[Buildroot] [PATCH 1/3] package/python: add upstream security fix for CVE-2019-9948

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 1/3] package/python: add upstream security fix for CVE-2019-9948
Date: Sun, 16 Jun 2019 23:17:09 +0200	[thread overview]
Message-ID: <20190616211712.824-1-peter@korsgaard.com> (raw)

Fixes CVE-2019-9948: Unnecessary URL scheme exists to allow file:// reading
file in urllib.

https://bugs.python.org/issue35907

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 ...VE-2019-9948-urllib-rejects-local_file-sc.patch | 59 ++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 package/python/0035-bpo-35907-CVE-2019-9948-urllib-rejects-local_file-sc.patch

diff --git a/package/python/0035-bpo-35907-CVE-2019-9948-urllib-rejects-local_file-sc.patch b/package/python/0035-bpo-35907-CVE-2019-9948-urllib-rejects-local_file-sc.patch
new file mode 100644
index 0000000000..5ca1433465
--- /dev/null
+++ b/package/python/0035-bpo-35907-CVE-2019-9948-urllib-rejects-local_file-sc.patch
@@ -0,0 +1,59 @@
+From b15bde8058e821b383d81fcae68b335a752083ca Mon Sep 17 00:00:00 2001
+From: SH <push0ebp@gmail.com>
+Date: Wed, 22 May 2019 06:12:23 +0900
+Subject: [PATCH] bpo-35907, CVE-2019-9948: urllib rejects local_file:// scheme
+  (GH-11842)
+
+ CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen().
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ Lib/test/test_urllib.py                                           | 7 +++++++
+ Lib/urllib.py                                                     | 4 +++-
+ Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst | 1 +
+ 3 files changed, 11 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
+
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index d7778d4194..ae1f6c0b29 100644
+--- a/Lib/test/test_urllib.py
++++ b/Lib/test/test_urllib.py
+@@ -1048,6 +1048,13 @@ class URLopener_Tests(unittest.TestCase):
+             "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
+             "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
+ 
++    def test_local_file_open(self):
++        class DummyURLopener(urllib.URLopener):
++            def open_local_file(self, url):
++                return url
++        for url in ('local_file://example', 'local-file://example'):
++            self.assertRaises(IOError, DummyURLopener().open, url)
++            self.assertRaises(IOError, urllib.urlopen, url)
+ 
+ # Just commented them out.
+ # Can't really tell why keep failing in windows and sparc.
+diff --git a/Lib/urllib.py b/Lib/urllib.py
+index d85504a5cb..156879dd0a 100644
+--- a/Lib/urllib.py
++++ b/Lib/urllib.py
+@@ -203,7 +203,9 @@ class URLopener:
+         name = 'open_' + urltype
+         self.type = urltype
+         name = name.replace('-', '_')
+-        if not hasattr(self, name):
++
++        # bpo-35907: disallow the file reading with the type not allowed
++        if not hasattr(self, name) or name == 'open_local_file':
+             if proxy:
+                 return self.open_unknown_proxy(proxy, fullurl, data)
+             else:
+diff --git a/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
+new file mode 100644
+index 0000000000..bb187d8d65
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2019-02-13-17-21-10.bpo-35907.ckk2zg.rst
+@@ -0,0 +1 @@
++CVE-2019-9948: Avoid file reading as disallowing the unnecessary URL scheme in urllib.urlopen
+-- 
+2.11.0
+
-- 
2.11.0

next             reply	other threads:[~2019-06-16 21:17 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-06-16 21:17 Peter Korsgaard [this message]
2019-06-16 21:17 ` [Buildroot] [PATCH 2/3] package/python: add upstream security fix for CVE-2019-9636 Peter Korsgaard
2019-06-23 21:32   ` Peter Korsgaard
2019-06-16 21:17 ` [Buildroot] [PATCH 3/3] package/python3: add upstream security fix for CVE-2019-10160 Peter Korsgaard
2019-06-23 21:32   ` Peter Korsgaard
2019-06-17 19:05 ` [Buildroot] [PATCH 1/3] package/python: add upstream security fix for CVE-2019-9948 Thomas Petazzoni
2019-06-23 21:32 ` Peter Korsgaard

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:5ca143346 )
 OR (
bs:"[Buildroot] [PATCH 1/3] package/python: add upstream security fix for CVE-2019-9948" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190616211712.824-1-peter@korsgaard.com \
    --to=peter@korsgaard.com \
    --cc=buildroot@busybox.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.