Security fix for CVE-2007-4559

Fixes: rhzb#2141080

00422-gh-115133-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch

@@ -0,0 +1,107 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Serhiy Storchaka <storchaka@gmail.com>
+Date: Sun, 11 Feb 2024 12:08:39 +0200
+Subject: [PATCH] 00422: gh-115133: Fix tests for XMLPullParser with Expat
+ 2.6.0
+
+Feeding the parser by too small chunks defers parsing to prevent
+CVE-2023-52425. Future versions of Expat may be more reactive.
+
+(cherry picked from commit 4a08e7b3431cd32a0daf22a33421cd3035343dc4)
+---
+ Lib/test/test_xml_etree.py                    | 58 ++++++++++++-------
+ ...-02-08-14-21-28.gh-issue-115133.ycl4ko.rst |  2 +
+ 2 files changed, 38 insertions(+), 22 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst
+
+diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
+index acaa519f42..2195eb9485 100644
+--- a/Lib/test/test_xml_etree.py
++++ b/Lib/test/test_xml_etree.py
+@@ -10,6 +10,7 @@ import html
+ import io
+ import operator
+ import pickle
++import pyexpat
+ import sys
+ import types
+ import unittest
+@@ -97,6 +98,10 @@ EXTERNAL_ENTITY_XML = """\
+ <document>&entity;</document>
+ """
+ 
++fails_with_expat_2_6_0 = (unittest.expectedFailure
++                        if pyexpat.version_info >= (2, 6, 0) else
++                        lambda test: test)
++
+ class ModuleTest(unittest.TestCase):
+     def test_sanity(self):
+         # Import sanity.
+@@ -1044,28 +1049,37 @@ class XMLPullParserTest(unittest.TestCase):
+         self.assertEqual([(action, elem.tag) for action, elem in events],
+                          expected)
+ 
+-    def test_simple_xml(self):
+-        for chunk_size in (None, 1, 5):
+-            with self.subTest(chunk_size=chunk_size):
+-                parser = ET.XMLPullParser()
+-                self.assert_event_tags(parser, [])
+-                self._feed(parser, "<!-- comment -->\n", chunk_size)
+-                self.assert_event_tags(parser, [])
+-                self._feed(parser,
+-                           "<root>\n  <element key='value'>text</element",
+-                           chunk_size)
+-                self.assert_event_tags(parser, [])
+-                self._feed(parser, ">\n", chunk_size)
+-                self.assert_event_tags(parser, [('end', 'element')])
+-                self._feed(parser, "<element>text</element>tail\n", chunk_size)
+-                self._feed(parser, "<empty-element/>\n", chunk_size)
+-                self.assert_event_tags(parser, [
+-                    ('end', 'element'),
+-                    ('end', 'empty-element'),
+-                    ])
+-                self._feed(parser, "</root>\n", chunk_size)
+-                self.assert_event_tags(parser, [('end', 'root')])
+-                self.assertIsNone(parser.close())
++    def test_simple_xml(self, chunk_size=None):
++        parser = ET.XMLPullParser()
++        self.assert_event_tags(parser, [])
++        self._feed(parser, "<!-- comment -->\n", chunk_size)
++        self.assert_event_tags(parser, [])
++        self._feed(parser,
++                   "<root>\n  <element key='value'>text</element",
++                   chunk_size)
++        self.assert_event_tags(parser, [])
++        self._feed(parser, ">\n", chunk_size)
++        self.assert_event_tags(parser, [('end', 'element')])
++        self._feed(parser, "<element>text</element>tail\n", chunk_size)
++        self._feed(parser, "<empty-element/>\n", chunk_size)
++        self.assert_event_tags(parser, [
++            ('end', 'element'),
++            ('end', 'empty-element'),
++            ])
++        self._feed(parser, "</root>\n", chunk_size)
++        self.assert_event_tags(parser, [('end', 'root')])
++        self.assertIsNone(parser.close())
++
++    @fails_with_expat_2_6_0
++    def test_simple_xml_chunk_1(self):
++        self.test_simple_xml(chunk_size=1)
++
++    @fails_with_expat_2_6_0
++    def test_simple_xml_chunk_5(self):
++        self.test_simple_xml(chunk_size=5)
++
++    def test_simple_xml_chunk_22(self):
++        self.test_simple_xml(chunk_size=22)
+ 
+     def test_feed_while_iterating(self):
+         parser = ET.XMLPullParser()
+diff --git a/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst b/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst
+new file mode 100644
+index 0000000000..6f1015235c
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2024-02-08-14-21-28.gh-issue-115133.ycl4ko.rst
+@@ -0,0 +1,2 @@
++Fix tests for :class:`~xml.etree.ElementTree.XMLPullParser` with Expat
++2.6.0.

