diff --git a/lang/python/python-cryptography/Makefile b/lang/python/python-cryptography/Makefile index 9c9e5405a..692d1f63e 100644 --- a/lang/python/python-cryptography/Makefile +++ b/lang/python/python-cryptography/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=python-cryptography -PKG_VERSION:=2.4.2 +PKG_VERSION:=2.5 PKG_RELEASE:=1 PKG_SOURCE:=cryptography-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= https://files.pythonhosted.org/packages/source/c/cryptography -PKG_HASH:=05a6052c6a9f17ff78ba78f8e6eb1d777d25db3b763343a1ae89a7a8670386dd +PKG_HASH:=4946b67235b9d2ea7d31307be9d5ad5959d6c4a8f98f900157b47abddf698401 PKG_LICENSE:=Apache-2.0 BSD-3-Clause PKG_LICENSE_FILES:=LICENSE.APACHE LICENSE.BSD diff --git a/lang/python/python-cryptography/patches/002-remove-undefined-dtls-methods.patch b/lang/python/python-cryptography/patches/002-remove-undefined-dtls-methods.patch deleted file mode 100644 index dfceff5c8..000000000 --- a/lang/python/python-cryptography/patches/002-remove-undefined-dtls-methods.patch +++ /dev/null @@ -1,23 +0,0 @@ -From e7a6229b332969d621aaf25f3fc5cdd99e3c9072 Mon Sep 17 00:00:00 2001 -From: Rosen Penev -Date: Sun, 18 Nov 2018 18:04:01 -0800 -Subject: [PATCH] Adjust DTLS check (#4593) - -OpenSSL defines these even with OPENSSL_NO_DTLS. ---- - src/_cffi_src/openssl/ssl.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py -index c921dbee..f0b8939c 100644 ---- a/src/_cffi_src/openssl/ssl.py -+++ b/src/_cffi_src/openssl/ssl.py -@@ -709,7 +709,7 @@ static const long TLS_ST_BEFORE = 0; - static const long TLS_ST_OK = 0; - #endif - --#if defined(OPENSSL_NO_DTLS) || CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 -+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 - static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 0; - const SSL_METHOD *(*DTLS_method)(void) = NULL; - const SSL_METHOD *(*DTLS_server_method)(void) = NULL; 
diff --git a/lang/python/python-lxml/Makefile b/lang/python/python-lxml/Makefile
index 3acaecff6..1d8b54c7e 100644
--- a/lang/python/python-lxml/Makefile
+++ b/lang/python/python-lxml/Makefile
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=python-lxml
-PKG_VERSION:=4.3.0
+PKG_VERSION:=4.3.1
 PKG_RELEASE:=1
 PKG_SOURCE:=lxml-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://files.pythonhosted.org/packages/source/l/lxml
-PKG_HASH:=d1e111b3ab98613115a208c1017f266478b0ab224a67bc8eac670fa0bad7d488
+PKG_HASH:=da5e7e941d6e71c9c9a717c93725cda0708c2474f532e3680ac5e39ec57d224d
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(BUILD_VARIANT)-lxml-$(PKG_VERSION)
 PKG_UNPACK=$(HOST_TAR) -C $(PKG_BUILD_DIR) --strip-components=1 -xzf $(DL_DIR)/$(PKG_SOURCE)
diff --git a/lang/python/python-package-install.sh b/lang/python/python-package-install.sh
index e5f6ec893..a1b21e49f 100644
--- a/lang/python/python-package-install.sh
+++ b/lang/python/python-package-install.sh
@@ -40,6 +40,17 @@ process_filespec() {
 )
 }
+delete_empty_dirs() {
+ local dst_dir="$1"
+ if [ -d "$dst_dir/usr" ] ; then
+ for _ in $(seq 1 10) ; do
+ find "$dst_dir/usr" -empty -type d -exec rmdir {} \; || continue
+ break
+ done
+ rmdir "$dst_dir/usr" || true
+ fi
+}
+
 ver="$1"
 src_dir="$2"
 dst_dir="$3"
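Review bot: `delete_empty_dirs` needs its ten-pass loop only because `find` without `-depth` visits a directory before its children, so a parent that becomes empty once its subdirectory is removed fails `rmdir` on the first pass and trips `|| continue`; a single depth-first pass handles the whole tree and leaves `find`'s exit status meaningful: `find "$dst_dir/usr" -depth -type d -empty -exec rmdir {} \;` (or `-type d -empty -delete`, which implies `-depth`). As written, an unrelated `find` failure such as an unreadable directory just burns all ten passes silently, because every non-zero status is treated as "try again". The trailing `rmdir "$dst_dir/usr" || true` can stay, though with `-depth` the root is already removed when it ends up empty.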
@@ -47,20 +58,24 @@ python="$4"
 mode="$5"
 filespec="$6"
+find "$src_dir" -name "*\.exe" -exec rm -f {} \;
+
 process_filespec "$src_dir" "$dst_dir" "$filespec" || {
 echo "process filespec error-ed"
 exit 1
 }
+ usr_bin_dir="$dst_dir/usr/bin"
+ if [ -d "$usr_bin_dir" ] ; then
+ sed "1"'!'"b;s,^#"'!'".*python.*,#"'!'"/usr/bin/python${ver}," -i $usr_bin_dir/*
+fi
+
 if [ "$mode" == "sources" ] ; then
 # Copy only python source files
- find $dst_dir -not -type d -not -name "*\.py" | xargs rm -f
+ find "$dst_dir" -not -type d -not -name "*\.py" -exec rm -f {} \;
- # Delete empty folders (if the case)
- if [ -d "$dst_dir/usr" ] ; then
- find $dst_dir/usr -type d | xargs rmdir --ignore-fail-on-non-empty
- rmdir --ignore-fail-on-non-empty $dst_dir/usr
- fi
+ delete_empty_dirs "$dst_dir"
 exit 0
 fi
@@ -73,19 +88,15 @@ legacy=
 # So, we just stuck to un-optimized byte-codes,
 # which is still way better/faster than running
 # Python sources all the time.
-$python -m compileall $legacy -d '/' $dst_dir || {
+$python -m compileall $legacy -d '/' "$dst_dir" || {
 echo "python -m compileall err-ed"
 exit 1
 }
 # Delete source files and pyc [ un-optimized bytecode files ]
 # We may want to make this optimization thing configurable later, but not sure atm
-find $dst_dir -type f -name "*\.py" | xargs rm -f
+find "$dst_dir" -type f -name "*\.py" -exec rm -f {} \;
-# Delete empty folders (if the case)
-if [ -d "$dst_dir/usr" ] ; then
- find $dst_dir/usr -type d | xargs rmdir --ignore-fail-on-non-empty
- rmdir --ignore-fail-on-non-empty $dst_dir/usr
-fi
+delete_empty_dirs "$dst_dir"
 exit 0
diff --git a/lang/python/python-package.mk b/lang/python/python-package.mk
index 66a492983..af35dcdb3 100644
--- a/lang/python/python-package.mk
+++ b/lang/python/python-package.mk
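Review bot: The shebang rewrite `sed … -i $usr_bin_dir/*` is applied to every entry of `usr/bin` through an unquoted glob rather than to the scripts it targets, so a non-script entry is rewritten in place as well, and GNU `sed -i` turns a symlink into a regular-file copy unless `--follow-symlinks` is given — relevant because the python3-setuptools install hook, which runs before this script, creates `easy_install-3` with `$(LN)` (presumably `ln -s`). Limiting the rewrite to regular files avoids that: `find "$usr_bin_dir" -maxdepth 1 -type f -exec sed "1"'!'"b;s,^#"'!'".*python.*,#"'!'"/usr/bin/python${ver}," -i {} \;`. Note also that the interpreter written is now `/usr/bin/python${ver}` (`python2`/`python3`) where the removed per-package `sed` lines wrote `python$(PYTHON_VERSION)` (e.g. `python3.7`); that only works if the target image provides the unversioned name, which this diff does not show. The `s` command fires only on a first line beginning `#!` and containing `python`, so it is a no-op on ELF files, but they are still read and written back.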
@@ -69,7 +69,6 @@ define PyPackage
 define Package/$(1)/install
 $(call PyPackage/$(1)/install,$$(1))
- find $(PKG_INSTALL_DIR) -name "*\.exe" | xargs rm -f
 $(SHELL) $(python_mk_path)python-package-install.sh "2" \
 "$(PKG_INSTALL_DIR)" "$$(1)" \
 "$(HOST_PYTHON_BIN)" "$$(2)" \
@@ -113,7 +112,6 @@ define Build/Compile/PyMod
 cd $(PKG_BUILD_DIR)/$(strip $(1)), \
 ./setup.py $(2), \
 $(3))
- find $(PKG_INSTALL_DIR) -name "*\.exe" | xargs rm -f
 endef
 PYTHON_PKG_SETUP_ARGS:=--single-version-externally-managed
diff --git a/lang/python/python-pyasn1-modules/Makefile b/lang/python/python-pyasn1-modules/Makefile
index 8ee4e1d3a..a41daabcc 100644
--- a/lang/python/python-pyasn1-modules/Makefile
+++ b/lang/python/python-pyasn1-modules/Makefile
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=python-pyasn1-modules
-PKG_VERSION:=0.2.3
+PKG_VERSION:=0.2.4
 PKG_RELEASE:=1
 PKG_SOURCE:=pyasn1-modules-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://files.pythonhosted.org/packages/source/p/pyasn1-modules
-PKG_HASH:=d14fcb29dabecba3d7b360bf72327c26c385248a5d603cf6be5f566ce999b261
+PKG_HASH:=a52090e8c5841ebbf08ae455146792d9ef3e8445b21055d3a3b7ed9c712b7c7c
 PKG_LICENSE:=BSD-2-Clause
 PKG_LICENSE_FILES:=LICENSE.txt
diff --git a/lang/python/python-pyopenssl/Makefile b/lang/python/python-pyopenssl/Makefile
index 9beefbae3..d68e19c66 100644
--- a/lang/python/python-pyopenssl/Makefile
+++ b/lang/python/python-pyopenssl/Makefile
@@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=python-pyopenssl
-PKG_VERSION:=18.0.0
+PKG_VERSION:=19.0.0
 PKG_RELEASE:=1
 PKG_SOURCE:=pyOpenSSL-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://pypi.io/packages/source/p/pyOpenSSL
-PKG_HASH:=6488f1423b00f73b7ad5167885312bb0ce410d3312eb212393795b53c8caa580
+PKG_HASH:=aeca66338f6de19d1aa46ed634c3b9ae519a64b458f8468aec688e7e3c20f200
 PKG_LICENSE:=Apache-2.0
 PKG_LICENSE_FILES:=LICENSE
diff --git a/lang/python/python/Makefile b/lang/python/python/Makefile
index a065edaa0..041b3028c 100644
--- a/lang/python/python/Makefile
+++ b/lang/python/python/Makefile
@@ -12,7 +12,7 @@ include ../python-version.mk
 PKG_NAME:=python
 PKG_VERSION:=$(PYTHON_VERSION).$(PYTHON_VERSION_MICRO)
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://www.python.org/ftp/python/$(PKG_VERSION)
diff --git a/lang/python/python/files/python-package-pip.mk b/lang/python/python/files/python-package-pip.mk
index b08256464..e0c6de978 100644
--- a/lang/python/python/files/python-package-pip.mk
+++ b/lang/python/python/files/python-package-pip.mk
@@ -14,8 +14,6 @@ endef
 define PyPackage/python-pip/install
 $(INSTALL_DIR) $(1)/usr/bin $(1)/usr/lib/python$(PYTHON_VERSION)/site-packages
- # Adjust shebang to proper python location on target
- sed "1s@.*@#\!/usr/bin/python$(PYTHON_VERSION)@" -i $(PKG_BUILD_DIR)/install-pip/bin/*
 $(CP) $(PKG_BUILD_DIR)/install-pip/bin/* $(1)/usr/bin
 $(CP) \
 $(PKG_BUILD_DIR)/install-pip/lib/python$(PYTHON_VERSION)/site-packages/pip \
diff --git a/lang/python/python/files/python-package-setuptools.mk b/lang/python/python/files/python-package-setuptools.mk
index 413ec7979..f90b01864 100644
--- a/lang/python/python/files/python-package-setuptools.mk
+++ b/lang/python/python/files/python-package-setuptools.mk
@@ -14,8 +14,6 @@ endef
 define PyPackage/python-setuptools/install
 $(INSTALL_DIR) $(1)/usr/bin $(1)/usr/lib/python$(PYTHON_VERSION)/site-packages
- # Adjust shebang to proper python location on target
- sed "1s@.*@#\!/usr/bin/python$(PYTHON_VERSION)@" -i $(PKG_BUILD_DIR)/install-setuptools/bin/*
 $(CP) $(PKG_BUILD_DIR)/install-setuptools/bin/* $(1)/usr/bin
 $(CP) \
 $(PKG_BUILD_DIR)/install-setuptools/lib/python$(PYTHON_VERSION)/site-packages/pkg_resources \
diff --git a/lang/python/python/patches/018-bpo-35746-Fix-segfault-in-ssl-s-cert-parser-GH-11569.patch b/lang/python/python/patches/018-bpo-35746-Fix-segfault-in-ssl-s-cert-parser-GH-11569.patch
new file mode 100644
index 000000000..05e0ae64f
--- /dev/null
+++ b/lang/python/python/patches/018-bpo-35746-Fix-segfault-in-ssl-s-cert-parser-GH-11569.patch 
@@ -0,0 +1,120 @@ +From 06b15424b0dcacb1c551b2a36e739fffa8d0c595 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Tue, 15 Jan 2019 15:11:52 -0800 +Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser (GH-11569) + +Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL +distribution points with empty DP or URI correctly. A malicious or buggy +certificate can result into segfault. + +Signed-off-by: Christian Heimes + +https://bugs.python.org/issue35746 +(cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3) + +Co-authored-by: Christian Heimes +--- + Lib/test/talos-2019-0758.pem | 22 +++++++++++++++++++ + Lib/test/test_ssl.py | 22 +++++++++++++++++++ + .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++ + Modules/_ssl.c | 4 ++++ + 4 files changed, 51 insertions(+) + create mode 100644 Lib/test/talos-2019-0758.pem + create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst + +diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem +new file mode 100644 +index 0000000000..13b95a77fd +--- /dev/null ++++ b/Lib/test/talos-2019-0758.pem +@@ -0,0 +1,22 @@ ++-----BEGIN CERTIFICATE----- ++MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO ++BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7 ++MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh ++bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB ++J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES ++V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD ++5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C ++1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP ++WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF ++j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp ++HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io 
++UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7 ++2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu ++bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG ++SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p ++t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr ++t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit ++p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV ++Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+ ++10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA== ++-----END CERTIFICATE----- +diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py +index e476031702..9240184d98 100644 +--- a/Lib/test/test_ssl.py ++++ b/Lib/test/test_ssl.py +@@ -72,6 +72,7 @@ NONEXISTINGCERT = data_file("XXXnonexisting.pem") + BADKEY = data_file("badkey.pem") + NOKIACERT = data_file("nokia.pem") + NULLBYTECERT = data_file("nullbytecert.pem") ++TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem") + + DHFILE = data_file("ffdh3072.pem") + BYTES_DHFILE = DHFILE.encode(sys.getfilesystemencoding()) +@@ -227,6 +228,27 @@ class BasicSocketTests(unittest.TestCase): + self.assertEqual(p['crlDistributionPoints'], + ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',)) + ++ def test_parse_cert_CVE_2019_5010(self): ++ p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP) ++ if support.verbose: ++ sys.stdout.write("\n" + pprint.pformat(p) + "\n") ++ self.assertEqual( ++ p, ++ { ++ 'issuer': ( ++ (('countryName', 'UK'),), (('commonName', 'cody-ca'),)), ++ 'notAfter': 'Jun 14 18:00:58 2028 GMT', ++ 'notBefore': 'Jun 18 18:00:58 2018 GMT', ++ 'serialNumber': '02', ++ 'subject': ((('countryName', 'UK'),), ++ (('commonName', ++ 'codenomicon-vm-2.test.lal.cisco.com'),)), ++ 'subjectAltName': ( ++ ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),), ++ 'version': 3 ++ } ++ ) ++ + def test_parse_cert_CVE_2013_4238(self): + p = ssl._ssl._test_decode_cert(NULLBYTECERT) + if support.verbose: +diff 
--git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst +new file mode 100644 +index 0000000000..dffe347eec +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst +@@ -0,0 +1,3 @@ ++[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did ++not handle CRL distribution points with empty DP or URI correctly. A ++malicious or buggy certificate can result into segfault. +diff --git a/Modules/_ssl.c b/Modules/_ssl.c +index a96c419260..19bb1207b4 100644 +--- a/Modules/_ssl.c ++++ b/Modules/_ssl.c +@@ -1223,6 +1223,10 @@ _get_crl_dp(X509 *certificate) { + STACK_OF(GENERAL_NAME) *gns; + + dp = sk_DIST_POINT_value(dps, i); ++ if (dp->distpoint == NULL) { ++ /* Ignore empty DP value, CVE-2019-5010 */ ++ continue; ++ } + gns = dp->distpoint->name.fullname; + + for (j=0; j < sk_GENERAL_NAME_num(gns); j++) { +-- +2.17.1 + diff --git a/lang/python/python3-package.mk b/lang/python/python3-package.mk index 9e473b5c5..9cfa7673e 100644 --- a/lang/python/python3-package.mk +++ b/lang/python/python3-package.mk @@ -68,7 +68,6 @@ define Py3Package define Package/$(1)/install $(call Py3Package/$(1)/install,$$(1)) - find $(PKG_INSTALL_DIR) -name "*\.exe" | xargs rm -f $(SHELL) $(python3_mk_path)python-package-install.sh "3" \ "$(PKG_INSTALL_DIR)" "$$(1)" \ "$(HOST_PYTHON3_BIN)" "$$(2)" \ @@ -112,7 +111,6 @@ define Build/Compile/Py3Mod cd $(PKG_BUILD_DIR)/$(strip $(1)), \ ./setup.py $(2), \ $(3)) - find $(PKG_INSTALL_DIR) -name "*\.exe" | xargs rm -f endef PYTHON3_PKG_SETUP_ARGS:=--single-version-externally-managed diff --git a/lang/python/python3/Makefile b/lang/python/python3/Makefile index ebe71b555..a88b8165c 100644 --- a/lang/python/python3/Makefile +++ b/lang/python/python3/Makefile 
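Review bot: The added check in `_get_crl_dp` guards only `dp->distpoint == NULL`; the very next line, `gns = dp->distpoint->name.fullname;`, still reads the `fullname` member of the `DIST_POINT_NAME` union without testing `dp->distpoint->type`, and for a distribution point expressed as a relative name (`type == 1`) that storage holds `name.relativename`, a stack of `X509_NAME_ENTRY` that the loop below then walks as `GENERAL_NAME`s. Testing the selector alongside the NULL test, `if (dp->distpoint == NULL || dp->distpoint->type != 0) { continue; }`, covers both forms; in practice the misread `gn->type` will almost never equal `GEN_URI`, but it is still a read through the wrong union member. This file appears to be a verbatim cherry-pick of the upstream commit, so the extra check belongs in an upstream report rather than a local divergence of the backport. `_get_crl_dp` begins and ends outside the hunk, and the per-`GENERAL_NAME` loop body is not shown.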
@@ -14,7 +14,7 @@ PYTHON_VERSION:=$(PYTHON3_VERSION)
 PYTHON_VERSION_MICRO:=$(PYTHON3_VERSION_MICRO)
 PKG_NAME:=python3
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_VERSION:=$(PYTHON_VERSION).$(PYTHON_VERSION_MICRO)
 PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz
diff --git a/lang/python/python3/files/python3-package-pip.mk b/lang/python/python3/files/python3-package-pip.mk
index 1aaeaf2ee..fd1cd59d5 100644
--- a/lang/python/python3/files/python3-package-pip.mk
+++ b/lang/python/python3/files/python3-package-pip.mk
@@ -14,14 +14,15 @@ endef
 define Package/python3-pip/install
 $(INSTALL_DIR) $(1)/usr/bin $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages
- # Adjust shebang to proper python location on target
- sed "1s@.*@#\!/usr/bin/python$(PYTHON3_VERSION)@" -i $(PKG_BUILD_DIR)/install-pip/bin/*
 $(CP) $(PKG_BUILD_DIR)/install-pip/bin/pip3* $(1)/usr/bin
 $(CP) \
 $(PKG_BUILD_DIR)/install-pip/lib/python$(PYTHON3_VERSION)/site-packages/pip \
 $(PKG_BUILD_DIR)/install-pip/lib/python$(PYTHON3_VERSION)/site-packages/pip-$(PYTHON3_PIP_VERSION).dist-info \
 $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/
- find $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/ -name __pycache__ | xargs rm -rf
+ for _ in \$(seq 1 10) ; do \
+ find $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/ -name __pycache__ -exec rm -rf {} \; || continue ; \
+ break ; \
+ done
 endef
 $(eval $(call Py3BasePackage,python3-pip, \
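Review bot: The retry loop around `find … -name __pycache__ -exec rm -rf {} \;` exists because `find` tries to descend into a `__pycache__` directory it has just deleted and exits non-zero with "No such file or directory"; `-prune` stops the descent so one pass suffices and the exit status becomes meaningful again: `find $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/ -name __pycache__ -prune -exec rm -rf {} \;`. Separately, `\$(seq 1 10)` inside a `define` block looks wrong: make does not treat a backslash as escaping `$`, so `$(seq 1 10)` appears to be expanded by make (to an empty variable) and the shell never sees `seq`; the usual spelling is `$$(seq 1 10)`. As written the loop body most likely runs exactly once, with `|| continue` merely discarding `find`'s status, so the retry is not actually in effect.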
@@ -14,8 +14,6 @@ endef
 define Py3Package/python3-setuptools/install
 $(INSTALL_DIR) $(1)/usr/bin $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages
- # Adjust shebang to proper python location on target
- sed "1s@.*@#\!/usr/bin/python$(PYTHON3_VERSION)@" -i $(PKG_BUILD_DIR)/install-setuptools/bin/*
 $(CP) $(PKG_BUILD_DIR)/install-setuptools/bin/easy_install-* $(1)/usr/bin
 $(LN) easy_install-$(PYTHON3_VERSION) $(1)/usr/bin/easy_install-3
 $(CP) \
@@ -24,7 +22,10 @@ define Py3Package/python3-setuptools/install
 $(PKG_BUILD_DIR)/install-setuptools/lib/python$(PYTHON3_VERSION)/site-packages/setuptools-$(PYTHON3_SETUPTOOLS_VERSION).dist-info \
 $(PKG_BUILD_DIR)/install-setuptools/lib/python$(PYTHON3_VERSION)/site-packages/easy_install.py \
 $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages
- find $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/ -name __pycache__ | xargs rm -rf
+ for _ in \$(seq 1 10) ; do \
+ find $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/ -name __pycache__ -exec rm -rf {} \; || continue ; \
+ break ; \
+ done
 endef
 $(eval $(call Py3BasePackage,python3-setuptools, \
diff --git a/lang/python/python3/patches/018-bpo-35746-Fix-segfault-in-ssl-s-cert-parser-GH-11569.patch b/lang/python/python3/patches/018-bpo-35746-Fix-segfault-in-ssl-s-cert-parser-GH-11569.patch
new file mode 100644
index 000000000..f2cc065e4
--- /dev/null
+++ b/lang/python/python3/patches/018-bpo-35746-Fix-segfault-in-ssl-s-cert-parser-GH-11569.patch
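Review bot: The same `__pycache__` cleanup loop as in python3-package-pip.mk is copied here, with the same two problems: the ten retries only paper over `find` descending into a directory it has just removed, which `-prune` prevents in a single pass (`find $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/ -name __pycache__ -prune -exec rm -rf {} \;`), and `\$(seq 1 10)` is not a make escape, so `$(seq 1 10)` is very likely expanded by make to nothing and the shell loops once over a stray backslash; `$$(seq 1 10)` is the intended form if a loop is kept. Since both install hooks now carry identical cleanup code, a shared helper in python3-package.mk would keep them from drifting apart.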
@@ -0,0 +1,120 @@ +From be5de958e9052e322b0087c6dba81cdad0c3e031 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Tue, 15 Jan 2019 15:03:36 -0800 +Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser (GH-11569) + +Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL +distribution points with empty DP or URI correctly. A malicious or buggy +certificate can result into segfault. + +Signed-off-by: Christian Heimes + +https://bugs.python.org/issue35746 +(cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3) + +Co-authored-by: Christian Heimes +--- + Lib/test/talos-2019-0758.pem | 22 +++++++++++++++++++ + Lib/test/test_ssl.py | 22 +++++++++++++++++++ + .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++ + Modules/_ssl.c | 4 ++++ + 4 files changed, 51 insertions(+) + create mode 100644 Lib/test/talos-2019-0758.pem + create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst + +diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem +new file mode 100644 +index 0000000000..13b95a77fd +--- /dev/null ++++ b/Lib/test/talos-2019-0758.pem +@@ -0,0 +1,22 @@ ++-----BEGIN CERTIFICATE----- ++MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO ++BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7 ++MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh ++bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB ++J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES ++V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD ++5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C ++1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP ++WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF ++j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp ++HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io 
++UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7 ++2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu ++bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG ++SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p ++t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr ++t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit ++p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV ++Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+ ++10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA== ++-----END CERTIFICATE----- +diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py +index f1b9565c8d..b6794ce3a8 100644 +--- a/Lib/test/test_ssl.py ++++ b/Lib/test/test_ssl.py +@@ -116,6 +116,7 @@ NONEXISTINGCERT = data_file("XXXnonexisting.pem") + BADKEY = data_file("badkey.pem") + NOKIACERT = data_file("nokia.pem") + NULLBYTECERT = data_file("nullbytecert.pem") ++TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem") + + DHFILE = data_file("ffdh3072.pem") + BYTES_DHFILE = os.fsencode(DHFILE) +@@ -365,6 +366,27 @@ class BasicSocketTests(unittest.TestCase): + self.assertEqual(p['crlDistributionPoints'], + ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',)) + ++ def test_parse_cert_CVE_2019_5010(self): ++ p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP) ++ if support.verbose: ++ sys.stdout.write("\n" + pprint.pformat(p) + "\n") ++ self.assertEqual( ++ p, ++ { ++ 'issuer': ( ++ (('countryName', 'UK'),), (('commonName', 'cody-ca'),)), ++ 'notAfter': 'Jun 14 18:00:58 2028 GMT', ++ 'notBefore': 'Jun 18 18:00:58 2018 GMT', ++ 'serialNumber': '02', ++ 'subject': ((('countryName', 'UK'),), ++ (('commonName', ++ 'codenomicon-vm-2.test.lal.cisco.com'),)), ++ 'subjectAltName': ( ++ ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),), ++ 'version': 3 ++ } ++ ) ++ + def test_parse_cert_CVE_2013_4238(self): + p = ssl._ssl._test_decode_cert(NULLBYTECERT) + if support.verbose: +diff --git 
a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst +new file mode 100644 +index 0000000000..dffe347eec +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst +@@ -0,0 +1,3 @@ ++[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did ++not handle CRL distribution points with empty DP or URI correctly. A ++malicious or buggy certificate can result into segfault. +diff --git a/Modules/_ssl.c b/Modules/_ssl.c +index 9894ad821d..9baec8a9bc 100644 +--- a/Modules/_ssl.c ++++ b/Modules/_ssl.c +@@ -1516,6 +1516,10 @@ _get_crl_dp(X509 *certificate) { + STACK_OF(GENERAL_NAME) *gns; + + dp = sk_DIST_POINT_value(dps, i); ++ if (dp->distpoint == NULL) { ++ /* Ignore empty DP value, CVE-2019-5010 */ ++ continue; ++ } + gns = dp->distpoint->name.fullname; + + for (j=0; j < sk_GENERAL_NAME_num(gns); j++) { +-- +2.17.1 +
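Review bot: As in the python2 copy of this backport, the new NULL test on `dp->distpoint` leaves the following `gns = dp->distpoint->name.fullname;` reading the `DIST_POINT_NAME` union without checking `dp->distpoint->type`; a distribution point given as a relative name (`type == 1`) stores `name.relativename` in that storage, and the loop below would walk that stack of `X509_NAME_ENTRY` as `GENERAL_NAME`s. `if (dp->distpoint == NULL || dp->distpoint->type != 0) { continue; }` would cover both cases, and since this is a verbatim upstream cherry-pick it belongs in an upstream report rather than a local edit of the patch. The test added to `test_ssl.py` pins the intended behaviour for the empty-DP certificate: the expected dict carries no `crlDistributionPoints` key at all, i.e. the extension is silently dropped rather than reported. `_get_crl_dp` begins and ends outside this hunk.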