From 14d0a9c58dc12c089c3d2209ebb1d9b37b68abad Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Mon, 4 Feb 2019 16:10:08 +0200 Subject: [PATCH 1/8] python,python3: move .exe removal in `python-package-install.sh` script It's a common operation for both Python & Python3, so move it to the script `python-package-install.sh` script. Signed-off-by: Alexandru Ardelean --- lang/python/python-package-install.sh | 2 ++ lang/python/python-package.mk | 2 -- lang/python/python3-package.mk | 2 -- 3 files changed, 2 insertions(+), 4 deletions(-) diff --git a/lang/python/python-package-install.sh b/lang/python/python-package-install.sh index e5f6ec893..ae6f2ef77 100644 --- a/lang/python/python-package-install.sh +++ b/lang/python/python-package-install.sh @@ -47,6 +47,8 @@ python="$4" mode="$5" filespec="$6" +find "$src_dir" -name "*\.exe" | xargs rm -f + process_filespec "$src_dir" "$dst_dir" "$filespec" || { echo "process filespec error-ed" exit 1 diff --git a/lang/python/python-package.mk b/lang/python/python-package.mk index 66a492983..af35dcdb3 100644 --- a/lang/python/python-package.mk +++ b/lang/python/python-package.mk @@ -69,7 +69,6 @@ define PyPackage define Package/$(1)/install $(call PyPackage/$(1)/install,$$(1)) - find $(PKG_INSTALL_DIR) -name "*\.exe" | xargs rm -f $(SHELL) $(python_mk_path)python-package-install.sh "2" \ "$(PKG_INSTALL_DIR)" "$$(1)" \ "$(HOST_PYTHON_BIN)" "$$(2)" \ @@ -113,7 +112,6 @@ define Build/Compile/PyMod cd $(PKG_BUILD_DIR)/$(strip $(1)), \ ./setup.py $(2), \ $(3)) - find $(PKG_INSTALL_DIR) -name "*\.exe" | xargs rm -f endef PYTHON_PKG_SETUP_ARGS:=--single-version-externally-managed diff --git a/lang/python/python3-package.mk b/lang/python/python3-package.mk index 9e473b5c5..9cfa7673e 100644 --- a/lang/python/python3-package.mk +++ b/lang/python/python3-package.mk @@ -68,7 +68,6 @@ define Py3Package define Package/$(1)/install $(call Py3Package/$(1)/install,$$(1)) - find $(PKG_INSTALL_DIR) -name "*\.exe" | xargs rm -f $(SHELL) $(python3_mk_path)python-package-install.sh "3" \ "$(PKG_INSTALL_DIR)" "$$(1)" \ "$(HOST_PYTHON3_BIN)" "$$(2)" \ @@ -112,7 +111,6 @@ define Build/Compile/Py3Mod cd $(PKG_BUILD_DIR)/$(strip $(1)), \ ./setup.py $(2), \ $(3)) - find $(PKG_INSTALL_DIR) -name "*\.exe" | xargs rm -f endef PYTHON3_PKG_SETUP_ARGS:=--single-version-externally-managed From 1bf7679211425bb0f63f22ce00c700c7d84eb2d4 Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Tue, 5 Feb 2019 12:04:43 +0200 Subject: [PATCH 2/8] python,python3: make deletion tolerant for paths with spaces Piping to xargs does not handle spaces in paths too well, because it splits up the paths. For deleting empty dirs, we also need to do several retries, otherwise `find` will try to go through the directories after they're deleted. Signed-off-by: Alexandru Ardelean --- lang/python/python-package-install.sh | 31 ++++++++++--------- .../python3/files/python3-package-pip.mk | 5 ++- .../files/python3-package-setuptools.mk | 5 ++- 3 files changed, 25 insertions(+), 16 deletions(-) diff --git a/lang/python/python-package-install.sh b/lang/python/python-package-install.sh index ae6f2ef77..30373751c 100644 --- a/lang/python/python-package-install.sh +++ b/lang/python/python-package-install.sh @@ -40,6 +40,17 @@ process_filespec() { ) } +delete_empty_dirs() { + local dst_dir="$1" + if [ -d "$dst_dir/usr" ] ; then + for _ in $(seq 1 10) ; do + find "$dst_dir/usr" -empty -type d -exec rmdir {} \; || continue + break + done + rmdir "$dst_dir/usr" || true + fi +} + ver="$1" src_dir="$2" dst_dir="$3" @@ -47,7 +58,7 @@ python="$4" mode="$5" filespec="$6" -find "$src_dir" -name "*\.exe" | xargs rm -f +find "$src_dir" -name "*\.exe" -exec rm -f {} \; process_filespec "$src_dir" "$dst_dir" "$filespec" || { echo "process filespec error-ed" @@ -56,13 +67,9 @@ process_filespec "$src_dir" "$dst_dir" "$filespec" || { if [ "$mode" == "sources" ] ; then # Copy only python source files - find $dst_dir -not -type d -not -name "*\.py" | xargs rm -f + find "$dst_dir" -not -type d -not -name "*\.py" -exec rm -f {} \; - # Delete empty folders (if the case) - if [ -d "$dst_dir/usr" ] ; then - find $dst_dir/usr -type d | xargs rmdir --ignore-fail-on-non-empty - rmdir --ignore-fail-on-non-empty $dst_dir/usr - fi + delete_empty_dirs "$dst_dir" exit 0 fi @@ -75,19 +82,15 @@ legacy= # So, we just stuck to un-optimized byte-codes, # which is still way better/faster than running # Python sources all the time. -$python -m compileall $legacy -d '/' $dst_dir || { +$python -m compileall $legacy -d '/' "$dst_dir" || { echo "python -m compileall err-ed" exit 1 } # Delete source files and pyc [ un-optimized bytecode files ] # We may want to make this optimization thing configurable later, but not sure atm -find $dst_dir -type f -name "*\.py" | xargs rm -f +find "$dst_dir" -type f -name "*\.py" -exec rm -f {} \; -# Delete empty folders (if the case) -if [ -d "$dst_dir/usr" ] ; then - find $dst_dir/usr -type d | xargs rmdir --ignore-fail-on-non-empty - rmdir --ignore-fail-on-non-empty $dst_dir/usr -fi +delete_empty_dirs "$dst_dir" exit 0 diff --git a/lang/python/python3/files/python3-package-pip.mk b/lang/python/python3/files/python3-package-pip.mk index 1aaeaf2ee..8e209e139 100644 --- a/lang/python/python3/files/python3-package-pip.mk +++ b/lang/python/python3/files/python3-package-pip.mk @@ -21,7 +21,10 @@ define Package/python3-pip/install $(PKG_BUILD_DIR)/install-pip/lib/python$(PYTHON3_VERSION)/site-packages/pip \ $(PKG_BUILD_DIR)/install-pip/lib/python$(PYTHON3_VERSION)/site-packages/pip-$(PYTHON3_PIP_VERSION).dist-info \ $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/ - find $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/ -name __pycache__ | xargs rm -rf + for _ in \$(seq 1 10) ; do \ + find $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/ -name __pycache__ -exec rm -rf {} \; || continue ; \ + break ; \ + done endef $(eval $(call Py3BasePackage,python3-pip, \ diff --git a/lang/python/python3/files/python3-package-setuptools.mk b/lang/python/python3/files/python3-package-setuptools.mk index c8415cbd9..472f5a620 100644 --- a/lang/python/python3/files/python3-package-setuptools.mk +++ b/lang/python/python3/files/python3-package-setuptools.mk @@ -24,7 +24,10 @@ define Py3Package/python3-setuptools/install $(PKG_BUILD_DIR)/install-setuptools/lib/python$(PYTHON3_VERSION)/site-packages/setuptools-$(PYTHON3_SETUPTOOLS_VERSION).dist-info \ $(PKG_BUILD_DIR)/install-setuptools/lib/python$(PYTHON3_VERSION)/site-packages/easy_install.py \ $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages - find $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/ -name __pycache__ | xargs rm -rf + for _ in \$(seq 1 10) ; do \ + find $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages/ -name __pycache__ -exec rm -rf {} \; || continue ; \ + break ; \ + done endef $(eval $(call Py3BasePackage,python3-setuptools, \ From ed862da9367a6f488a9afee78bfc99dbc9b6906a Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Mon, 4 Feb 2019 16:36:25 +0200 Subject: [PATCH 3/8] python,python3: move shebang handle in install script This extends the Python[3] shebang fixup to all packages. Only Python scripts in `/usr/bin` will be handled at the moment. Later it may make sense to also cover executables in `/bin`, though typically Python executables shouldn't be placed there. Previously the shebang handling was only done for python[3]-pip & python[3]-setuptools. Signed-off-by: Alexandru Ardelean --- lang/python/python-package-install.sh | 6 ++++++ lang/python/python/files/python-package-pip.mk | 2 -- lang/python/python/files/python-package-setuptools.mk | 2 -- lang/python/python3/files/python3-package-pip.mk | 2 -- lang/python/python3/files/python3-package-setuptools.mk | 2 -- 5 files changed, 6 insertions(+), 8 deletions(-) diff --git a/lang/python/python-package-install.sh b/lang/python/python-package-install.sh index 30373751c..a1b21e49f 100644 --- a/lang/python/python-package-install.sh +++ b/lang/python/python-package-install.sh @@ -65,6 +65,12 @@ process_filespec "$src_dir" "$dst_dir" "$filespec" || { exit 1 } +usr_bin_dir="$dst_dir/usr/bin" + +if [ -d "$usr_bin_dir" ] ; then + sed "1"'!'"b;s,^#"'!'".*python.*,#"'!'"/usr/bin/python${ver}," -i $usr_bin_dir/* +fi + if [ "$mode" == "sources" ] ; then # Copy only python source files find "$dst_dir" -not -type d -not -name "*\.py" -exec rm -f {} \; diff --git a/lang/python/python/files/python-package-pip.mk b/lang/python/python/files/python-package-pip.mk index b08256464..e0c6de978 100644 --- a/lang/python/python/files/python-package-pip.mk +++ b/lang/python/python/files/python-package-pip.mk @@ -14,8 +14,6 @@ endef define PyPackage/python-pip/install $(INSTALL_DIR) $(1)/usr/bin $(1)/usr/lib/python$(PYTHON_VERSION)/site-packages - # Adjust shebang to proper python location on target - sed "1s@.*@#\!/usr/bin/python$(PYTHON_VERSION)@" -i $(PKG_BUILD_DIR)/install-pip/bin/* $(CP) $(PKG_BUILD_DIR)/install-pip/bin/* $(1)/usr/bin $(CP) \ $(PKG_BUILD_DIR)/install-pip/lib/python$(PYTHON_VERSION)/site-packages/pip \ diff --git a/lang/python/python/files/python-package-setuptools.mk b/lang/python/python/files/python-package-setuptools.mk index 413ec7979..f90b01864 100644 --- a/lang/python/python/files/python-package-setuptools.mk +++ b/lang/python/python/files/python-package-setuptools.mk @@ -14,8 +14,6 @@ endef define PyPackage/python-setuptools/install $(INSTALL_DIR) $(1)/usr/bin $(1)/usr/lib/python$(PYTHON_VERSION)/site-packages - # Adjust shebang to proper python location on target - sed "1s@.*@#\!/usr/bin/python$(PYTHON_VERSION)@" -i $(PKG_BUILD_DIR)/install-setuptools/bin/* $(CP) $(PKG_BUILD_DIR)/install-setuptools/bin/* $(1)/usr/bin $(CP) \ $(PKG_BUILD_DIR)/install-setuptools/lib/python$(PYTHON_VERSION)/site-packages/pkg_resources \ diff --git a/lang/python/python3/files/python3-package-pip.mk b/lang/python/python3/files/python3-package-pip.mk index 8e209e139..fd1cd59d5 100644 --- a/lang/python/python3/files/python3-package-pip.mk +++ b/lang/python/python3/files/python3-package-pip.mk @@ -14,8 +14,6 @@ endef define Package/python3-pip/install $(INSTALL_DIR) $(1)/usr/bin $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages - # Adjust shebang to proper python location on target - sed "1s@.*@#\!