
Re: CVE-2011-1521 and CVE-2011-3389 - fixed packet



Hi,

First: Could somebody perhaps enlighten me why all these issues show up
as unimportant in [2] but up to medium in the separate pages (e.g. [3])?

begin  quotation  from Michael Gilbert (in <jNk14-84E-21@gated-at.bofh.it>):
> On Mon, Sep 24, 2012 at 4:27 AM, Arne Wichmann  wrote:
> > begin  quotation  from Michael Gilbert (in <jMfPP-2tW-7@gated-at.bofh.it>):
> >> On Fri, Sep 21, 2012 at 11:40 AM, Arne Wichmann wrote:
> >> > Ok, I just created one more fixed version of python2.6 for my own
> >> > use.  Whoever is interested can find it at [1] for the time being.
> >> > If anybody has comments or improvements I am also interested.
> >>
> >> Would you mind attaching a debdiff so we can see what you did?  If
> >> your changes look reasonable, I may be willing to work with you to
> >> sponsor a stable-proposed update:
> >> http://www.debian.org/releases/proposed-updates
> >
> > Attached.
> 
> Thanks for your work on this.  There are a couple easily correctable
> issues.  One is that the debdiff is backwards.  Second, its better to

Hopefully not this time.

> use cve numbers to name the patches rather than commit ids.  Third,

Done.

> the distribution should be stable-proposed-updates rather than stable,

Not done. See other referenced mail.

> and there should only be one new entry in the changelog, and the
> version should be +squeeze1.

Done.

> Finally, there are some other unfixed python2.6 issues.  Would you
> mind taking a look at those?  It would be good to include them all in
> a new update:
> http://security-tracker.debian.org/tracker/source-package/python2.6

CVE-2011-4940 is unimportant.

CVE-2012-0876 is fixed (tracker updated).

I do not feel comfortable including a solution to CVE-2012-1150, what I
have seen looks quite intrusive to me and the impact seems minor. If you
think I should try [4] tell me and I will do so.

A similar argument goes for CVE-2011-1015 - as already mentioned in [5].

I added CVE-2012-0845.

The debdiff is attached.

The packages can be found here: [6]

begin  quotation  from Adam D. Barratt (in <jNo4G-2L7-3@gated-at.bofh.it>):
> On Mon, 2012-09-24 at 12:39 -0400, Michael Gilbert wrote:
> > the distribution should be stable-proposed-updates rather than stable,
> 
> "stable"'s fine.  (As would be "proposed-updates" and "squeeze".)

Ok.

[2] http://security-tracker.debian.org/tracker/source-package/python2.6
[3] http://security-tracker.debian.org/tracker/CVE-2012-0876
[4] http://bugs.python.org/file24563/hash-patch-3.1-gb-03.patch
[5] http://security-tracker.debian.org/tracker/CVE-2011-1015
[6] http://www.saar.de/~aw/debian/python2.6_2.6.6-8+squeeze1.diff.gz
    http://www.saar.de/~aw/debian/python2.6_2.6.6-8+squeeze1.dsc
    http://www.saar.de/~aw/debian/python2.6_2.6.6-8+squeeze1_amd64.build
    http://www.saar.de/~aw/debian/python2.6_2.6.6-8+squeeze1_amd64.changes
    http://www.saar.de/~aw/debian/python2.6_2.6.6-8+squeeze1_amd64.deb
    http://www.saar.de/~aw/debian/python2.6-dbg_2.6.6-8+squeeze1_amd64.deb
    http://www.saar.de/~aw/debian/python2.6-dev_2.6.6-8+squeeze1_amd64.deb
    http://www.saar.de/~aw/debian/python2.6-doc_2.6.6-8+squeeze1_all.deb
    http://www.saar.de/~aw/debian/python2.6-examples_2.6.6-8+squeeze1_all.deb
    http://www.saar.de/~aw/debian/python2.6-minimal_2.6.6-8+squeeze1_amd64.deb
    http://www.saar.de/~aw/debian/idle-python2.6_2.6.6-8+squeeze1_all.deb
    http://www.saar.de/~aw/debian/libpython2.6_2.6.6-8+squeeze1_amd64.deb

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)
diff -u python2.6-2.6.6/debian/changelog python2.6-2.6.6/debian/changelog
--- python2.6-2.6.6/debian/changelog
+++ python2.6-2.6.6/debian/changelog
@@ -1,3 +1,12 @@
+python2.6 (2.6.6-8+squeeze1) stable; urgency=low
+
+  * Non-maintainer upload.
+  * CVE-2011-1521. Closes: #628455
+  * CVE-2011-3389. Closes: #684511
+  * CVE-2012-0845.
+
+ -- Arne Wichmann <aw@linux.de>  Mon, 01 Oct 2012 14:38:46 +0200
+
 python2.6 (2.6.6-8) unstable; urgency=low
 
   * Disable the profiled builds on m68k and sparc. Closes: #606091.
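Review bot: the three CVE bullets say nothing about what was fixed or where; a stable update changelog should let the release team and users tell the fixes apart without opening the patches. Something like "* CVE-2011-1521: urllib, urllib2: refuse redirects to schemes other than http, https and ftp. Closes: #628455", "* CVE-2011-3389: _ssl: stop disabling OpenSSL's empty-fragment CBC countermeasure. Closes: #684511" and "* CVE-2012-0845: SimpleXMLRPCServer: do not loop forever on a short POST body" carries the same bug references and is what the DSA/SPU text will be written from. The CVE-2012-0845 entry also closes no bug; if one exists in the BTS, reference it here.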
diff -u python2.6-2.6.6/debian/patches/series.in python2.6-2.6.6/debian/patches/series.in
--- python2.6-2.6.6/debian/patches/series.in
+++ python2.6-2.6.6/debian/patches/series.in
@@ -62,0 +63,3 @@
+CVE-2011-3389.diff
+CVE-2011-1521.diff
+CVE-2012-0845.diff
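Review bot: the order of these three lines is load-bearing and nothing says so: CVE-2012-0845.diff's Misc/NEWS hunk uses the two "Issue #13885: CVE-2011-3389" lines that CVE-2011-3389.diff adds as context, so swapping them makes quilt reject the second patch. Dropping the Misc/NEWS hunks from both patches, as was already done for CVE-2011-1521.diff (its "# AW: removed NEWS from patch" header), removes that coupling and the NEWS churn that has no place in a stable update.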
only in patch2:
unchanged:
--- python2.6-2.6.6.orig/.pbuilderrc
+++ python2.6-2.6.6/.pbuilderrc
@@ -0,0 +1,163 @@
+# Idea stolen at https://wiki.ubuntu.com/PbuilderHowto
+# Enhanced to support experimental, backports and oldstable.
+# Does not build with non-free by default anymore.
+
+unset CCACHEDIR
+
+# DIST NONFREE ARCH CUSTOM should be added to env_keep in your sudoers config.
+OLDSTABLE="lenny"
+OLDSTABLE_ARCHIVED="false"
+STABLE="squeeze"
+TESTING="wheezy"
+UNSTABLE="sid"
+
+# Codenames for Debian suites according to their alias. Update these when
+# needed.
+UNSTABLE_CODENAME="unstable"
+TESTING_CODENAME="testing"
+STABLE_CODENAME="stable"
+OLDSTABLE_CODENAME="oldstable"
+
+
+# List of Debian suites.
+DEBIAN_SUITES=($UNSTABLE_CODENAME $TESTING_CODENAME $STABLE_CODENAME $OLDSTABLE_CODENAME
+    $UNSTABLE $TESTING $STABLE $OLDSTABLE experimental)
+
+# List of Ubuntu suites. Update these when needed.
+UBUNTU_SUITES=("jaunty" "intrepid" "hardy" "gutsy" "lucid" "maverick")
+
+# Mirrors to use. Update these to your preferred mirror.
+DEBIAN_MIRROR="ftp2.de.debian.org"
+UBUNTU_MIRROR="debian.netcologne.de"
+
+# Use Cowbuilder
+PDEBUILD_PBUILDER=cowbuilder
+
+# Optionally use the changelog of a package to determine the suite to use if
+# none set.
+if [ -z "${DIST}" ] && [ -r "debian/changelog" ]; then
+    DIST=$(dpkg-parsechangelog | awk '/^Distribution: / {print $2}')
+fi
+
+# Optionally set a default distribution if none is used. Note that you can set
+# your own default (i.e. ${DIST:="unstable"}).
+: ${DIST:="stable"}
+
+# Optionally change Debian codenames in $DIST to their aliases.
+case "$DIST" in
+    $UNSTABLE_CODENAME|UNRELEASED)
+        DIST="$UNSTABLE"
+        ;;
+    $TESTING_CODENAME|$TESTING_CODENAME-proposed-updates|$TESTING_CODENAME-security)
+        DIST="$TESTING"
+        ;;
+    $STABLE_CODENAME|$STABLE_CODENAME-proposed-updates|$STABLE_CODENAME-security)
+        DIST="$STABLE"
+        ;;
+    $OLDSTABLE_CODENAME|$OLDSTABLE_CODENAME-proposed-updates|$OLDSTABLE_CODENAME-security)
+        DIST="$OLDSTABLE"
+esac
+
+# Optionally set the architecture to the host architecture if none set. Note
+# that you can set your own default (i.e. ${ARCH:="i386"}).
+: ${ARCH:="$(dpkg --print-architecture)"}
+
+DEBOOTSTRAPOPTS=(
+    '--variant=buildd'
+)
+
+
+NAME="$DIST"
+if [ -n "${ARCH}" ]; then
+    NAME="$NAME-$ARCH"
+    DEBOOTSTRAPOPTS=("--arch" "$ARCH" "${DEBOOTSTRAPOPTS[@]}")
+fi
+if [ -n "${NONFREE}" ]; then
+    NAME="$NAME-nonfree"
+fi
+
+#CUSTOM allows to create chroots per customer, or for whatever you need it
+if [ -n "${CUSTOM}" ]; then
+    NAME="$NAME-$CUSTOM"
+fi
+
+BASETGZ="/var/cache/pbuilder/$NAME-base.tgz"
+BASEPATH="/var/cache/pbuilder/$NAME-base.cow"
+BUILDRESULT="/tmp/"
+BUILDPLACE="/var/cache/pbuilder/build/"
+
+if $(echo ${DEBIAN_SUITES[@]} | grep -q ${DIST%-backports}); then
+    COMPONENTS="main"
+    if [ -n "${NONFREE}" ]; then
+        COMPONENTS="$COMPONENTS contrib non-free"
+    fi
+    DEBOOTSTRAPOPTS=(
+        '--keyring' '/usr/share/keyrings/debian-archive-keyring.gpg'
+        ${DEBOOTSTRAPOPTS[@]}
+    )
+
+    case "$DIST" in
+        $OLDSTABLE)
+            if [ "$OLDSTABLE_ARCHIVED" = "true" ]; then
+                MIRRORSITE="http://archive.debian.org/debian/";
+            else
+                MIRRORSITE="http://$DEBIAN_MIRROR/debian/";
+            fi
+        ;;
+        experimental)
+            if [ -z "$OTHERMIRROR" ]; then
+                OTHERMIRROR="deb http://$DEBIAN_MIRROR/debian experimental $COMPONENTS"
+            else
+                OTHERMIRROR="deb http://$DEBIAN_MIRROR/debian experimental $COMPONENTS | ${OTHERMIRROR}"
+            fi
+        ;;
+        *-backports)
+            if [ -z "$OTHERMIRROR" ]; then
+                OTHERMIRROR="deb http://debian.netcologne.de/debian-backports/ $DIST $COMPONENTS"
+            else
+                OTHERMIRROR="deb http://debian.netcologne.de/debian-backports/ $DIST $COMPONENTS | ${OTHERMIRROR}"
+            fi
+            EXTRAPACKAGES="$EXTRAPACKAGES debian-backports-keyring"
+        ;;
+    esac
+
+elif $(echo ${UBUNTU_SUITES[@]} | grep -q ${DIST%-backports}); then
+    # Ubuntu configuration
+    MIRRORSITE="http://$UBUNTU_MIRROR/ubuntu/";
+    COMPONENTS="main universe"
+    if [ -n "${NONFREE}" ]; then
+        COMPONENTS="$COMPONENTS multiverse"
+    fi
+
+    if [ -r /usr/share/keyrings/ubuntu-archive-keyring.gpg ]; then
+        DEBOOTSTRAPOPTS=(
+            '--keyring' '/usr/share/keyrings/ubuntu-archive-keyring.gpg'
+            ${DEBOOTSTRAPOPTS[@]}
+        )
+    fi
+
+    case "$DIST" in
+        *-backports)
+            OTHERMIRROR="deb $MIRRORSITE $DIST $COMPONENTS"
+        ;;
+    esac
+else
+    echo "Unknown distribution: $DIST"
+    exit 1
+fi
+
+case "$0" in
+    */pdebuild)
+        : do nothing
+    ;;
+    *)
+        DIST=${DIST%-backports}
+        DIST=${DIST/experimental/$UNSTABLE}
+        DISTRIBUTION=$DIST
+    ;;
+esac
+
+# : ${HOOKDIR:="$HOME/.pbuilder/hooks.d"}
+
+DEBOOTSTRAP="debootstrap"
+PKGNAME_LOGFILE="yes"
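Review bot: .pbuilderrc has nothing to do with the three fixes and must not be in the debdiff. It is the uploader's local pbuilder/cowbuilder configuration (mirror choice, /var/cache/pbuilder paths, BUILDRESULT="/tmp/", an Ubuntu suite list), and the "only in patch2" marker above shows it would ship as a new top-level file in the python2.6 source package. Remove it from the unpacked source before running debdiff, or keep the config in $HOME where pbuilder reads it; the resulting debdiff should touch only debian/changelog, debian/patches/series.in and the three new patch files.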
only in patch2:
unchanged:
--- python2.6-2.6.6.orig/debian/patches/CVE-2011-1521.diff
+++ python2.6-2.6.6/debian/patches/CVE-2011-1521.diff
@@ -0,0 +1,103 @@
+# HG changeset patch
+# User Guido van Rossum <guido@python.org>
+# AW: removed NEWS from patch
+Merge issue 11662 from 2.5.
+
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+--- a/Lib/test/test_urllib.py
++++ b/Lib/test/test_urllib.py
+@@ -162,6 +162,20 @@ Content-Type: text/html; charset=iso-885
+         finally:
+             self.unfakehttp()
+ 
++    def test_invalid_redirect(self):
++        # urlopen() should raise IOError for many error codes.
++        self.fakehttp("""HTTP/1.1 302 Found
++Date: Wed, 02 Jan 2008 03:03:54 GMT
++Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e
++Location: file:README
++Connection: close
++Content-Type: text/html; charset=iso-8859-1
++""")
++        try:
++            self.assertRaises(IOError, urllib.urlopen, "http://python.org/";)
++        finally:
++            self.unfakehttp()
++
+     def test_empty_socket(self):
+         # urlopen() raises IOError if the underlying socket does not send any
+         # data. (#1680230)
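Review bot: the comment "urlopen() should raise IOError for many error codes" is copied from the neighbouring test and does not describe this one; the point of test_invalid_redirect is that a 302 whose Location is a non-http/https/ftp URL (here file:README) must be refused, so say that. The patch header above also carries no DEP-3 fields (Origin: with the upstream changeset, Bug-Debian: #628455), only the free-form "# AW: removed NEWS from patch" line; adding them lets the sponsor check provenance without digging through the upstream repository.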
+diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
+--- a/Lib/test/test_urllib2.py
++++ b/Lib/test/test_urllib2.py
+@@ -942,6 +942,27 @@ class HandlerTests(unittest.TestCase):
+             self.assertEqual(count,
+                              urllib2.HTTPRedirectHandler.max_redirections)
+ 
++    def test_invalid_redirect(self):
++        from_url = "http://example.com/a.html";
++        valid_schemes = ['http', 'https', 'ftp']
++        invalid_schemes = ['file', 'imap', 'ldap']
++        schemeless_url = "example.com/b.html"
++        h = urllib2.HTTPRedirectHandler()
++        o = h.parent = MockOpener()
++        req = Request(from_url)
++
++        for scheme in invalid_schemes:
++            invalid_url = scheme + '://' + schemeless_url
++            self.assertRaises(urllib2.HTTPError, h.http_error_302,
++                              req, MockFile(), 302, "Security Loophole",
++                              MockHeaders({"location": invalid_url}))
++
++        for scheme in valid_schemes:
++            valid_url = scheme + '://' + schemeless_url
++            h.http_error_302(req, MockFile(), 302, "That's fine",
++                MockHeaders({"location": valid_url}))
++            self.assertEqual(o.req.get_full_url(), valid_url)
++
+     def test_cookie_redirect(self):
+         # cookies shouldn't leak into redirected requests
+         from cookielib import CookieJar
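Review bot: every Location in this test is already absolute, so the join the handler performs before the scheme check (urlparse.urljoin in the urllib2 hunk below) is never exercised. A relative "/b.html" that must still be followed and a "FILE://" variant that must still be refused (the reason for the lower() in the check) are the two cases that would catch a regression in that order of operations; adding one of each to the two loops costs two lines.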
+diff --git a/Lib/urllib.py b/Lib/urllib.py
+--- a/Lib/urllib.py
++++ b/Lib/urllib.py
+@@ -652,6 +652,18 @@ class FancyURLopener(URLopener):
+         fp.close()
+         # In case the server sent a relative URL, join with original:
+         newurl = basejoin(self.type + ":" + url, newurl)
++
++        # For security reasons we do not allow redirects to protocols
++        # other than HTTP, HTTPS or FTP.
++        newurl_lower = newurl.lower()
++        if not (newurl_lower.startswith('http://') or
++                newurl_lower.startswith('https://') or
++                newurl_lower.startswith('ftp://')):
++            raise IOError('redirect error', errcode,
++                          errmsg + " - Redirection to url '%s' is not allowed" %
++                          newurl,
++                          headers)
++
+         return self.open(newurl)
+ 
+     def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):
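Review bot: the three-scheme allowlist is written out here and again in the urllib2 hunk below; if one is later widened or tightened the other silently stays as it is. Either have urllib2 call a small shared helper or put a "keep in sync with urllib2.HTTPRedirectHandler" comment at both sites. Also worth stating in the changelog: the check is by scheme only, so ftp redirects and https-to-http redirects are still followed; it closes the file: (local read) and similar handler cases, nothing more.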
+diff --git a/Lib/urllib2.py b/Lib/urllib2.py
+--- a/Lib/urllib2.py
++++ b/Lib/urllib2.py
+@@ -578,6 +578,17 @@ class HTTPRedirectHandler(BaseHandler):
+ 
+         newurl = urlparse.urljoin(req.get_full_url(), newurl)
+ 
++        # For security reasons we do not allow redirects to protocols
++        # other than HTTP, HTTPS or FTP.
++        newurl_lower = newurl.lower()
++        if not (newurl_lower.startswith('http://') or
++                newurl_lower.startswith('https://') or
++                newurl_lower.startswith('ftp://')):
++            raise HTTPError(newurl, code,
++                            msg + " - Redirection to url '%s' is not allowed" %
++                            newurl,
++                            headers, fp)
++
+         # XXX Probably want to forget about the state of the current
+         # request, although that might interact poorly with other
+         # handlers that also use handler-specific request attributes
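Review bot: the HTTPError is built with newurl, i.e. the refused target, as its URL and with fp still attached as its body; anyone catching HTTPError and retrying err.url would therefore be retrying the attacker-chosen URL, so a one-line comment that the URL in the exception is the rejected target rather than the page that redirected would help callers. Placing the check after urlparse.urljoin is correct: a relative Location resolves to the request's own http/https URL and stays allowed, and only an absolute Location with a foreign scheme reaches the raise.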
only in patch2:
unchanged:
--- python2.6-2.6.6.orig/debian/patches/CVE-2011-3389.diff
+++ python2.6-2.6.6/debian/patches/CVE-2011-3389.diff
@@ -0,0 +1,34 @@
+# HG changeset patch
+# User Antoine Pitrou <solipsis@pitrou.net>
+# Date 1327653765 -3600
+# Node ID 9a4131ada792123aa4dded51bf67f583fc515db2
+# Parent  62fa61f2ee7d6a7861eccebc8f727d5cf6996065
+Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC IV attack countermeasure.
+
+diff --git a/Misc/NEWS b/Misc/NEWS
+--- a/Misc/NEWS
++++ b/Misc/NEWS
+@@ -13,6 +13,9 @@ Core and Builtins
+ Library
+ -------
+ 
++- Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC
++  IV attack countermeasure.
++
+ 
+ What's New in Python 2.6.7?
+ ===========================
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -357,7 +357,8 @@ newPySSLObject(PySocketSockObject *Sock,
+     }
+ 
+     /* ssl compatibility */
+-    SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
++    SSL_CTX_set_options(self->ctx,
++                        SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+ 
+     verification_mode = SSL_VERIFY_NONE;
+     if (certreq == PY_SSL_CERT_OPTIONAL)
+
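Review bot: SSL_OP_ALL is OpenSSL's bundle of bug-compatibility workarounds and includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, so the old line switched off the empty-fragment countermeasure against the CBC chosen-IV (BEAST) attack on every socket the module created, client and server alike; masking that single bit back out while keeping the rest of SSL_OP_ALL is the minimal fix. Two caveats belong in a comment next to it: the countermeasure only matters for CBC cipher suites under SSLv3/TLS 1.0, and OpenSSL put the bit into SSL_OP_ALL because some peers cannot handle zero-length records, so an interop regression report after this update is an expected possibility rather than a packaging error.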
only in patch2:
unchanged:
--- python2.6-2.6.6.orig/debian/patches/CVE-2012-0845.diff
+++ python2.6-2.6.6/debian/patches/CVE-2012-0845.diff
@@ -0,0 +1,35 @@
+# HG changeset patch
+# User Charles-François Natali <neologix@free.fr>
+# Date 1329570938 -3600
+# Node ID 24244a744d0143b24137b343d93d937c223877aa
+# Parent  9a4131ada792123aa4dded51bf67f583fc515db2
+Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in SimpleXMLRPCServer
+upon malformed POST request.
+
+diff --git a/Lib/SimpleXMLRPCServer.py b/Lib/SimpleXMLRPCServer.py
+--- a/Lib/SimpleXMLRPCServer.py
++++ b/Lib/SimpleXMLRPCServer.py
+@@ -459,7 +459,10 @@ class SimpleXMLRPCRequestHandler(BaseHTT
+             L = []
+             while size_remaining:
+                 chunk_size = min(size_remaining, max_chunk_size)
+-                L.append(self.rfile.read(chunk_size))
++                chunk = self.rfile.read(chunk_size)
++                if not chunk:
++                    break
++                L.append(chunk)
+                 size_remaining -= len(L[-1])
+             data = ''.join(L)
+ 
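Review bot: breaking on an empty read stops the spin, but size_remaining is still non-zero afterwards and the truncated body is joined and handed on as if it were complete, so a client that announces a Content-Length larger than what it sends now gets whatever the XML-RPC layer makes of a partial document instead of a clear error. Consider checking size_remaining after the loop and answering with a 400 (send_response(400), end_headers(), return) before dispatching. Minor: with chunk in hand, "size_remaining -= len(L[-1])" can simply be "size_remaining -= len(chunk)".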
+diff --git a/Misc/NEWS b/Misc/NEWS
+--- a/Misc/NEWS
++++ b/Misc/NEWS
+@@ -13,6 +13,9 @@ Core and Builtins
+ Library
+ -------
+ 
++- Issue #14001: CVE-2012-0845: xmlrpc: Fix an endless loop in
++  SimpleXMLRPCServer upon malformed POST request.
++
+ - Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC
+   IV attack countermeasure.

Attachment: signature.asc
Description: Digital signature
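To see what the CVE-2011-1521 allowlist in the attached patch does and does not cover, here is the same rule (join the Location header with the request URL first, then allow only http, https and ftp) written against Python 3's urllib.parse so it runs stand-alone. This is an added example, not the patch's code and not part of Python's urllib; the request URLs and Location values are constructed for it. It goes beyond the patch's own tests with a relative Location, a mixed-case scheme, a protocol-relative Location and an https-to-http hop, to show that the check is about schemes only.

```python
from urllib.parse import urljoin, urlsplit

# The same three schemes the patch accepts.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https", "ftp"})


def resolve_redirect(from_url, location):
    """Resolve a Location header the way the patched handlers do: join it
    with the URL that produced the 30x first, then check the scheme of the
    result.  Returns the absolute target, raises ValueError if refused."""
    target = urljoin(from_url, location)
    # urlsplit already lowercases the scheme, which is what the patch's
    # newurl.lower() achieves for "FILE://..." style Location values.
    scheme = urlsplit(target).scheme
    if scheme not in ALLOWED_REDIRECT_SCHEMES:
        raise ValueError("redirect to %r refused: scheme %r not allowed"
                         % (target, scheme or "<none>"))
    return target


def classify(from_url, location):
    """('follow', target) or ('refuse', target) for one Location value."""
    target = urljoin(from_url, location)
    try:
        resolve_redirect(from_url, location)
    except ValueError:
        return "refuse", target
    return "follow", target


# Constructed request URLs and Location values (example data, not real sites).
CASES = [
    ("http://example.com/a.html", "file:README"),                 # the CVE case
    ("http://example.com/a.html", "FILE:///etc/passwd"),          # mixed-case scheme
    ("http://example.com/a.html", "imap://mail.example.com/"),    # other handler scheme
    ("http://example.com/a.html", "/b.html"),                     # relative: joined, stays http
    ("http://example.com/a.html", "example.com/b.html"),          # scheme-less: a path, not a host
    ("http://example.com/a.html", "//other.example/c"),           # protocol-relative: new host, still http
    ("http://example.com/a.html", "ftp://files.example.com/x"),   # ftp is deliberately allowed
    ("https://example.com/a.html", "http://example.com/plain"),   # downgrade is not blocked
]


def run_cases(cases=CASES):
    """Map (from_url, location) to the verdict for each constructed case."""
    return {(f, loc): classify(f, loc) for f, loc in cases}


if __name__ == "__main__":
    for (f, loc), (verdict, target) in run_cases().items():
        print("%-7s %-28s -> %s" % (verdict, loc, target))
```

The last three cases are the ones to keep in mind when reading the patch: the scheme check says nothing about the host, so a protocol-relative Location moves the request to another server, and nothing stops an https origin from redirecting to plain http.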


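The sponsor's checklist quoted in the message above (exactly one new changelog entry, a +squeeze1 version, an accepted distribution, patches named by CVE id, and nothing unrelated in the diff) is mechanical enough to script before mailing a debdiff. The following is an added example, not code from the thread or from Debian's tooling. It parses a small debdiff constructed here for the purpose (not the one attached above; the package name, version, maintainer and patch names are made up) and lists the violations it finds. The accepted distribution names follow Adam D. Barratt's reply (stable, proposed-updates, or the codename); that they are the only acceptable values is this example's assumption.

```python
import re

# Constructed sample debdiff (not the one attached to the mail): one proper
# changelog entry, a series file adding a correctly and a wrongly named patch,
# and a stray file outside debian/.
SAMPLE_DEBDIFF = """\
diff -u pkg-1.0/debian/changelog pkg-1.0/debian/changelog
--- pkg-1.0/debian/changelog
+++ pkg-1.0/debian/changelog
@@ -1,3 +1,10 @@
+pkg (1.0-1+squeeze1) stable; urgency=low
+
+  * Non-maintainer upload.
+  * CVE-2011-1521: urllib, urllib2: refuse redirects to non-http/https/ftp URLs.
+
+ -- Jane Doe <jane@example.org>  Mon, 01 Oct 2012 14:38:46 +0200
+
 pkg (1.0-1) unstable; urgency=low
 
   * Initial release.
diff -u pkg-1.0/debian/patches/series pkg-1.0/debian/patches/series
--- pkg-1.0/debian/patches/series
+++ pkg-1.0/debian/patches/series
@@ -1,0 +2,2 @@
+CVE-2011-1521.diff
+abc123def.diff
only in patch2:
unchanged:
--- pkg-1.0.orig/.pbuilderrc
+++ pkg-1.0/.pbuilderrc
@@ -0,0 +1,2 @@
+STABLE="squeeze"
+BUILDRESULT="/tmp/"
"""

CHANGELOG_HEADER = re.compile(r"^(?P<src>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+); urgency=")
CVE_PATCH_NAME = re.compile(r"^CVE-\d{4}-\d{4,}\.(diff|patch)$")
SERIES_FILES = ("debian/patches/series", "debian/patches/series.in")


def added_lines_by_file(debdiff_text):
    """Map each file the debdiff touches (top-level source directory stripped)
    to the lines the diff adds to it.  Only '+++ ' and '--- ' file headers
    are recognised, so a removed line whose text begins with '-- ' is not
    mistaken for a header."""
    files = {}
    current = None
    for line in debdiff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].split("\t")[0]
            current = path.split("/", 1)[1] if "/" in path else path
            files.setdefault(current, [])
        elif line.startswith("--- ") or line.startswith("@@ "):
            continue
        elif current is not None and line.startswith("+"):
            files[current].append(line[1:])
    return files


def check_stable_update(debdiff_text, suite="squeeze",
                        accepted_dists=("stable", "proposed-updates")):
    """Return a list of findings; an empty list means the debdiff passes."""
    accepted = set(accepted_dists) | {suite}   # the codename itself is also fine
    files = added_lines_by_file(debdiff_text)
    findings = []

    # 1. Nothing outside debian/ belongs in an NMU debdiff (patches live there too).
    for path in sorted(files):
        if not path.startswith("debian/"):
            findings.append("stray file outside debian/: %s" % path)

    # 2. Exactly one new changelog stanza, versioned +<suite>N, for an accepted distribution.
    changelog = files.get("debian/changelog", [])
    headers = [m for m in map(CHANGELOG_HEADER.match, changelog) if m]
    if len(headers) != 1:
        findings.append("expected exactly one new changelog entry, found %d" % len(headers))
    for m in headers:
        if not re.search(r"\+%s\d+$" % re.escape(suite), m.group("version")):
            findings.append("version %s should end in +%sN" % (m.group("version"), suite))
        if m.group("dist") not in accepted:
            findings.append("distribution %s; use one of %s"
                            % (m.group("dist"), ", ".join(sorted(accepted))))

    # 3. New patches are named after the CVE they fix, not after a commit id.
    for path in SERIES_FILES:
        for name in files.get(path, []):
            name = name.strip()
            if name and not name.startswith("#") and not CVE_PATCH_NAME.match(name):
                findings.append("patch %s is not named after a CVE id" % name)
    return findings


if __name__ == "__main__":
    for finding in check_stable_update(SAMPLE_DEBDIFF):
        print(finding)
```

Run against a real debdiff with `check_stable_update(open("pkg.debdiff").read(), suite="squeeze")`; the suite argument is what turns the same script into a wheezy or lenny check.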