Bug#987957: unblock: pypy/7.3.3+dfsg-2 pypy3/7.3.3+dfsg-4
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock packages pypy & pypy3:
pypy (7.3.3+dfsg-2) unstable; urgency=medium
.
* Move pypy dependencies to Pre-Depends, as the pypy binary is used in
package maintainer scripts. (Closes: #987213)
pypy3 (7.3.3+dfsg-4) unstable; urgency=medium
.
* Move pypy3 dependencies to Pre-Depends, as the pypy3 binary is used in
package maintainer scripts. (Closes: #987908)
* Remove pydoc getfile feature. (CVE-2021-3426)
* security: Restrict ftplib PASV hosts (no CVE assigned).
[ Reason ]
Promoting pypy dependencies from Depends to Pre-Depends, so that
reverse-dependencies maintainer script execution is delayed until pypy's
dependencies are in in place. (See: #987213)
pypy3 (not a key package) gets the same patch, and a couple of security
updates from upstream hg.
[ Impact ]
Upgrades of pypy libraries from buster to bullseye may fail, without
this patch.
[ Tests ]
autopkgtests verify the broad functionality of the language. piuparts
testing will be the best way to see that upgrading is now reliable.
[ Risks ]
Increasing Pre-Depends isn't ideal, and some of these libraries aren't
needed for pypycompile/pypy3compile to run. But manually splitting the
Pre-Depends and Depends risks more complexity and mistakes in the
future.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[ ] attach debdiff against the package in testing
unblock pypy/7.3.3+dfsg-2
unblock pypy3/7.3.3+dfsg-4
SR
diff -Nru pypy3-7.3.3+dfsg/debian/changelog pypy3-7.3.3+dfsg/debian/changelog
--- pypy3-7.3.3+dfsg/debian/changelog 2021-02-25 14:55:51.000000000 -0400
+++ pypy3-7.3.3+dfsg/debian/changelog 2021-05-02 12:34:45.000000000 -0400
@@ -1,3 +1,12 @@
+pypy3 (7.3.3+dfsg-4) unstable; urgency=medium
+
+ * Move pypy3 dependencies to Pre-Depends, as the pypy3 binary is used in
+ package maintainer scripts. (Closes: #987908)
+ * Remove pydoc getfile feature. (CVE-2021-3426)
+ * security: Restrict ftplib PASV hosts (no CVE assigned).
+
+ -- Stefano Rivera <stefanor@debian.org> Sun, 02 May 2021 12:34:45 -0400
+
pypy3 (7.3.3+dfsg-3) unstable; urgency=medium
* Patch: CVE-2021-23336: Only use '&' as a query string separator.
diff -Nru pypy3-7.3.3+dfsg/debian/control pypy3-7.3.3+dfsg/debian/control
--- pypy3-7.3.3+dfsg/debian/control 2021-02-25 14:55:51.000000000 -0400
+++ pypy3-7.3.3+dfsg/debian/control 2021-05-02 12:34:45.000000000 -0400
@@ -36,11 +36,15 @@
Package: pypy3
Architecture: any
-Depends: pypy3-lib (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Depends: ${misc:Depends}
Breaks: pypy3-dev (<< ${source:Version})
Provides: ${pypy3-abi}
Suggests: pypy3-doc, pypy3-tk (= ${binary:Version})
-Pre-Depends: dpkg (>= 1.15.6~), ${misc:Pre-Depends}
+Pre-Depends:
+ dpkg (>= 1.15.6~),
+ pypy3-lib (= ${binary:Version}),
+ ${misc:Pre-Depends},
+ ${shlibs:Pre-Depends}
Description: fast alternative implementation of Python 3.x - PyPy interpreter
PyPy is a fast, compliant alternative implementation of the Python language
(3.x). It has several advantages and distinct features:
diff -Nru pypy3-7.3.3+dfsg/debian/patches/cve-2021-3426 pypy3-7.3.3+dfsg/debian/patches/cve-2021-3426
--- pypy3-7.3.3+dfsg/debian/patches/cve-2021-3426 1969-12-31 20:00:00.000000000 -0400
+++ pypy3-7.3.3+dfsg/debian/patches/cve-2021-3426 2021-05-02 12:34:45.000000000 -0400
