[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#987957: marked as done (unblock: pypy/7.3.3+dfsg-2 pypy3/7.3.3+dfsg-4)

Your message dated Tue, 04 May 2021 09:38:30 +0000
with message-id <E1ldrVe-0004RO-OK@respighi.debian.org>
and subject line unblock pypy
has caused the Debian Bug report #987957,
regarding unblock: pypy/7.3.3+dfsg-2 pypy3/7.3.3+dfsg-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
987957: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987957
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock packages pypy & pypy3:

 pypy (7.3.3+dfsg-2) unstable; urgency=medium
 .
   * Move pypy dependencies to Pre-Depends, as the pypy binary is used in
     package maintainer scripts. (Closes: #987213)

 pypy3 (7.3.3+dfsg-4) unstable; urgency=medium
 .
   * Move pypy3 dependencies to Pre-Depends, as the pypy3 binary is used in
     package maintainer scripts. (Closes: #987908)
   * Remove pydoc getfile feature. (CVE-2021-3426)
   * security: Restrict ftplib PASV hosts (no CVE assigned).

[ Reason ]

Promoting pypy dependencies from Depends to Pre-Depends, so that
reverse-dependencies maintainer script execution is delayed until pypy's
dependencies are in in place. (See: #987213)

pypy3 (not a key package) gets the same patch, and a couple of security
updates from upstream hg.

[ Impact ]
Upgrades of pypy libraries from buster to bullseye may fail, without
this patch.

[ Tests ]
autopkgtests verify the broad functionality of the language. piuparts
testing will be the best way to see that upgrading is now reliable.

[ Risks ]
Increasing Pre-Depends isn't ideal, and some of these libraries aren't
needed for pypycompile/pypy3compile to run. But manually splitting the
Pre-Depends and Depends risks more complexity and mistakes in the
future.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in testing

unblock pypy/7.3.3+dfsg-2
unblock pypy3/7.3.3+dfsg-4

SR

diff -Nru pypy3-7.3.3+dfsg/debian/changelog pypy3-7.3.3+dfsg/debian/changelog
--- pypy3-7.3.3+dfsg/debian/changelog	2021-02-25 14:55:51.000000000 -0400
+++ pypy3-7.3.3+dfsg/debian/changelog	2021-05-02 12:34:45.000000000 -0400
@@ -1,3 +1,12 @@
+pypy3 (7.3.3+dfsg-4) unstable; urgency=medium
+
+  * Move pypy3 dependencies to Pre-Depends, as the pypy3 binary is used in
+    package maintainer scripts. (Closes: #987908)
+  * Remove pydoc getfile feature. (CVE-2021-3426)
+  * security: Restrict ftplib PASV hosts (no CVE assigned).
+
+ -- Stefano Rivera <stefanor@debian.org>  Sun, 02 May 2021 12:34:45 -0400
+
 pypy3 (7.3.3+dfsg-3) unstable; urgency=medium
 
   * Patch: CVE-2021-23336: Only use '&' as a query string separator.
diff -Nru pypy3-7.3.3+dfsg/debian/control pypy3-7.3.3+dfsg/debian/control
--- pypy3-7.3.3+dfsg/debian/control	2021-02-25 14:55:51.000000000 -0400
+++ pypy3-7.3.3+dfsg/debian/control	2021-05-02 12:34:45.000000000 -0400
@@ -36,11 +36,15 @@
 
