
Bug#829135: marked as done (jessie-pu: package python2.7/2.7.9-2+deb8u1)



Your message dated Sat, 17 Sep 2016 13:08:06 +0100
with message-id <1474114086.2011.126.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 8.6
has caused the Debian Bug report #829135,
regarding jessie-pu: package python2.7/2.7.9-2+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
829135: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829135
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Attached debdiff fixes a few non-severe security issues in python2.7
and has been tested for a few days on a live system.

Cheers,
        Moritz

diff -u python2.7-2.7.9/debian/changelog python2.7-2.7.9/debian/changelog
--- python2.7-2.7.9/debian/changelog
+++ python2.7-2.7.9/debian/changelog
@@ -1,3 +1,14 @@
+python2.7 (2.7.9-2+deb8u1) jessie; urgency=medium
+
+  * Backport upstream commit b3ce713fb9beebfff9848cefa0acbd59acc68fe9
+    to address StartTLS stripping attack in smtplib (CVE-2016-0772)
+  * Backport upstream commit 985fc64c60d6adffd1138b6cc46df388ca91ca5d
+    to address integer overflow in zipimporter (CVE-2016-5636)
+  * Backport upstream commit 1c45047c51020d46246385949d5c02e026d47320
+    to address HTTP header injection (CVE-2016-5699)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Wed, 29 Jun 2016 00:02:23 +0200
+
 python2.7 (2.7.9-2) unstable; urgency=medium
 
   * python2.7-minimal: Make Pre-Depends mangling more robust. Closes: #779294.
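Review bot: The CVE-2016-5699 entry is the only one of the three that does not name the affected module; the other two say "in smtplib" and "in zipimporter", while this one just says "HTTP header injection". Since the Debian changelog is what the security tracker and users read, "in httplib (HTTPConnection.putheader)" would match the other entries and the patch that follows, which touches only that method.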
diff -u python2.7-2.7.9/debian/patches/series.in python2.7-2.7.9/debian/patches/series.in
--- python2.7-2.7.9/debian/patches/series.in
+++ python2.7-2.7.9/debian/patches/series.in
@@ -66,0 +67,4 @@
+CVE-2016-0772.diff
+CVE-2016-5636.diff
+CVE-2016-5699.diff
+
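Review bot: The trailing empty `+` line appended after CVE-2016-5699.diff adds a blank line to the end of series.in. quilt ignores it, but it is noise in the debdiff and the next backport will end up either above or below it; drop it and keep the file ending at the last patch name.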
only in patch2:
unchanged:
--- python2.7-2.7.9.orig/debian/patches/CVE-2016-0772.diff
+++ python2.7-2.7.9/debian/patches/CVE-2016-0772.diff
@@ -0,0 +1,25 @@
+
+# HG changeset patch
+# User Benjamin Peterson <benjamin@python.org>
+# Date 1465676202 25200
+# Node ID b3ce713fb9beebfff9848cefa0acbd59acc68fe9
+# Parent  3017e41b0c99d24e88faf1de447f230e2f64d122
+raise an error when STARTTLS fails
+
+diff --git a/Lib/smtplib.py b/Lib/smtplib.py
+--- a/Lib/smtplib.py
++++ b/Lib/smtplib.py
+@@ -656,7 +656,12 @@ class SMTP:
+             self.ehlo_resp = None
+             self.esmtp_features = {}
+             self.does_esmtp = 0
++        else:
++            # RFC 3207:
++            # 501 Syntax error (no parameters allowed)
++            # 454 TLS not available due to temporary reason
++            raise SMTPResponseException(resp, reply)
+         return (resp, reply)
+ 
+     def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
+ 
+
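Review bot: The new `else:` branch turns every non-220 reply to STARTTLS into an SMTPResponseException, which is the right fix for a stripping attacker who answers 454 or 501, but it is a visible behaviour change for callers that invoke starttls() and ignore the returned (resp, reply) tuple: before this patch they silently continued in plaintext, after it they get an exception. Nothing in the patch header or the Debian changelog flags that, and the backport carries no regression test for the failure path; a test_smtplib.py case that feeds a 454 reply and asserts SMTPResponseException would pin the fixed behaviour. Also, the patch file starts with an empty line before the `# HG changeset patch` header, which is harmless for quilt but inconsistent with the other two.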
only in patch2:
unchanged:
--- python2.7-2.7.9.orig/debian/patches/CVE-2016-5636.diff
+++ python2.7-2.7.9/debian/patches/CVE-2016-5636.diff
@@ -0,0 +1,24 @@
+
+# HG changeset patch
+# User Benjamin Peterson <benjamin@python.org>
+# Date 1453357424 28800
+# Node ID 985fc64c60d6adffd1138b6cc46df388ca91ca5d
+# Parent  7ec954b9fc54448a35b56d271340ba109eb381b9
+prevent buffer overflow in get_data (closes #26171)
+
+diff --git a/Modules/zipimport.c b/Modules/zipimport.c
+--- a/Modules/zipimport.c
++++ b/Modules/zipimport.c
+@@ -895,6 +895,11 @@ get_data(char *archive, PyObject *toc_en
+         PyMarshal_ReadShortFromFile(fp);        /* local header size */
+     file_offset += l;           /* Start of file data */
+ 
++    if (data_size > LONG_MAX - 1) {
++        fclose(fp);
++        PyErr_NoMemory();
++        return NULL;
++    }
+     raw_data = PyString_FromStringAndSize((char *)NULL, compress == 0 ?
+                                           data_size : data_size + 1);
+     if (raw_data == NULL) {
+
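Review bot: The new check guards only the upper end of data_size before the `data_size + 1` allocation; a negative data_size taken from the toc_entry that was filled in from the archive still gets past it and is only rejected afterwards when PyString_FromStringAndSize refuses a negative size. An explicit `data_size < 0` test next to the new one, raising ZipImportError rather than MemoryError, would make the intent clear and give an accurate error: an absurd size field means a corrupt or hostile archive, not an out-of-memory condition. Using PyErr_NoMemory matches the upstream commit, so keeping it as-is is defensible for a stable backport; the fclose(fp) before the early return is correctly in place.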
only in patch2:
unchanged:
--- python2.7-2.7.9.orig/debian/patches/CVE-2016-5699.diff
+++ python2.7-2.7.9/debian/patches/CVE-2016-5699.diff
@@ -0,0 +1,147 @@
+
+# HG changeset patch
+# User Serhiy Storchaka <storchaka@gmail.com>
+# Date 1426151571 -7200
+# Node ID 1c45047c51020d46246385949d5c02e026d47320
+# Parent  36bd5add973285cce9d3ec7e068bbb20c9080565
+Issue #22928: Disabled HTTP header injections in httplib.
+Original patch by Demian Brecht.
+
+diff --git a/Lib/httplib.py b/Lib/httplib.py
+--- a/Lib/httplib.py
++++ b/Lib/httplib.py
+@@ -68,6 +68,7 @@ Req-sent-unread-response       _CS_REQ_S
+ 
+ from array import array
+ import os
++import re
+ import socket
+ from sys import py3kwarning
+ from urlparse import urlsplit
+@@ -218,6 +219,34 @@ MAXAMOUNT = 1048576
+ # maximum amount of headers accepted
+ _MAXHEADERS = 100
+ 
++# Header name/value ABNF (http://tools.ietf.org/html/rfc7230#section-3.2)
++#
++# VCHAR          = %x21-7E
++# obs-text       = %x80-FF
++# header-field   = field-name ":" OWS field-value OWS
++# field-name     = token
++# field-value    = *( field-content / obs-fold )
++# field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
++# field-vchar    = VCHAR / obs-text
++#
++# obs-fold       = CRLF 1*( SP / HTAB )
++#                ; obsolete line folding
++#                ; see Section 3.2.4
++
++# token          = 1*tchar
++#
++# tchar          = "!" / "#" / "$" / "%" / "&" / "'" / "*"
++#                / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
++#                / DIGIT / ALPHA
++#                ; any VCHAR, except delimiters
++#
++# VCHAR defined in http://tools.ietf.org/html/rfc5234#appendix-B.1
++
++# the patterns for both name and value are more leniant than RFC
++# definitions to allow for backwards compatibility
++_is_legal_header_name = re.compile(r'\A[^:\s][^:\r\n]*\Z').match
++_is_illegal_header_value = re.compile(r'\n(?![ \t])|\r(?![ \t\n])').search
++
+ 
+ class HTTPMessage(mimetools.Message):
+ 
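Review bot: "leniant" in the comment above the two patterns should read "lenient". More substantively, the patterns are weaker than the RFC 7230 grammar quoted right above them, and the comment should say exactly how: `_is_illegal_header_value` accepts obs-fold (CR or LF followed by SP or HTAB) even though section 3.2.4, which the comment cites, says a sender MUST NOT generate line folding, and `_is_legal_header_name` rejects only a leading whitespace character, so SP and HTAB inside or after a field-name still pass. Both are what a recipient that does not implement obs-fold will read as a new header line or a malformed name, so a sentence stating that these allowances exist only for backwards compatibility and must not be relied on by callers belongs here. The `\A`/`\Z` anchors are the right choice over `^`/`$`, since `$` would match before a trailing newline.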
+@@ -983,7 +1012,16 @@ class HTTPConnection:
+         if self.__state != _CS_REQ_STARTED:
+             raise CannotSendHeader()
+ 
+-        hdr = '%s: %s' % (header, '\r\n\t'.join([str(v) for v in values]))
++        header = '%s' % header
++        if not _is_legal_header_name(header):
++            raise ValueError('Invalid header name %r' % (header,))
++
++        values = [str(v) for v in values]
++        for one_value in values:
++            if _is_illegal_header_value(one_value):
++                raise ValueError('Invalid header value %r' % (one_value,))
++
++        hdr = '%s: %s' % (header, '\r\n\t'.join(values))
+         self._output(hdr)
+ 
+     def endheaders(self, message_body=None):
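Review bot: The rejection is raised as ValueError, which sits outside httplib's own exception hierarchy: CannotSendHeader, raised three lines earlier in the same method, is an HTTPException, so callers that wrap putheader in `except HTTPException` will not catch the new error. That matches the upstream commit, but the Debian changelog should mention the new exception type. Also note the scope of the fix: only putheader is hardened here, while the method and URL passed to putrequest are not touched by this hunk, so the changelog wording "HTTP header injection" should not be read as covering the request line.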
+diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
+--- a/Lib/test/test_httplib.py
++++ b/Lib/test/test_httplib.py
+@@ -145,6 +145,33 @@ class HeaderTests(TestCase):
+         conn.putheader('Content-length',42)
+         self.assertIn('Content-length: 42', conn._buffer)
+ 
++        conn.putheader('Foo', ' bar ')
++        self.assertIn(b'Foo:  bar ', conn._buffer)
++        conn.putheader('Bar', '\tbaz\t')
++        self.assertIn(b'Bar: \tbaz\t', conn._buffer)
++        conn.putheader('Authorization', 'Bearer mytoken')
++        self.assertIn(b'Authorization: Bearer mytoken', conn._buffer)
++        conn.putheader('IterHeader', 'IterA', 'IterB')
++        self.assertIn(b'IterHeader: IterA\r\n\tIterB', conn._buffer)
++        conn.putheader('LatinHeader', b'\xFF')
++        self.assertIn(b'LatinHeader: \xFF', conn._buffer)
++        conn.putheader('Utf8Header', b'\xc3\x80')
++        self.assertIn(b'Utf8Header: \xc3\x80', conn._buffer)
++        conn.putheader('C1-Control', b'next\x85line')
++        self.assertIn(b'C1-Control: next\x85line', conn._buffer)
++        conn.putheader('Embedded-Fold-Space', 'is\r\n allowed')
++        self.assertIn(b'Embedded-Fold-Space: is\r\n allowed', conn._buffer)
++        conn.putheader('Embedded-Fold-Tab', 'is\r\n\tallowed')
++        self.assertIn(b'Embedded-Fold-Tab: is\r\n\tallowed', conn._buffer)
++        conn.putheader('Key Space', 'value')
++        self.assertIn(b'Key Space: value', conn._buffer)
++        conn.putheader('KeySpace ', 'value')
++        self.assertIn(b'KeySpace : value', conn._buffer)
++        conn.putheader(b'Nonbreak\xa0Space', 'value')
++        self.assertIn(b'Nonbreak\xa0Space: value', conn._buffer)
++        conn.putheader(b'\xa0NonbreakSpace', 'value')
++        self.assertIn(b'\xa0NonbreakSpace: value', conn._buffer)
++
+     def test_ipv6host_header(self):
+         # Default host header on IPv6 transaction should wrapped by [] if
+         # its actual IPv6 address
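Review bot: The accepted-header assertions pin behaviour that RFC 7230, cited in the patch, forbids a sender to generate: 'Embedded-Fold-Space' and 'Embedded-Fold-Tab' assert that obs-fold values reach the output buffer, and 'Key Space' and 'KeySpace ' assert that whitespace inside and after a field-name is passed through. A short comment above these cases saying they are compatibility allowances being preserved, not endorsed behaviour, would stop a later reader from taking the test as the specification.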
+@@ -174,6 +201,35 @@ class HeaderTests(TestCase):
+         self.assertEqual(resp.getheader('First'), 'val')
+         self.assertEqual(resp.getheader('Second'), 'val')
+ 
++    def test_invalid_headers(self):
++        conn = httplib.HTTPConnection('example.com')
++        conn.sock = FakeSocket('')
++        conn.putrequest('GET', '/')
++
++        # http://tools.ietf.org/html/rfc7230#section-3.2.4, whitespace is no
++        # longer allowed in header names
++        cases = (
++            (b'Invalid\r\nName', b'ValidValue'),
++            (b'Invalid\rName', b'ValidValue'),
++            (b'Invalid\nName', b'ValidValue'),
++            (b'\r\nInvalidName', b'ValidValue'),
++            (b'\rInvalidName', b'ValidValue'),
++            (b'\nInvalidName', b'ValidValue'),
++            (b' InvalidName', b'ValidValue'),
++            (b'\tInvalidName', b'ValidValue'),
++            (b'Invalid:Name', b'ValidValue'),
++            (b':InvalidName', b'ValidValue'),
++            (b'ValidName', b'Invalid\r\nValue'),
++            (b'ValidName', b'Invalid\rValue'),
++            (b'ValidName', b'Invalid\nValue'),
++            (b'ValidName', b'InvalidValue\r\n'),
++            (b'ValidName', b'InvalidValue\r'),
++            (b'ValidName', b'InvalidValue\n'),
++        )
++        for name, value in cases:
++            with self.assertRaisesRegexp(ValueError, 'Invalid header'):
++                conn.putheader(name, value)
++
+ 
+ class BasicTest(TestCase):
+     def test_status_lines(self):
+
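Review bot: The comment "whitespace is no longer allowed in header names" overstates what the regex enforces. Only a leading whitespace character is rejected (the `' InvalidName'` and `'\tInvalidName'` cases), while the preceding test block explicitly accepts 'Key Space' and 'KeySpace '; reword it to "leading whitespace". The case table also lacks the boundary inputs that a compatibility-driven regex most needs pinned: an empty name (`b''`, rejected because `\A[^:\s]` needs a first character) and a value that is a bare `b'\r'` or `b'\n'` with nothing after it (rejected by the lookaheads); adding them would guard against a future loosening of the patterns.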

--- End Message ---
--- Begin Message ---
Version: 8.6

The updates referred to in each of these bugs were included in today's
stable point release.

Regards,

Adam

--- End Message ---
