!14 fix CVE-2020-8492

Merge pull request !14 from chengquan/dev

CVE-2020-8492.patch

@@ -0,0 +1,45 @@
+From dbcfc664ee7ae6e9e97ca0d69ad6581a36871836 Mon Sep 17 00:00:00 2001
+From: Victor Stinner <vstinner@python.org>
+Date: Thu, 30 Jan 2020 16:13:03 +0100
+Subject: [PATCH] bpo-39503: Fix urllib basic auth regex
+
+The AbstractBasicAuthHandler class of the urllib.request module uses
+an inefficient regular expression which can be exploited by an
+attacker to cause a denial of service. Fix the regex to prevent the
+catastrophic backtracking.
+
+Vulnerability reported by Matt Schwager.
+
+Signed-off-by: hanxinke <hanxinke@huawei.com>
+---
+ Lib/urllib2.py                                                | 2 +-
+ .../next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst    | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+
+diff --git a/Lib/urllib2.py b/Lib/urllib2.py
+index fd19e1a..1596a51 100644
+--- a/Lib/urllib2.py
++++ b/Lib/urllib2.py
+@@ -858,7 +858,7 @@ class AbstractBasicAuthHandler:
+ 
+     # allow for double- and single-quoted realm values
+     # (single quotes are a violation of the RFC, but appear in the wild)
+-    rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+'
++    rx = re.compile('(?:[^,]*,)*[ \t]*([^ \t]+)[ \t]+'
+                     'realm=(["\']?)([^"\']*)\\2', re.I)
+ 
+     # XXX could pre-emptively send auth info already accepted (RFC 2617,
+diff --git a/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+new file mode 100644
+index 0000000..92f186d
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2020-01-30-16-15-29.bpo-39503.B299Yq.rst
+@@ -0,0 +1,4 @@
++CVE-2020-8492: The :class:`~urllib.request.AbstractBasicAuthHandler` class of the
++:mod:`urllib.request` module uses an inefficient regular expression which can
++be exploited by an attacker to cause a denial of service. Fix the regex to
++prevent the catastrophic backtracking. Vulnerability reported by Matt Schwager.
+-- 
+2.23.0
+

