From 74e3f40e39df1f19fc5b835b3c3ef15b2596b880 Mon Sep 17 00:00:00 2001 From: Balakumaran Kannan Date: Mon, 3 Feb 2025 09:49:01 +0000 Subject: [PATCH 1/5] Patch CVE-2023-27043 in python-3.9 --- SPECS/python3/CVE-2023-27043.patch | 220 +++++++++++++++++++++++++++++ SPECS/python3/python3.spec | 3 +- 2 files changed, 222 insertions(+), 1 deletion(-) create mode 100644 SPECS/python3/CVE-2023-27043.patch diff --git a/SPECS/python3/CVE-2023-27043.patch b/SPECS/python3/CVE-2023-27043.patch new file mode 100644 index 00000000000..63484b1c420 --- /dev/null +++ b/SPECS/python3/CVE-2023-27043.patch @@ -0,0 +1,220 @@ +From 76b1e32b1d730355bd976dbe18c9dd43fafb0ea0 Mon Sep 17 00:00:00 2001 +From: Bala +Date: Thu, 30 Jan 2025 08:38:50 +0000 +Subject: [PATCH] Return empty tuple to indicate the email parsing error. + +Cut short version of original patch taken from below commit +Taking the changes only for Lib/email/utils.py + +From ee953f2b8fc12ee9b8209ab60a2f06c603e5a624 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Fri, 6 Sep 2024 13:13:54 +0200 +Subject: [PATCH] [3.9] [CVE-2023-27043] gh-102988: Reject malformed addresses + in email.parseaddr() (GH-111116) (#123769) + +Detect email address parsing errors and return empty tuple to +indicate the parsing error (old API). Add an optional 'strict' +parameter to getaddresses() and parseaddr() functions. Patch by +Thomas Dwyer. + +(cherry picked from commit 4a153a1d3b18803a684cd1bcc2cdf3ede3dbae19) + +Co-authored-by: Victor Stinner +Co-Authored-By: Thomas Dwyer + + Doc/library/email.utils.rst | 19 +- + Doc/whatsnew/3.9.rst | 10 + + Lib/email/utils.py | 151 ++++++++++++- + Lib/test/test_email/test_email.py | 204 +++++++++++++++++- + ...-10-20-15-28-08.gh-issue-102988.dStNO7.rst | 8 + + 5 files changed, 371 insertions(+), 21 deletions(-) +--- + Lib/email/utils.py | 151 ++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 142 insertions(+), 9 deletions(-) + +diff --git a/Lib/email/utils.py b/Lib/email/utils.py +index aa949aa..af2fb14 100644 +--- a/Lib/email/utils.py ++++ b/Lib/email/utils.py +@@ -48,6 +48,7 @@ TICK = "'" + specialsre = re.compile(r'[][\\()<>@,:;".]') + escapesre = re.compile(r'[\\"]') + ++ + def _has_surrogates(s): + """Return True if s may contain surrogate-escaped binary data.""" + # This check is based on the fact that unless there are surrogates, utf8 +@@ -106,12 +107,127 @@ def formataddr(pair, charset='utf-8'): + return address + + ++def _iter_escaped_chars(addr): ++ pos = 0 ++ escape = False ++ for pos, ch in enumerate(addr): ++ if escape: ++ yield (pos, '\\' + ch) ++ escape = False ++ elif ch == '\\': ++ escape = True ++ else: ++ yield (pos, ch) ++ if escape: ++ yield (pos, '\\') ++ ++ ++def _strip_quoted_realnames(addr): ++ """Strip real names between quotes.""" ++ if '"' not in addr: ++ # Fast path ++ return addr ++ ++ start = 0 ++ open_pos = None ++ result = [] ++ for pos, ch in _iter_escaped_chars(addr): ++ if ch == '"': ++ if open_pos is None: ++ open_pos = pos ++ else: ++ if start != open_pos: ++ result.append(addr[start:open_pos]) ++ start = pos + 1 ++ open_pos = None ++ ++ if start < len(addr): ++ result.append(addr[start:]) ++ ++ return ''.join(result) + +-def getaddresses(fieldvalues): +- """Return a list of (REALNAME, EMAIL) for each fieldvalue.""" +- all = COMMASPACE.join(str(v) for v in fieldvalues) +- a = _AddressList(all) +- return a.addresslist ++ ++supports_strict_parsing = True ++ ++def getaddresses(fieldvalues, *, strict=True): ++ """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue. ++ ++ When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in ++ its place. ++ ++ If strict is true, use a strict parser which rejects malformed inputs. ++ """ ++ ++ # If strict is true, if the resulting list of parsed addresses is greater ++ # than the number of fieldvalues in the input list, a parsing error has ++ # occurred and consequently a list containing a single empty 2-tuple [('', ++ # '')] is returned in its place. This is done to avoid invalid output. ++ # ++ # Malformed input: getaddresses(['alice@example.com ']) ++ # Invalid output: [('', 'alice@example.com'), ('', 'bob@example.com')] ++ # Safe output: [('', '')] ++ ++ if not strict: ++ all = COMMASPACE.join(str(v) for v in fieldvalues) ++ a = _AddressList(all) ++ return a.addresslist ++ ++ fieldvalues = [str(v) for v in fieldvalues] ++ fieldvalues = _pre_parse_validation(fieldvalues) ++ addr = COMMASPACE.join(fieldvalues) ++ a = _AddressList(addr) ++ result = _post_parse_validation(a.addresslist) ++ ++ # Treat output as invalid if the number of addresses is not equal to the ++ # expected number of addresses. ++ n = 0 ++ for v in fieldvalues: ++ # When a comma is used in the Real Name part it is not a deliminator. ++ # So strip those out before counting the commas. ++ v = _strip_quoted_realnames(v) ++ # Expected number of addresses: 1 + number of commas ++ n += 1 + v.count(',') ++ if len(result) != n: ++ return [('', '')] ++ ++ return result ++ ++ ++def _check_parenthesis(addr): ++ # Ignore parenthesis in quoted real names. ++ addr = _strip_quoted_realnames(addr) ++ ++ opens = 0 ++ for pos, ch in _iter_escaped_chars(addr): ++ if ch == '(': ++ opens += 1 ++ elif ch == ')': ++ opens -= 1 ++ if opens < 0: ++ return False ++ return (opens == 0) ++ ++ ++def _pre_parse_validation(email_header_fields): ++ accepted_values = [] ++ for v in email_header_fields: ++ if not _check_parenthesis(v): ++ v = "('', '')" ++ accepted_values.append(v) ++ ++ return accepted_values ++ ++ ++def _post_parse_validation(parsed_email_header_tuples): ++ accepted_values = [] ++ # The parser would have parsed a correctly formatted domain-literal ++ # The existence of an [ after parsing indicates a parsing failure ++ for v in parsed_email_header_tuples: ++ if '[' in v[1]: ++ v = ('', '') ++ accepted_values.append(v) ++ ++ return accepted_values + + + def _format_timetuple_and_zone(timetuple, zone): +@@ -205,16 +321,33 @@ def parsedate_to_datetime(data): + tzinfo=datetime.timezone(datetime.timedelta(seconds=tz))) + + +-def parseaddr(addr): ++def parseaddr(addr, *, strict=True): + """ + Parse addr into its constituent realname and email address parts. + + Return a tuple of realname and email address, unless the parse fails, in + which case return a 2-tuple of ('', ''). ++ ++ If strict is True, use a strict parser which rejects malformed inputs. + """ +- addrs = _AddressList(addr).addresslist +- if not addrs: +- return '', '' ++ if not strict: ++ addrs = _AddressList(addr).addresslist ++ if not addrs: ++ return ('', '') ++ return addrs[0] ++ ++ if isinstance(addr, list): ++ addr = addr[0] ++ ++ if not isinstance(addr, str): ++ return ('', '') ++ ++ addr = _pre_parse_validation([addr])[0] ++ addrs = _post_parse_validation(_AddressList(addr).addresslist) ++ ++ if not addrs or len(addrs) > 1: ++ return ('', '') ++ + return addrs[0] + + +-- +2.40.4 + diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec index 4f0652ee0ab..6004de3ceca 