example, when extracting the same archive twice,
++it overwrites files without asking.
++
++
++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
+ .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
--
2.17.1

This message contains information that may be privileged or confidential a= nd is the property of the KPIT Technologies Ltd. It is intended only for th= e person to whom it is addressed. If you are not the intended recipient, yo= u are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part the= reof. If you receive this message in error, please notify the sender immedi= ately and delete all copies of this message. KPIT Technologies Ltd. does no= t accept any liability for virus infected mails.



This message contains information that may be privileged or confidential a= nd is the property of the KPIT Technologies Ltd. It is intended only for th= e person to whom it is addressed. If you are not the intended recipient, yo= u are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part the= reof. If you receive this message in error, please notify the sender immedi= ately and delete all copies of this message. KPIT Technologies Ltd. does no= t accept any liability for virus infected mails.
This message contains information that may be privileged or confidential a= nd is the property of the KPIT Technologies Ltd. It is intended only for th= e person to whom it is addressed. If you are not the intended recipient, yo= u are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part the= reof. If you receive this message in error, please notify the sender immedi= ately and delete all copies of this message. KPIT Technologies Ltd. does no= t accept any liability for virus infected mails.
--0000000000002f070705bc2c218e--