python2.spec

@@ -15,7 +15,7 @@
 %undefine _debuginfo_subpackages
 Name:      python2
 Version:   2.7.16
-Release:   14
+Release:   15
 Summary:   Python is an interpreted, interactive object-oriented programming language suitable
 License:   Python
 URL:       https://www.python.org/
@@ -73,33 +73,33 @@ Patch189:  00189-use-rpm-wheels.patch
 Patch191: 00191-disable-NOOP.patch
 Patch193:  00193-enable-loading-sqlite-extensions.patch
 Patch289: 00289-disable-nis-detection.patch
-Patch04000: 04000-modularity-disable-tk.patch
-Patch5000: 05000-autotool-intermediates.patch
-#upstream patches
-Patch6035: 0342-bpo-36126-Fix-ref-count-leakage-in-structseq_repr.-G.patch
-Patch6036: 0349-2.7-bpo-13096-Fix-memory-leak-in-ctypes-POINTER-hand.patch
-Patch6037: 0350-2.7-bpo-36179-Fix-ref-leaks-in-_hashopenssl-GH-12158.patch
-Patch6038: 0351-2.7-bpo-36149-Fix-potential-use-of-uninitialized-mem.patch
-Patch6039: 0353-2.7-bpo-36186-Fix-linuxaudiodev.linux_audio_device-e.patch
-Patch6040: 0354-bpo-36147-Fix-a-memory-leak-in-ctypes-s_get-GH-12102.patch
-Patch6041: 0357-bpo-36140-Fix-an-incorrect-check-in-msidb_getsummary.patch
-Patch6042: 0358-2.7-IDLE-Fix-typo-in-keybindingDialog.py-GH-2322-GH-.patch
-Patch6044: python2-CVE-2019-9948-1.patch
-Patch6045: python2-CVE-2019-9948-2.patch
-Patch6047: CVE-2019-9740.patch
-Patch9000: python2-add-generic-os-supportr.patch
-Patch6048: bugfix-linux_distribution-skip-link-file.patch
-Patch6049: bugfix-test_locale-and-test_codecs.patch
-Patch6050: CVE-2019-9636-bpo-36216-Add-check-for-characters.patch
-Patch6051: CVE-2019-10160-1.patch
-Patch6052: CVE-2019-10160-2.patch
-Patch6053: CVE-2019-10160-3.patch
-Patch6054: CVE-2019-16056.patch
-Patch6055: CVE-2018-20852.patch
-Patch6056: CVE-2019-16935.patch
-Patch6057: CVE-2019-17514.patch
-Patch6058: CVE-2017-18207.patch
-Patch6059: bugfix-excessive-memory-usage-when-using-regular-expressions.patch
+Patch290: 04000-modularity-disable-tk.patch
+Patch291: 05000-autotool-intermediates.patch
+Patch342: 0342-bpo-36126-Fix-ref-count-leakage-in-structseq_repr.-G.patch
+Patch349: 0349-2.7-bpo-13096-Fix-memory-leak-in-ctypes-POINTER-hand.patch
+Patch350: 0350-2.7-bpo-36179-Fix-ref-leaks-in-_hashopenssl-GH-12158.patch
+Patch351: 0351-2.7-bpo-36149-Fix-potential-use-of-uninitialized-mem.patch
+Patch353: 0353-2.7-bpo-36186-Fix-linuxaudiodev.linux_audio_device-e.patch
+Patch354: 0354-bpo-36147-Fix-a-memory-leak-in-ctypes-s_get-GH-12102.patch
+Patch357: 0357-bpo-36140-Fix-an-incorrect-check-in-msidb_getsummary.patch
+Patch358: 0358-2.7-IDLE-Fix-typo-in-keybindingDialog.py-GH-2322-GH-.patch
+Patch359: python2-CVE-2019-9948-1.patch
+Patch360: python2-CVE-2019-9948-2.patch
+Patch361: CVE-2019-9740.patch
+Patch362: python2-add-generic-os-supportr.patch
+Patch363: bugfix-linux_distribution-skip-link-file.patch
+Patch364: bugfix-test_locale-and-test_codecs.patch
+Patch365: CVE-2019-9636-bpo-36216-Add-check-for-characters.patch
+Patch366: CVE-2019-10160-1.patch
+Patch367: CVE-2019-10160-2.patch
+Patch368: CVE-2019-10160-3.patch
+Patch369: CVE-2019-16056.patch
+Patch370: CVE-2018-20852.patch
+Patch371: CVE-2019-16935.patch
+Patch372: CVE-2019-17514.patch
+Patch373: CVE-2017-18207.patch
+Patch374: bugfix-excessive-memory-usage-when-using-regular-expressions.patch
+Patch375: CVE-2020-8492.patch
 
 BuildRequires: libdb-devel libffi-devel valgrind-devel ncurses-devel expat-devel readline-devel
 BuildRequires: openssl-devel libtirpc-devel tcl-devel tk-devel glibc-devel libnsl2-devel
@@ -634,6 +634,12 @@ sed -e "s|LIBRARY_PATH|%{_libdir}/%{py_INSTSONAME_debug}|" %{SOURCE1} \
 %{dynload_dir}/_testcapimodule_d.so
 
 %changelog
+* Fri Mar 6 2020 hanxinke<hanxinke@huawei.com> - 2.7.16-15
+- Type:cves
+- ID:CVE-2020-8492
+- SUG:NA
+- DESC:fix CVE-2020-8492
+
 * Sat Feb 29 2020 hanxinke<hanxinke@huawei.com> - 2.7.16-14
 - Type:bugfix
 - ID:NA