From f936a300b48955faecce028ac9ac509b1b83906c Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Tue, 8 Dec 2020 22:48:19 +0100 Subject: [PATCH] gnu: Python: Fix CVE-2020-26116. * gnu/packages/patches/python-CVE-2020-26116.patch: New file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/python.scm (python-3.8)[source](patches): Add it. --- gnu/local.mk | 1 + .../patches/python-CVE-2020-26116.patch | 47 +++++++++++++++++++ gnu/packages/python.scm | 1 + 3 files changed, 49 insertions(+) create mode 100644 gnu/packages/patches/python-CVE-2020-26116.patch diff --git a/gnu/local.mk b/gnu/local.mk index 7f0b69cacf..897de3eaf9 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1515,6 +1515,7 @@ dist_patch_DATA = \ %D%/packages/patches/python-3-fix-tests.patch \ %D%/packages/patches/python-3.8-fix-tests.patch \ %D%/packages/patches/python-CVE-2018-14647.patch \ + %D%/packages/patches/python-CVE-2020-26116.patch \ %D%/packages/patches/python-aionotify-0.2.0-py3.8.patch \ %D%/packages/patches/python-argcomplete-1.11.1-fish31.patch \ %D%/packages/patches/python-axolotl-AES-fix.patch \ diff --git a/gnu/packages/patches/python-CVE-2020-26116.patch b/gnu/packages/patches/python-CVE-2020-26116.patch new file mode 100644 index 0000000000..dc0571e964 --- /dev/null +++ b/gnu/packages/patches/python-CVE-2020-26116.patch @@ -0,0 +1,47 @@ +Fix CVE-2020-26116: + +https://cve.circl.lu/cve/CVE-2020-26116 +https://bugs.python.org/issue39603 + +Taken from upstream (sans test and NEWS update): +https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf + +diff --git a/Lib/http/client.py b/Lib/http/client.py +--- a/Lib/http/client.py ++++ b/Lib/http/client.py +@@ -147,6 +147,10 @@ + # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$") + # We are more lenient for assumed real world compatibility purposes. + ++# These characters are not allowed within HTTP method names ++# to prevent http header injection. ++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]') ++ + # We always set the Content-Length header for these methods because some + # servers will otherwise respond with a 411 + _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} +@@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False, + else: + raise CannotSendRequest(self.__state) + ++ self._validate_method(method) ++ + # Save the method for use later in the response phase + self._method = method + +@@ -1177,6 +1183,15 @@ def _encode_request(self, request): + # ASCII also helps prevent CVE-2019-9740. + return request.encode('ascii') + ++ def _validate_method(self, method): ++ """Validate a method name for putrequest.""" ++ # prevent http header injection ++ match = _contains_disallowed_method_pchar_re.search(method) ++ if match: ++ raise ValueError( ++ f"method can't contain control characters. {method!r} " ++ f"(found at least {match.group()!r})") ++ + def _validate_path(self, url): + """Validate a url for putrequest.""" + # Prevent CVE-2019-9740. diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 43704bccae..533b2bdeff 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm @@ -370,6 +370,7 @@ data types.") (uri (string-append "https://www.python.org/ftp/python/" version "/Python-" version ".tar.xz")) (patches (search-patches + "python-CVE-2020-26116.patch" "python-3-fix-tests.patch" "python-3.8-fix-tests.patch" "python-3-deterministic-build-info.patch" -- 2.20.1