100644 --- a/SPECS/python3/python3.spec +++ b/SPECS/python3/python3.spec @@ -12,7 +12,7 @@ Summary: A high-level scripting language Name: python3 Version: 3.9.19 -Release: 8%{?dist} +Release: 9%{?dist} License: PSF Vendor: Microsoft Corporation Distribution: Mariner @@ -29,6 +29,7 @@ Patch5: CVE-2024-8088.patch Patch6: CVE-2024-4032.patch Patch7: CVE-2024-11168.patch Patch8: CVE-2024-6923.patch +Patch9: CVE-2023-27043.patch # Patch for setuptools, resolved in 65.5.1 Patch1000: CVE-2022-40897.patch Patch1001: CVE-2024-6345.patch From 1d5620503fa0b6ec633ff1d7e7856bfec9fb18ca Mon Sep 17 00:00:00 2001 From: Balakumaran Kannan Date: Mon, 3 Feb 2025 10:25:49 +0000 Subject: [PATCH 2/5] Apply patch --- SPECS/python3/python3.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec index 6004de3ceca..6b091862df9 100644 --- a/SPECS/python3/python3.spec +++ b/SPECS/python3/python3.spec @@ -176,6 +176,7 @@ The test package contains all regression tests for Python as well as the modules %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 %build # Remove GCC specs and build environment linker scripts From a8460d5377eb7bca8c14c1de360c96f96ebbe996 Mon Sep 17 00:00:00 2001 From: Balakumaran Kannan Date: Mon, 3 Feb 2025 12:11:23 +0000 Subject: [PATCH 3/5] try original patch --- SPECS/python3/CVE-2023-27043.patch | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/SPECS/python3/CVE-2023-27043.patch b/SPECS/python3/CVE-2023-27043.patch index 63484b1c420..6a83d7e1e88 100644 --- a/SPECS/python3/CVE-2023-27043.patch +++ b/SPECS/python3/CVE-2023-27043.patch @@ -1,11 +1,12 @@ -From 76b1e32b1d730355bd976dbe18c9dd43fafb0ea0 Mon Sep 17 00:00:00 2001 -From: Bala -Date: Thu, 30 Jan 2025 08:38:50 +0000 +From f79d810ddc98eb7650c6f613cf01b77e2eb7368f Mon Sep 17 00:00:00 2001 +From: Balakumaran Kannan +Date: Thu, 30 Jan 2025 05:22:45 +0000 Subject: [PATCH] Return empty tuple to indicate the email parsing error. Cut short version of original patch taken from below commit Taking the changes only for Lib/email/utils.py +--- From ee953f2b8fc12ee9b8209ab60a2f06c603e5a624 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Fri, 6 Sep 2024 13:13:54 +0200 @@ -21,19 +22,20 @@ Thomas Dwyer. Co-authored-by: Victor Stinner Co-Authored-By: Thomas Dwyer - +--- Doc/library/email.utils.rst | 19 +- Doc/whatsnew/3.9.rst | 10 + Lib/email/utils.py | 151 ++++++++++++- Lib/test/test_email/test_email.py | 204 +++++++++++++++++- ...-10-20-15-28-08.gh-issue-102988.dStNO7.rst | 8 + 5 files changed, 371 insertions(+), 21 deletions(-) +--- --- Lib/email/utils.py | 151 ++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 142 insertions(+), 9 deletions(-) diff --git a/Lib/email/utils.py b/Lib/email/utils.py -index aa949aa..af2fb14 100644 +index 48d30160aa6..7ca7a7c8867 100644 --- a/Lib/email/utils.py +++ b/Lib/email/utils.py @@ -48,6 +48,7 @@ TICK = "'" @@ -42,7 +44,7 @@ index aa949aa..af2fb14 100644 + def _has_surrogates(s): - """Return True if s may contain surrogate-escaped binary data.""" + """Return True if s contains surrogate-escaped binary data.""" # This check is based on the fact that unless there are surrogates, utf8 @@ -106,12 +107,127 @@ def formataddr(pair, charset='utf-8'): return address @@ -177,7 +179,7 @@ index aa949aa..af2fb14 100644 def _format_timetuple_and_zone(timetuple, zone): -@@ -205,16 +321,33 @@ def parsedate_to_datetime(data): +@@ -202,16 +318,33 @@ def parsedate_to_datetime(data): tzinfo=datetime.timezone(datetime.timedelta(seconds=tz))) @@ -216,5 +218,5 @@ index aa949aa..af2fb14 100644 -- -2.40.4 +2.39.4 From 47548387d03fe0e11cb34ec09611d06911d3c7e6 Mon Sep 17 00:00:00 2001 From: Balakumaran Kannan Date: Mon, 3 Feb 2025 13:27:56 +0000 Subject: [PATCH 4/5] Update changelog --- SPECS/python3/CVE-2023-27043.patch | 6 +++--- SPECS/python3/python3.spec | 3 +++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/SPECS/python3/CVE-2023-27043.patch b/SPECS/python3/CVE-2023-27043.patch index 6a83d7e1e88..741f659e26d 100644 --- a/SPECS/python3/CVE-2023-27043.patch +++ b/SPECS/python3/CVE-2023-27043.patch @@ -6,7 +6,7 @@ Subject: [PATCH] Return empty tuple to indicate the email parsing error. Cut short version of original patch taken from below commit Taking the changes only for Lib/email/utils.py ---- + From ee953f2b8fc12ee9b8209ab60a2f06c603e5a624 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Fri, 6 Sep 2024 13:13:54 +0200 @@ -22,14 +22,14 @@ Thomas Dwyer. Co-authored-by: Victor Stinner Co-Authored-By: Thomas Dwyer ---- + Doc/library/email.utils.rst | 19 +- Doc/whatsnew/3.9.rst | 10 + Lib/email/utils.py | 151 ++++++++++++- Lib/test/test_email/test_email.py | 204 +++++++++++++++++- ...-10-20-15-28-08.gh-issue-102988.dStNO7.rst | 8 + 5 files changed, 371 insertions(+), 21 deletions(-) ---- + --- Lib/email/utils.py | 151 ++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 142 insertions(+), 9 deletions(-) diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec index 6b091862df9..be4c450cf52 100644 --- a/SPECS/python3/python3.spec +++ b/SPECS/python3/python3.spec @@ -332,6 +332,9 @@ rm -rf %{buildroot}%{_bindir}/__pycache__ %{_libdir}/python%{majmin}/test/* %changelog +* Mon Feb 03 2024 Bala - 3.9.19-9 +- Address CVE-2023-27043 by patching + * Thu Nov 28 2024 Kanishk Bansal - 3.9.19-8 - Address CVE-2024-6923 From 45b4976850fe782d9cc5edd31b87eb1630740193 Mon Sep 17 00:00:00 2001 From: Balakumaran Kannan Date: Mon, 3 Feb 2025 13:30:06 +0000 Subject: [PATCH 5/5] Update toolchain manifest files --- .../manifests/package/pkggen_core_aarch64.txt | 8 ++++---- .../manifests/package/pkggen_core_x86_64.txt | 8 ++++---- .../manifests/package/toolchain_aarch64.txt | 18 +++++++++--------- .../manifests/package/toolchain_x86_64.txt | 18 +++++++++--------- 4 files changed, 26 insertions(+), 26 deletions(-) diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 545262dc0e0..88362fbbce8 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-19.cm2.noarch.rpm ca-certificates-2.0.0-19.cm2.noarch.rpm dwz-0.14-2.cm2.aarch64.rpm unzip-6.0-21.cm2.aarch64.rpm -python3-3.9.19-8.cm2.aarch64.rpm -python3-devel-3.9.19-8.cm2.aarch64.rpm -python3-libs-3.9.19-8.cm2.aarch64.rpm -python3-setuptools-3.9.19-8.cm2.noarch.rpm +python3-3.9.19-9.cm2.aarch64.rpm +python3-devel-3.9.19-9.cm2.aarch64.rpm +python3-libs-3.9.19-9.cm2.aarch64.rpm +python3-setuptools-3.9.19-9.cm2.noarch.rpm python3-pygments-2.4.2-7.cm2.noarch.rpm which-2.21-8.cm2.aarch64.rpm libselinux-3.2-1.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index caf136d4d4e..654b286cb7f 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-19.cm2.noarch.rpm ca-certificates-2.0.0-19.cm2.noarch.rpm dwz-0.14-2.cm2.x86_64.rpm unzip-6.0-21.cm2.x86_64.rpm -python3-3.9.19-8.cm2.x86_64.rpm -python3-devel-3.9.19-8.cm2.x86_64.rpm -python3-libs-3.9.19-8.cm2.x86_64.rpm -python3-setuptools-3.9.19-8.cm2.noarch.rpm +python3-3.9.19-9.cm2.x86_64.rpm +python3-devel-3.9.19-9.cm2.x86_64.rpm +python3-libs-3.9.19-9.cm2.x86_64.rpm +python3-setuptools-3.9.19-9.cm2.noarch.rpm python3-pygments-2.4.2-7.cm2.noarch.rpm which-2.21-8.cm2.x86_64.rpm libselinux-3.2-1.cm2.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 8c8d7f7e2a4..af4c80f7aac 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -510,28 +510,28 @@ procps-ng-devel-3.3.17-2.cm2.aarch64.rpm procps-ng-lang-3.3.17-2.cm2.aarch64.rpm pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm python-markupsafe-debuginfo-2.1.0-1.cm2.aarch64.rpm -python3-3.9.19-8.cm2.aarch64.rpm +python3-3.9.19-9.cm2.aarch64.rpm python3-audit-3.0.6-8.cm2.aarch64.rpm python3-cracklib-2.9.7-5.cm2.aarch64.rpm -python3-curses-3.9.19-8.cm2.aarch64.rpm +python3-curses-3.9.19-9.cm2.aarch64.rpm python3-Cython-0.29.33-2.cm2.aarch64.rpm -python3-debuginfo-3.9.19-8.cm2.aarch64.rpm -python3-devel-3.9.19-8.cm2.aarch64.rpm +python3-debuginfo-3.9.19-9.cm2.aarch64.rpm +python3-devel-3.9.19-9.cm2.aarch64.rpm python3-gpg-1.16.0-2.cm2.aarch64.rpm python3-jinja2-3.0.3-5.cm2.noarch.rpm python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm -python3-libs-3.9.19-8.cm2.aarch64.rpm +python3-libs-3.9.19-9.cm2.aarch64.rpm python3-libxml2-2.10.4-5.cm2.aarch64.rpm python3-lxml-4.9.1-1.cm2.aarch64.rpm python3-magic-5.40-3.cm2.noarch.rpm python3-markupsafe-2.1.0-1.cm2.aarch64.rpm python3-newt-0.52.21-5.cm2.aarch64.rpm -python3-pip-3.9.19-8.cm2.noarch.rpm +python3-pip-3.9.19-9.cm2.noarch.rpm python3-pygments-2.4.2-7.cm2.noarch.rpm python3-rpm-4.18.0-4.cm2.aarch64.rpm -python3-setuptools-3.9.19-8.cm2.noarch.rpm -python3-test-3.9.19-8.cm2.aarch64.rpm -python3-tools-3.9.19-8.cm2.aarch64.rpm +python3-setuptools-3.9.19-9.cm2.noarch.rpm +python3-test-3.9.19-9.cm2.aarch64.rpm +python3-tools-3.9.19-9.cm2.aarch64.rpm readline-8.1-1.cm2.aarch64.rpm readline-debuginfo-8.1-1.cm2.aarch64.rpm readline-devel-8.1-1.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 5a637183e62..6255aa04740 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -516,28 +516,28 @@ procps-ng-devel-3.3.17-2.cm2.x86_64.rpm procps-ng-lang-3.3.17-2.cm2.x86_64.rpm pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm python-markupsafe-debuginfo-2.1.0-1.cm2.x86_64.rpm -python3-3.9.19-8.cm2.x86_64.rpm +python3-3.9.19-9.cm2.x86_64.rpm python3-audit-3.0.6-8.cm2.x86_64.rpm python3-cracklib-2.9.7-5.cm2.x86_64.rpm -python3-curses-3.9.19-8.cm2.x86_64.rpm +python3-curses-3.9.19-9.cm2.x86_64.rpm python3-Cython-0.29.33-2.cm2.x86_64.rpm -python3-debuginfo-3.9.19-8.cm2.x86_64.rpm -python3-devel-3.9.19-8.cm2.x86_64.rpm +python3-debuginfo-3.9.19-9.cm2.x86_64.rpm +python3-devel-3.9.19-9.cm2.x86_64.rpm python3-gpg-1.16.0-2.cm2.x86_64.rpm python3-jinja2-3.0.3-5.cm2.noarch.rpm python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm -python3-libs-3.9.19-8.cm2.x86_64.rpm +python3-libs-3.9.19-9.cm2.x86_64.rpm python3-libxml2-2.10.4-5.cm2.x86_64.rpm python3-lxml-4.9.1-1.cm2.x86_64.rpm python3-magic-5.40-3.cm2.noarch.rpm python3-markupsafe-2.1.0-1.cm2.x86_64.rpm python3-newt-0.52.21-5.cm2.x86_64.rpm -python3-pip-3.9.19-8.cm2.noarch.rpm +python3-pip-3.9.19-9.cm2.noarch.rpm python3-pygments-2.4.2-7.cm2.noarch.rpm python3-rpm-4.18.0-4.cm2.x86_64.rpm -python3-setuptools-3.9.19-8.cm2.noarch.rpm -python3-test-3.9.19-8.cm2.x86_64.rpm -python3-tools-3.9.19-8.cm2.x86_64.rpm +python3-setuptools-3.9.19-9.cm2.noarch.rpm +python3-test-3.9.19-9.cm2.x86_64.rpm +python3-tools-3.9.19-9.cm2.x86_64.rpm readline-8.1-1.cm2.x86_64.rpm readline-debuginfo-8.1-1.cm2.x86_64.rpm readline-devel-8.1-1.cm2.x86_64.rpm