summaryrefslogtreecommitdiff
path: root/recipes-devtools/python
diff options
context:
space:
mode:
authorAndrii Davydenko <andrii.davydenko@globallogic.com>2022-12-14 12:08:42 +0200
committerMykyta Dorokhin <mykyta.dorokhin@globallogic.com>2023-01-24 12:41:29 +0200
commit2eaa3fd064097eb221b56d5df0e7136ba705a0cd (patch)
tree2ca46c9a625d6f743933b1ea7e2fc6bd2581e6eb /recipes-devtools/python
parent1e52890ac41318d28923787af35541a8f9ee0653 (diff)
downloadmeta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.tar.gz
meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.tar.bz2
meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.zip
CVE Packages Update
Move libfastjson to the rsyslog directory rsyslog 8.2002.0 -> 8.2206.0 add ntp4.2.8 recipe with fixed CVEs update cryptsetup to 2.4.3 fix libxml2 CVE-2016-3709 curl 7.75.0 -> 7.86.0 strongswan 5.8.4 -> 5.9.8 libmodbus 3.1.6 -> 3.1.7 libesmtp 1.0.6 -> 1.1.0 cifs-utils 6.1 -> 7.0 update libtirpc to version 1.3.3 update rsync to version 3.2.5 Add zlib 1.2.13 upgrade gnutls to 3.7.8 upgrade openssh to 8.9p1 Add cmake 3.24.2 and cmake-native 3.24.2 to avoid loop dependecies building expat Add expat 2.5.0 to fix CVE-2022-40674 and CVE-2022-43680 openvpn 2.4.9 -> 2.4.12 hostapd 2.9 -> 2.10 [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Openssh 8.9p1 no longer needed, because all necessary CVE fixes, backports and whitelists are present for current Openssh 8.4p1. There are no new CVE's in report. [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Backported CVE patches for python3 component. Need to remove after upgrading Yocto to version more than 3.1.21. [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Backported CVE patch for sudo component. Added 2 CVE's to whitelist for OpenVPN component.
Diffstat (limited to 'recipes-devtools/python')
-rw-r--r--recipes-devtools/python/python3/CVE-2022-37454.patch106
-rw-r--r--recipes-devtools/python/python3/CVE-2022-45061.patch101
-rw-r--r--recipes-devtools/python/python3_%.bbappend7
3 files changed, 214 insertions, 0 deletions
diff --git a/recipes-devtools/python/python3/CVE-2022-37454.patch b/recipes-devtools/python/python3/CVE-2022-37454.patch
new file mode 100644
index 0000000..f45c5bd
--- /dev/null
+++ b/recipes-devtools/python/python3/CVE-2022-37454.patch
@@ -0,0 +1,106 @@
+From 948c6794711458fd148a3fa62296cadeeb2ed631 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Fri, 28 Oct 2022 03:07:50 -0700
+Subject: [PATCH] [3.8] gh-98517: Fix buffer overflows in _sha3 module
+ (GH-98519) (#98527)
+
+This is a port of the applicable part of XKCP's fix [1] for
+CVE-2022-37454 and avoids the segmentation fault and the infinite
+loop in the test cases published in [2].
+
+[1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
+[2]: https://mouha.be/sha-3-buffer-overflow/
+
+Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org>
+(cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3)
+
+Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
+
+CVE: CVE-2022-37454
+Upstream-Status: Backport [https://github.com/python/cpython/commit/948c6794711458fd148a3fa62296cadeeb2ed631]
+Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
+---
+ Lib/test/test_hashlib.py | 9 +++++++++
+ .../2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst | 1 +
+ Modules/_sha3/kcp/KeccakSponge.inc | 15 ++++++++-------
+ 3 files changed, 18 insertions(+), 7 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
+
+diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py
+index 8b53d23ef525..e6cec4e306e5 100644
+--- a/Lib/test/test_hashlib.py
++++ b/Lib/test/test_hashlib.py
+@@ -434,6 +434,15 @@ def test_case_md5_huge(self, size):
+ def test_case_md5_uintmax(self, size):
+ self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3')
+
++ @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems')
++ @bigmemtest(size=_4G - 1, memuse=1, dry_run=False)
++ def test_sha3_update_overflow(self, size):
++ """Regression test for gh-98517 CVE-2022-37454."""
++ h = hashlib.sha3_224()
++ h.update(b'\x01')
++ h.update(b'\x01'*0xffff_ffff)
++ self.assertEqual(h.hexdigest(), '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed')
++
+ # use the three examples from Federal Information Processing Standards
+ # Publication 180-1, Secure Hash Standard, 1995 April 17
+ # http://www.itl.nist.gov/div897/pubs/fip180-1.htm
+diff --git a/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
+new file mode 100644
+index 000000000000..2d23a6ad93c7
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst
+@@ -0,0 +1 @@
++Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454).
+diff --git a/Modules/_sha3/kcp/KeccakSponge.inc b/Modules/_sha3/kcp/KeccakSponge.inc
+index e10739deafa8..cf92e4db4d36 100644
+--- a/Modules/_sha3/kcp/KeccakSponge.inc
++++ b/Modules/_sha3/kcp/KeccakSponge.inc
+@@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat
+ i = 0;
+ curData = data;
+ while(i < dataByteLen) {
+- if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) {
++ if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) {
+ #ifdef SnP_FastLoop_Absorb
+ /* processing full blocks first */
+
+@@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat
+ }
+ else {
+ /* normal lane: using the message queue */
+-
+- partialBlock = (unsigned int)(dataByteLen - i);
+- if (partialBlock+instance->byteIOIndex > rateInBytes)
++ if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
+ partialBlock = rateInBytes-instance->byteIOIndex;
++ else
++ partialBlock = (unsigned int)(dataByteLen - i);
+ #ifdef KeccakReference
+ displayBytes(1, "Block to be absorbed (part)", curData, partialBlock);
+ #endif
+@@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte
+ i = 0;
+ curData = data;
+ while(i < dataByteLen) {
+- if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) {
++ if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) {
+ for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
+ SnP_Permute(instance->state);
+ SnP_ExtractBytes(instance->state, curData, 0, rateInBytes);
+@@ -299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte
+ SnP_Permute(instance->state);
+ instance->byteIOIndex = 0;
+ }
+- partialBlock = (unsigned int)(dataByteLen - i);
+- if (partialBlock+instance->byteIOIndex > rateInBytes)
++ if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
+ partialBlock = rateInBytes-instance->byteIOIndex;
++ else
++ partialBlock = (unsigned int)(dataByteLen - i);
+ i += partialBlock;
+
+ SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);
+
diff --git a/recipes-devtools/python/python3/CVE-2022-45061.patch b/recipes-devtools/python/python3/CVE-2022-45061.patch
new file mode 100644
index 0000000..2d0a449
--- /dev/null
+++ b/recipes-devtools/python/python3/CVE-2022-45061.patch
@@ -0,0 +1,101 @@
+From 064ec20bf7a181ba5fa961aaa12973812aa6ca5d Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 7 Nov 2022 18:57:10 -0800
+Subject: [PATCH] [3.11] gh-98433: Fix quadratic time idna decoding. (GH-99092)
+ (GH-99222)
+
+There was an unnecessary quadratic loop in idna decoding. This restores
+the behavior to linear.
+
+(cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d)
+
+(cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15)
+
+Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <greg@krypto.org>
+
+CVE: CVE-2022-45061
+Upstream-Status: Backport [https://github.com/python/cpython/pull/99231/commits/064ec20bf7a181ba5fa961aaa12973812aa6ca5d]
+Signed-off-by: Omkar Patil <Omkar.Patil@kpit.com>
+
+---
+ Lib/encodings/idna.py | 32 +++++++++----------
+ Lib/test/test_codecs.py | 6 ++++
+ ...2-11-04-09-29-36.gh-issue-98433.l76c5G.rst | 6 ++++
+ 3 files changed, 27 insertions(+), 17 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
+
+diff --git a/Lib/encodings/idna.py b/Lib/encodings/idna.py
+index ea4058512fe3..bf98f513366b 100644
+--- a/Lib/encodings/idna.py
++++ b/Lib/encodings/idna.py
+@@ -39,23 +39,21 @@ def nameprep(label):
+
+ # Check bidi
+ RandAL = [stringprep.in_table_d1(x) for x in label]
+- for c in RandAL:
+- if c:
+- # There is a RandAL char in the string. Must perform further
+- # tests:
+- # 1) The characters in section 5.8 MUST be prohibited.
+- # This is table C.8, which was already checked
+- # 2) If a string contains any RandALCat character, the string
+- # MUST NOT contain any LCat character.
+- if any(stringprep.in_table_d2(x) for x in label):
+- raise UnicodeError("Violation of BIDI requirement 2")
+-
+- # 3) If a string contains any RandALCat character, a
+- # RandALCat character MUST be the first character of the
+- # string, and a RandALCat character MUST be the last
+- # character of the string.
+- if not RandAL[0] or not RandAL[-1]:
+- raise UnicodeError("Violation of BIDI requirement 3")
++ if any(RandAL):
++ # There is a RandAL char in the string. Must perform further
++ # tests:
++ # 1) The characters in section 5.8 MUST be prohibited.
++ # This is table C.8, which was already checked
++ # 2) If a string contains any RandALCat character, the string
++ # MUST NOT contain any LCat character.
++ if any(stringprep.in_table_d2(x) for x in label):
++ raise UnicodeError("Violation of BIDI requirement 2")
++ # 3) If a string contains any RandALCat character, a
++ # RandALCat character MUST be the first character of the
++ # string, and a RandALCat character MUST be the last
++ # character of the string.
++ if not RandAL[0] or not RandAL[-1]:
++ raise UnicodeError("Violation of BIDI requirement 3")
+
+ return label
+
+diff --git a/Lib/test/test_codecs.py b/Lib/test/test_codecs.py
+index d1faf0126c1e..37ade7d80d02 100644
+--- a/Lib/test/test_codecs.py
++++ b/Lib/test/test_codecs.py
+@@ -1532,6 +1532,12 @@ def test_builtin_encode(self):
+ self.assertEqual("pyth\xf6n.org".encode("idna"), b"xn--pythn-mua.org")
+ self.assertEqual("pyth\xf6n.org.".encode("idna"), b"xn--pythn-mua.org.")
+
++ def test_builtin_decode_length_limit(self):
++ with self.assertRaisesRegex(UnicodeError, "too long"):
++ (b"xn--016c"+b"a"*1100).decode("idna")
++ with self.assertRaisesRegex(UnicodeError, "too long"):
++ (b"xn--016c"+b"a"*70).decode("idna")
++
+ def test_stream(self):
+ r = codecs.getreader("idna")(io.BytesIO(b"abc"))
+ r.read(3)
+diff --git a/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
+new file mode 100644
+index 000000000000..5185fac2e29d
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
+@@ -0,0 +1,6 @@
++The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio`
++related name resolution functions no longer involves a quadratic algorithm.
++This prevents a potential CPU denial of service if an out-of-spec excessive
++length hostname involving bidirectional characters were decoded. Some protocols
++such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker
++to supply such a name.
+
diff --git a/recipes-devtools/python/python3_%.bbappend b/recipes-devtools/python/python3_%.bbappend
index 70b4561..6636814 100644
--- a/recipes-devtools/python/python3_%.bbappend
+++ b/recipes-devtools/python/python3_%.bbappend
@@ -1,6 +1,13 @@
# Make python3 the default
# Remove this stuff if there is ever a python4.
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI_append = " \
+ file://CVE-2022-45061.patch \
+ file://CVE-2022-37454.patch \
+"
+
# Debian and Ubuntu have this (prior levels linked to python2)
PACKAGES_append = " python-is-python3"
ALLOW_EMPTY_python-is-python3 = "1"