@@ -0,0 +1,77 @@
+From: Matti Picus <matti.picus@gmail.com>
+Date: Sun, 2 May 2021 10:57:58 -0400
+Subject: Stdlib: Remove the pydoc getfile feature (bpo 42988) (CVE-2021-3426)
+
+Bug-cPython: https://bugs.python.org/issue42988
+Origin: upstream, https://foss.heptapod.net/pypy/pypy/-/commit/f66a96388f8a0ba125005d5d524a31dfd3878a18
+---
+ lib-python/3/pydoc.py | 18 ------------------
+ lib-python/3/test/test_pydoc.py | 6 ------
+ 2 files changed, 24 deletions(-)
+
+diff --git a/lib-python/3/pydoc.py b/lib-python/3/pydoc.py
+index b521a55..5247ef9 100644
+--- a/lib-python/3/pydoc.py
++++ b/lib-python/3/pydoc.py
+@@ -2312,9 +2312,6 @@ def _url_handler(url, content_type="text/html"):
+ %s</head><body bgcolor="#f0f0f8">%s<div style="clear:both;padding-top:.5em;">%s</div>
+ </body></html>''' % (title, css_link, html_navbar(), contents)
+
+- def filelink(self, url, path):
+- return '<a href="getfile?key=%s">%s</a>' % (url, path)
+-
+
+ html = _HTMLDoc()
+
+@@ -2400,19 +2397,6 @@ def _url_handler(url, content_type="text/html"):
+ 'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results))
+ return 'Search Results', contents
+
+- def html_getfile(path):
+- """Get and display a source file listing safely."""
+- path = urllib.parse.unquote(path)
+- with tokenize.open(path) as fp:
+- lines = html.escape(fp.read())
+- body = '<pre>%s</pre>' % lines
+- heading = html.heading(
+- '<big><big><strong>File Listing</strong></big></big>',
+- '#ffffff', '#7799ee')
+- contents = heading + html.bigsection(
+- 'File: %s' % path, '#ffffff', '#ee77aa', body)
+- return 'getfile %s' % path, contents
+-
+ def html_topics():
+ """Index of topic texts available."""
+
+@@ -2504,8 +2488,6 @@ def _url_handler(url, content_type="text/html"):
+ op, _, url = url.partition('=')
+ if op == "search?key":
+ title, content = html_search(url)
+- elif op == "getfile?key":
+- title, content = html_getfile(url)
+ elif op == "topic?key":
+ # try topics first, then objects.
+ try:
+diff --git a/lib-python/3/test/test_pydoc.py b/lib-python/3/test/test_pydoc.py
+index ff903d6..2d18217 100644
+--- a/lib-python/3/test/test_pydoc.py
++++ b/lib-python/3/test/test_pydoc.py
+@@ -1070,18 +1070,12 @@ class PydocUrlHandlerTest(PydocBaseTest):
+ ("topic?key=def", "Pydoc: KEYWORD def"),
+ ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
+ ("foobar", "Pydoc: Error - foobar"),
+- ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
+ ]
+
+ with self.restrict_walk_packages():
+ for url, title in requests:
+ self.call_url_handler(url, title)
+
+- path = string.__file__
+- title = "Pydoc: getfile " + path
+- url = "getfile?key=" + path
+- self.call_url_handler(url, title)
+-
+
+ class TestHelper(unittest.TestCase):
+ def test_keywords(self):
diff -Nru pypy3-7.3.3+dfsg/debian/patches/distutils-install-layout pypy3-7.3.3+dfsg/debian/patches/distutils-install-layout
--- pypy3-7.3.3+dfsg/debian/patches/distutils-install-layout 2021-02-25 14:55:51.000000000 -0400
+++ pypy3-7.3.3+dfsg/debian/patches/distutils-install-layout 2021-05-02 12:34:45.000000000 -0400
@@ -190,7 +190,7 @@
_config_vars = None
diff --git a/lib-python/3/pydoc.py b/lib-python/3/pydoc.py
-index b521a55..d528ffa 100644
+index 5247ef9..2ec5b96 100644
--- a/lib-python/3/pydoc.py
+++ b/lib-python/3/pydoc.py
@@ -413,6 +413,7 @@ class Doc:
