- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package python3.7/3.7.3-2+deb10u2
- From: Moritz Muehlenhoff <jmm@debian.org>
- Date: Sat, 25 Jul 2020 20:22:21 +0200
- Message-id: <159570134121.240253.14761409430707552935.reportbug@hullmann.westfalen.local>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Fixes three minor security issues, debdiff attached.
Cheers,
Moritz
diff -Nru python3.7-3.7.3/debian/changelog python3.7-3.7.3/debian/changelog
--- python3.7-3.7.3/debian/changelog 2019-12-20 18:01:46.000000000 +0100
+++ python3.7-3.7.3/debian/changelog 2020-07-25 15:00:39.000000000 +0200
@@ -1,3 +1,11 @@
+python3.7 (3.7.3-2+deb10u2) buster; urgency=medium
+
+ * CVE-2019-20907
+ * CVE-2020-14422
+ * CVE-2020-8492
+
+ -- Moritz Mühlenhoff <jmm@debian.org> Sat, 25 Jul 2020 15:03:44 +0200
+
python3.7 (3.7.3-2+deb10u1) buster; urgency=medium
* CVE-2019-9740
diff -Nru python3.7-3.7.3/debian/patches/CVE-2019-20907.diff python3.7-3.7.3/debian/patches/CVE-2019-20907.diff
--- python3.7-3.7.3/debian/patches/CVE-2019-20907.diff 1970-01-01 01:00:00.000000000 +0100
+++ python3.7-3.7.3/debian/patches/CVE-2019-20907.diff 2020-07-22 18:02:59.000000000 +0200
@@ -0,0 +1,26 @@
+From 79c6b602efc9a906c8496f3d5f4d54c54b48fa06 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Wed, 15 Jul 2020 05:35:08 -0700
+Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module
+ (GH-21454) (GH-21484)
+
+Avoid infinite loop when reading specially crafted TAR files using the tarfile module
+(CVE-2019-20907).
+(cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4)
+
+Co-authored-by: Rishi <rishi_devan@mail.com>
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index 3b596cbf49d27..3be5188c8b0a2 100755
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -1233,6 +1233,8 @@ def _proc_pax(self, tarfile):
+
+ length, keyword = match.groups()
+ length = int(length)
++ if length == 0:
++ raise InvalidHeaderError("invalid header")
+ value = buf[match.end(2) + 1:match.start(1) + length - 1]
+
+ # Normally, we could just use "utf-8" as the encoding and "strict"
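Review bot: The new guard rejects only `length == 0`, which is the minimum needed for the parse to advance, but a record whose declared length is shorter than its own `N keyword=` prefix still passes, and the slice on the following line, `buf[match.end(2) + 1:match.start(1) + length - 1]`, then silently yields an empty or truncated value. A stricter check such as `if length < match.end(2) - match.start(1) + 2: raise InvalidHeaderError("invalid header")` would reject those records too; since this is a cherry-pick of the upstream commit, deviating from it is a judgement call for the backport. Either way the bare `if length == 0:` deserves a why-comment, e.g. `# A zero-length record would never advance the parse position (CVE-2019-20907)`. `_proc_pax` starts and ends outside the hunk, so the loop that presumably advances by `length` is not visible here.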
diff -Nru python3.7-3.7.3/debian/patches/CVE-2020-14422.diff python3.7-3.7.3/debian/patches/CVE-2020-14422.diff
--- python3.7-3.7.3/debian/patches/CVE-2020-14422.diff 1970-01-01 01:00:00.000000000 +0100
+++ python3.7-3.7.3/debian/patches/CVE-2020-14422.diff 2020-07-22 18:02:59.000000000 +0200
@@ -0,0 +1,62 @@
+From b98e7790c77a4378ec4b1c71b84138cb930b69b7 Mon Sep 17 00:00:00 2001
+From: Tapas Kundu <39723251+tapakund@users.noreply.github.com>
+Date: Wed, 1 Jul 2020 00:50:21 +0530
+Subject: [PATCH] [3.7] bpo-41004: Resolve hash collisions for IPv4Interface
+ and IPv6Interface (GH-21033) (GH-21231)
+
+CVE-2020-14422
+The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
+of generating constant hash values of 32 and 128 respectively causing hash collisions.
+The fix uses the hash() function to generate hash values for the objects
+instead of XOR operation
+(cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28)
+
+Co-authored-by: Ravi Teja P <rvteja92@gmail.com>
+
+Signed-off-by: Tapas Kundu <tkundu@vmware.com>
+---
+
+diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
+index 80249288d73ab..54882934c3dc1 100644
+--- a/Lib/ipaddress.py
++++ b/Lib/ipaddress.py
+@@ -1442,7 +1442,7 @@ def __lt__(self, other):
+ return False
+
+ def __hash__(self):
+- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
++ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
+
+ __reduce__ = _IPAddressBase.__reduce__
+
+@@ -2088,7 +2088,7 @@ def __lt__(self, other):
+ return False
+
+ def __hash__(self):
+- return self._ip ^ self._prefixlen ^ int(self.network.network_address)
++ return hash((self._ip, self._prefixlen, int(self.network.network_address)))
+
+ __reduce__ = _IPAddressBase.__reduce__
+
+diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
+index 455b893fb126f..1fb6a929dc2d9 100644
+--- a/Lib/test/test_ipaddress.py
++++ b/Lib/test/test_ipaddress.py
+@@ -2091,6 +2091,17 @@ def testsixtofour(self):
+ sixtofouraddr.sixtofour)
+ self.assertFalse(bad_addr.sixtofour)
+
++ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
++ def testV4HashIsNotConstant(self):
++ ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4")
++ ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5")
++ self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__())
++
++ # issue41004 Hash collisions in IPv4Interface and IPv6Interface
++ def testV6HashIsNotConstant(self):
++ ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")
++ ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")
++ self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__())
+
+ if __name__ == '__main__':
+ unittest.main()
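Review bot: The two new tests assert only that two distinct interfaces hash differently, which pins the symptom but not the `__eq__`/`__hash__` contract the fix must preserve; add a check that equal interfaces still hash equal, e.g. `self.assertEqual(hash(ipaddress.IPv4Interface("1.2.3.4/24")), hash(ipaddress.IPv4Interface("1.2.3.4/24")))`, and one showing that the same address with a different prefix length now differs, since `_prefixlen` is a hash input. Calling `hash(x)` rather than `x.__hash__()` in the assertions matches how dict and set lookups actually invoke it. The `__hash__` change itself looks right: hashing the tuple avoids the cancellation in `self._ip ^ self._prefixlen ^ int(self.network.network_address)` for host-length prefixes, where the two address terms are equal and the result collapsed to the prefix length. The enclosing classes and their `__eq__` are outside the hunk, so whether equality compares exactly these three fields cannot be confirmed here.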
diff -Nru python3.7-3.7.3/debian/patches/CVE-2020-8492.diff python3.7-3.7.3/debian/patches/CVE-2020-8492.diff
--- python3.7-3.7.3/debian/patches/CVE-2020-8492.diff 1970-01-01 01:00:00.000000000 +0100
+++ python3.7-3.7.3/debian/patches/CVE-2020-8492.diff 2020-07-25 14:59:50.000000000 +0200
@@ -0,0 +1,25 @@
+Backport of b57a73694e26e8b2391731b5ee0b1be59437388e to only cover
+the CVE-2020-8492 fix without the AbstractBasicAuthHandler change
+
+diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
+index 0d3f9670fef40..4f42919b09eae 100644
+--- a/Lib/urllib/request.py
++++ b/Lib/urllib/request.py
+@@ -944,8 +944,15 @@ class AbstractBasicAuthHandler:
+
+ # allow for double- and single-quoted realm values
+ # (single quotes are a violation of the RFC, but appear in the wild)
+- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
+- 'realm=(["\']?)([^"\']*)\\2', re.I)
++ rx = re.compile('(?:^|,)' # start of the string or ','
++ '[ \t]*' # optional whitespaces
++ '([^ \t]+)' # scheme like "Basic"
++ '[ \t]+' # mandatory whitespaces
++ # realm=xxx
++ # realm='xxx'
++ # realm="xxx"
++ 'realm=(["\']?)([^"\']*)\\2',
++ re.I)
+
+ # XXX could pre-emptively send auth info already accepted (RFC 2617,
+ # end of section 2, and section 1.2 immediately after "credentials"
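Review bot: The pattern change alters which challenge `rx` selects when a header carries several comma-separated challenges, and the code that consumes `rx` is outside the hunk: the old `(?:.*,)*` prefix was greedy and, under a `search()`, would settle on the last `scheme realm=` group, whereas `(?:^|,)` settles on the first. The header note says the accompanying AbstractBasicAuthHandler change was deliberately left out of this backport, so a quick check with a header like `Basic realm="a", Basic realm="b"` is worth running to confirm the realm now picked is acceptable to the caller; presumably first-match is the safer behaviour, but that should be verified rather than assumed. I would also record why the pattern was rewritten next to it, e.g. `# CVE-2020-8492: the former '(?:.*,)*' prefix suffers catastrophic backtracking on a long header`, since the inline comments describe the regex's shape but not the reason for the change.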
diff -Nru python3.7-3.7.3/debian/patches/series python3.7-3.7.3/debian/patches/series
--- python3.7-3.7.3/debian/patches/series 2019-12-20 17:58:50.000000000 +0100
+++ python3.7-3.7.3/debian/patches/series 2020-07-22 18:03:39.000000000 +0200
@@ -43,3 +43,7 @@
CVE-2019-10160-2.diff
CVE-2019-16056.diff
CVE-2019-16935.diff
+CVE-2019-20907.diff
+CVE-2020-14422.diff
+CVE-2020-8492.diff
+