diff options
| author |   Chen Qi <Qi.Chen@windriver.com> | 2019-10-29 10:47:26 +0100 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-10-30 13:47:05 +0000 |
| commit | 49ff6c7ef1d366007c49083f4e5faaf5a9eb086f (patch) | |
| tree | bb026ae3e265000cbd6dd164c0f4c41c573c8b6c | |
| parent | f83ecbabb911c46de77708ede759a0b768928ea2 (diff) | |
| download | openembedded-core-contrib-49ff6c7ef1d366007c49083f4e5faaf5a9eb086f.tar.gz | |
python: CVE-2019-16056
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 27be9cf71a6fe906a23e81b56f1cc18a6fc9ef97)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch | 90 | ||||
| -rw-r--r-- | meta/recipes-devtools/python/python_2.7.16.bb | 1 |
2 files changed, 91 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch b/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch new file mode 100644 index 0000000000..5415472a35 --- /dev/null +++ b/meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch @@ -0,0 +1,90 @@ +From 532ed09c5454bb789a301bb6f1339a0818255610 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?= <roberto@connexer.com> +Date: Sat, 14 Sep 2019 13:26:38 -0400 +Subject: [PATCH] [2.7] bpo-34155: Dont parse domains containing @ (GH-13079) + (GH-16006) + +This change skips parsing of email addresses where domains include a "@" character, which can be maliciously used since the local part is returned as a complete address. + +(cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9) + +Excludes changes to Lib/email/_header_value_parser.py, which did not +exist in 2.7. + +Co-authored-by: jpic <jpic@users.noreply.github.com> + +https://bugs.python.org/issue34155 + +Upstream-Status: Backport [https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9] + +CVE: CVE-2019-16056 + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + Lib/email/_parseaddr.py | 11 ++++++++++- + Lib/email/test/test_email.py | 14 ++++++++++++++ + .../2019-05-04-13-33-37.bpo-34155.MJll68.rst | 1 + + 3 files changed, 25 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst + +diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py +index 690db2c22d..dc49d2e45a 100644 +--- a/Lib/email/_parseaddr.py ++++ b/Lib/email/_parseaddr.py +@@ -336,7 +336,12 @@ class AddrlistClass: + aslist.append('@') + self.pos += 1 + self.gotonext() +- return EMPTYSTRING.join(aslist) + self.getdomain() ++ domain = self.getdomain() ++ if not domain: ++ # Invalid domain, return an empty address instead of returning a ++ # local part to denote failed parsing. ++ return EMPTYSTRING ++ return EMPTYSTRING.join(aslist) + domain + + def getdomain(self): + """Get the complete domain name from an address.""" +@@ -351,6 +356,10 @@ class AddrlistClass: + elif self.field[self.pos] == '.': + self.pos += 1 + sdlist.append('.') ++ elif self.field[self.pos] == '@': ++ # bpo-34155: Don't parse domains with two `@` like ++ # `a@malicious.org@important.com`. ++ return EMPTYSTRING + elif self.field[self.pos] in self.atomends: + break + else: +diff --git a/Lib/email/test/test_email.py b/Lib/email/test/test_email.py +index 4b4dee3d34..2efe44ac5a 100644 +--- a/Lib/email/test/test_email.py ++++ b/Lib/email/test/test_email.py +@@ -2306,6 +2306,20 @@ class TestMiscellaneous(TestEmailBase): + self.assertEqual(Utils.parseaddr('<>'), ('', '')) + self.assertEqual(Utils.formataddr(Utils.parseaddr('<>')), '') + ++ def test_parseaddr_multiple_domains(self): ++ self.assertEqual( ++ Utils.parseaddr('a@b@c'), ++ ('', '') ++ ) ++ self.assertEqual( ++ Utils.parseaddr('a@b.c@c'), ++ ('', '') ++ ) ++ self.assertEqual( ++ Utils.parseaddr('a@172.17.0.1@c'), ++ ('', '') ++ ) ++ + def test_noquote_dump(self): + self.assertEqual( + Utils.formataddr(('A Silly Person', 'person@dom.ain')), +diff --git a/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst +new file mode 100644 +index 0000000000..50292e29ed +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst +@@ -0,0 +1 @@ ++Fix parsing of invalid email addresses with more than one ``@`` (e.g. a@b@c.com.) to not return the part before 2nd ``@`` as valid email address. Patch by maxking & jpic. diff --git a/meta/recipes-devtools/python/python_2.7.16.bb b/meta/recipes-devtools/python/python_2.7.16.bb index ec724c3918..b263e7214c 100644 --- a/meta/recipes-devtools/python/python_2.7.16.bb +++ b/meta/recipes-devtools/python/python_2.7.16.bb @@ -30,6 +30,7 @@ SRC_URI += " \ file://support_SOURCE_DATE_EPOCH_in_py_compile_2.7.patch \ file://float-endian.patch \ file://0001-python2-use-cc_basename-to-replace-CC-for-checking-c.patch \ + file://0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch \ " S = "${WORKDIR}/Python-${PV}" |