/usr/bin/python$(PYTHON3_VERSION)@" -i $(PKG_BUILD_DIR)/install-pip/bin/* $(CP) $(PKG_BUILD_DIR)/install-pip/bin/pip3* $(1)/usr/bin $(CP) \ $(PKG_BUILD_DIR)/install-pip/lib/python$(PYTHON3_VERSION)/site-packages/pip \ diff --git a/lang/python/python3/files/python3-package-setuptools.mk b/lang/python/python3/files/python3-package-setuptools.mk index 472f5a620..5cb5f58de 100644 --- a/lang/python/python3/files/python3-package-setuptools.mk +++ b/lang/python/python3/files/python3-package-setuptools.mk @@ -14,8 +14,6 @@ endef define Py3Package/python3-setuptools/install $(INSTALL_DIR) $(1)/usr/bin $(1)/usr/lib/python$(PYTHON3_VERSION)/site-packages - # Adjust shebang to proper python location on target - sed "1s@.*@#\!/usr/bin/python$(PYTHON3_VERSION)@" -i $(PKG_BUILD_DIR)/install-setuptools/bin/* $(CP) $(PKG_BUILD_DIR)/install-setuptools/bin/easy_install-* $(1)/usr/bin $(LN) easy_install-$(PYTHON3_VERSION) $(1)/usr/bin/easy_install-3 $(CP) \ From c76759809768f2327a1ed2d831437122665be056 Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Mon, 4 Feb 2019 11:28:00 +0200 Subject: [PATCH 4/8] python,python3: fix CVE-2019-5010 - Denial of Service This patch addresses issue: [ssl][CVE-2019-5010] TALOS-2018-0758 Denial of Service Link to Python issue: https://bugs.python.org/issue35746 Signed-off-by: Alexandru Ardelean --- lang/python/python/Makefile | 2 +- ...gfault-in-ssl-s-cert-parser-GH-11569.patch | 120 ++++++++++++++++++ lang/python/python3/Makefile | 2 +- ...gfault-in-ssl-s-cert-parser-GH-11569.patch | 120 ++++++++++++++++++ 4 files changed, 242 insertions(+), 2 deletions(-) create mode 100644 lang/python/python/patches/018-bpo-35746-Fix-segfault-in-ssl-s-cert-parser-GH-11569.patch create mode 100644 lang/python/python3/patches/018-bpo-35746-Fix-segfault-in-ssl-s-cert-parser-GH-11569.patch diff --git a/lang/python/python/Makefile b/lang/python/python/Makefile index a065edaa0..041b3028c 100644 --- a/lang/python/python/Makefile +++ b/lang/python/python/Makefile @@ -12,7 +12,7 @@ include ../python-version.mk PKG_NAME:=python PKG_VERSION:=$(PYTHON_VERSION).$(PYTHON_VERSION_MICRO) -PKG_RELEASE:=4 +PKG_RELEASE:=5 PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://www.python.org/ftp/python/$(PKG_VERSION) diff --git a/lang/python/python/patches/018-bpo-35746-Fix-segfault-in-ssl-s-cert-parser-GH-11569.patch b/lang/python/python/patches/018-bpo-35746-Fix-segfault-in-ssl-s-cert-parser-GH-11569.patch new file mode 100644 index 000000000..05e0ae64f --- /dev/null +++ b/lang/python/python/patches/018-bpo-35746-Fix-segfault-in-ssl-s-cert-parser-GH-11569.patch @@ -0,0 +1,120 @@ +From 06b15424b0dcacb1c551b2a36e739fffa8d0c595 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Tue, 15 Jan 2019 15:11:52 -0800 +Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser (GH-11569) + +Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL +distribution points with empty DP or URI correctly. A malicious or buggy +certificate can result into segfault. + +Signed-off-by: Christian Heimes + +https://bugs.python.org/issue35746 +(cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3) + +Co-authored-by: Christian Heimes +--- + Lib/test/talos-2019-0758.pem | 22 +++++++++++++++++++ + Lib/test/test_ssl.py | 22 +++++++++++++++++++ + .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++ + Modules/_ssl.c | 4 ++++ + 4 files changed, 51 insertions(+) + create mode 100644 Lib/test/talos-2019-0758.pem + create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst + +diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem +new file mode 100644 +index 0000000000..13b95a77fd +--- /dev/null ++++ b/Lib/test/talos-2019-0758.pem +@@ -0,0 +1,22 @@ ++-----BEGIN CERTIFICATE----- ++MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO ++BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7 ++MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh ++bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB ++J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES ++V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD ++5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C ++1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP ++WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF ++j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp ++HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io ++UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7 ++2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu ++bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG ++SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p ++t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr ++t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit ++p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV ++Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+ ++10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA== ++-----END CERTIFICATE----- +diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py +index e476031702..9240184d98 100644 +--- a/Lib/test/test_ssl.py ++++ b/Lib/test/test_ssl.py +@@ -72,6 +72,7 @@ NONEXISTINGCERT = data_file("XXXnonexisting.pem") + BADKEY = data_file("badkey.pem") + NOKIACERT = data_file("nokia.pem") + NULLBYTECERT = data_file("nullbytecert.pem") ++TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem") + + DHFILE = data_file("ffdh3072.pem") + BYTES_DHFILE = DHFILE.encode(sys.getfilesystemencoding()) +@@ -227,6 +228,27 @@ class BasicSocketTests(unittest.TestCase): + self.assertEqual(p['crlDistributionPoints'], + ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',)) + ++ def test_parse_cert_CVE_2019_5010(self): ++ p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP) ++ if support.verbose: ++ sys.stdout.write("\n" + pprint.pformat(p) + "\n") ++ self.assertEqual( ++ p, ++ { ++ 'issuer': ( ++ (('countryName', 'UK'),), (('commonName', 'cody-ca'),)), ++ 'notAfter': 'Jun 14 18:00:58 2028 GMT', ++ 'notBefore': 'Jun 18 18:00:58 2018 GMT', ++ 'serialNumber': '02', ++ 'subject': ((('countryName', 'UK'),), ++ (('commonName', ++ 'codenomicon-vm-2.test.lal.cisco.com'),)), ++ 'subjectAltName': ( ++ ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),), ++ 'version': 3 ++ } ++ ) ++ + def test_parse_cert_CVE_2013_4238(self): + p = ssl._ssl._test_decode_cert(NULLBYTECERT) + if support.verbose: +diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst +new file mode 100644 +index 0000000000..dffe347eec +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst +@@ -0,0 +1,3 @@ ++[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did ++not handle CRL distribution points with empty DP or URI correctly. A ++malicious or buggy certificate can result into segfault. +diff --git a/Modules/_ssl.c b/Modules/_ssl.c +index a96c419260..19bb1207b4 100644 +--- a/Modules/_ssl.c ++++ b/Modules/_ssl.c +@@ -1223,6 +1223,10 @@ _get_crl_dp(X509 *certificate) { + STACK_OF(GENERAL_NAME) *gns; + + dp = sk_DIST_POINT_value(dps, i); ++ if (dp->distpoint == NULL) { ++ /* Ignore empty DP value, CVE-2019-5010 */ ++ continue; ++ } + gns = dp->distpoint->name.fullname; + + for (j=0; j < sk_GENERAL_NAME_num(gns); j++) { +-- +2.17.1 + diff --git a/lang/python/python3/Makefile b/lang/python/python3/Makefile index ebe71b555..a88b8165c 100644 --- a/lang/python/python3/Makefile +++ b/lang/python/python3/Makefile @@ -14,7 +14,7 @@ PYTHON_VERSION:=$(PYTHON3_VERSION) PYTHON_VERSION_MICRO:=$(PYTHON3_VERSION_MICRO) PKG_NAME:=python3 -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_VERSION:=$(PYTHON_VERSION).