pip-CVE-2007-4559.patch

@@ -0,0 +1,42 @@
+diff --git a/pip/_internal/utils/misc.py b/pip/_internal/utils/misc.py
+index 84a421f..fbdb654 100644
+--- a/pip/_internal/utils/misc.py
++++ b/pip/_internal/utils/misc.py
+@@ -532,6 +532,13 @@ def untar_file(filename, location):
+             if leading:
+                 fn = split_leading_dir(fn)[1]
+             path = os.path.join(location, fn)
++
++            # Call the `data` filter for its side effect (raising exception)
++            try:
++                tarfile.data_filter(member.replace(name=fn), location)
++            except tarfile.LinkOutsideDestinationError:
++                pass
++
+             if member.isdir():
+                 ensure_dir(path)
+             elif member.issym():
+diff --git a/pip/_vendor/distlib/util.py b/pip/_vendor/distlib/util.py
+index 0b14a93..8f3f12e 100644
+--- a/pip/_vendor/distlib/util.py
++++ b/pip/_vendor/distlib/util.py
+@@ -1238,6 +1238,19 @@ def unarchive(archive_filename, dest_dir, format=None, check=True):
+             for tarinfo in archive.getmembers():
+                 if not isinstance(tarinfo.name, text_type):
+                     tarinfo.name = tarinfo.name.decode('utf-8')
++
++        # Limit extraction of dangerous items, if this Python
++        # allows it easily. If not, just trust the input.
++        # See: https://docs.python.org/3/library/tarfile.html#extraction-filters
++        def extraction_filter(member, path):
++            """Run tarfile.tar_fillter, but raise the expected ValueError"""
++            # This is only called if the current Python has tarfile filters
++            try:
++                return tarfile.tar_filter(member, path)
++            except tarfile.FilterError as exc:
++                raise ValueError(str(exc))
++        archive.extraction_filter = extraction_filter
++
+         archive.extractall(dest_dir)
+ 
+     finally:

python3.6.spec

@@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 22%{?dist}
+Release: 27%{?dist}
 # Python is Python
 # pip MIT is and bundles:
 #   appdirs: MIT
@@ -319,6 +319,9 @@ Source10: idle3.desktop
 # AppData file for idle3
 Source11: idle3.appdata.xml
 
+# Patch for the bundled pip wheel for CVE-2007-4559
+Source12: pip-CVE-2007-4559.patch
+
 # (Patches taken from github.com/fedora-python/cpython)
 
 # 00001 # d06a8853cf4bae9e115f45e1d531d2dc152c5cc8
@@ -614,6 +617,20 @@ Patch392: 00392-cve-2022-37454-fix-buffer-overflows-in-_sha3-module.patch
 # the behavior to linear.
 Patch394: 00394-cve-2022-45061-cpu-denial-of-service-via-inefficient-idna-decoder.patch
 
+# 00397 # e867e27272cd259b76133784ef3f2811e671f3db
+# PEP 706, CVE-2007-4559: Filter API for tarfile.extractall
+#
+# Add API for allowing checks on the content of tar files, allowing callers to mitigate
+# directory traversal (CVE-2007-4559) and related issues.
+#
+# Python 3.12 will warn if this API is not used.
+# Python 3.14 will fail if it's not used.
+#
+# Backport from https://github.com/python/cpython/issues/102950
+#
+# Change document: https://peps.python.org/pep-0706/
+Patch397: 00397-pep-706-cve-2007-4559-filter-api-for-tarfile-extractall.patch
+
 # 00399 # dc0a803eea47d3b4f0657816b112b5a33491500f
 # CVE-2023-24329
 #
@@ -655,6 +672,13 @@ Patch410: 00410-bpo-42598-fix-implicit-function-declarations-in-configure.patch
 # Thomas Dwyer.
 Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
 
+# 00422 # fefea32e0c70109a5c88e3d22ec9ff554fcbc6ab
+# gh-115133: Fix tests for XMLPullParser with Expat 2.6.0
+#
+# Feeding the parser by too small chunks defers parsing to prevent
+# CVE-2023-52425. Future versions of Expat may be more reactive.
+Patch422: 00422-gh-115133-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -1003,6 +1027,12 @@ rm Lib/ensurepip/_bundled/*.whl
 # Apply the remaining patches
 %autopatch -m 190
 
+# Patch the bundled pip wheel for CVE-2007-4559
+unzip -qq Lib/ensurepip/_bundled/pip-%{pip_version}-py2.py3-none-any.whl
+patch -p1 < %{SOURCE12}
+zip -rq Lib/ensurepip/_bundled/pip-%{pip_version}-py2.py3-none-any.whl pip pip-%{pip_version}.dist-info
+rm -rf pip/ pip-%{pip_version}.dist-info/
+
 # Remove bundled libraries to ensure that we're using the system copy.
 rm -r Modules/expat
 rm -r Modules/zlib
@@ -1912,6 +1942,13 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Thu Feb 29 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.6.15-27
+- Security fix for CVE-2007-4559
+- Fixes: rhbz#2141080
+
+* Wed Feb 28 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.6.15-23
+- Fix tests for XMLPullParser with Expat 2.6.0
+
 * Mon Dec 18 2023 Lumír Balhar <lbalhar@redhat.com> - 3.6.15-22
 - Security fix for CVE-2023-27043 (rhbz#2196191)