From f0c33b14d28290945356d41788f5bbfc54265771 Mon Sep 17 00:00:00 2001 From: sxt1001 Date: Sat, 14 Nov 2020 18:40:38 +0800 Subject: [PATCH] fix CVE-2021-3177 --- CVE-2020-27619.patch | 67 +++++++ CVE-2021-3177.patch | 183 ++++++++++++++++++ ...rence-leak-if-a-thread-is-not-joined.patch | 63 ++++++ python3.spec | 29 ++- 4 files changed, 340 insertions(+), 2 deletions(-) create mode 100644 CVE-2020-27619.patch create mode 100644 CVE-2021-3177.patch create mode 100644 backport-Fix-a-reference-leak-if-a-thread-is-not-joined.patch diff --git a/CVE-2020-27619.patch b/CVE-2020-27619.patch new file mode 100644 index 0000000..1ba9598 --- /dev/null +++ b/CVE-2020-27619.patch @@ -0,0 +1,67 @@ +From 43e523103886af66d6c27cd72431b5d9d14cd2a9 Mon Sep 17 00:00:00 2001 +From: "Miss Skeleton (bot)" <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 19 Oct 2020 19:38:40 -0700 +Subject: [PATCH] bpo-41944: No longer call eval() on content received via HTTP + in the CJK codec tests (GH-22566) (GH-22578) + +(cherry picked from commit 2ef5caa58febc8968e670e39e3d37cf8eef3cab8) + +https://github.com/python/cpython/commit/43e523103886af66d6c27cd72431b5d9d14cd2a9 +reason:CVE-2020-27619 + +Co-authored-by: Serhiy Storchaka +--- + Lib/test/multibytecodec_support.py | 22 +++++++------------ + .../2020-10-05-17-43-46.bpo-41944.rf1dYb.rst | 1 + + 2 files changed, 9 insertions(+), 14 deletions(-) + create mode 100644 Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst + +diff --git a/Lib/test/multibytecodec_support.py b/Lib/test/multibytecodec_support.py +index cca8af67d6d1d..f76c0153f5ecf 100644 +--- a/Lib/test/multibytecodec_support.py ++++ b/Lib/test/multibytecodec_support.py +@@ -305,29 +305,23 @@ def test_mapping_file(self): + self._test_mapping_file_plain() + + def _test_mapping_file_plain(self): +- unichrs = lambda s: ''.join(map(chr, map(eval, s.split('+')))) ++ def unichrs(s): ++ return ''.join(chr(int(x, 16)) for x in s.split('+')) ++ + urt_wa = {} + + with self.open_mapping_file() as f: + for line in f: + if not line: + break +- data = line.split('#')[0].strip().split() ++ data = line.split('#')[0].split() + if len(data) != 2: + continue + +- csetval = eval(data[0]) +- if csetval <= 0x7F: +- csetch = bytes([csetval & 0xff]) +- elif csetval >= 0x1000000: +- csetch = bytes([(csetval >> 24), ((csetval >> 16) & 0xff), +- ((csetval >> 8) & 0xff), (csetval & 0xff)]) +- elif csetval >= 0x10000: +- csetch = bytes([(csetval >> 16), ((csetval >> 8) & 0xff), +- (csetval & 0xff)]) +- elif csetval >= 0x100: +- csetch = bytes([(csetval >> 8), (csetval & 0xff)]) +- else: ++ if data[0][:2] != '0x': ++ self.fail(f"Invalid line: {line!r}") ++ csetch = bytes.fromhex(data[0][2:]) ++ if len(csetch) == 1 and 0x80 <= csetch[0]: + continue + + unich = unichrs(data[1]) +diff --git a/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst +new file mode 100644 +index 0000000000000..4f9782f1c85af +--- /dev/null ++++ b/Misc/NEWS.d/next/Tests/2020-10-05-17-43-46.bpo-41944.rf1dYb.rst +@@ -0,0 +1 @@ ++Tests for CJK codecs no longer call ``eval()`` on content received via HTTP. diff --git a/CVE-2021-3177.patch b/CVE-2021-3177.patch new file mode 100644 index 0000000..da97329 --- /dev/null +++ b/CVE-2021-3177.patch @@ -0,0 +1,183 @@ +From 298cc0231a271b5d5c6d55273297b9541353ecc3 Mon Sep 17 00:00:00 2001 +From: Benjamin Peterson +Date: Mon, 18 Jan 2021 09:28:15 -0600 +Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode + formatting in ctypes param reprs. + +https://github.com/python/cpython/commit/916610ef90a0d0761f08747f7b0905541f0977c7 +reason:CVE-2021-3177 + +--- + Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++ + .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 + + Modules/_ctypes/callproc.c | 51 +++++++------------ + 3 files changed, 64 insertions(+), 32 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst + +diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py +index e4c25fd880cef..531894fdec838 100644 +--- a/Lib/ctypes/test/test_parameters.py ++++ b/Lib/ctypes/test/test_parameters.py +@@ -201,6 +201,49 @@ def __dict__(self): + with self.assertRaises(ZeroDivisionError): + WorseStruct().__setstate__({}, b'foo') + ++ def test_parameter_repr(self): ++ from ctypes import ( ++ c_bool, ++ c_char, ++ c_wchar, ++ c_byte, ++ c_ubyte, ++ c_short, ++ c_ushort, ++ c_int, ++ c_uint, ++ c_long, ++ c_ulong, ++ c_longlong, ++ c_ulonglong, ++ c_float, ++ c_double, ++ c_longdouble, ++ c_char_p, ++ c_wchar_p, ++ c_void_p, ++ ) ++ self.assertRegex(repr(c_bool.from_param(True)), r"^$") ++ self.assertEqual(repr(c_char.from_param(97)), "") ++ self.assertRegex(repr(c_wchar.from_param('a')), r"^$") ++ self.assertEqual(repr(c_byte.from_param(98)), "") ++ self.assertEqual(repr(c_ubyte.from_param(98)), "") ++ self.assertEqual(repr(c_short.from_param(511)), "") ++ self.assertEqual(repr(c_ushort.from_param(511)), "") ++ self.assertRegex(repr(c_int.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_uint.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_long.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_ulong.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_longlong.from_param(20000)), r"^$") ++ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^$") ++ self.assertEqual(repr(c_float.from_param(1.5)), "") ++ self.assertEqual(repr(c_double.from_param(1.5)), "") ++ self.assertEqual(repr(c_double.from_param(1e300)), "") ++ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^$") ++ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^$") ++ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^$") ++ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^$") ++ + ################################################################ + + if __name__ == '__main__': +diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +new file mode 100644 +index 0000000000000..7df65a156feab +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +@@ -0,0 +1,2 @@ ++Avoid static buffers when computing the repr of :class:`ctypes.c_double` and ++:class:`ctypes.c_longdouble` values. +diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c +index 40a05a44edd4c..56ccc2f1e0b5d 100644 +--- a/Modules/_ctypes/callproc.c ++++ b/Modules/_ctypes/callproc.c +@@ -487,58 +487,47 @@ is_literal_char(unsigned char c) + static PyObject * + PyCArg_repr(PyCArgObject *self) + { +- char buffer[256]; + switch(self->tag) { + case 'b': + case 'B': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.b); +- break; + case 'h': + case 'H': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.h); +- break; + case 'i': + case 'I': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.i); +- break; + case 'l': + case 'L': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.l); +- break; + + case 'q': + case 'Q': +- sprintf(buffer, +-#ifdef MS_WIN32 +- "", +-#else +- "", +-#endif ++ return PyUnicode_FromFormat("", + self->tag, self->value.q); +- break; + case 'd': +- sprintf(buffer, "", +- self->tag, self->value.d); +- break; +- case 'f': +- sprintf(buffer, "", +- self->tag, self->value.f); +- break; +- ++ case 'f': { ++ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d); ++ if (f == NULL) { ++ return NULL; ++ } ++ PyObject *result = PyUnicode_FromFormat("", self->tag, f); ++ Py_DECREF(f); ++ return result; ++ } + case 'c': + if (is_literal_char((unsigned char)self->value.c)) { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.c); + } + else { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, (unsigned char)self->value.c); + } +- break; + + /* Hm, are these 'z' and 'Z' codes useful at all? + Shouldn't they be replaced by the functionality of c_string +@@ -547,22 +536,20 @@ PyCArg_repr(PyCArgObject *self) + case 'z': + case 'Z': + case 'P': +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + self->tag, self->value.p); + break; + + default: + if (is_literal_char((unsigned char)self->tag)) { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + (unsigned char)self->tag, (void *)self); + } + else { +- sprintf(buffer, "", ++ return PyUnicode_FromFormat("", + (unsigned char)self->tag, (void *)self); + } +- break; + } +- return PyUnicode_FromString(buffer); + } + + static PyMemberDef PyCArgType_members[] = { diff --git a/backport-Fix-a-reference-leak-if-a-thread-is-not-joined.patch b/backport-Fix-a-reference-leak-if-a-thread-is-not-joined.patch new file mode 100644 index 0000000..2919676 --- /dev/null +++ b/backport-Fix-a-reference-leak-if-a-thread-is-not-joined.patch @@ -0,0 +1,63 @@ +From d3dcc92778807ae8f7ebe85178f36a29711cd478 Mon Sep 17 00:00:00 2001 +From: Victor Stinner +Date: Mon, 19 Aug 2019 23:37:17 +0100 +Subject: [PATCH] bpo-37788: Fix a reference leak if a thread is not joined + (GH-15228) + +Add threading.Thread.__del__() method to ensure that the thread state +lock is removed from the _shutdown_locks list when a thread +completes. +--- + Lib/test/test_threading.py | 8 ++++++++ + Lib/threading.py | 10 ++++++++++ + .../Library/2019-08-12-17-21-10.bpo-37788.F0tR05.rst | 1 + + 3 files changed, 19 insertions(+) + create mode 100644 Misc/NEWS.d/next/Library/2019-08-12-17-21-10.bpo-37788.F0tR05.rst + +diff --git a/Lib/test/test_threading.py b/Lib/test/test_threading.py +index 7c16974c1630a..5e90627822f9f 100644 +--- a/Lib/test/test_threading.py ++++ b/Lib/test/test_threading.py +@@ -761,6 +761,14 @@ def test_shutdown_locks(self): + # Daemon threads must never add it to _shutdown_locks. + self.assertNotIn(tstate_lock, threading._shutdown_locks) + ++ def test_leak_without_join(self): ++ # bpo-37788: Test that a thread which is not joined explicitly ++ # does not leak. Test written for reference leak checks. ++ def noop(): pass ++ with support.wait_threads_exit(): ++ threading.Thread(target=noop).start() ++ # Thread.join() is not called ++ + + class ThreadJoinOnShutdown(BaseTestCase): + +diff --git a/Lib/threading.py b/Lib/threading.py +index 32a3d7c303362..67e1c4facfee2 100644 +--- a/Lib/threading.py ++++ b/Lib/threading.py +@@ -806,6 +806,16 @@ class is implemented. + # For debugging and _after_fork() + _dangling.add(self) + ++ def __del__(self): ++ if not self._initialized: ++ return ++ lock = self._tstate_lock ++ if lock is not None and not self.daemon: ++ # ensure that self._tstate_lock is not in _shutdown_locks ++ # if join() was not called explicitly ++ with _shutdown_locks_lock: ++ _shutdown_locks.discard(lock) ++ + def _reset_internal_locks(self, is_alive): + # private! Called by _after_fork() to reset our internal locks as + # they may be in an invalid state leading to a deadlock or crash. +diff --git a/Misc/NEWS.d/next/Library/2019-08-12-17-21-10.bpo-37788.F0tR05.rst b/Misc/NEWS.d/next/Library/2019-08-12-17-21-10.bpo-37788.F0tR05.rst +new file mode 100644 +index 0000000000000..d9b1e82b92238 +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2019-08-12-17-21-10.bpo-37788.F0tR05.rst +@@ -0,0 +1 @@ ++Fix a reference leak if a thread is not joined. diff --git a/python3.spec b/python3.spec index 77e1278..ae900ac 100644 --- a/python3.spec +++ b/python3.spec @@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language URL: https://www.python.org/ Version: 3.8.5 -Release: 2 +Release: 5 License: Python %global branchversion 3.8 @@ -95,6 +95,10 @@ Patch178: 00178-dont-duplicate-flags-in-sysconfig.patch Patch189: 00189-use-rpm-wheels.patch Patch205: 00205-make-libpl-respect-lib64.patch Patch251: 00251-change-user-install-location.patch +Patch252: CVE-2020-27619.patch +Patch253: backport-Fix-a-reference-leak-if-a-thread-is-not-joined.patch + +Patch6000: CVE-2021-3177.patch Provides: python%{branchversion} = %{version}-%{release} Provides: python(abi) = %{branchversion} @@ -187,6 +191,9 @@ rm -r Modules/expat rm Lib/ensurepip/_bundled/*.whl %patch205 -p1 %patch251 -p1 +%patch252 -p1 +%patch253 -p1 +%patch6000 -p1 rm configure pyconfig.h.in @@ -794,7 +801,25 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP" %{_mandir}/*/* %changelog -* Tue Aug 19 2020 whoisxxx - 3.8.5-2 +* Fri Feb 05 2021 shangyibin - 3.8.5-5 +- Type:cves +- ID:CVE-2021-3177 +- SUG:NA +- DESC:fix CVE-2021-3177 + +* Mon Feb 01 2021 shixuantong - 3.8.5-4 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:Fix a reference leak if a thread is not joined + +* Sat Nov 14 2020 shixuantong - 3.8.5-3 +- Type:cves +- ID:CVE-2020-27619 +- SUG:NA +- DESC:fix CVE-2020-27619 + +* Wed Aug 19 2020 whoisxxx - 3.8.5-2 - Type:bugfix - ID:NA - SUG:NA -- Gitee