diff options
| author | J0WI <J0WI@users.noreply.github.com> | 2019-01-23 15:42:31 +0100 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2019-01-24 16:29:57 +0000 |
| commit | a22bed04e6d6950b727d73d46a56ac32beaa305b (patch) | |
| tree | 11f4ebe23ac4e4141c1d0372b4a983b1aab33599 /community/python2-tkinter | |
| parent | d96309a215754135a99d10a0a43b14ca0bd4d434 (diff) | |
| download | aports-a22bed04e6d6950b727d73d46a56ac32beaa305b.tar.bz2 aports-a22bed04e6d6950b727d73d46a56ac32beaa305b.tar.xz | |
community/python2-tkinter: synchronize with main/python2
Diffstat (limited to 'community/python2-tkinter')
| -rw-r--r-- | community/python2-tkinter/APKBUILD | 20 | ||||
| -rw-r--r-- | community/python2-tkinter/CVE-2019-5010.patch | 116 | ||||
| -rw-r--r-- | community/python2-tkinter/musl-find_library.patch | 45 | ||||
| -rw-r--r-- | community/python2-tkinter/unchecked-ioctl.patch | 11 |
4 files changed, 189 insertions, 3 deletions
diff --git a/community/python2-tkinter/APKBUILD b/community/python2-tkinter/APKBUILD index 0cb63c76f8..fd4a23a221 100644 --- a/community/python2-tkinter/APKBUILD +++ b/community/python2-tkinter/APKBUILD @@ -6,7 +6,7 @@ pkgname=python2-tkinter pkgver=2.7.15 _verbase=${pkgver%.*} -pkgrel=0 +pkgrel=3 pkgdesc="A graphical user interface for the Python" url="https://wiki.python.org/moin/TkInter" arch="all" @@ -18,9 +18,20 @@ makedepends="expat-dev openssl-dev zlib-dev ncurses-dev bzip2-dev tk tk-dev python2" replaces="python2" replaces_priority=1 -source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz" +source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz + CVE-2019-5010.patch + musl-find_library.patch + unchecked-ioctl.patch + " builddir="$srcdir/Python-$pkgver" +# secfixes: +# 2.7.15-r3: +# - CVE-2019-5010 +# 2.7.15-r0: +# - CVE-2018-1060 +# - CVE-2018-1061 + prepare() { local _pyapkbuild="$startdir"/../main/python2/APKBUILD if [ -e "$_pyapkbuild" ]; then @@ -97,4 +108,7 @@ _idle() { _mv_files usr/bin } -sha512sums="27ea43eb45fc68f3d2469d5f07636e10801dee11635a430ec8ec922ed790bb426b072da94df885e4dfa1ea8b7a24f2f56dd92f9b0f51e162330f161216bd6de6 Python-2.7.15.tar.xz" +sha512sums="27ea43eb45fc68f3d2469d5f07636e10801dee11635a430ec8ec922ed790bb426b072da94df885e4dfa1ea8b7a24f2f56dd92f9b0f51e162330f161216bd6de6 Python-2.7.15.tar.xz +fccc9878c0e7cdc2c91f24ab2849bc21362bf7559f0800841f282aebe11fb0d0436fb1057f59edea16c039d156e900569c616798526f42d3d190ce4631d456ab CVE-2019-5010.patch +ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch +5a8e013a4132d71c4360771f130d27b37275ae59330cf9a75378dc8a11236017f540eb224f2a148984e82ca3fb6b29129375b1080ba05b81044faa717520ab82 unchecked-ioctl.patch" diff --git a/community/python2-tkinter/CVE-2019-5010.patch b/community/python2-tkinter/CVE-2019-5010.patch new file mode 100644 index 0000000000..af746c6eaf --- /dev/null +++ b/community/python2-tkinter/CVE-2019-5010.patch @@ -0,0 +1,116 @@ +From 280917872027ee991416d2623fc16ff1eed48f50 Mon Sep 17 00:00:00 2001 +From: Christian Heimes <christian@python.org> +Date: Tue, 15 Jan 2019 23:47:42 +0100 +Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser (GH-11569) + +Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL +distribution points with empty DP or URI correctly. A malicious or buggy +certificate can result into segfault. + +Signed-off-by: Christian Heimes <christian@python.org> + +https://bugs.python.org/issue35746 +(cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3) + +Co-authored-by: Christian Heimes <christian@python.org> +--- + Lib/test/talos-2019-0758.pem | 22 +++++++++++++++++++ + Lib/test/test_ssl.py | 22 +++++++++++++++++++ + .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst | 3 +++ + Modules/_ssl.c | 4 ++++ + 4 files changed, 51 insertions(+) + create mode 100644 Lib/test/talos-2019-0758.pem + create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst + +diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem +new file mode 100644 +index 000000000000..13b95a77fd8a +--- /dev/null ++++ b/Lib/test/talos-2019-0758.pem +@@ -0,0 +1,22 @@ ++-----BEGIN CERTIFICATE----- ++MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO ++BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7 ++MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh ++bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB ++J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES ++V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD ++5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C ++1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP ++WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF ++j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp ++HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io ++UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7 ++2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu ++bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG ++SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p ++t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr ++t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit ++p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV ++Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+ ++10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA== ++-----END CERTIFICATE----- +diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py +index e47603170253..9240184d98a4 100644 +--- a/Lib/test/test_ssl.py ++++ b/Lib/test/test_ssl.py +@@ -72,6 +72,7 @@ def data_file(*name): + BADKEY = data_file("badkey.pem") + NOKIACERT = data_file("nokia.pem") + NULLBYTECERT = data_file("nullbytecert.pem") ++TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem") + + DHFILE = data_file("ffdh3072.pem") + BYTES_DHFILE = DHFILE.encode(sys.getfilesystemencoding()) +@@ -227,6 +228,27 @@ def test_parse_cert(self): + self.assertEqual(p['crlDistributionPoints'], + ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',)) + ++ def test_parse_cert_CVE_2019_5010(self): ++ p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP) ++ if support.verbose: ++ sys.stdout.write("\n" + pprint.pformat(p) + "\n") ++ self.assertEqual( ++ p, ++ { ++ 'issuer': ( ++ (('countryName', 'UK'),), (('commonName', 'cody-ca'),)), ++ 'notAfter': 'Jun 14 18:00:58 2028 GMT', ++ 'notBefore': 'Jun 18 18:00:58 2018 GMT', ++ 'serialNumber': '02', ++ 'subject': ((('countryName', 'UK'),), ++ (('commonName', ++ 'codenomicon-vm-2.test.lal.cisco.com'),)), ++ 'subjectAltName': ( ++ ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),), ++ 'version': 3 ++ } ++ ) ++ + def test_parse_cert_CVE_2013_4238(self): + p = ssl._ssl._test_decode_cert(NULLBYTECERT) + if support.verbose: +diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst +new file mode 100644 +index 000000000000..dffe347eec84 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst +@@ -0,0 +1,3 @@ ++[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did ++not handle CRL distribution points with empty DP or URI correctly. A ++malicious or buggy certificate can result into segfault. +diff --git a/Modules/_ssl.c b/Modules/_ssl.c +index a96c41926036..19bb1207b48f 100644 +--- a/Modules/_ssl.c ++++ b/Modules/_ssl.c +@@ -1223,6 +1223,10 @@ _get_crl_dp(X509 *certificate) { + STACK_OF(GENERAL_NAME) *gns; + + dp = sk_DIST_POINT_value(dps, i); ++ if (dp->distpoint == NULL) { ++ /* Ignore empty DP value, CVE-2019-5010 */ ++ continue; ++ } + gns = dp->distpoint->name.fullname; + + for (j=0; j < sk_GENERAL_NAME_num(gns); j++) { diff --git a/community/python2-tkinter/musl-find_library.patch b/community/python2-tkinter/musl-find_library.patch new file mode 100644 index 0000000000..7899abb736 --- /dev/null +++ b/community/python2-tkinter/musl-find_library.patch @@ -0,0 +1,45 @@ +diff -ru Python-2.7.12.orig/Lib/ctypes/util.py Python-2.7.12/Lib/ctypes/util.py +--- Python-2.7.12.orig/Lib/ctypes/util.py 2016-06-26 00:49:30.000000000 +0300 ++++ Python-2.7.12/Lib/ctypes/util.py 2016-11-03 16:05:46.954665040 +0200 +@@ -204,6 +204,41 @@ + def find_library(name, is64 = False): + return _get_soname(_findLib_crle(name, is64) or _findLib_gcc(name)) + ++ elif True: ++ ++ # Patched for Alpine Linux / musl - search manually system paths ++ def _is_elf(filepath): ++ try: ++ with open(filepath, 'rb') as fh: ++ return fh.read(4) == b'\x7fELF' ++ except: ++ return False ++ ++ def find_library(name): ++ from glob import glob ++ # absolute name? ++ if os.path.isabs(name): ++ return name ++ # special case for libm, libcrypt and libpthread and musl ++ if name in ['m', 'crypt', 'pthread']: ++ name = 'c' ++ elif name in ['libm.so', 'libcrypt.so', 'libpthread.so']: ++ name = 'libc.so' ++ # search in standard locations (musl order) ++ paths = ['/lib', '/usr/local/lib', '/usr/lib'] ++ if 'LD_LIBRARY_PATH' in os.environ: ++ paths = os.environ['LD_LIBRARY_PATH'].split(':') + paths ++ for d in paths: ++ f = os.path.join(d, name) ++ if _is_elf(f): ++ return os.path.basename(f) ++ ++ prefix = os.path.join(d, 'lib'+name) ++ for suffix in ['.so', '.so.*']: ++ for f in glob('{0}{1}'.format(prefix, suffix)): ++ if _is_elf(f): ++ return os.path.basename(f) ++ + else: + + def _findSoname_ldconfig(name): diff --git a/community/python2-tkinter/unchecked-ioctl.patch b/community/python2-tkinter/unchecked-ioctl.patch new file mode 100644 index 0000000000..4d5564c2cb --- /dev/null +++ b/community/python2-tkinter/unchecked-ioctl.patch @@ -0,0 +1,11 @@ +--- ./Modules/fcntlmodule.c.orig ++++ ./Modules/fcntlmodule.c +@@ -118,7 +118,7 @@ + int mutate_arg = 1; + char buf[IOCTL_BUFSZ+1]; /* argument plus NUL byte */ + +- if (PyArg_ParseTuple(args, "O&Iw#|i:ioctl", ++ if (PyArg_ParseTuple(args, "O&Iw#|n:ioctl", + conv_descriptor, &fd, &code, + &str, &len, &mutate_arg)) { + char *arg; |