diff options
| author | Andrew Geissler <geissonator@yahoo.com> | 2020-06-06 02:00:41 +0300 |
|---|---|---|
| committer | Andrew Geissler <geissonator@yahoo.com> | 2020-06-11 01:09:50 +0300 |
| commit | 4ed12e16f882008388c007c6e86be3ce038d8751 (patch) | |
| tree | e47a1ec0a2595400db33f4aa34b14bc4d5d72ad2 /poky/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch | |
| parent | 8928e81ba673979d658b919717563a78e9d6d25d (diff) | |
| download | openbmc-4ed12e16f882008388c007c6e86be3ce038d8751.tar.xz | |
poky: subtree update:a35bf0e5d3..b66b9f7548
backport:
meson 0.54.2: backport upstream patch for boost libs
Adrian Bunk (1):
libubootenv: Remove the DEPENDS on mtd-utils
Alex Kiernan (2):
openssh: Upgrade 8.2p1 -> 8.3p1
systemd: upgrade v245.5 -> v245.6
Alexander Kanavin (68):
btrfs-tools: upgrade 5.4.1 -> 5.6.1
build-compare: upgrade to latest revision
ccache: upgrade 3.7.7 -> 3.7.9
createrepo-c: upgrade 0.15.7 -> 0.15.10
dpkg: upgrade 1.19.7 -> 1.20.0
librepo: upgrade 1.11.2 -> 1.11.3
python3-numpy: upgrade 1.18.3 -> 1.18.4
python3-cython: upgrade 0.29.16 -> 0.29.19
python3-gitdb: upgrade 4.0.4 -> 4.0.5
python3-mako: upgrade 1.1.1 -> 1.1.3
python3-pygments: upgrade 2.5.2 -> 2.6.1
python3-smmap: upgrade 2.0.5 -> 3.0.4
python3-subunit: upgrade 1.3.0 -> 1.4.0
python3-testtools: upgrade 2.3.0 -> 2.4.0
python3: upgrade 3.8.2 -> 3.8.3
strace: upgrade 5.5 -> 5.6
vala: upgrade 0.46.6 -> 0.48.6
cups: upgrade 2.3.1 -> 2.3.3
gawk: upgrade 5.0.1 -> 5.1.0
libsolv: upgrade 0.7.10 -> 0.7.14
man-pages: upgrade 5.05 -> 5.06
msmtp: upgrade 1.8.8 -> 1.8.10
stress-ng: upgrade 0.11.01 -> 0.11.12
stress-ng: mark as incompatible with musl
sudo: upgrade 1.8.31 -> 1.9.0
adwaita-icon-theme: upgrade 3.34.3 -> 3.36.1
gtk+3: upgrade 3.24.14 -> 3.24.20
cogl-1.0: upgrade 1.22.4 -> 1.22.6
mesa: upgrade 20.0.2 -> 20.0.7
mesa: merge the .bb content into .inc
piglit: upgrade to latest revision
waffle: upgrade 1.6.0 -> 1.6.1
pixman: upgrade 0.38.4 -> 0.40.0
kmod: upgrade 26 -> 27
powertop: upgrade 2.10 -> 2.12
alsa-plugins: upgrade 1.2.1 -> 1.2.2
alsa-tools: upgrade 1.1.7 -> 1.2.2
alsa-utils: split the content into .inc
alsa-topology/ucm-conf: update to 1.2.2
x264: upgrade to latest revision
puzzles: upgrade to latest revision
libcap: upgrade 2.33 -> 2.34
libical: upgrade 3.0.7 -> 3.0.8
libunwind: upgrade 1.3.1 -> 1.4.0
rng-tools: upgrade 6.9 -> 6.10
babeltrace: correct the git SRC_URI
libexif: update to 0.6.22
ppp: update 2.4.7 -> 2.4.8
gettext: update 0.20.1 -> 0.20.2
ptest-runner: fix upstream version check
automake: 1.16.1 -> 1.16.2
bison: 3.5.4 -> 3.6.2
cmake: update 3.16.5 -> 3.17.3
gnu-config: update to latest revision
jquery: update to 3.5.1
json-c: update 0.13.1 - > 0.14
libmodulemd: update 2.9.2 -> 2.9.4
meson: upgrade 0.53.2 -> 0.54.2
shared-mime-info: fix upstream version check
mpg123: fix upstream version check
ethtool: upgrade 5.4 -> 5.6
libcpre2: update 10.34 -> 10.35
help2man-native: update to 1.47.15
apt: update to 1.8.2.1
asciidoc: bump PV to 8.6.10
pulseaudio: exclude pre-releases from version checks
xinetd: switch to a maintained opensuse fork
lz4: disable static library
Andreas Müller (1):
vte: Pack ${libexecdir}/vte-urlencode-cwd to vte-prompt
Anuj Mittal (1):
linux-yocto: bump genericx86 kernel version to v5.4.40
Bruce Ashfield (5):
linux-yocto/5.4: update to v5.4.42
linux-yocto-rt/5.4: update to rt24
linux-yocto/5.4: temporarily revert IKHEADERS in standard kernels
linux-yocto: gather reproducibility configs into a fragment
linux-yocto/5.4: update to v5.4.43
Christian Eggers (2):
librsvg: Extend for nativesdk
tiff: Extend for nativesdk
Hongxu Jia (1):
rpm: fix rpm -Kv xxx.rpm failed if signature header is larger than 64KB
Jacob Kroon (1):
bitbake: doc: More explanation to tasks that recursively depend on themselves
Jan Luebbe (1):
classes/buildhistory: capture package config
Jens Rehsack (2):
initscripts/init-system-helpers: fix mountnfs.sh dependency
init-system-helpers: avoid superfluous update-rc.d
Joshua Watt (2):
layer.conf: Bump OE-Core layer version
wic: Add --offset argument for partitions
Junling Zheng (3):
buildstats.bbclass: Remove useless variables
buildstats.bbclass: Do not recalculate build start time
security_flags: Remove stack protector flag from LDFLAGS
Kai Kang (1):
bitbake: bitbake-user-manual-metadata.xml: fix a minor error
Khem Raj (4):
make-mod-scripts: Fix a rare build race condition
go-1.14: Update to 1.14.3 minor release
armv8/tunes: Set TUNE_PKGARCH_64 based on ARMPKGARCH
ltp: Disable sigwaitinfo tests relying on undefined behavior
Konrad Weihmann (8):
qemurunner: fix ip fallback detection
sysfsutils: rem leftover settings for libsysfs-dev
debianutils: whitespace fixes
libjpeg-turbo: whitespace fixes
cairo: remove trailing whitespace
gtk-doc: remove trailing whitespace
libxt: fix whitespaces
cogl: point to correct HOMEPAGE
Lee Chee Yang (4):
re2c: fix CVE-2020-11958
bind: fix CVE-2020-8616/7
glib-2.0: 2.64.2 -> 2.64.3
glib-networking: 2.64.2 -> 2.64.3
Marco Felsch (1):
util-linux: alternatify rtcwake
Mark Hatle (1):
sstate.bbclass: When siginfo or sig files are missing, stop fetcher errors
Martin Jansa (6):
devtool: use -f and don't use --exclude-standard when adding files to workspace
meta-selftest: add test of .gitignore in tarball
lib/oe/patch: prevent applying patches without any subject
lib/oe/patch: GitApplyTree: save 1 echo in commit-msg hook
Revert "lib/oe/patch: fix handling of patches with no header"
meta-selftest: add test for .patch file with long filename and without subject
Mauro Queirós (3):
bitbake: git.py: skip smudging if lfs=0 is set
bitbake: git.py: LFS bitbake note should not be printed if need_lfs is not set.
bitbake: git.py: Use the correct branch to check if the repository has LFS objects.
Ming Liu (2):
u-boot.inc: fix some inconsistent coding style
u-boot: introduce UBOOT_INITIAL_ENV
Paul Barker (5):
archiver: Fix test case for srpm archiver mode
oe-selftest: Allow overriding the build directory used for tests
oe-selftest: Support verbose log output
oe-selftest: Recursively patch test case paths
bitbake: fetch2: Add the ability to list expanded URL data
Peter Kjellerstedt (1):
cairo: Do not try to remove nonexistent directories
Pierre-Jean Texier (1):
diffoscope: upgrade 144 -> 146
Ralph Siemsen (1):
cve-check: include epoch in product version output
Richard Purdie (7):
lib/classextend: Drop unneeded comment
poky.ent: Update UBUNTU_HOST_PACKAGES_ESSENTIAL to match recent changes
maintainers: Update Ross' email address
logrotate: Drop obsolete setting/comment
oeqa/targetcontrol: Rework exception handling to avoid warnings
patchelf: Add patch to address corrupt shared library issue
poky.ent: Update XXX_HOST_PACKAGES_ESSENTIAL to include mesa for other distros
Robert P. J. Day (1):
bitbake.conf: Remove unused DEPLOY_DIR_TOOLS variable
Tim Orling (1):
bitbake: toaster-requirements.txt: require Django 2.2
Trevor Gamblin (1):
qemuarm: check serial consoles vs /proc/consoles
Wang Mingyu (13):
less: upgrade 551 -> 562
liburcu: upgrade 0.12.0 -> 0.12.1
alsa-lib: upgrade 1.2.1.2 -> 1.2.2
alsa-utils: upgrade 1.2.1 -> 1.2.2
python3-six: upgrade 1.14.0 -> 1.15.0
util-linux: upgrade 2.35.1 -> 2.35.2
xf86-input-libinput: upgrade 0.29.0 -> 0.30.0
ca-certificates: upgrade 20190110 -> 20200601
dbus: upgrade 1.12.16 -> 1.12.18
libyaml: upgrade 0.2.4 -> 0.2.5
sqlite: upgrade 3.31.1 -> 3.32.1
valgrind: upgrade 3.15.0 -> 3.16.0
dbus-test: upgrade 1.12.16 -> 1.12.18
akuster (2):
poky.ent: Update OPENSUSE_HOST_PACKAGES_ESSENTIAL to include mesa-dri-devel
yocto-docs: Add SPDX headers in scripts and Makefile
hongxu (1):
core-image-minimal-initramfs: keep restriction with initramfs-module-install
zangrc (3):
python3-pycairo:upgrade 1.19.0 -> 1.19.1
python3-pygobject:upgrade 3.34.0 -> 3.36.1
python3-setuptools:upgrade 45.2.0 -> 47.1.1
zhengruoqin (2):
gdb: upgrade 9.1 -> 9.2
libyaml: upgrade 0.2.2 -> 0.2.4
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I60e616be0c30904f8cfc947089ed2e4f5e84bc60
Diffstat (limited to 'poky/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch')
| -rw-r--r-- | poky/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch | 248 |
1 files changed, 0 insertions, 248 deletions
diff --git a/poky/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch b/poky/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch deleted file mode 100644 index e16b99bcb9..0000000000 --- a/poky/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch +++ /dev/null @@ -1,248 +0,0 @@ -From 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4 Mon Sep 17 00:00:00 2001 -From: Victor Stinner <vstinner@python.org> -Date: Thu, 2 Apr 2020 02:52:20 +0200 -Subject: [PATCH] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler - (GH-18284) - -Upstream-Status: Backport -(https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4) - -CVE: CVE-2020-8492 - -The AbstractBasicAuthHandler class of the urllib.request module uses -an inefficient regular expression which can be exploited by an -attacker to cause a denial of service. Fix the regex to prevent the -catastrophic backtracking. Vulnerability reported by Ben Caller -and Matt Schwager. - -AbstractBasicAuthHandler of urllib.request now parses all -WWW-Authenticate HTTP headers and accepts multiple challenges per -header: use the realm of the first Basic challenge. - -Co-Authored-By: Serhiy Storchaka <storchaka@gmail.com> -Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> ---- - Lib/test/test_urllib2.py | 90 ++++++++++++------- - Lib/urllib/request.py | 69 ++++++++++---- - .../2020-03-25-16-02-16.bpo-39503.YmMbYn.rst | 3 + - .../2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 5 ++ - 4 files changed, 115 insertions(+), 52 deletions(-) - create mode 100644 Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst - create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst - -diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py -index 8abedaac98..e69ac3e213 100644 ---- a/Lib/test/test_urllib2.py -+++ b/Lib/test/test_urllib2.py -@@ -1446,40 +1446,64 @@ class HandlerTests(unittest.TestCase): - bypass = {'exclude_simple': True, 'exceptions': []} - self.assertTrue(_proxy_bypass_macosx_sysconf('test', bypass)) - -- def test_basic_auth(self, quote_char='"'): -- opener = OpenerDirector() -- password_manager = MockPasswordManager() -- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager) -- realm = "ACME Widget Store" -- http_handler = MockHTTPHandler( -- 401, 'WWW-Authenticate: Basic realm=%s%s%s\r\n\r\n' % -- (quote_char, realm, quote_char)) -- opener.add_handler(auth_handler) -- opener.add_handler(http_handler) -- self._test_basic_auth(opener, auth_handler, "Authorization", -- realm, http_handler, password_manager, -- "http://acme.example.com/protected", -- "http://acme.example.com/protected", -- ) -- -- def test_basic_auth_with_single_quoted_realm(self): -- self.test_basic_auth(quote_char="'") -- -- def test_basic_auth_with_unquoted_realm(self): -- opener = OpenerDirector() -- password_manager = MockPasswordManager() -- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager) -- realm = "ACME Widget Store" -- http_handler = MockHTTPHandler( -- 401, 'WWW-Authenticate: Basic realm=%s\r\n\r\n' % realm) -- opener.add_handler(auth_handler) -- opener.add_handler(http_handler) -- with self.assertWarns(UserWarning): -+ def check_basic_auth(self, headers, realm): -+ with self.subTest(realm=realm, headers=headers): -+ opener = OpenerDirector() -+ password_manager = MockPasswordManager() -+ auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager) -+ body = '\r\n'.join(headers) + '\r\n\r\n' -+ http_handler = MockHTTPHandler(401, body) -+ opener.add_handler(auth_handler) -+ opener.add_handler(http_handler) - self._test_basic_auth(opener, auth_handler, "Authorization", -- realm, http_handler, password_manager, -- "http://acme.example.com/protected", -- "http://acme.example.com/protected", -- ) -+ realm, http_handler, password_manager, -+ "http://acme.example.com/protected", -+ "http://acme.example.com/protected") -+ -+ def test_basic_auth(self): -+ realm = "realm2@example.com" -+ realm2 = "realm2@example.com" -+ basic = f'Basic realm="{realm}"' -+ basic2 = f'Basic realm="{realm2}"' -+ other_no_realm = 'Otherscheme xxx' -+ digest = (f'Digest realm="{realm2}", ' -+ f'qop="auth, auth-int", ' -+ f'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", ' -+ f'opaque="5ccc069c403ebaf9f0171e9517f40e41"') -+ for realm_str in ( -+ # test "quote" and 'quote' -+ f'Basic realm="{realm}"', -+ f"Basic realm='{realm}'", -+ -+ # charset is ignored -+ f'Basic realm="{realm}", charset="UTF-8"', -+ -+ # Multiple challenges per header -+ f'{basic}, {basic2}', -+ f'{basic}, {other_no_realm}', -+ f'{other_no_realm}, {basic}', -+ f'{basic}, {digest}', -+ f'{digest}, {basic}', -+ ): -+ headers = [f'WWW-Authenticate: {realm_str}'] -+ self.check_basic_auth(headers, realm) -+ -+ # no quote: expect a warning -+ with support.check_warnings(("Basic Auth Realm was unquoted", -+ UserWarning)): -+ headers = [f'WWW-Authenticate: Basic realm={realm}'] -+ self.check_basic_auth(headers, realm) -+ -+ # Multiple headers: one challenge per header. -+ # Use the first Basic realm. -+ for challenges in ( -+ [basic, basic2], -+ [basic, digest], -+ [digest, basic], -+ ): -+ headers = [f'WWW-Authenticate: {challenge}' -+ for challenge in challenges] -+ self.check_basic_auth(headers, realm) - - def test_proxy_basic_auth(self): - opener = OpenerDirector() -diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py -index 7fe50535da..2a3d71554f 100644 ---- a/Lib/urllib/request.py -+++ b/Lib/urllib/request.py -@@ -937,8 +937,15 @@ class AbstractBasicAuthHandler: - - # allow for double- and single-quoted realm values - # (single quotes are a violation of the RFC, but appear in the wild) -- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+' -- 'realm=(["\']?)([^"\']*)\\2', re.I) -+ rx = re.compile('(?:^|,)' # start of the string or ',' -+ '[ \t]*' # optional whitespaces -+ '([^ \t]+)' # scheme like "Basic" -+ '[ \t]+' # mandatory whitespaces -+ # realm=xxx -+ # realm='xxx' -+ # realm="xxx" -+ 'realm=(["\']?)([^"\']*)\\2', -+ re.I) - - # XXX could pre-emptively send auth info already accepted (RFC 2617, - # end of section 2, and section 1.2 immediately after "credentials" -@@ -950,27 +957,51 @@ class AbstractBasicAuthHandler: - self.passwd = password_mgr - self.add_password = self.passwd.add_password - -+ def _parse_realm(self, header): -+ # parse WWW-Authenticate header: accept multiple challenges per header -+ found_challenge = False -+ for mo in AbstractBasicAuthHandler.rx.finditer(header): -+ scheme, quote, realm = mo.groups() -+ if quote not in ['"', "'"]: -+ warnings.warn("Basic Auth Realm was unquoted", -+ UserWarning, 3) -+ -+ yield (scheme, realm) -+ -+ found_challenge = True -+ -+ if not found_challenge: -+ if header: -+ scheme = header.split()[0] -+ else: -+ scheme = '' -+ yield (scheme, None) -+ - def http_error_auth_reqed(self, authreq, host, req, headers): - # host may be an authority (without userinfo) or a URL with an - # authority -- # XXX could be multiple headers -- authreq = headers.get(authreq, None) -+ headers = headers.get_all(authreq) -+ if not headers: -+ # no header found -+ return - -- if authreq: -- scheme = authreq.split()[0] -- if scheme.lower() != 'basic': -- raise ValueError("AbstractBasicAuthHandler does not" -- " support the following scheme: '%s'" % -- scheme) -- else: -- mo = AbstractBasicAuthHandler.rx.search(authreq) -- if mo: -- scheme, quote, realm = mo.groups() -- if quote not in ['"',"'"]: -- warnings.warn("Basic Auth Realm was unquoted", -- UserWarning, 2) -- if scheme.lower() == 'basic': -- return self.retry_http_basic_auth(host, req, realm) -+ unsupported = None -+ for header in headers: -+ for scheme, realm in self._parse_realm(header): -+ if scheme.lower() != 'basic': -+ unsupported = scheme -+ continue -+ -+ if realm is not None: -+ # Use the first matching Basic challenge. -+ # Ignore following challenges even if they use the Basic -+ # scheme. -+ return self.retry_http_basic_auth(host, req, realm) -+ -+ if unsupported is not None: -+ raise ValueError("AbstractBasicAuthHandler does not " -+ "support the following scheme: %r" -+ % (scheme,)) - - def retry_http_basic_auth(self, host, req, realm): - user, pw = self.passwd.find_user_password(realm, host) -diff --git a/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst -new file mode 100644 -index 0000000000..be80ce79d9 ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst -@@ -0,0 +1,3 @@ -+:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request` -+now parses all WWW-Authenticate HTTP headers and accepts multiple challenges -+per header: use the realm of the first Basic challenge. -diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst -new file mode 100644 -index 0000000000..9f2800581c ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst -@@ -0,0 +1,5 @@ -+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the -+:mod:`urllib.request` module uses an inefficient regular expression which can -+be exploited by an attacker to cause a denial of service. Fix the regex to -+prevent the catastrophic backtracking. Vulnerability reported by Ben Caller -+and Matt Schwager. --- -2.24.1 - |