$(PYTHON_VERSION_MICRO) PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz diff --git a/lang/python/python3/patches/018-bpo-35746-Fix-segfault-in-ssl-s-cert-parser-GH-11569.patch b/lang/python/python3/patches/018-bpo-35746-Fix-segfault-in-ssl-s-cert-parser-GH-11569.patch new file mode 100644 index 000000000..f2cc065e4 --- /dev/null +++ b/lang/python/python3/patches/018-bpo-35746-Fix-segfault-in-ssl-s-cert-parser-GH-11569.patch @@ -0,0 +1,120 @@ +From be5de958e9052e322b0087c6dba81cdad0c3e031 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Tue, 15 Jan 2019 15:03:36 -0800 +Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser (GH-11569) + +Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL +distribution points with empty DP or URI correctly. A malicious or buggy +certificate can result into segfault. + +Signed-off-by: Christian Heimes + +https://bugs.python.org/issue35746 +(cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3) + +Co-authored-by: Christian Heimes +--- + Lib/test/talos-2019-0758.pem | 22 +++++++++++++++++++ + Lib/test/test_ssl.py | 22 +++++++++++++++++++ + .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++ + Modules/_ssl.c | 4 ++++ + 4 files changed, 51 insertions(+) + create mode 100644 Lib/test/talos-2019-0758.pem + create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst + +diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem +new file mode 100644 +index 0000000000..13b95a77fd +--- /dev/null ++++ b/Lib/test/talos-2019-0758.pem +@@ -0,0 +1,22 @@ ++-----BEGIN CERTIFICATE----- ++MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO ++BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7 ++MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh ++bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB ++J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES ++V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD ++5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C ++1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP ++WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF ++j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp ++HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io ++UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7 ++2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu ++bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG ++SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p ++t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr ++t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit ++p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV ++Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+ ++10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA== ++-----END CERTIFICATE----- +diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py +index f1b9565c8d..b6794ce3a8 100644 +--- a/Lib/test/test_ssl.py ++++ b/Lib/test/test_ssl.py +@@ -116,6 +116,7 @@ NONEXISTINGCERT = data_file("XXXnonexisting.pem") + BADKEY = data_file("badkey.pem") + NOKIACERT = data_file("nokia.pem") + NULLBYTECERT = data_file("nullbytecert.pem") ++TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem") + + DHFILE = data_file("ffdh3072.pem") + BYTES_DHFILE = os.fsencode(DHFILE) +@@ -365,6 +366,27 @@ class BasicSocketTests(unittest.TestCase): + self.assertEqual(p['crlDistributionPoints'], + ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',)) + ++ def test_parse_cert_CVE_2019_5010(self): ++ p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP) ++ if support.verbose: ++ sys.stdout.write("\n" + pprint.pformat(p) + "\n") ++ self.assertEqual( ++ p, ++ { ++ 'issuer': ( ++ (('countryName', 'UK'),), (('commonName', 'cody-ca'),)), ++ 'notAfter': 'Jun 14 18:00:58 2028 GMT', ++ 'notBefore': 'Jun 18 18:00:58 2018 GMT', ++ 'serialNumber': '02', ++ 'subject': ((('countryName', 'UK'),), ++ (('commonName', ++ 'codenomicon-vm-2.test.lal.cisco.com'),)), ++ 'subjectAltName': ( ++ ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),), ++ 'version': 3 ++ } ++ ) ++ + def test_parse_cert_CVE_2013_4238(self): + p = ssl._ssl._test_decode_cert(NULLBYTECERT) + if support.verbose: +diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst +new file mode 100644 +index 0000000000..dffe347eec +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst +@@ -0,0 +1,3 @@ ++[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did ++not handle CRL distribution points with empty DP or URI correctly. A ++malicious or buggy certificate can result into segfault. +diff --git a/Modules/_ssl.c b/Modules/_ssl.c +index 9894ad821d..9baec8a9bc 100644 +--- a/Modules/_ssl.c ++++ b/Modules/_ssl.c +@@ -1516,6 +1516,10 @@ _get_crl_dp(X509 *certificate) { + STACK_OF(GENERAL_NAME) *gns; + + dp = sk_DIST_POINT_value(dps, i); ++ if (dp->distpoint == NULL) { ++ /* Ignore empty DP value, CVE-2019-5010 */ ++ continue; ++ } + gns = dp->distpoint->name.fullname; + + for (j=0; j < sk_GENERAL_NAME_num(gns); j++) { +-- +2.17.1 + From a06a7870f3285e45b471a24cbf24a490d5ed3065 Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Tue, 12 Feb 2019 11:47:11 +0200 Subject: [PATCH 5/8] python-pyasn1-modules: bump to version 0.2.4 Signed-off-by: Alexandru Ardelean --- lang/python/python-pyasn1-modules/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lang/python/python-pyasn1-modules/Makefile b/lang/python/python-pyasn1-modules/Makefile index 8ee4e1d3a..a41daabcc 100644 --- a/lang/python/python-pyasn1-modules/Makefile +++ b/lang/python/python-pyasn1-modules/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=python-pyasn1-modules -PKG_VERSION:=0.2.3 +PKG_VERSION:=0.2.4 PKG_RELEASE:=1 PKG_SOURCE:=pyasn1-modules-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://files.pythonhosted.org/packages/source/p/pyasn1-modules -PKG_HASH:=d14fcb29dabecba3d7b360bf72327c26c385248a5d603cf6be5f566ce999b261 +PKG_HASH:=a52090e8c5841ebbf08ae455146792d9ef3e8445b21055d3a3b7ed9c712b7c7c PKG_LICENSE:=BSD-2-Clause PKG_LICENSE_FILES:=LICENSE.txt From c2fe5fae4262795dcaa0a54db18e3825992a2b54 Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Tue, 12 Feb 2019 11:48:48 +0200 Subject: [PATCH 6/8] python-cryptography: bump to version 2.5 Signed-off-by: Alexandru Ardelean --- lang/python/python-cryptography/Makefile | 4 ++-- .../002-remove-undefined-dtls-methods.patch | 23 ------------------- 2 files changed, 2 insertions(+), 25 deletions(-) delete mode 100644 lang/python/python-cryptography/patches/002-remove-undefined-dtls-methods.patch diff --git a/lang/python/python-cryptography/Makefile b/lang/python/python-cryptography/Makefile index 9c9e5405a..692d1f63e 100644 --- a/lang/python/python-cryptography/Makefile +++ b/lang/python/python-cryptography/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=python-cryptography -PKG_VERSION:=2.4.2 +PKG_VERSION:=2.5 PKG_RELEASE:=1 PKG_SOURCE:=cryptography-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= https://files.pythonhosted.org/packages/source/c/cryptography -PKG_HASH:=05a6052c6a9f17ff78ba78f8e6eb1d777d25db3b763343a1ae89a7a8670386dd +PKG_HASH:=4946b67235b9d2ea7d31307be9d5ad5959d6c4a8f98f900157b47abddf698401 PKG_LICENSE:=Apache-2.0 BSD-3-Clause PKG_LICENSE_FILES:=LICENSE.APACHE LICENSE.BSD diff --git a/lang/python/python-cryptography/patches/002-remove-undefined-dtls-methods.patch b/lang/python/python-cryptography/patches/002-remove-undefined-dtls-methods.patch deleted file mode 100644 index dfceff5c8..000000000 --- a/lang/python/python-cryptography/patches/002-remove-undefined-dtls-methods.patch +++ /dev/null @@ -1,23 +0,0 @@ -From e7a6229b332969d621aaf25f3fc5cdd99e3c9072 Mon Sep 17 00:00:00 2001 -From: Rosen Penev -Date: Sun, 18 Nov 2018 18:04:01 -0800 -Subject: [PATCH] Adjust DTLS check (#4593) - -OpenSSL defines these even with OPENSSL_NO_DTLS. ---- - src/_cffi_src/openssl/ssl.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py -index c921dbee..f0b8939c 100644 ---- a/src/_cffi_src/openssl/ssl.py -+++ b/src/_cffi_src/openssl/ssl.py -@@ -709,7 +709,7 @@ static const long TLS_ST_BEFORE = 0; - static const long TLS_ST_OK = 0; - #endif - --#if defined(OPENSSL_NO_DTLS) || CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 -+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 - static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 0; - const SSL_METHOD *(*DTLS_method)(void) = NULL; - const SSL_METHOD *(*DTLS_server_method)(void) = NULL; From e31f3b5a13c4bae302b4def9ce4b6b1521002f74 Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Tue, 12 Feb 2019 11:49:54 +0200 Subject: [PATCH 7/8] python-lxml: bump to version 4.3.1 Signed-off-by: Alexandru Ardelean --- lang/python/python-lxml/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lang/python/python-lxml/Makefile b/lang/python/python-lxml/Makefile index 3acaecff6..1d8b54c7e 100644 --- a/lang/python/python-lxml/Makefile +++ b/lang/python/python-lxml/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=python-lxml -PKG_VERSION:=4.3.0 +PKG_VERSION:=4.3.1 PKG_RELEASE:=1 PKG_SOURCE:=lxml-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://files.pythonhosted.org/packages/source/l/lxml -PKG_HASH:=d1e111b3ab98613115a208c1017f266478b0ab224a67bc8eac670fa0bad7d488 +PKG_HASH:=da5e7e941d6e71c9c9a717c93725cda0708c2474f532e3680ac5e39ec57d224d PKG_BUILD_DIR:=$(BUILD_DIR)/$(BUILD_VARIANT)-lxml-$(PKG_VERSION) PKG_UNPACK=$(HOST_TAR) -C $(PKG_BUILD_DIR) --strip-components=1 -xzf $(DL_DIR)/$(PKG_SOURCE) From 382f1ec6e4842d4cd9662c6e1c392f85e947a407 Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Tue, 12 Feb 2019 11:51:04 +0200 Subject: [PATCH 8/8] python-pyopenssl: bump to version 19.0.0 Signed-off-by: Alexandru Ardelean --- lang/python/python-pyopenssl/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lang/python/python-pyopenssl/Makefile b/lang/python/python-pyopenssl/Makefile index 9beefbae3..d68e19c66 100644 --- a/lang/python/python-pyopenssl/Makefile +++ b/lang/python/python-pyopenssl/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=python-pyopenssl -PKG_VERSION:=18.0.0 +PKG_VERSION:=19.0.0 PKG_RELEASE:=1 PKG_SOURCE:=pyOpenSSL-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://pypi.io/packages/source/p/pyOpenSSL -PKG_HASH:=6488f1423b00f73b7ad5167885312bb0ce410d3312eb212393795b53c8caa580 +PKG_HASH:=aeca66338f6de19d1aa46ed634c3b9ae519a64b458f8468aec688e7e3c20f200 PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE