author | Martin Jansa <martin.jansa@gmail.com> | 2019-05-17 20:16:17 +0000 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2019-06-01 09:11:13 -0700 |
commit | e7bdff05da6075efc21c5ac9492b06e481e5a239 (patch) | |
tree | 2dd00db404f02a748815fdef69a2efaa4579bfe9 /meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch | |
parent | 592e7de7f5208940fbcfcad3371f93f8ce2ca738 (diff) | |
download | openembedded-core-contrib-e7bdff05da6075efc21c5ac9492b06e481e5a239.tar.gz |
python: add a fix for CVE-2019-9948 and CVE-2019-9636
Source: OpenEmbedded.org
MR: 98320, 98319
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-devtools/python/python_2.7.16.bb?id=9d23b982fa4e0290761b3d15f6959779fed72ad6
ChangeID: e79b6fe3b7b4253bf0d76b029070ae869d5234bd
Description:
Fixes:
CVE-2019-9948
CVE-2019-9636
CVE-2019-9940 is a dup of 9948 per python.org
CVE-2019-9947 appears to be a dup of 9940 per https://bugs.python.org/issue30458#msg295067
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Minor clean up for thud]
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch')
-rw-r--r-- | meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch
new file mode 100644
index 0000000000..b267237018
--- /dev/null
+++ b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch
@@ -0,0 +1,55 @@
+From 179a5f75f1121dab271fe8f90eb35145f9dcbbda Mon Sep 17 00:00:00 2001
+From: Sihoon Lee <push0ebp@gmail.com>
+Date: Fri, 17 May 2019 02:41:06 +0900
+Subject: [PATCH] Update test_urllib.py and urllib.py\nchange assertEqual into
+ assertRasies in DummyURLopener test, and simplify mitigation
+
+Upstream-Status: Submitted https://github.com/python/cpython/pull/11842
+
+CVE: CVE-2019-9948
+
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ Lib/test/test_urllib.py | 11 +++--------
+ Lib/urllib.py | 4 ++--
+ 2 files changed, 5 insertions(+), 10 deletions(-)
+
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index e5f210e62a18..1e23dfb0bb16 100644
+--- a/Lib/test/test_urllib.py
++++ b/Lib/test/test_urllib.py
+@@ -1027,14 +1027,9 @@ def test_local_file_open(self):
+ class DummyURLopener(urllib.URLopener):
+ def open_local_file(self, url):
+ return url
+- self.assertEqual(DummyURLopener().open(
+- 'local-file://example'), '//example')
+- self.assertEqual(DummyURLopener().open(
+- 'local_file://example'), '//example')
+- self.assertRaises(IOError, urllib.urlopen,
+- 'local-file://example')
+- self.assertRaises(IOError, urllib.urlopen,
+- 'local_file://example')
++ for url in ('local_file://example', 'local-file://example'):
++ self.assertRaises(IOError, DummyURLopener().open, url)
++ self.assertRaises(IOError, urllib.urlopen, url)
+
+ # Just commented them out.
+ # Can't really tell why keep failing in windows and sparc.
+diff --git a/Lib/urllib.py b/Lib/urllib.py
+index a24e9a5c68fb..39b834054e9e 100644
+--- a/Lib/urllib.py
++++ b/Lib/urllib.py
+@@ -203,10 +203,10 @@ def open(self, fullurl, data=None):
+ name = 'open_' + urltype
+ self.type = urltype
+ name = name.replace('-', '_')
+-
++
+ # bpo-35907: # disallow the file reading with the type not allowed
+ if not hasattr(self, name) or \
+- (self == _urlopener and name == 'open_local_file'):
++ getattr(self, name) == self.open_local_file:
+ if proxy:
+ return self.open_unknown_proxy(proxy, fullurl, data)
+ else: |
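Review bot: The new guard in the embedded `Lib/urllib.py` hunk, `getattr(self, name) == self.open_local_file`, rejects a scheme by bound-method equality rather than by the normalised name, and the unchanged comment above it (`# bpo-35907: # disallow the file reading with the type not allowed`) does not say so; I would reword it to something like `# bpo-35907: refuse any scheme whose handler resolves to open_local_file (e.g. local_file://, local-file://)`. The patch header carries `Upstream-Status: Submitted` with a pull-request URL, so this looks like a snapshot of a proposal rather than a merged commit, and it should be re-synced and retagged once upstream settles on the final form of the CVE-2019-9948 fix. The same hunk also appears to swap an empty line for a whitespace-only one right after `name = name.replace('-', '_')`, which is worth dropping to keep the backport minimal. `URLopener.open()` begins and ends outside the embedded hunk, so the branch after `else:` could not be checked here.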