diff -Nru pypy3-7.3.3+dfsg/debian/patches/ftplib-restrict-pasv pypy3-7.3.3+dfsg/debian/patches/ftplib-restrict-pasv
--- pypy3-7.3.3+dfsg/debian/patches/ftplib-restrict-pasv 1969-12-31 20:00:00.000000000 -0400
+++ pypy3-7.3.3+dfsg/debian/patches/ftplib-restrict-pasv 2021-05-02 12:34:45.000000000 -0400
@@ -0,0 +1,91 @@
+From: Matti Picus <matti.picus@gmail.com>
+Date: Sun, 2 May 2021 11:01:59 -0400
+Subject: Stdlib: make ftplib not trust the PASV response (bpo 43285)
+
+Bug-cPython: https://bugs.python.org/issue43285
+Orgin: upstream, https://foss.heptapod.net/pypy/pypy/-/commit/2a9ed841f7acf38718bafe61e571b1b9a2d8b353
+---
+ lib-python/3/ftplib.py | 9 ++++++++-
+ lib-python/3/test/test_ftplib.py | 27 ++++++++++++++++++++++++++-
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/lib-python/3/ftplib.py b/lib-python/3/ftplib.py
+index 2ff251a..385e432 100644
+--- a/lib-python/3/ftplib.py
++++ b/lib-python/3/ftplib.py
+@@ -104,6 +104,8 @@ class FTP:
+ welcome = None
+ passiveserver = 1
+ encoding = "latin-1"
++ # Disables https://bugs.python.org/issue43285 security if set to True.
++ trust_server_pasv_ipv4_address = False
+
+ # Initialization method (called by class instantiation).
+ # Initialize host to localhost, port to standard ftp port
+@@ -333,8 +335,13 @@ class FTP:
+ return sock
+
+ def makepasv(self):
++ """Internal: Does the PASV or EPSV handshake -> (address, port)"""
+ if self.af == socket.AF_INET:
+- host, port = parse227(self.sendcmd('PASV'))
++ untrusted_host, port = parse227(self.sendcmd('PASV'))
++ if self.trust_server_pasv_ipv4_address:
++ host = untrusted_host
++ else:
++ host = self.sock.getpeername()[0]
+ else:
+ host, port = parse229(self.sendcmd('EPSV'), self.sock.getpeername())
+ return host, port
+diff --git a/lib-python/3/test/test_ftplib.py b/lib-python/3/test/test_ftplib.py
+index 4ff2f71..3ca7cc1 100644
+--- a/lib-python/3/test/test_ftplib.py
++++ b/lib-python/3/test/test_ftplib.py
+@@ -94,6 +94,10 @@ class DummyFTPHandler(asynchat.async_chat):
+ self.rest = None
+ self.next_retr_data = RETR_DATA
+ self.push('220 welcome')
++ # We use this as the string IPv4 address to direct the client
++ # to in response to a PASV command. To test security behavior.
++ # https://bugs.python.org/issue43285/.
++ self.fake_pasv_server_ip = '252.253.254.255'
+
+ def collect_incoming_data(self, data):
+ self.in_buffer.append(data)
+@@ -136,7 +140,8 @@ class DummyFTPHandler(asynchat.async_chat):
+ sock.bind((self.socket.getsockname()[0], 0))
+ sock.listen()
+ sock.settimeout(TIMEOUT)
+- ip, port = sock.getsockname()[:2]
++ port = sock.getsockname()[1]
++ ip = self.fake_pasv_server_ip
+ ip = ip.replace('.', ','); p1 = port / 256; p2 = port % 256
+ self.push('227 entering passive mode (%s,%d,%d)' %(ip, p1, p2))
+ conn, addr = sock.accept()
+@@ -694,6 +699,26 @@ class TestFTPClass(TestCase):
+ # IPv4 is in use, just make sure send_epsv has not been used
+ self.assertEqual(self.server.handler_instance.last_received_cmd, 'pasv')
+
++ def test_makepasv_issue43285_security_disabled(self):
++ """Test the opt-in to the old vulnerable behavior."""
++ self.client.trust_server_pasv_ipv4_address = True
++ bad_host, port = self.client.makepasv()
++ self.assertEqual(
++ bad_host, self.server.handler_instance.fake_pasv_server_ip)
++ # Opening and closing a connection keeps the dummy server happy
++ # instead of timing out on accept.
