From dad9a1a2a4a1720537e91ac9c125721ec4996eea Mon Sep 17 00:00:00 2001
From: Jeffery To
Date: Sat, 5 Oct 2019 00:58:08 +0800
Subject: [PATCH] python: Fix CVE-2019-16056, CVE-2019-16935

These patches address issues:
CVE-2019-16056: email.utils.parseaddr mistakenly parse an email
CVE-2019-16935: A reflected XSS in python/Lib/DocXMLRPCServer.py
Links to Python issues:
https://bugs.python.org/issue34155
https://bugs.python.org/issue38243
Signed-off-by: Jeffery To
---
 lang/python/python/Makefile | 2 +-
 ...-the-server-title-of-DocXMLRPCServer.patch | 159 ++++++++++++++++++
 ...nt-parse-domains-containing-GH-13079.patch | 80 +++++++++
 3 files changed, 240 insertions(+), 1 deletion(-)
 create mode 100644 lang/python/python/patches/027-bpo-38243-Escape-the-server-title-of-DocXMLRPCServer.patch
 create mode 100644 lang/python/python/patches/028-bpo-34155-Dont-parse-domains-containing-GH-13079.patch

diff --git a/lang/python/python/Makefile b/lang/python/python/Makefile
index 6e44f51449..67592c970e 100644
--- a/lang/python/python/Makefile
+++ b/lang/python/python/Makefile
@@ -12,7 +12,7 @@ include ../python-version.mk
 PKG_NAME:=python
 PKG_VERSION:=$(PYTHON_VERSION).$(PYTHON_VERSION_MICRO)
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://www.python.org/ftp/python/$(PKG_VERSION)
diff --git a/lang/python/python/patches/027-bpo-38243-Escape-the-server-title-of-DocXMLRPCServer.patch b/lang/python/python/patches/027-bpo-38243-Escape-the-server-title-of-DocXMLRPCServer.patch
new file mode 100644
index 0000000000..5b90eb9d83
--- /dev/null
+++ b/lang/python/python/patches/027-bpo-38243-Escape-the-server-title-of-DocXMLRPCServer.patch
@@ -0,0 +1,159 @@
+From b41cde823d026f2adc21ef14b1c2e92b1006de06 Mon Sep 17 00:00:00 2001
+From: Dong-hee Na
+Date: Sat, 28 Sep 2019 10:17:25 +0900
+Subject: [PATCH 1/3] [2.7] bpo-38243: Escape the server title of
+ DocXMLRPCServer when rendering
+
+---
+ Lib/DocXMLRPCServer.py | 10 +++++++++-
+ Lib/test/test_docxmlrpc.py | 20 +++++++++++++++++++
+ .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst | 3 +++
+ 3 files changed, 32 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+
+diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py
+index 4064ec2e48d4d..a0e407b6318ad 100644
+--- a/Lib/DocXMLRPCServer.py
++++ b/Lib/DocXMLRPCServer.py
+@@ -210,7 +210,15 @@ def generate_html_documentation(self):
+ methods
+ )
+
+- return documenter.page(self.server_title, documentation)
++ escape_table = {
++ "&": "&",
++ '"': """,
++ "'": "'",
++ ">": ">",
++ "<": "<",
++ }
++ title = ''.join(escape_table.get(c, c) for c in self.server_title)
++ return documenter.page(title, documentation)
+
+ class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
+ """XML-RPC and documentation request handler class.
+diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
+index 4dff4159e2466..c45b892b8b3e7 100644
+--- a/Lib/test/test_docxmlrpc.py
++++ b/Lib/test/test_docxmlrpc.py
+@@ -1,5 +1,6 @@
+ from DocXMLRPCServer import DocXMLRPCServer
+ import httplib
++import re
+ import sys
+ from test import test_support
+ threading = test_support.import_module('threading')
+@@ -176,6 +177,25 @@ def test_autolink_dotted_methods(self):
+ self.assertIn("""Try self.add, too.""",
+ response.read())
+
++ def test_server_title_escape(self):
++ """Test that the server title and documentation
++ are escaped for HTML.
++ """
++ self.serv.set_server_title('test_title