 Package: pypy3
 Architecture: any
-Depends: pypy3-lib (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Depends: ${misc:Depends}
 Breaks: pypy3-dev (<< ${source:Version})
 Provides: ${pypy3-abi}
 Suggests: pypy3-doc, pypy3-tk (= ${binary:Version})
-Pre-Depends: dpkg (>= 1.15.6~), ${misc:Pre-Depends}
+Pre-Depends:
+ dpkg (>= 1.15.6~),
+ pypy3-lib (= ${binary:Version}),
+ ${misc:Pre-Depends},
+ ${shlibs:Pre-Depends}
 Description: fast alternative implementation of Python 3.x - PyPy interpreter
  PyPy is a fast, compliant alternative implementation of the Python language
  (3.x). It has several advantages and distinct features:
diff -Nru pypy3-7.3.3+dfsg/debian/patches/cve-2021-3426 pypy3-7.3.3+dfsg/debian/patches/cve-2021-3426
--- pypy3-7.3.3+dfsg/debian/patches/cve-2021-3426	1969-12-31 20:00:00.000000000 -0400
+++ pypy3-7.3.3+dfsg/debian/patches/cve-2021-3426	2021-05-02 12:34:45.000000000 -0400
@@ -0,0 +1,77 @@
+From: Matti Picus <matti.picus@gmail.com>
+Date: Sun, 2 May 2021 10:57:58 -0400
+Subject: Stdlib: Remove the pydoc getfile feature (bpo 42988) (CVE-2021-3426)
+
+Bug-cPython: https://bugs.python.org/issue42988
+Origin: upstream, https://foss.heptapod.net/pypy/pypy/-/commit/f66a96388f8a0ba125005d5d524a31dfd3878a18
+---
+ lib-python/3/pydoc.py           | 18 ------------------
+ lib-python/3/test/test_pydoc.py |  6 ------
+ 2 files changed, 24 deletions(-)
+
+diff --git a/lib-python/3/pydoc.py b/lib-python/3/pydoc.py
+index b521a55..5247ef9 100644
+--- a/lib-python/3/pydoc.py
++++ b/lib-python/3/pydoc.py
+@@ -2312,9 +2312,6 @@ def _url_handler(url, content_type="text/html"):
+ %s</head><body bgcolor="#f0f0f8">%s<div style="clear:both;padding-top:.5em;">%s</div>
+ </body></html>''' % (title, css_link, html_navbar(), contents)
+ 
+-        def filelink(self, url, path):
+-            return '<a href="getfile?key=%s">%s</a>' % (url, path)
+-
+ 
+     html = _HTMLDoc()
+ 
+@@ -2400,19 +2397,6 @@ def _url_handler(url, content_type="text/html"):
+             'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results))
+         return 'Search Results', contents
+ 
+-    def html_getfile(path):
+-        """Get and display a source file listing safely."""
+-        path = urllib.parse.unquote(path)
+-        with tokenize.open(path) as fp:
+-            lines = html.escape(fp.read())
+-        body = '<pre>%s</pre>' % lines
+-        heading = html.heading(
+-            '<big><big><strong>File Listing</strong></big></big>',
+-            '#ffffff', '#7799ee')
+-        contents = heading + html.bigsection(
+-            'File: %s' % path, '#ffffff', '#ee77aa', body)
+-        return 'getfile %s' % path, contents
+-
+     def html_topics():
+         """Index of topic texts available."""
+ 
+@@ -2504,8 +2488,6 @@ def _url_handler(url, content_type="text/html"):
+                 op, _, url = url.partition('=')
+                 if op == "search?key":
+                     title, content = html_search(url)
+-                elif op == "getfile?key":
+-                    title, content = html_getfile(url)
+                 elif op == "topic?key":
+                     # try topics first, then objects.
+                     try:
+diff --git a/lib-python/3/test/test_pydoc.py b/lib-python/3/test/test_pydoc.py
+index ff903d6..2d18217 100644
+--- a/lib-python/3/test/test_pydoc.py
++++ b/lib-python/3/test/test_pydoc.py
+@@ -1070,18 +1070,12 @@ class PydocUrlHandlerTest(PydocBaseTest):
+             ("topic?key=def", "Pydoc: KEYWORD def"),
+             ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
+             ("foobar", "Pydoc: Error - foobar"),
+-            ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
+             ]
+ 
+         with self.restrict_walk_packages():
+             for url, title in requests:
+                 self.call_url_handler(url, title)
+ 
+-            path = string.__file__
+-            title = "Pydoc: getfile " + path
+-            url = "getfile?key=" + path
+-            self.call_url_handler(url, title)
+-
+ 
+ class TestHelper(unittest.TestCase):
+     def test_keywords(self):
diff -Nru pypy3-7.3.3+dfsg/debian/patches/distutils-install-layout pypy3-7.3.3+dfsg/debian/patches/distutils-install-layout
--- pypy3-7.3.3+dfsg/debian/patches/distutils-install-layout	2021-02-25 14:55:51.000000000 -0400
+++ pypy3-7.3.3+dfsg/debian/patches/distutils-install-layout	2021-05-02 12:34:45.000000000 -0400
@@ -190,7 +190,7 @@
  
