Patched python CVE-2023-24329 (CP of #6412) (#6415)

PawelWMS · amritakohli · web-flow · commit ffa4cde0120b · 2023-10-12T14:16:07.000-07:00
Co-authored-by: amritakohli &lt;56371098+amritakohli@users.noreply.github.com&gt;
diff --git a/SPECS/python3/CVE-2023-24329.patch b/SPECS/python3/CVE-2023-24329.patch
@@ -0,0 +1,78 @@
+From 141aadcb6e6c1c8ecc850847049002fed4475030 Mon Sep 17 00:00:00 2001
+From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
+Date: Sat, 12 Nov 2022 15:43:33 -0500
+Subject: [PATCH 1/2] Modify upstream patch to work with CBL-Mariner for
+ CVE-2023-24329. Modified by Amrita Kohli <amritakohli@microsoft.com>
+
+---
+ Lib/test/test_urlparse.py | 18 ++++++++++++++++++
+ Lib/urllib/parse.py       |  2 +-
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 31943f3..f42ed9b 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -665,6 +665,24 @@ class UrlParseTestCase(unittest.TestCase):
+                         with self.assertRaises(ValueError):
+                             p.port
+ 
++    def test_attributes_bad_scheme(self):
++        """Check handling of invalid schemes."""
++        for bytes in (False, True):
++            for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
++                for scheme in (".", "+", "-", "0", "http&", "६http"):
++                    with self.subTest(bytes=bytes, parse=parse, scheme=scheme):
++                        url = scheme + "://www.example.net"
++                        if bytes:
++                            if url.isascii():
++                                url = url.encode("ascii")
++                            else:
++                                continue
++                        p = parse(url)
++                        if bytes:
++                            self.assertEqual(p.scheme, b"")
++                        else:
++                            self.assertEqual(p.scheme, "")
++
+     def test_attributes_without_netloc(self):
+         # This example is straight from RFC 3261.  It looks like it
+         # should allow the username, hostname, and port to be filled
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index b7965fe..bd59852 100644
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -470,7 +470,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+         clear_cache()
+     netloc = query = fragment = ''
+     i = url.find(':')
+-    if i > 0:
++    if i > 0 and url[0].isascii() and url[0].isalpha():
+         for c in url[:i]:
+             if c not in scheme_chars:
+                 break
+-- 
+2.34.1
+
+
+From de2b58d3b30095440a30fcb72d595b434b351532 Mon Sep 17 00:00:00 2001
+From: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
+Date: Sat, 12 Nov 2022 15:46:31 -0500
+Subject: [PATCH 2/2] gh-99418: Prevent urllib.parse.urlparse from accepting
+ schemes that don't begin with an alphabetical ASCII character.
+
+---
+ .../next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst  | 2 ++
+ 1 file changed, 2 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+
+diff --git a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+new file mode 100644
+index 0000000..0a06e7c
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+@@ -0,0 +1,2 @@
++Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
++with a digit, a plus sign, or a minus sign to be parsed incorrectly.
+-- 
+2.34.1
diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec
@@ -12,7 +12,7 @@
 Summary:        A high-level scripting language
 Name:           python3
 Version:        3.9.14
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        PSF
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -26,8 +26,9 @@ Patch2:         0001-gh-95231-Disable-md5-crypt-modules-if-FIPS-is-enable.patch
 Patch3:         CVE-2022-37454.patch
 Patch4:         CVE-2022-45061.patch
 Patch5:         CVE-2022-42919.patch
+Patch6:         CVE-2023-24329.patch
 # Patch for setuptools, resolved in 65.5.1
-Patch1000:        CVE-2022-40897.patch
+Patch1000:      CVE-2022-40897.patch
 
 BuildRequires:  bzip2-devel
 BuildRequires:  expat-devel >= 2.1.0
@@ -168,6 +169,7 @@ The test package contains all regression tests for Python as well as the modules
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 
 %build
 # Remove GCC specs and build environment linker scripts
@@ -321,6 +323,9 @@ rm -rf %{buildroot}%{_bindir}/__pycache__
 %{_libdir}/python%{majmin}/test/*
 
 %changelog
+* Wed Oct 11 2023 Amrita Kohli <amritakohli@microsoft.com> - 3.9.14-8
+- Patch for CVE-2023-24329
+
 * Wed Sep 20 2023 Jon Slobodzian <joslobo@microsoft.com> - 3.9.14-7
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)
 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-13.cm2.noarch.rpm
 ca-certificates-2.0.0-13.cm2.noarch.rpm
 dwz-0.14-2.cm2.aarch64.rpm
 unzip-6.0-20.cm2.aarch64.rpm
-python3-3.9.14-7.cm2.aarch64.rpm
-python3-devel-3.9.14-7.cm2.aarch64.rpm
-python3-libs-3.9.14-7.cm2.aarch64.rpm
-python3-setuptools-3.9.14-7.cm2.noarch.rpm
+python3-3.9.14-8.cm2.aarch64.rpm
+python3-devel-3.9.14-8.cm2.aarch64.rpm
+python3-libs-3.9.14-8.cm2.aarch64.rpm
+python3-setuptools-3.9.14-8.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 which-2.21-8.cm2.aarch64.rpm
 libselinux-3.2-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-13.cm2.noarch.rpm
 ca-certificates-2.0.0-13.cm2.noarch.rpm
 dwz-0.14-2.cm2.x86_64.rpm
 unzip-6.0-20.cm2.x86_64.rpm
-python3-3.9.14-7.cm2.x86_64.rpm
-python3-devel-3.9.14-7.cm2.x86_64.rpm
-python3-libs-3.9.14-7.cm2.x86_64.rpm
-python3-setuptools-3.9.14-7.cm2.noarch.rpm
+python3-3.9.14-8.cm2.x86_64.rpm
+python3-devel-3.9.14-8.cm2.x86_64.rpm
+python3-libs-3.9.14-8.cm2.x86_64.rpm
+python3-setuptools-3.9.14-8.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 which-2.21-8.cm2.x86_64.rpm
 libselinux-3.2-1.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -508,28 +508,28 @@ procps-ng-devel-3.3.17-2.cm2.aarch64.rpm
 procps-ng-lang-3.3.17-2.cm2.aarch64.rpm
 pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.aarch64.rpm
-python3-3.9.14-7.cm2.aarch64.rpm
+python3-3.9.14-8.cm2.aarch64.rpm
 python3-audit-3.0.6-8.cm2.aarch64.rpm
 python3-cracklib-2.9.7-5.cm2.aarch64.rpm
-python3-curses-3.9.14-7.cm2.aarch64.rpm
+python3-curses-3.9.14-8.cm2.aarch64.rpm
 python3-Cython-0.29.33-1.cm2.aarch64.rpm
-python3-debuginfo-3.9.14-7.cm2.aarch64.rpm
-python3-devel-3.9.14-7.cm2.aarch64.rpm
+python3-debuginfo-3.9.14-8.cm2.aarch64.rpm
+python3-devel-3.9.14-8.cm2.aarch64.rpm
 python3-gpg-1.16.0-2.cm2.aarch64.rpm
 python3-jinja2-3.0.3-2.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm
-python3-libs-3.9.14-7.cm2.aarch64.rpm
+python3-libs-3.9.14-8.cm2.aarch64.rpm
 python3-libxml2-2.10.4-1.cm2.aarch64.rpm
 python3-lxml-4.9.1-1.cm2.aarch64.rpm
 python3-magic-5.40-2.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.aarch64.rpm
 python3-newt-0.52.21-5.cm2.aarch64.rpm
-python3-pip-3.9.14-7.cm2.noarch.rpm
+python3-pip-3.9.14-8.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.18.0-4.cm2.aarch64.rpm
-python3-setuptools-3.9.14-7.cm2.noarch.rpm
-python3-test-3.9.14-7.cm2.aarch64.rpm
-python3-tools-3.9.14-7.cm2.aarch64.rpm
+python3-setuptools-3.9.14-8.cm2.noarch.rpm
+python3-test-3.9.14-8.cm2.aarch64.rpm
+python3-tools-3.9.14-8.cm2.aarch64.rpm
 readline-8.1-1.cm2.aarch64.rpm
 readline-debuginfo-8.1-1.cm2.aarch64.rpm
 readline-devel-8.1-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -508,28 +508,28 @@ procps-ng-devel-3.3.17-2.cm2.x86_64.rpm
 procps-ng-lang-3.3.17-2.cm2.x86_64.rpm
 pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.x86_64.rpm
-python3-3.9.14-7.cm2.x86_64.rpm
+python3-3.9.14-8.cm2.x86_64.rpm
 python3-audit-3.0.6-8.cm2.x86_64.rpm
 python3-cracklib-2.9.7-5.cm2.x86_64.rpm
-python3-curses-3.9.14-7.cm2.x86_64.rpm
+python3-curses-3.9.14-8.cm2.x86_64.rpm
 python3-Cython-0.29.33-1.cm2.x86_64.rpm
-python3-debuginfo-3.9.14-7.cm2.x86_64.rpm
-python3-devel-3.9.14-7.cm2.x86_64.rpm
+python3-debuginfo-3.9.14-8.cm2.x86_64.rpm
+python3-devel-3.9.14-8.cm2.x86_64.rpm
 python3-gpg-1.16.0-2.cm2.x86_64.rpm
 python3-jinja2-3.0.3-2.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
-python3-libs-3.9.14-7.cm2.x86_64.rpm
+python3-libs-3.9.14-8.cm2.x86_64.rpm
 python3-libxml2-2.10.4-1.cm2.x86_64.rpm
 python3-lxml-4.9.1-1.cm2.x86_64.rpm
 python3-magic-5.40-2.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.x86_64.rpm
 python3-newt-0.52.21-5.cm2.x86_64.rpm
-python3-pip-3.9.14-7.cm2.noarch.rpm
+python3-pip-3.9.14-8.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.18.0-4.cm2.x86_64.rpm
-python3-setuptools-3.9.14-7.cm2.noarch.rpm
-python3-test-3.9.14-7.cm2.x86_64.rpm
-python3-tools-3.9.14-7.cm2.x86_64.rpm
+python3-setuptools-3.9.14-8.cm2.noarch.rpm
+python3-test-3.9.14-8.cm2.x86_64.rpm
+python3-tools-3.9.14-8.cm2.x86_64.rpm
 readline-8.1-1.cm2.x86_64.rpm
 readline-debuginfo-8.1-1.cm2.x86_64.rpm
 readline-devel-8.1-1.cm2.x86_64.rpm
