From 4ed12e16f882008388c007c6e86be3ce038d8751 Mon Sep 17 00:00:00 2001 From: Andrew Geissler Date: Fri, 5 Jun 2020 18:00:41 -0500 Subject: poky: subtree update:a35bf0e5d3..b66b9f7548 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit backport: meson 0.54.2: backport upstream patch for boost libs Adrian Bunk (1): libubootenv: Remove the DEPENDS on mtd-utils Alex Kiernan (2): openssh: Upgrade 8.2p1 -> 8.3p1 systemd: upgrade v245.5 -> v245.6 Alexander Kanavin (68): btrfs-tools: upgrade 5.4.1 -> 5.6.1 build-compare: upgrade to latest revision ccache: upgrade 3.7.7 -> 3.7.9 createrepo-c: upgrade 0.15.7 -> 0.15.10 dpkg: upgrade 1.19.7 -> 1.20.0 librepo: upgrade 1.11.2 -> 1.11.3 python3-numpy: upgrade 1.18.3 -> 1.18.4 python3-cython: upgrade 0.29.16 -> 0.29.19 python3-gitdb: upgrade 4.0.4 -> 4.0.5 python3-mako: upgrade 1.1.1 -> 1.1.3 python3-pygments: upgrade 2.5.2 -> 2.6.1 python3-smmap: upgrade 2.0.5 -> 3.0.4 python3-subunit: upgrade 1.3.0 -> 1.4.0 python3-testtools: upgrade 2.3.0 -> 2.4.0 python3: upgrade 3.8.2 -> 3.8.3 strace: upgrade 5.5 -> 5.6 vala: upgrade 0.46.6 -> 0.48.6 cups: upgrade 2.3.1 -> 2.3.3 gawk: upgrade 5.0.1 -> 5.1.0 libsolv: upgrade 0.7.10 -> 0.7.14 man-pages: upgrade 5.05 -> 5.06 msmtp: upgrade 1.8.8 -> 1.8.10 stress-ng: upgrade 0.11.01 -> 0.11.12 stress-ng: mark as incompatible with musl sudo: upgrade 1.8.31 -> 1.9.0 adwaita-icon-theme: upgrade 3.34.3 -> 3.36.1 gtk+3: upgrade 3.24.14 -> 3.24.20 cogl-1.0: upgrade 1.22.4 -> 1.22.6 mesa: upgrade 20.0.2 -> 20.0.7 mesa: merge the .bb content into .inc piglit: upgrade to latest revision waffle: upgrade 1.6.0 -> 1.6.1 pixman: upgrade 0.38.4 -> 0.40.0 kmod: upgrade 26 -> 27 powertop: upgrade 2.10 -> 2.12 alsa-plugins: upgrade 1.2.1 -> 1.2.2 alsa-tools: upgrade 1.1.7 -> 1.2.2 alsa-utils: split the content into .inc alsa-topology/ucm-conf: update to 1.2.2 x264: upgrade to latest revision puzzles: upgrade to latest revision libcap: upgrade 2.33 -> 2.34 libical: upgrade 3.0.7 -> 3.0.8 libunwind: upgrade 1.3.1 -> 1.4.0 rng-tools: upgrade 6.9 -> 6.10 babeltrace: correct the git SRC_URI libexif: update to 0.6.22 ppp: update 2.4.7 -> 2.4.8 gettext: update 0.20.1 -> 0.20.2 ptest-runner: fix upstream version check automake: 1.16.1 -> 1.16.2 bison: 3.5.4 -> 3.6.2 cmake: update 3.16.5 -> 3.17.3 gnu-config: update to latest revision jquery: update to 3.5.1 json-c: update 0.13.1 - > 0.14 libmodulemd: update 2.9.2 -> 2.9.4 meson: upgrade 0.53.2 -> 0.54.2 shared-mime-info: fix upstream version check mpg123: fix upstream version check ethtool: upgrade 5.4 -> 5.6 libcpre2: update 10.34 -> 10.35 help2man-native: update to 1.47.15 apt: update to 1.8.2.1 asciidoc: bump PV to 8.6.10 pulseaudio: exclude pre-releases from version checks xinetd: switch to a maintained opensuse fork lz4: disable static library Andreas Müller (1): vte: Pack ${libexecdir}/vte-urlencode-cwd to vte-prompt Anuj Mittal (1): linux-yocto: bump genericx86 kernel version to v5.4.40 Bruce Ashfield (5): linux-yocto/5.4: update to v5.4.42 linux-yocto-rt/5.4: update to rt24 linux-yocto/5.4: temporarily revert IKHEADERS in standard kernels linux-yocto: gather reproducibility configs into a fragment linux-yocto/5.4: update to v5.4.43 Christian Eggers (2): librsvg: Extend for nativesdk tiff: Extend for nativesdk Hongxu Jia (1): rpm: fix rpm -Kv xxx.rpm failed if signature header is larger than 64KB Jacob Kroon (1): bitbake: doc: More explanation to tasks that recursively depend on themselves Jan Luebbe (1): classes/buildhistory: capture package config Jens Rehsack (2): initscripts/init-system-helpers: fix mountnfs.sh dependency init-system-helpers: avoid superfluous update-rc.d Joshua Watt (2): layer.conf: Bump OE-Core layer version wic: Add --offset argument for partitions Junling Zheng (3): buildstats.bbclass: Remove useless variables buildstats.bbclass: Do not recalculate build start time security_flags: Remove stack protector flag from LDFLAGS Kai Kang (1): bitbake: bitbake-user-manual-metadata.xml: fix a minor error Khem Raj (4): make-mod-scripts: Fix a rare build race condition go-1.14: Update to 1.14.3 minor release armv8/tunes: Set TUNE_PKGARCH_64 based on ARMPKGARCH ltp: Disable sigwaitinfo tests relying on undefined behavior Konrad Weihmann (8): qemurunner: fix ip fallback detection sysfsutils: rem leftover settings for libsysfs-dev debianutils: whitespace fixes libjpeg-turbo: whitespace fixes cairo: remove trailing whitespace gtk-doc: remove trailing whitespace libxt: fix whitespaces cogl: point to correct HOMEPAGE Lee Chee Yang (4): re2c: fix CVE-2020-11958 bind: fix CVE-2020-8616/7 glib-2.0: 2.64.2 -> 2.64.3 glib-networking: 2.64.2 -> 2.64.3 Marco Felsch (1): util-linux: alternatify rtcwake Mark Hatle (1): sstate.bbclass: When siginfo or sig files are missing, stop fetcher errors Martin Jansa (6): devtool: use -f and don't use --exclude-standard when adding files to workspace meta-selftest: add test of .gitignore in tarball lib/oe/patch: prevent applying patches without any subject lib/oe/patch: GitApplyTree: save 1 echo in commit-msg hook Revert "lib/oe/patch: fix handling of patches with no header" meta-selftest: add test for .patch file with long filename and without subject Mauro Queirós (3): bitbake: git.py: skip smudging if lfs=0 is set bitbake: git.py: LFS bitbake note should not be printed if need_lfs is not set. bitbake: git.py: Use the correct branch to check if the repository has LFS objects. Ming Liu (2): u-boot.inc: fix some inconsistent coding style u-boot: introduce UBOOT_INITIAL_ENV Paul Barker (5): archiver: Fix test case for srpm archiver mode oe-selftest: Allow overriding the build directory used for tests oe-selftest: Support verbose log output oe-selftest: Recursively patch test case paths bitbake: fetch2: Add the ability to list expanded URL data Peter Kjellerstedt (1): cairo: Do not try to remove nonexistent directories Pierre-Jean Texier (1): diffoscope: upgrade 144 -> 146 Ralph Siemsen (1): cve-check: include epoch in product version output Richard Purdie (7): lib/classextend: Drop unneeded comment poky.ent: Update UBUNTU_HOST_PACKAGES_ESSENTIAL to match recent changes maintainers: Update Ross' email address logrotate: Drop obsolete setting/comment oeqa/targetcontrol: Rework exception handling to avoid warnings patchelf: Add patch to address corrupt shared library issue poky.ent: Update XXX_HOST_PACKAGES_ESSENTIAL to include mesa for other distros Robert P. J. Day (1): bitbake.conf: Remove unused DEPLOY_DIR_TOOLS variable Tim Orling (1): bitbake: toaster-requirements.txt: require Django 2.2 Trevor Gamblin (1): qemuarm: check serial consoles vs /proc/consoles Wang Mingyu (13): less: upgrade 551 -> 562 liburcu: upgrade 0.12.0 -> 0.12.1 alsa-lib: upgrade 1.2.1.2 -> 1.2.2 alsa-utils: upgrade 1.2.1 -> 1.2.2 python3-six: upgrade 1.14.0 -> 1.15.0 util-linux: upgrade 2.35.1 -> 2.35.2 xf86-input-libinput: upgrade 0.29.0 -> 0.30.0 ca-certificates: upgrade 20190110 -> 20200601 dbus: upgrade 1.12.16 -> 1.12.18 libyaml: upgrade 0.2.4 -> 0.2.5 sqlite: upgrade 3.31.1 -> 3.32.1 valgrind: upgrade 3.15.0 -> 3.16.0 dbus-test: upgrade 1.12.16 -> 1.12.18 akuster (2): poky.ent: Update OPENSUSE_HOST_PACKAGES_ESSENTIAL to include mesa-dri-devel yocto-docs: Add SPDX headers in scripts and Makefile hongxu (1): core-image-minimal-initramfs: keep restriction with initramfs-module-install zangrc (3): python3-pycairo:upgrade 1.19.0 -> 1.19.1 python3-pygobject:upgrade 3.34.0 -> 3.36.1 python3-setuptools:upgrade 45.2.0 -> 47.1.1 zhengruoqin (2): gdb: upgrade 9.1 -> 9.2 libyaml: upgrade 0.2.2 -> 0.2.4 Signed-off-by: Andrew Geissler Signed-off-by: Patrick Williams Change-Id: I60e616be0c30904f8cfc947089ed2e4f5e84bc60 --- ...VE-2020-8492-Fix-AbstractBasicAuthHandler.patch | 248 --------------------- 1 file changed, 248 deletions(-) delete mode 100644 poky/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch (limited to 'poky/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch') diff --git a/poky/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch b/poky/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch deleted file mode 100644 index e16b99bcb9..0000000000 --- a/poky/meta/recipes-devtools/python/files/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch +++ /dev/null @@ -1,248 +0,0 @@ -From 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4 Mon Sep 17 00:00:00 2001 -From: Victor Stinner -Date: Thu, 2 Apr 2020 02:52:20 +0200 -Subject: [PATCH] bpo-39503: CVE-2020-8492: Fix AbstractBasicAuthHandler - (GH-18284) - -Upstream-Status: Backport -(https://github.com/python/cpython/commit/0b297d4ff1c0e4480ad33acae793fbaf4bf015b4) - -CVE: CVE-2020-8492 - -The AbstractBasicAuthHandler class of the urllib.request module uses -an inefficient regular expression which can be exploited by an -attacker to cause a denial of service. Fix the regex to prevent the -catastrophic backtracking. Vulnerability reported by Ben Caller -and Matt Schwager. - -AbstractBasicAuthHandler of urllib.request now parses all -WWW-Authenticate HTTP headers and accepts multiple challenges per -header: use the realm of the first Basic challenge. - -Co-Authored-By: Serhiy Storchaka -Signed-off-by: Trevor Gamblin ---- - Lib/test/test_urllib2.py | 90 ++++++++++++------- - Lib/urllib/request.py | 69 ++++++++++---- - .../2020-03-25-16-02-16.bpo-39503.YmMbYn.rst | 3 + - .../2020-01-30-16-15-29.bpo-39503.B299Yq.rst | 5 ++ - 4 files changed, 115 insertions(+), 52 deletions(-) - create mode 100644 Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst - create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst - -diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py -index 8abedaac98..e69ac3e213 100644 ---- a/Lib/test/test_urllib2.py -+++ b/Lib/test/test_urllib2.py -@@ -1446,40 +1446,64 @@ class HandlerTests(unittest.TestCase): - bypass = {'exclude_simple': True, 'exceptions': []} - self.assertTrue(_proxy_bypass_macosx_sysconf('test', bypass)) - -- def test_basic_auth(self, quote_char='"'): -- opener = OpenerDirector() -- password_manager = MockPasswordManager() -- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager) -- realm = "ACME Widget Store" -- http_handler = MockHTTPHandler( -- 401, 'WWW-Authenticate: Basic realm=%s%s%s\r\n\r\n' % -- (quote_char, realm, quote_char)) -- opener.add_handler(auth_handler) -- opener.add_handler(http_handler) -- self._test_basic_auth(opener, auth_handler, "Authorization", -- realm, http_handler, password_manager, -- "http://acme.example.com/protected", -- "http://acme.example.com/protected", -- ) -- -- def test_basic_auth_with_single_quoted_realm(self): -- self.test_basic_auth(quote_char="'") -- -- def test_basic_auth_with_unquoted_realm(self): -- opener = OpenerDirector() -- password_manager = MockPasswordManager() -- auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager) -- realm = "ACME Widget Store" -- http_handler = MockHTTPHandler( -- 401, 'WWW-Authenticate: Basic realm=%s\r\n\r\n' % realm) -- opener.add_handler(auth_handler) -- opener.add_handler(http_handler) -- with self.assertWarns(UserWarning): -+ def check_basic_auth(self, headers, realm): -+ with self.subTest(realm=realm, headers=headers): -+ opener = OpenerDirector() -+ password_manager = MockPasswordManager() -+ auth_handler = urllib.request.HTTPBasicAuthHandler(password_manager) -+ body = '\r\n'.join(headers) + '\r\n\r\n' -+ http_handler = MockHTTPHandler(401, body) -+ opener.add_handler(auth_handler) -+ opener.add_handler(http_handler) - self._test_basic_auth(opener, auth_handler, "Authorization", -- realm, http_handler, password_manager, -- "http://acme.example.com/protected", -- "http://acme.example.com/protected", -- ) -+ realm, http_handler, password_manager, -+ "http://acme.example.com/protected", -+ "http://acme.example.com/protected") -+ -+ def test_basic_auth(self): -+ realm = "realm2@example.com" -+ realm2 = "realm2@example.com" -+ basic = f'Basic realm="{realm}"' -+ basic2 = f'Basic realm="{realm2}"' -+ other_no_realm = 'Otherscheme xxx' -+ digest = (f'Digest realm="{realm2}", ' -+ f'qop="auth, auth-int", ' -+ f'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", ' -+ f'opaque="5ccc069c403ebaf9f0171e9517f40e41"') -+ for realm_str in ( -+ # test "quote" and 'quote' -+ f'Basic realm="{realm}"', -+ f"Basic realm='{realm}'", -+ -+ # charset is ignored -+ f'Basic realm="{realm}", charset="UTF-8"', -+ -+ # Multiple challenges per header -+ f'{basic}, {basic2}', -+ f'{basic}, {other_no_realm}', -+ f'{other_no_realm}, {basic}', -+ f'{basic}, {digest}', -+ f'{digest}, {basic}', -+ ): -+ headers = [f'WWW-Authenticate: {realm_str}'] -+ self.check_basic_auth(headers, realm) -+ -+ # no quote: expect a warning -+ with support.check_warnings(("Basic Auth Realm was unquoted", -+ UserWarning)): -+ headers = [f'WWW-Authenticate: Basic realm={realm}'] -+ self.check_basic_auth(headers, realm) -+ -+ # Multiple headers: one challenge per header. -+ # Use the first Basic realm. -+ for challenges in ( -+ [basic, basic2], -+ [basic, digest], -+ [digest, basic], -+ ): -+ headers = [f'WWW-Authenticate: {challenge}' -+ for challenge in challenges] -+ self.check_basic_auth(headers, realm) - - def test_proxy_basic_auth(self): - opener = OpenerDirector() -diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py -index 7fe50535da..2a3d71554f 100644 ---- a/Lib/urllib/request.py -+++ b/Lib/urllib/request.py -@@ -937,8 +937,15 @@ class AbstractBasicAuthHandler: - - # allow for double- and single-quoted realm values - # (single quotes are a violation of the RFC, but appear in the wild) -- rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+' -- 'realm=(["\']?)([^"\']*)\\2', re.I) -+ rx = re.compile('(?:^|,)' # start of the string or ',' -+ '[ \t]*' # optional whitespaces -+ '([^ \t]+)' # scheme like "Basic" -+ '[ \t]+' # mandatory whitespaces -+ # realm=xxx -+ # realm='xxx' -+ # realm="xxx" -+ 'realm=(["\']?)([^"\']*)\\2', -+ re.I) - - # XXX could pre-emptively send auth info already accepted (RFC 2617, - # end of section 2, and section 1.2 immediately after "credentials" -@@ -950,27 +957,51 @@ class AbstractBasicAuthHandler: - self.passwd = password_mgr - self.add_password = self.passwd.add_password - -+ def _parse_realm(self, header): -+ # parse WWW-Authenticate header: accept multiple challenges per header -+ found_challenge = False -+ for mo in AbstractBasicAuthHandler.rx.finditer(header): -+ scheme, quote, realm = mo.groups() -+ if quote not in ['"', "'"]: -+ warnings.warn("Basic Auth Realm was unquoted", -+ UserWarning, 3) -+ -+ yield (scheme, realm) -+ -+ found_challenge = True -+ -+ if not found_challenge: -+ if header: -+ scheme = header.split()[0] -+ else: -+ scheme = '' -+ yield (scheme, None) -+ - def http_error_auth_reqed(self, authreq, host, req, headers): - # host may be an authority (without userinfo) or a URL with an - # authority -- # XXX could be multiple headers -- authreq = headers.get(authreq, None) -+ headers = headers.get_all(authreq) -+ if not headers: -+ # no header found -+ return - -- if authreq: -- scheme = authreq.split()[0] -- if scheme.lower() != 'basic': -- raise ValueError("AbstractBasicAuthHandler does not" -- " support the following scheme: '%s'" % -- scheme) -- else: -- mo = AbstractBasicAuthHandler.rx.search(authreq) -- if mo: -- scheme, quote, realm = mo.groups() -- if quote not in ['"',"'"]: -- warnings.warn("Basic Auth Realm was unquoted", -- UserWarning, 2) -- if scheme.lower() == 'basic': -- return self.retry_http_basic_auth(host, req, realm) -+ unsupported = None -+ for header in headers: -+ for scheme, realm in self._parse_realm(header): -+ if scheme.lower() != 'basic': -+ unsupported = scheme -+ continue -+ -+ if realm is not None: -+ # Use the first matching Basic challenge. -+ # Ignore following challenges even if they use the Basic -+ # scheme. -+ return self.retry_http_basic_auth(host, req, realm) -+ -+ if unsupported is not None: -+ raise ValueError("AbstractBasicAuthHandler does not " -+ "support the following scheme: %r" -+ % (scheme,)) - - def retry_http_basic_auth(self, host, req, realm): - user, pw = self.passwd.find_user_password(realm, host) -diff --git a/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst -new file mode 100644 -index 0000000000..be80ce79d9 ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2020-03-25-16-02-16.bpo-39503.YmMbYn.rst -@@ -0,0 +1,3 @@ -+:class:`~urllib.request.AbstractBasicAuthHandler` of :mod:`urllib.request` -+now parses all WWW-Authenticate HTTP headers and accepts multiple challenges -+per header: use the realm of the first Basic challenge. -diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst -new file mode 100644 -index 0000000000..9f2800581c ---- /dev/null -+++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst -@@ -0,0 +1,5 @@ -+CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the -+:mod:`urllib.request` module uses an inefficient regular expression which can -+be exploited by an attacker to cause a denial of service. Fix the regex to -+prevent the catastrophic backtracking. Vulnerability reported by Ben Caller -+and Matt Schwager. --- -2.24.1 - -- cgit v1.2.3