From 5f4f2eb9d3a1e3b6127a17366531feef5e088085 Mon Sep 17 00:00:00 2001
From: xinsheng3
Date: Thu, 30 Oct 2025 10:35:17 +0800
Subject: [PATCH] fix CVE-2024-5642
---
 backport-CVE-2024-5642.patch | 54 ++++++++++++++++++++++++++++++++++++
 python3.spec | 9 +++++-
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-5642.patch
diff --git a/backport-CVE-2024-5642.patch b/backport-CVE-2024-5642.patch
new file mode 100644
index 0000000..bd3be2e
--- /dev/null
+++ b/backport-CVE-2024-5642.patch
@@ -0,0 +1,54 @@
+From a2cdbb6e8188ba9ba8b356b28d91bff60e86fe31 Mon Sep 17 00:00:00 2001
+From: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
+Date: Tue, 7 Oct 2025 13:09:33 +0100
+Subject: [PATCH] [3.9] gh-121227: Disallow setting an empty list for NPN
+ (GH-137161)
+
+---
+ Lib/ssl.py | 2 ++
+ Lib/test/test_ssl.py | 6 ++++++
+ .../Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst | 2 ++
+ 3 files changed, 10 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst
+
+diff --git a/Lib/ssl.py b/Lib/ssl.py
+index cb5ec51681e..a78e6acbfbc 100644
+--- a/Lib/ssl.py
++++ b/Lib/ssl.py
+@@ -520,6 +520,8 @@ class SSLContext(_SSLContext):
+ 
+ def set_npn_protocols(self, npn_protocols):
+ protos = bytearray()
++ if not npn_protocols:
++ raise SSLError('NPN protocols must not be empty')
+ for protocol in npn_protocols:
+ b = bytes(protocol, 'ascii')
+ if len(b) == 0 or len(b) > 255:
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index b9163ae0d5e..a2e771ed7fd 100644
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -4219,6 +4219,12 @@ class ThreadedTests(unittest.TestCase):
+ if len(stats['server_npn_protocols']) else 'nothing'
+ self.assertEqual(server_result, expected, msg % (server_result, "server"))
+ 
++ def test_empty_npn_protocols(self):
++ """npn_protocols cannot be empty, see CVE-2024-5642 & gh-121227"""
++ client_context, server_context, hostname = testing_context()
++ with self.assertRaises(ssl.SSLError):
++ server_context.set_npn_protocols([])
++
+ def sni_contexts(self):
+ server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+ server_context.load_cert_chain(SIGNED_CERTFILE)
+diff --git a/Misc/NEWS.d/next/Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst b/Misc/NEWS.d/next/Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst
+new file mode 100644
+index 00000000000..6350f74a396
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst
+@@ -0,0 +1,2 @@
++Raise an :exc:`SSL.SSLError` if an empty *protocols* argument is passed to
++:meth:`ssl.SSLContext.set_npn_protocols` to fix ``CVE-2024-5642``.
+-- 
+2.45.1.windows.1
+
diff --git a/python3.spec b/python3.spec
index b0ae7c4..78e536a 100644
--- a/python3.spec
+++ b/python3.spec
@@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/
 Version: 3.9.9
-Release: 47
+Release: 48
 License: Python-2.0
 %global branchversion 3.9
@@ -141,6 +141,7 @@ Patch6043: backport-3.9-bpo-43757-Make-pathlib-use-os.path.realpath-to-r.patch
 Patch6044: backport-CVE-2025-4517,CVE-2025-4138,CVE-2024-12718,CVE-2025-4330,CVE-2025-4435.patch
 Patch6045: backport-CVE-2025-6069.patch
 Patch6046: backport-CVE-2025-8291.patch
+Patch6047: backport-CVE-2024-5642.patch
 Patch9000: add-the-sm3-method-for-obtaining-the-salt-value.patch
 Patch9001: python3-Add-sw64-architecture.patch
@@ -851,6 +852,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*
 %changelog
+* Thu Oct 30 2025 xinsheng - 3.9.9-48
+- Type:CVE
+- CVE:CVE-2024-5642
+- SUG:NA
+- DESC:fix CVE-2024-5642
+
 * Wed Oct 8 2025 lizhipeng - 3.9.9-47
 - fix CVE-2025-8291
-- 
Gitee
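Review bot: The guard `if not npn_protocols:` in `set_npn_protocols` runs before the validation loop and, in 3.9's ssl.py, before the `self._set_npn_protocols(protos)` call that follows the hunk, so an empty sequence no longer hands a zero-length protocol buffer to the C layer; it also means a `None` argument now raises `SSLError` where iterating it would previously have raised `TypeError`, a small behaviour change worth knowing when reading the changelog. The patch header ties this file to upstream commit a2cdbb6e8188, so its content (including the unused `client_context` and `hostname` from `testing_context()` in the new test) should stay byte-identical to upstream rather than be tidied in the backport. Whether `test_ssl` is executed in this package's `%check` cannot be seen here. The `set_npn_protocols` body continues outside the hunk.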
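Review bot: `Patch6047: backport-CVE-2024-5642.patch` only declares the patch; whether it is applied depends on the `%prep` section (`%autosetup -p1` or an explicit `%patch6047 -p1`), which is outside this hunk and should be confirmed before the changelog entry claims the CVE fixed, since a declared-but-unapplied patch leaves the issue open. If `%prep` lists patches explicitly, the matching `%patch6047` line is missing from this commit. The number continues the 604x backport sequence used by the neighbouring entries, so the placement itself is consistent.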