aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeonardo Arena <rnalrd@alpinelinux.org>2020-01-14 07:21:08 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2020-01-14 10:34:56 +0000
commit5372bc29f308df62681eb2d705259cd5cc9b5448 (patch)
tree454cbff851fff1ab81ba7987e5a4848567b86cd5
parent0ce1a6da9a4112a52103c4bd0441b3cc8ed4131c (diff)
downloadaports-5372bc29f308df62681eb2d705259cd5cc9b5448.tar.gz
aports-5372bc29f308df62681eb2d705259cd5cc9b5448.tar.bz2
aports-5372bc29f308df62681eb2d705259cd5cc9b5448.tar.xz
main/python2: security fix (CVE-2019-16935)
fixes #10872
-rw-r--r--main/python2/APKBUILD6
-rw-r--r--main/python2/CVE-2019-16935.patch92
2 files changed, 96 insertions, 2 deletions
diff --git a/main/python2/APKBUILD b/main/python2/APKBUILD
index 986fbf52ed..e66422fb7c 100644
--- a/main/python2/APKBUILD
+++ b/main/python2/APKBUILD
@@ -4,7 +4,7 @@ pkgname=python2
# the python2-tkinter's pkgver needs to be synchronized with this.
pkgver=2.7.15
_verbase=${pkgver%.*}
-pkgrel=2
+pkgrel=3
pkgdesc="A high-level scripting language"
url="http://www.python.org"
arch="all"
@@ -21,6 +21,7 @@ source="http://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz
CVE-2018-14647.patch
CVE-2019-9636.patch
CVE-2019-9948.patch
+ CVE-2019-16935.patch
"
builddir="$srcdir/Python-$pkgver"
@@ -137,4 +138,5 @@ ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e9
5a8e013a4132d71c4360771f130d27b37275ae59330cf9a75378dc8a11236017f540eb224f2a148984e82ca3fb6b29129375b1080ba05b81044faa717520ab82 unchecked-ioctl.patch
6ea4cde4483250bd3ecbf46214935c80ecd79958d09d7fab4f5ba0b80d73ff0a1433f7b6fbd9a5c42d4f2a3dda877cde6a3264a5c832c1e8f4ee3eb2405a624e CVE-2018-14647.patch
54086e7b4d3597969b945b1460fe578ff3a13289703d58d79b8f00f644eccc4acc11fc6128b7b114f022a6f6cedc91e02eead6373bac0d36e22eb580a1becb53 CVE-2019-9636.patch
-2f9523bd3e39c4831110821d93aef1562ca80708f1b553428eb5c228cdf2192feb13d7aef41097a5df4b4243da8b8f7247f691c0ab73967b0bf2bf6a1a0d487f CVE-2019-9948.patch"
+2f9523bd3e39c4831110821d93aef1562ca80708f1b553428eb5c228cdf2192feb13d7aef41097a5df4b4243da8b8f7247f691c0ab73967b0bf2bf6a1a0d487f CVE-2019-9948.patch
+758a897f01665149a23cbc3898fe060c043647d6fe6d22d8ca9038554b4ef1c7b2ac638d37eaed265167cd50f9329be2518f07464dccb7a7ab34ec9be4710095 CVE-2019-16935.patch"
diff --git a/main/python2/CVE-2019-16935.patch b/main/python2/CVE-2019-16935.patch
new file mode 100644
index 0000000000..632a3e77b3
--- /dev/null
+++ b/main/python2/CVE-2019-16935.patch
@@ -0,0 +1,92 @@
+From 8eb64155ff26823542ccf0225b3d57b6ae36ea89 Mon Sep 17 00:00:00 2001
+From: Dong-hee Na <donghee.na92@gmail.com>
+Date: Tue, 1 Oct 2019 19:58:01 +0900
+Subject: [PATCH] [2.7] bpo-38243: Escape the server title of DocXMLRPCServer
+ (GH-16447)
+
+Escape the server title of DocXMLRPCServer.DocXMLRPCServer
+when rendering the document page as HTML.
+---
+ Lib/DocXMLRPCServer.py | 13 +++++++++++-
+ Lib/test/test_docxmlrpc.py | 20 +++++++++++++++++++
+ .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst | 3 +++
+ 3 files changed, 35 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+
+diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py
+index 4064ec2e48d4d..90b037dd35d6b 100644
+--- a/Lib/DocXMLRPCServer.py
++++ b/Lib/DocXMLRPCServer.py
+@@ -20,6 +20,16 @@
+ CGIXMLRPCRequestHandler,
+ resolve_dotted_attribute)
+
++
++def _html_escape_quote(s):
++ s = s.replace("&", "&amp;") # Must be done first!
++ s = s.replace("<", "&lt;")
++ s = s.replace(">", "&gt;")
++ s = s.replace('"', "&quot;")
++ s = s.replace('\'', "&#x27;")
++ return s
++
++
+ class ServerHTMLDoc(pydoc.HTMLDoc):
+ """Class used to generate pydoc HTML document for a server"""
+
+@@ -210,7 +220,8 @@ def generate_html_documentation(self):
+ methods
+ )
+
+- return documenter.page(self.server_title, documentation)
++ title = _html_escape_quote(self.server_title)
++ return documenter.page(title, documentation)
+
+ class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
+ """XML-RPC and documentation request handler class.
+diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
+index 4dff4159e2466..c45b892b8b3e7 100644
+--- a/Lib/test/test_docxmlrpc.py
++++ b/Lib/test/test_docxmlrpc.py
+@@ -1,5 +1,6 @@
+ from DocXMLRPCServer import DocXMLRPCServer
+ import httplib
++import re
+ import sys
+ from test import test_support
+ threading = test_support.import_module('threading')
+@@ -176,6 +177,25 @@ def test_autolink_dotted_methods(self):
+ self.assertIn("""Try&nbsp;self.<strong>add</strong>,&nbsp;too.""",
+ response.read())
+
++ def test_server_title_escape(self):
++ """Test that the server title and documentation
++ are escaped for HTML.
++ """
++ self.serv.set_server_title('test_title<script>')
++ self.serv.set_server_documentation('test_documentation<script>')
++ self.assertEqual('test_title<script>', self.serv.server_title)
++ self.assertEqual('test_documentation<script>',
++ self.serv.server_documentation)
++
++ generated = self.serv.generate_html_documentation()
++ title = re.search(r'<title>(.+?)</title>', generated).group()
++ documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
++ self.assertEqual('<title>Python: test_title&lt;script&gt;</title>',
++ title)
++ self.assertEqual('<p><tt>test_documentation&lt;script&gt;</tt></p>',
++ documentation)
++
++
+ def test_main():
+ test_support.run_unittest(DocXMLRPCHTTPGETServer)
+
+diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+new file mode 100644
+index 0000000000000..8f02baed9ebe5
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+@@ -0,0 +1,3 @@
++Escape the server title of :class:`DocXMLRPCServer.DocXMLRPCServer`
++when rendering the document page as HTML.
++(Contributed by Dong-hee Na in :issue:`38243`.)