  _config_vars = None
 diff --git a/lib-python/3/pydoc.py b/lib-python/3/pydoc.py
-index b521a55..d528ffa 100644
+index 5247ef9..2ec5b96 100644
 --- a/lib-python/3/pydoc.py
 +++ b/lib-python/3/pydoc.py
 @@ -413,6 +413,7 @@ class Doc:
diff -Nru pypy3-7.3.3+dfsg/debian/patches/ftplib-restrict-pasv pypy3-7.3.3+dfsg/debian/patches/ftplib-restrict-pasv
--- pypy3-7.3.3+dfsg/debian/patches/ftplib-restrict-pasv	1969-12-31 20:00:00.000000000 -0400
+++ pypy3-7.3.3+dfsg/debian/patches/ftplib-restrict-pasv	2021-05-02 12:34:45.000000000 -0400
@@ -0,0 +1,91 @@
+From: Matti Picus <matti.picus@gmail.com>
+Date: Sun, 2 May 2021 11:01:59 -0400
+Subject: Stdlib: make ftplib not trust the PASV response (bpo 43285)
+
+Bug-cPython: https://bugs.python.org/issue43285
+Orgin: upstream, https://foss.heptapod.net/pypy/pypy/-/commit/2a9ed841f7acf38718bafe61e571b1b9a2d8b353
+---
+ lib-python/3/ftplib.py           |  9 ++++++++-
+ lib-python/3/test/test_ftplib.py | 27 ++++++++++++++++++++++++++-
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/lib-python/3/ftplib.py b/lib-python/3/ftplib.py
+index 2ff251a..385e432 100644
+--- a/lib-python/3/ftplib.py
++++ b/lib-python/3/ftplib.py
+@@ -104,6 +104,8 @@ class FTP:
+     welcome = None
+     passiveserver = 1
+     encoding = "latin-1"
++    # Disables https://bugs.python.org/issue43285 security if set to True.
++    trust_server_pasv_ipv4_address = False
+ 
+     # Initialization method (called by class instantiation).
+     # Initialize host to localhost, port to standard ftp port
+@@ -333,8 +335,13 @@ class FTP:
+         return sock
+ 
+     def makepasv(self):
++        """Internal: Does the PASV or EPSV handshake -> (address, port)"""
+         if self.af == socket.AF_INET:
+-            host, port = parse227(self.sendcmd('PASV'))
++            untrusted_host, port = parse227(self.sendcmd('PASV'))
++            if self.trust_server_pasv_ipv4_address:
++                host = untrusted_host
++            else:
++                host = self.sock.getpeername()[0]
+         else:
+             host, port = parse229(self.sendcmd('EPSV'), self.sock.getpeername())
+         return host, port
+diff --git a/lib-python/3/test/test_ftplib.py b/lib-python/3/test/test_ftplib.py
+index 4ff2f71..3ca7cc1 100644
+--- a/lib-python/3/test/test_ftplib.py
++++ b/lib-python/3/test/test_ftplib.py
+@@ -94,6 +94,10 @@ class DummyFTPHandler(asynchat.async_chat):
+         self.rest = None
+         self.next_retr_data = RETR_DATA
+         self.push('220 welcome')
++        # We use this as the string IPv4 address to direct the client
++        # to in response to a PASV command.  To test security behavior.
++        # https://bugs.python.org/issue43285/.
++        self.fake_pasv_server_ip = '252.253.254.255'
+ 
+     def collect_incoming_data(self, data):
+         self.in_buffer.append(data)
+@@ -136,7 +140,8 @@ class DummyFTPHandler(asynchat.async_chat):
+             sock.bind((self.socket.getsockname()[0], 0))
+             sock.listen()
+             sock.settimeout(TIMEOUT)
+-            ip, port = sock.getsockname()[:2]
++            port = sock.getsockname()[1]
++            ip = self.fake_pasv_server_ip
+             ip = ip.replace('.', ','); p1 = port / 256; p2 = port % 256
+             self.push('227 entering passive mode (%s,%d,%d)' %(ip, p1, p2))
+             conn, addr = sock.accept()
+@@ -694,6 +699,26 @@ class TestFTPClass(TestCase):
+         # IPv4 is in use, just make sure send_epsv has not been used
+         self.assertEqual(self.server.handler_instance.last_received_cmd, 'pasv')
+ 
++    def test_makepasv_issue43285_security_disabled(self):
++        """Test the opt-in to the old vulnerable behavior."""
++        self.client.trust_server_pasv_ipv4_address = True
++        bad_host, port = self.client.makepasv()
++        self.assertEqual(
++                bad_host, self.server.handler_instance.fake_pasv_server_ip)
++        # Opening and closing a connection keeps the dummy server happy
++        # instead of timing out on accept.
++        socket.create_connection((self.client.sock.getpeername()[0], port),
++                                 timeout=TIMEOUT).close()
++
++    def test_makepasv_issue43285_security_enabled_default(self):
++        self.assertFalse(self.client.trust_server_pasv_ipv4_address)
++        trusted_host, port = self.client.makepasv()
++        self.assertNotEqual(
++                trusted_host, self.server.handler_instance.fake_pasv_server_ip)
++        # Opening and closing a connection keeps the dummy server happy
++        # instead of timing out on accept.
++        socket.create_connection((trusted_host, port), timeout=TIMEOUT).close()
++
+     def test_with_statement(self):
+         self.client.quit()
+ 
diff -Nru pypy3-7.3.3+dfsg/debian/patches/series pypy3-7.3.3+dfsg/debian/patches/series
--- pypy3-7.3.3+dfsg/debian/patches/series	2021-02-25 14:55:51.000000000 -0400
+++ pypy3-7.3.3+dfsg/debian/patches/series	2021-05-02 12:34:45.000000000 -0400
@@ -12,6 +12,8 @@
 platform-lsbrelease
 rlcompleter-invalidterminal
 fix-_crypt-imports
+cve-2021-3426
+ftplib-restrict-pasv
 core-utf8-errors-ignore
 core-type-annotation-scoping
 fcntl-segfault
diff -Nru pypy3-7.3.3+dfsg/debian/rules pypy3-7.3.3+dfsg/debian/rules
--- pypy3-7.3.3+dfsg/debian/rules	2021-02-25 14:55:51.000000000 -0400
+++ pypy3-7.3.3+dfsg/debian/rules	2021-05-02 12:34:45.000000000 -0400
@@ -83,6 +83,10 @@
 override_dh_compress:
 	dh_compress -X.inv -X.txt
 
+override_dh_shlibdeps-arch:
+	dh_shlibdeps --package=pypy3 -- -dPre-Depends
+	dh_shlibdeps --arch --remaining-packages
+
 override_dh_installdeb:
 	set -e; for maintscript in preinst postinst prerm; do \
 		sed -e 's/#VERSION#/$(VER)/g' \

diff -Nru pypy-7.3.3+dfsg/debian/changelog pypy-7.3.3+dfsg/debian/changelog
--- pypy-7.3.3+dfsg/debian/changelog	2020-11-21 13:14:19.000000000 -0400
+++ pypy-7.3.3+dfsg/debian/changelog	2021-05-02 10:44:17.000000000 -0400
@@ -1,3 +1,10 @@
+pypy (7.3.3+dfsg-2) unstable; urgency=medium
+
+  * Move pypy dependencies to Pre-Depends, as the pypy binary is used in
+    package maintainer scripts. (Closes: #987213)
+
+ -- Stefano Rivera <stefanor@debian.org>  Sun, 02 May 2021 10:44:17 -0400
+
 pypy (7.3.3+dfsg-1) unstable; urgency=medium
 
   * New upstream release (identical to RC1).
diff -Nru pypy-7.3.3+dfsg/debian/control pypy-7.3.3+dfsg/debian/control
--- pypy-7.3.3+dfsg/debian/control	2020-11-21 13:14:19.000000000 -0400
+++ pypy-7.3.3+dfsg/debian/control	2021-05-02 10:44:17.000000000 -0400
@@ -34,7 +34,8 @@
 
 Package: pypy
 Architecture: any
-Depends: pypy-lib (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Pre-Depends: pypy-lib (= ${binary:Version}), ${shlibs:Pre-Depends}
+Depends: ${misc:Depends}
 Breaks:
  pypy-backports.functools-lru-cache (<< 1.5-3~),
  pypy-dev (<< ${source:Version})
diff -Nru pypy-7.3.3+dfsg/debian/rules pypy-7.3.3+dfsg/debian/rules
--- pypy-7.3.3+dfsg/debian/rules	2020-11-21 13:14:19.000000000 -0400
+++ pypy-7.3.3+dfsg/debian/rules	2021-05-02 10:44:17.000000000 -0400
@@ -73,6 +73,10 @@
 override_dh_compress:
 	dh_compress -X.inv -X.txt
 
+override_dh_shlibdeps-arch:
+	dh_shlibdeps --package=pypy -- -dPre-Depends
+	dh_shlibdeps --arch --remaining-packages
+
 override_dh_installdeb:
 	set -e; for maintscript in preinst postinst prerm; do \
 		sed -e 's/#VERSION#/$(VER)/g' \

--- End Message ---
--- Begin Message --- 
Unblocked.

--- End Message ---
Reply to: