main/python2: sec upgrade to 2.7.16 (CVE-2018-14647)

author: Natanael Copa <ncopa@alpinelinux.org> 2019-04-16 18:48:54 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2019-05-06 21:30:31 +0200
commit: 45bea4333be5abe733052c6122bc6eb77f85aa13 (patch)
tree: 615a9731f11a98e936f738a292e0ede1cc7932fc
parent: 1ea961c4c2a72cdf6383b2bba3c33f4e9faa26da (diff)
2 files changed, 5 insertions, 121 deletions
diff --git a/main/python2/APKBUILD b/main/python2/APKBUILD
index 9a9ebf58bb6..107fb497c17 100644
--- a/main/python2/APKBUILD
+++ b/main/python2/APKBUILD
@@ -2,9 +2,9 @@
 
 pkgname=python2
 # the python2-tkinter's pkgver needs to be synchronized with this.
-pkgver=2.7.15
+pkgver=2.7.16
 _verbase=${pkgver%.*}
-pkgrel=3
+pkgrel=0
 pkgdesc="A high-level scripting language"
 url="https://www.python.org"
 arch="all"
@@ -17,13 +17,14 @@ depends=""
 makedepends="expat-dev openssl-dev zlib-dev ncurses-dev bzip2-dev
 	gdbm-dev sqlite-dev libffi-dev readline-dev linux-headers paxmark"
 source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz
-	CVE-2019-5010.patch
 	musl-find_library.patch
 	unchecked-ioctl.patch
 	"
 builddir="$srcdir/Python-$pkgver"
 
 # secfixes:
+#   2.7.16-r0:
+#   - CVE-2018-14647
 #   2.7.15-r3:
 #   - CVE-2019-5010
 #   2.7.15-r0:
@@ -136,7 +137,6 @@ wininst() {
 		"$subpkgdir"/usr/lib/python$_verbase/distutils/command
 }
 
-sha512sums="27ea43eb45fc68f3d2469d5f07636e10801dee11635a430ec8ec922ed790bb426b072da94df885e4dfa1ea8b7a24f2f56dd92f9b0f51e162330f161216bd6de6  Python-2.7.15.tar.xz
-fccc9878c0e7cdc2c91f24ab2849bc21362bf7559f0800841f282aebe11fb0d0436fb1057f59edea16c039d156e900569c616798526f42d3d190ce4631d456ab  CVE-2019-5010.patch
+sha512sums="16e814e8dcffc707b595ca2919bd2fa3db0d15794c63d977364652c4a5b92e90e72b8c9e1cc83b5020398bd90a1b397dbdd7cb931c49f1aa4af6ef95414b43e0  Python-2.7.16.tar.xz
 ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2  musl-find_library.patch
 5a8e013a4132d71c4360771f130d27b37275ae59330cf9a75378dc8a11236017f540eb224f2a148984e82ca3fb6b29129375b1080ba05b81044faa717520ab82  unchecked-ioctl.patch"
diff --git a/main/python2/CVE-2019-5010.patch b/main/python2/CVE-2019-5010.patch
deleted file mode 100644
index af746c6eaf8..00000000000
--- a/main/python2/CVE-2019-5010.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 280917872027ee991416d2623fc16ff1eed48f50 Mon Sep 17 00:00:00 2001
-From: Christian Heimes <christian@python.org>
-Date: Tue, 15 Jan 2019 23:47:42 +0100
-Subject: [PATCH] bpo-35746: Fix segfault in ssl's cert parser (GH-11569)
-
-Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
-distribution points with empty DP or URI correctly. A malicious or buggy
-certificate can result into segfault.
-
-Signed-off-by: Christian Heimes <christian@python.org>
-
-https://bugs.python.org/issue35746
-(cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3)
-
-Co-authored-by: Christian Heimes <christian@python.org>
----
- Lib/test/talos-2019-0758.pem                  | 22 +++++++++++++++++++
- Lib/test/test_ssl.py                          | 22 +++++++++++++++++++
- .../2019-01-15-18-16-05.bpo-35746.nMSd0j.rst  |  3 +++
- Modules/_ssl.c                                |  4 ++++
- 4 files changed, 51 insertions(+)
- create mode 100644 Lib/test/talos-2019-0758.pem
- create mode 100644 Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
-
-diff --git a/Lib/test/talos-2019-0758.pem b/Lib/test/talos-2019-0758.pem
-new file mode 100644
-index 000000000000..13b95a77fd8a
---- /dev/null
-+++ b/Lib/test/talos-2019-0758.pem
-@@ -0,0 +1,22 @@
-+-----BEGIN CERTIFICATE-----
-+MIIDqDCCApKgAwIBAgIBAjALBgkqhkiG9w0BAQswHzELMAkGA1UEBhMCVUsxEDAO
-+BgNVBAMTB2NvZHktY2EwHhcNMTgwNjE4MTgwMDU4WhcNMjgwNjE0MTgwMDU4WjA7
-+MQswCQYDVQQGEwJVSzEsMCoGA1UEAxMjY29kZW5vbWljb24tdm0tMi50ZXN0Lmxh
-+bC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC63fGB
-+J80A9Av1GB0bptslKRIUtJm8EeEu34HkDWbL6AJY0P8WfDtlXjlPaLqFa6sqH6ES
-+V48prSm1ZUbDSVL8R6BYVYpOlK8/48xk4pGTgRzv69gf5SGtQLwHy8UPBKgjSZoD
-+5a5k5wJXGswhKFFNqyyxqCvWmMnJWxXTt2XDCiWc4g4YAWi4O4+6SeeHVAV9rV7C
-+1wxqjzKovVe2uZOHjKEzJbbIU6JBPb6TRfMdRdYOw98n1VXDcKVgdX2DuuqjCzHP
-+WhU4Tw050M9NaK3eXp4Mh69VuiKoBGOLSOcS8reqHIU46Reg0hqeL8LIL6OhFHIF
-+j7HR6V1X6F+BfRS/AgMBAAGjgdYwgdMwCQYDVR0TBAIwADAdBgNVHQ4EFgQUOktp
-+HQjxDXXUg8prleY9jeLKeQ4wTwYDVR0jBEgwRoAUx6zgPygZ0ZErF9sPC4+5e2Io
-+UU+hI6QhMB8xCzAJBgNVBAYTAlVLMRAwDgYDVQQDEwdjb2R5LWNhggkA1QEAuwb7
-+2s0wCQYDVR0SBAIwADAuBgNVHREEJzAlgiNjb2Rlbm9taWNvbi12bS0yLnRlc3Qu
-+bGFsLmNpc2NvLmNvbTAOBgNVHQ8BAf8EBAMCBaAwCwYDVR0fBAQwAjAAMAsGCSqG
-+SIb3DQEBCwOCAQEAvqantx2yBlM11RoFiCfi+AfSblXPdrIrHvccepV4pYc/yO6p
-+t1f2dxHQb8rWH3i6cWag/EgIZx+HJQvo0rgPY1BFJsX1WnYf1/znZpkUBGbVmlJr
-+t/dW1gSkNS6sPsM0Q+7HPgEv8CPDNK5eo7vU2seE0iWOkxSyVUuiCEY9ZVGaLVit
-+p0C78nZ35Pdv4I+1cosmHl28+es1WI22rrnmdBpH8J1eY6WvUw2xuZHLeNVN0TzV
-+Q3qq53AaCWuLOD1AjESWuUCxMZTK9DPS4JKXTK8RLyDeqOvJGjsSWp3kL0y3GaQ+
-+10T1rfkKJub2+m9A9duin1fn6tHc2wSvB7m3DA==
-+-----END CERTIFICATE-----
-diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
-index e47603170253..9240184d98a4 100644
---- a/Lib/test/test_ssl.py
-+++ b/Lib/test/test_ssl.py
-@@ -72,6 +72,7 @@ def data_file(*name):
- BADKEY = data_file("badkey.pem")
- NOKIACERT = data_file("nokia.pem")
- NULLBYTECERT = data_file("nullbytecert.pem")
-+TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")
- 
- DHFILE = data_file("ffdh3072.pem")
- BYTES_DHFILE = DHFILE.encode(sys.getfilesystemencoding())
-@@ -227,6 +228,27 @@ def test_parse_cert(self):
-         self.assertEqual(p['crlDistributionPoints'],
-                          ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))
- 
-+    def test_parse_cert_CVE_2019_5010(self):
-+        p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
-+        if support.verbose:
-+            sys.stdout.write("\n" + pprint.pformat(p) + "\n")
-+        self.assertEqual(
-+            p,
-+            {
-+                'issuer': (
-+                    (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
-+                'notAfter': 'Jun 14 18:00:58 2028 GMT',
-+                'notBefore': 'Jun 18 18:00:58 2018 GMT',
-+                'serialNumber': '02',
-+                'subject': ((('countryName', 'UK'),),
-+                            (('commonName',
-+                              'codenomicon-vm-2.test.lal.cisco.com'),)),
-+                'subjectAltName': (
-+                    ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
-+                'version': 3
-+            }
-+        )
-+
-     def test_parse_cert_CVE_2013_4238(self):
-         p = ssl._ssl._test_decode_cert(NULLBYTECERT)
-         if support.verbose:
-diff --git a/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
-new file mode 100644
-index 000000000000..dffe347eec84
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2019-01-15-18-16-05.bpo-35746.nMSd0j.rst
-@@ -0,0 +1,3 @@
-+[CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did
-+not handle CRL distribution points with empty DP or URI correctly. A
-+malicious or buggy certificate can result into segfault.
-diff --git a/Modules/_ssl.c b/Modules/_ssl.c
-index a96c41926036..19bb1207b48f 100644
---- a/Modules/_ssl.c
-+++ b/Modules/_ssl.c
-@@ -1223,6 +1223,10 @@ _get_crl_dp(X509 *certificate) {
-         STACK_OF(GENERAL_NAME) *gns;
- 
-         dp = sk_DIST_POINT_value(dps, i);
-+        if (dp->distpoint == NULL) {
-+            /* Ignore empty DP value, CVE-2019-5010 */
-+            continue;
-+        }
-         gns = dp->distpoint->name.fullname;
- 
-         for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {
author	Natanael Copa <ncopa@alpinelinux.org>	2019-04-16 18:48:54 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2019-05-06 21:30:31 +0200
commit	45bea4333be5abe733052c6122bc6eb77f85aa13 (patch)
tree	615a9731f11a98e936f738a292e0ede1cc7932fc
parent	1ea961c4c2a72cdf6383b2bba3c33f4e9faa26da (diff)