
Bug#966272: marked as done (buster-pu: package python3.7/3.7.3-2+deb10u2)



Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #966272,
regarding buster-pu: package python3.7/3.7.3-2+deb10u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
966272: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966272
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Fixes three minor security issues, debdiff attached.

Cheers,
        Moritz
diff -Nru python3.7-3.7.3/debian/changelog python3.7-3.7.3/debian/changelog
--- python3.7-3.7.3/debian/changelog	2019-12-20 18:01:46.000000000 +0100
+++ python3.7-3.7.3/debian/changelog	2020-07-25 15:00:39.000000000 +0200
@@ -1,3 +1,11 @@
+python3.7 (3.7.3-2+deb10u2) buster; urgency=medium
+
+  * CVE-2019-20907
+  * CVE-2020-14422
+  * CVE-2020-8492
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Sat, 25 Jul 2020 15:03:44 +0200
+
 python3.7 (3.7.3-2+deb10u1) buster; urgency=medium
 
   * CVE-2019-9740
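Review bot: the three new changelog entries (`+  * CVE-2019-20907` through `+  * CVE-2020-8492`) give only the CVE identifiers with no indication of what each one fixes, which makes the stable changelog hard to read when triaging an upgrade. Suggest one short clause per entry, e.g. `CVE-2019-20907: tarfile: infinite loop on crafted pax header`, `CVE-2020-14422: ipaddress: constant hash for IPv4Interface/IPv6Interface`, `CVE-2020-8492: urllib: regular expression denial of service in AbstractBasicAuthHandler`.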
diff -Nru python3.7-3.7.3/debian/patches/CVE-2019-20907.diff python3.7-3.7.3/debian/patches/CVE-2019-20907.diff
--- python3.7-3.7.3/debian/patches/CVE-2019-20907.diff	1970-01-01 01:00:00.000000000 +0100
+++ python3.7-3.7.3/debian/patches/CVE-2019-20907.diff	2020-07-22 18:02:59.000000000 +0200
@@ -0,0 +1,26 @@
+From 79c6b602efc9a906c8496f3d5f4d54c54b48fa06 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Wed, 15 Jul 2020 05:35:08 -0700
+Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module
+ (GH-21454) (GH-21484)
+
+Avoid infinite loop when reading specially crafted TAR files using the tarfile module
+(CVE-2019-20907).
+(cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4)
+
+Co-authored-by: Rishi <rishi_devan@mail.com>
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index 3b596cbf49d27..3be5188c8b0a2 100755
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -1233,6 +1233,8 @@ def _proc_pax(self, tarfile):
+ 
+             length, keyword = match.groups()
+             length = int(length)
++            if length == 0:
++                raise InvalidHeaderError("invalid header")
+             value = buf[match.end(2) + 1:match.start(1) + length - 1]
+ 
+             # Normally, we could just use "utf-8" as the encoding and "strict"
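Review bot: the new check at `+            if length == 0:` rejects a pax record whose declared length is zero, which is what kept the record loop from ever advancing; that is the right fix, but this patch file carries only the `Lib/tarfile.py` change and no regression test, unlike the CVE-2020-14422 patch in the same upload which does add tests. Suggest adding a test that a pax header containing a zero-length record raises `InvalidHeaderError` instead of hanging, so the backport is actually exercised by the package's test suite rather than only by inspection.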
diff -Nru python3.7-3.7.3/debian/patches/CVE-2020-14422.diff python3.7-3.7.3/debian/patches/CVE-2020-14422.diff
--- python3.7-3.7.3/debian/patches/CVE-2020-14422.diff	1970-01-01 01:00:00.000000000 +0100
+++ python3.7-3.7.3/debian/patches/CVE-2020-14422.diff	2020-07-22 18:02:59.000000000 +0200
@@ -0,0 +1,62 @@
+From b98e7790c77a4378ec4b1c71b84138cb930b69b7 Mon Sep 17 00:00:00 2001
+From: Tapas Kundu <39723251+tapakund@users.noreply.github.com>
+Date: Wed, 1 Jul 2020 00:50:21 +0530
+Subject: [PATCH] [3.7] bpo-41004: Resolve hash collisions for IPv4Interface
+ and IPv6Interface (GH-21033) (GH-21231)
+
+CVE-2020-14422
+The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
+of generating constant hash values of 32 and 128 respectively causing hash collisions.
+The fix uses the hash() function to generate hash values for the objects
+instead of XOR operation
+(cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28)
+
+Co-authored-by: Ravi Teja P <rvteja92@gmail.com>
+
+Signed-off-by: Tapas Kundu <tkundu@vmware.com>
+---
+
+diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
+index 80249288d73ab..54882934c3dc1 100644
+--- a/Lib/ipaddress.py
++++ b/Lib/ipaddress.py
+@@ -1442,7 +1442,7 @@ def __lt__(self, other):
+             return False
+ 
+     def __hash__(self):
+-        return self._ip ^ self._prefixlen ^ int(self.network.network_address)
++        return hash((self._ip, self._prefixlen, int(self.network.network_address)))
+ 
+     __reduce__ = _IPAddressBase.__reduce__
+ 
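Review bot: the removed expression `-        return self._ip ^ self._prefixlen ^ int(self.network.network_address)` XORs the address against its own network address; for a host interface (the default when no prefix is given) those two values are equal and cancel out, leaving just the prefix length, which is exactly the constant 32/128 the commit message describes. The replacement `hash((self._ip, self._prefixlen, int(self.network.network_address)))` fixes that, but a one-line comment above the new `__hash__` saying why a tuple hash is used would stop a future cleanup from reintroducing the XOR.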
+@@ -2088,7 +2088,7 @@ def __lt__(self, other):
+             return False
+ 
+     def __hash__(self):
+-        return self._ip ^ self._prefixlen ^ int(self.network.network_address)
++        return hash((self._ip, self._prefixlen, int(self.network.network_address)))
+ 
+     __reduce__ = _IPAddressBase.__reduce__
+ 
+diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
+index 455b893fb126f..1fb6a929dc2d9 100644
+--- a/Lib/test/test_ipaddress.py
++++ b/Lib/test/test_ipaddress.py
+@@ -2091,6 +2091,17 @@ def testsixtofour(self):
+                          sixtofouraddr.sixtofour)
+         self.assertFalse(bad_addr.sixtofour)
+ 
++    # issue41004 Hash collisions in IPv4Interface and IPv6Interface
++    def testV4HashIsNotConstant(self):
++        ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4")
++        ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5")
++        self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__())
++
++    # issue41004 Hash collisions in IPv4Interface and IPv6Interface
++    def testV6HashIsNotConstant(self):
++        ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")
++        ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")
++        self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__())
+ 
+ if __name__ == '__main__':
+     unittest.main()
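Review bot: the new tests `testV4HashIsNotConstant` and `testV6HashIsNotConstant` call `.__hash__()` directly; `hash(ipv4_address1)` is the idiomatic spelling and is what `dict` and `set` actually invoke. They also only check that two distinct host interfaces hash differently; suggest adding the complementary assertion that two equal interfaces (the same address constructed twice) hash equal, which pins the hash/equality contract the fix must preserve.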
diff -Nru python3.7-3.7.3/debian/patches/CVE-2020-8492.diff python3.7-3.7.3/debian/patches/CVE-2020-8492.diff
--- python3.7-3.7.3/debian/patches/CVE-2020-8492.diff	1970-01-01 01:00:00.000000000 +0100
+++ python3.7-3.7.3/debian/patches/CVE-2020-8492.diff	2020-07-25 14:59:50.000000000 +0200
@@ -0,0 +1,25 @@
+Backport of b57a73694e26e8b2391731b5ee0b1be59437388e to only cover
+the CVE-2020-8492 fix without the AbstractBasicAuthHandler change
+
+diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
+index 0d3f9670fef40..4f42919b09eae 100644
+--- a/Lib/urllib/request.py
++++ b/Lib/urllib/request.py
+@@ -944,8 +944,15 @@ class AbstractBasicAuthHandler:
+ 
+     # allow for double- and single-quoted realm values
+     # (single quotes are a violation of the RFC, but appear in the wild)
+-    rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
+-                    'realm=(["\']?)([^"\']*)\\2', re.I)
++    rx = re.compile('(?:^|,)'   # start of the string or ','
++                    '[ \t]*'    # optional whitespaces
++                    '([^ \t]+)' # scheme like "Basic"
++                    '[ \t]+'    # mandatory whitespaces
++                    # realm=xxx
++                    # realm='xxx'
++                    # realm="xxx"
++                    'realm=(["\']?)([^"\']*)\\2',
++                    re.I)
+ 
+     # XXX could pre-emptively send auth info already accepted (RFC 2617,
+     # end of section 2, and section 1.2 immediately after "credentials"
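Review bot: replacing the leading `(?:.*,)*` with `(?:^|,)` removes the nested, overlapping quantifier that lets matching time grow super-linearly on a long authentication header value, which is the CVE-2020-8492 issue; since the pattern is compiled with only `re.I`, `^` matches solely at the start of the header value, which is what is wanted here. Two small points: the comment `# optional whitespaces` should read `# optional whitespace`, and the patch header says the `AbstractBasicAuthHandler` handling change from upstream b57a73694e26e8b2391731b5ee0b1be59437388e was deliberately left out, so it would help to record there why it was dropped (behaviour change versus minimal fix) for whoever next refreshes this file.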
diff -Nru python3.7-3.7.3/debian/patches/series python3.7-3.7.3/debian/patches/series
--- python3.7-3.7.3/debian/patches/series	2019-12-20 17:58:50.000000000 +0100
+++ python3.7-3.7.3/debian/patches/series	2020-07-22 18:03:39.000000000 +0200
@@ -43,3 +43,7 @@
 CVE-2019-10160-2.diff
 CVE-2019-16056.diff
 CVE-2019-16935.diff
+CVE-2019-20907.diff
+CVE-2020-14422.diff
+CVE-2020-8492.diff
+
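Review bot: the last added line of this hunk (a bare `+` with nothing after it) appends a trailing blank line to debian/patches/series; quilt tolerates it, but it is stray and will show up as churn in the next debdiff. Suggest dropping it so the file ends after `CVE-2020-8492.diff`.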

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
