fix CVE-2022-48565

backport-CVE-2022-48565.patch

@@ -0,0 +1,72 @@
+From e512bc799e3864fe3b1351757261762d63471efc Mon Sep 17 00:00:00 2001
+From: Ned Deily <nad@python.org>
+Date: Mon, 19 Oct 2020 22:36:27 -0400
+Subject: [PATCH] bpo-42051: Reject XML entity declarations in plist files
+ (#22760) (GH-22801)
+
+Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
+---
+ Lib/plistlib.py           |  7 +++++++
+ Lib/test/test_plistlib.py | 18 ++++++++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/Lib/plistlib.py b/Lib/plistlib.py
+index 33b79a1..b273a15 100644
+--- a/Lib/plistlib.py
++++ b/Lib/plistlib.py
+@@ -257,9 +257,16 @@ class _PlistParser:
+         self.parser.StartElementHandler = self.handle_begin_element
+         self.parser.EndElementHandler = self.handle_end_element
+         self.parser.CharacterDataHandler = self.handle_data
++        self.parser.EntityDeclHandler = self.handle_entity_decl
+         self.parser.ParseFile(fileobj)
+         return self.root
+ 
++    def handle_entity_decl(self, entity_name, is_parameter_entity, value, base, system_id, public_id, notation_name):
++        # Reject plist files with entity declarations to avoid XML vulnerabilies in expat.
++        # Regular plist files don't contain those declerations, and Apple's plutil tool does not
++        # accept them either.
++        raise InvalidFileException("XML entity declarations are not supported in plist files")
++
+     def handle_begin_element(self, element, attrs):
+         self.data = []
+         handler = getattr(self, "begin_" + element, None)
+diff --git a/Lib/test/test_plistlib.py b/Lib/test/test_plistlib.py
+index 8d8e0a7..bfe06fd 100644
+--- a/Lib/test/test_plistlib.py
++++ b/Lib/test/test_plistlib.py
+@@ -90,6 +90,19 @@ TESTDATA={
+         xQHHAsQC0gAAAAAAAAIBAAAAAAAAADkAAAAAAAAAAAAAAAAAAALs'''),
+ }
+ 
++XML_PLIST_WITH_ENTITY=b'''\
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd" [
++   <!ENTITY entity "replacement text">
++  ]>
++<plist version="1.0">
++  <dict>
++    <key>A</key>
++    <string>&entity;</string>
++  </dict>
++</plist>
++'''
++
+ 
+ class TestPlistlib(unittest.TestCase):
+ 
+@@ -443,6 +456,11 @@ class TestPlistlib(unittest.TestCase):
+                 pl2 = plistlib.loads(data)
+                 self.assertEqual(dict(pl), dict(pl2))
+ 
++    def test_xml_plist_with_entity_decl(self):
++        with self.assertRaisesRegex(plistlib.InvalidFileException,
++                                    "XML entity declarations are not supported"):
++            plistlib.loads(XML_PLIST_WITH_ENTITY, fmt=plistlib.FMT_XML)
++
+ 
+ class TestBinaryPlistlib(unittest.TestCase):
+ 
+-- 
+2.33.0
+

python3.spec

@@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/
 
 Version: 3.7.9
-Release: 33
+Release: 34
 License: Python-2.0
 
 %global branchversion 3.7
@@ -167,6 +167,7 @@ Patch6057:  backport-CVE-2022-45061.patch
 Patch6058:  backport-CVE-2022-37454.patch
 Patch6059:  backport-bpo-44434-Don-t-call-PyThread_exit_thread-explicitly.patch
 Patch6060:  backport-Make-urllib.parse.urlparse-enforce-that-a-scheme-mus.patch
+Patch6061:  backport-CVE-2022-48565.patch
 
 patch9000:  Don-t-override-PYTHONPATH-which-is-already-set.patch
 patch9001:  add-the-sm3-method-for-obtaining-the-salt-value.patch
@@ -322,6 +323,7 @@ rm Lib/ensurepip/_bundled/*.whl
 %patch6058 -p1
 %patch6059 -p1
 %patch6060 -p1
+%patch6061 -p1
 
 %patch9000 -p1
 %patch9001 -p1
@@ -927,6 +929,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*
 
 %changelog
+* Tue Sep 05 2023 dongyuzhen <dongyuzhen@h-partners.com> - 3.7.9-34
+- Type:CVE
+- CVE:CVE-2022-48565
+- SUG:NA
+- DESC:fix CVE-2022-48565
+
 * Thu Apr 06 2023 shixuantong <shixuantong1@huawei.com>- 3.7.9-33
 - Type:CVE
 - CVE:CVE-2023-24329