++ socket.create_connection((self.client.sock.getpeername()[0], port),
++ timeout=TIMEOUT).close()
++
++ def test_makepasv_issue43285_security_enabled_default(self):
++ self.assertFalse(self.client.trust_server_pasv_ipv4_address)
++ trusted_host, port = self.client.makepasv()
++ self.assertNotEqual(
++ trusted_host, self.server.handler_instance.fake_pasv_server_ip)
++ # Opening and closing a connection keeps the dummy server happy
++ # instead of timing out on accept.
++ socket.create_connection((trusted_host, port), timeout=TIMEOUT).close()
++
+ def test_with_statement(self):
+ self.client.quit()
+
diff -Nru pypy3-7.3.3+dfsg/debian/patches/series pypy3-7.3.3+dfsg/debian/patches/series
--- pypy3-7.3.3+dfsg/debian/patches/series 2021-02-25 14:55:51.000000000 -0400
+++ pypy3-7.3.3+dfsg/debian/patches/series 2021-05-02 12:34:45.000000000 -0400
@@ -12,6 +12,8 @@
platform-lsbrelease
rlcompleter-invalidterminal
fix-_crypt-imports
+cve-2021-3426
+ftplib-restrict-pasv
core-utf8-errors-ignore
core-type-annotation-scoping
fcntl-segfault
diff -Nru pypy3-7.3.3+dfsg/debian/rules pypy3-7.3.3+dfsg/debian/rules
--- pypy3-7.3.3+dfsg/debian/rules 2021-02-25 14:55:51.000000000 -0400
+++ pypy3-7.3.3+dfsg/debian/rules 2021-05-02 12:34:45.000000000 -0400
@@ -83,6 +83,10 @@
override_dh_compress:
dh_compress -X.inv -X.txt
+override_dh_shlibdeps-arch:
+ dh_shlibdeps --package=pypy3 -- -dPre-Depends
+ dh_shlibdeps --arch --remaining-packages
+
override_dh_installdeb:
set -e; for maintscript in preinst postinst prerm; do \
sed -e 's/#VERSION#/$(VER)/g' \
diff -Nru pypy-7.3.3+dfsg/debian/changelog pypy-7.3.3+dfsg/debian/changelog
--- pypy-7.3.3+dfsg/debian/changelog 2020-11-21 13:14:19.000000000 -0400
+++ pypy-7.3.3+dfsg/debian/changelog 2021-05-02 10:44:17.000000000 -0400
@@ -1,3 +1,10 @@
+pypy (7.3.3+dfsg-2) unstable; urgency=medium
+
+ * Move pypy dependencies to Pre-Depends, as the pypy binary is used in
+ package maintainer scripts. (Closes: #987213)
+
+ -- Stefano Rivera <stefanor@debian.org> Sun, 02 May 2021 10:44:17 -0400
+
pypy (7.3.3+dfsg-1) unstable; urgency=medium
* New upstream release (identical to RC1).
diff -Nru pypy-7.3.3+dfsg/debian/control pypy-7.3.3+dfsg/debian/control
--- pypy-7.3.3+dfsg/debian/control 2020-11-21 13:14:19.000000000 -0400
+++ pypy-7.3.3+dfsg/debian/control 2021-05-02 10:44:17.000000000 -0400
@@ -34,7 +34,8 @@
Package: pypy
Architecture: any
-Depends: pypy-lib (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Pre-Depends: pypy-lib (= ${binary:Version}), ${shlibs:Pre-Depends}
+Depends: ${misc:Depends}
Breaks:
pypy-backports.functools-lru-cache (<< 1.5-3~),
pypy-dev (<< ${source:Version})
diff -Nru pypy-7.3.3+dfsg/debian/rules pypy-7.3.3+dfsg/debian/rules
--- pypy-7.3.3+dfsg/debian/rules 2020-11-21 13:14:19.000000000 -0400
+++ pypy-7.3.3+dfsg/debian/rules 2021-05-02 10:44:17.000000000 -0400
@@ -73,6 +73,10 @@
override_dh_compress:
dh_compress -X.inv -X.txt
+override_dh_shlibdeps-arch:
+ dh_shlibdeps --package=pypy -- -dPre-Depends
+ dh_shlibdeps --arch --remaining-packages
+
override_dh_installdeb:
set -e; for maintscript in preinst postinst prerm; do \
sed -e 's/#VERSION#/$(VER)/g' \
Reply to: