Security fix for CVE-2007-4559
Fixes: rhzb#2141080
This commit is contained in:
Charalampos Stratakis
parent
882b7bd781
commit
98e458e2e0
3 changed files with 2535 additions and 1 deletions
2465
00397-pep-706-cve-2007-4559-filter-api-for-tarfile-extractall.patch
Normal file
2465
00397-pep-706-cve-2007-4559-filter-api-for-tarfile-extractall.patch
Normal file
File diff suppressed because it is too large
Load diff
42
pip-CVE-2007-4559.patch
Normal file
42
pip-CVE-2007-4559.patch
Normal file
|
|
@ -0,0 +1,42 @@
|
|||
diff --git a/pip/_internal/utils/misc.py b/pip/_internal/utils/misc.py
|
||||
index 84a421f..fbdb654 100644
|
||||
--- a/pip/_internal/utils/misc.py
|
||||
+++ b/pip/_internal/utils/misc.py
|
||||
@@ -532,6 +532,13 @@ def untar_file(filename, location):
|
||||
if leading:
|
||||
fn = split_leading_dir(fn)[1]
|
||||
path = os.path.join(location, fn)
|
||||
+
|
||||
+ # Call the `data` filter for its side effect (raising exception)
|
||||
+ try:
|
||||
+ tarfile.data_filter(member.replace(name=fn), location)
|
||||
+ except tarfile.LinkOutsideDestinationError:
|
||||
+ pass
|
||||
+
|
||||
if member.isdir():
|
||||
ensure_dir(path)
|
||||
elif member.issym():
|
||||
diff --git a/pip/_vendor/distlib/util.py b/pip/_vendor/distlib/util.py
|
||||
index 0b14a93..8f3f12e 100644
|
||||
--- a/pip/_vendor/distlib/util.py
|
||||
+++ b/pip/_vendor/distlib/util.py
|
||||
@@ -1238,6 +1238,19 @@ def unarchive(archive_filename, dest_dir, format=None, check=True):
|
||||
for tarinfo in archive.getmembers():
|
||||
if not isinstance(tarinfo.name, text_type):
|
||||
tarinfo.name = tarinfo.name.decode('utf-8')
|
||||
+
|
||||
+ # Limit extraction of dangerous items, if this Python
|
||||
+ # allows it easily. If not, just trust the input.
|
||||
+ # See: https://docs.python.org/3/library/tarfile.html#extraction-filters
|
||||
+ def extraction_filter(member, path):
|
||||
+ """Run tarfile.tar_fillter, but raise the expected ValueError"""
|
||||
+ # This is only called if the current Python has tarfile filters
|
||||
+ try:
|
||||
+ return tarfile.tar_filter(member, path)
|
||||
+ except tarfile.FilterError as exc:
|
||||
+ raise ValueError(str(exc))
|
||||
+ archive.extraction_filter = extraction_filter
|
||||
+
|
||||
archive.extractall(dest_dir)
|
||||
|
||||
finally:
|
||||
|
|
@ -17,7 +17,7 @@ URL: https://www.python.org/
|
|||
#global prerel ...
|
||||
%global upstream_version %{general_version}%{?prerel}
|
||||
Version: %{general_version}%{?prerel:~%{prerel}}
|
||||
Release: 26%{?dist}
|
||||
Release: 27%{?dist}
|
||||
# Python is Python
|
||||
# pip MIT is and bundles:
|
||||
# appdirs: MIT
|
||||
|
|
@ -319,6 +319,9 @@ Source10: idle3.desktop
|
|||
# AppData file for idle3
|
||||
Source11: idle3.appdata.xml
|
||||
|
||||
# Patch for the bundled pip wheel for CVE-2007-4559
|
||||
Source12: pip-CVE-2007-4559.patch
|
||||
|
||||
# (Patches taken from github.com/fedora-python/cpython)
|
||||
|
||||
# 00001 # d06a8853cf4bae9e115f45e1d531d2dc152c5cc8
|
||||
|
|
@ -614,6 +617,20 @@ Patch392: 00392-cve-2022-37454-fix-buffer-overflows-in-_sha3-module.patch
|
|||
# the behavior to linear.
|
||||
Patch394: 00394-cve-2022-45061-cpu-denial-of-service-via-inefficient-idna-decoder.patch
|
||||
|
||||
# 00397 # e867e27272cd259b76133784ef3f2811e671f3db
|
||||
# PEP 706, CVE-2007-4559: Filter API for tarfile.extractall
|
||||
#
|
||||
# Add API for allowing checks on the content of tar files, allowing callers to mitigate
|
||||
# directory traversal (CVE-2007-4559) and related issues.
|
||||
#
|
||||
# Python 3.12 will warn if this API is not used.
|
||||
# Python 3.14 will fail if it's not used.
|
||||
#
|
||||
# Backport from https://github.com/python/cpython/issues/102950
|
||||
#
|
||||
# Change document: https://peps.python.org/pep-0706/
|
||||
Patch397: 00397-pep-706-cve-2007-4559-filter-api-for-tarfile-extractall.patch
|
||||
|
||||
# 00399 # dc0a803eea47d3b4f0657816b112b5a33491500f
|
||||
# CVE-2023-24329
|
||||
#
|
||||
|
|
@ -1016,6 +1033,12 @@ rm Lib/ensurepip/_bundled/*.whl
|
|||
# Apply the remaining patches
|
||||
%autopatch -m 190
|
||||
|
||||
# Patch the bundled pip wheel for CVE-2007-4559
|
||||
unzip -qq Lib/ensurepip/_bundled/pip-%{pip_version}-py2.py3-none-any.whl
|
||||
patch -p1 < %{SOURCE12}
|
||||
zip -rq Lib/ensurepip/_bundled/pip-%{pip_version}-py2.py3-none-any.whl pip pip-%{pip_version}.dist-info
|
||||
rm -rf pip/ pip-%{pip_version}.dist-info/
|
||||
|
||||
# Remove bundled libraries to ensure that we're using the system copy.
|
||||
rm -r Modules/expat
|
||||
rm -r Modules/zlib
|
||||
|
|
@ -1925,6 +1948,10 @@ CheckPython optimized
|
|||
# ======================================================
|
||||
|
||||
%changelog
|
||||
* Thu Feb 29 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.6.15-27
|
||||
- Security fix for CVE-2007-4559
|
||||
- Fixes: rhbz#2141080
|
||||
|
||||
* Wed Feb 28 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.6.15-26
|
||||
- Fix tests for XMLPullParser with Expat 2.6.0
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue