summary refs log tree commit diff
path: root/gnu
diff options
context:
space:
mode:
authorMarius Bakke <marius@gnu.org>2020-12-08 22:48:19 +0100
committerMarius Bakke <marius@gnu.org>2020-12-08 22:57:53 +0100
commitf936a300b48955faecce028ac9ac509b1b83906c (patch)
tree9bbd4b1c1c02bc89a10f5b4f77b06a7d37173073 /gnu
parent6d9b23cbf2a799b50aacde8d31ef4c3e45160856 (diff)
downloadguix-f936a300b48955faecce028ac9ac509b1b83906c.tar.gz
gnu: Python: Fix CVE-2020-26116.
* gnu/packages/patches/python-CVE-2020-26116.patch: New file.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/python.scm (python-3.8)[source](patches): Add it.
Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/patches/python-CVE-2020-26116.patch47
-rw-r--r--gnu/packages/python.scm1
3 files changed, 49 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 7f0b69cacf..897de3eaf9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1515,6 +1515,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-3-fix-tests.patch			\
   %D%/packages/patches/python-3.8-fix-tests.patch		\
   %D%/packages/patches/python-CVE-2018-14647.patch		\
+  %D%/packages/patches/python-CVE-2020-26116.patch		\
   %D%/packages/patches/python-aionotify-0.2.0-py3.8.patch	\
   %D%/packages/patches/python-argcomplete-1.11.1-fish31.patch	\
   %D%/packages/patches/python-axolotl-AES-fix.patch		\
diff --git a/gnu/packages/patches/python-CVE-2020-26116.patch b/gnu/packages/patches/python-CVE-2020-26116.patch
new file mode 100644
index 0000000000..dc0571e964
--- /dev/null
+++ b/gnu/packages/patches/python-CVE-2020-26116.patch
@@ -0,0 +1,47 @@
+Fix CVE-2020-26116:
+
+https://cve.circl.lu/cve/CVE-2020-26116
+https://bugs.python.org/issue39603
+
+Taken from upstream (sans test and NEWS update):
+https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf
+
+diff --git a/Lib/http/client.py b/Lib/http/client.py
+--- a/Lib/http/client.py
++++ b/Lib/http/client.py
+@@ -147,6 +147,10 @@
+ #  _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
+ # We are more lenient for assumed real world compatibility purposes.
+ 
++# These characters are not allowed within HTTP method names
++# to prevent http header injection.
++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+@@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False,
+         else:
+             raise CannotSendRequest(self.__state)
+ 
++        self._validate_method(method)
++
+         # Save the method for use later in the response phase
+         self._method = method
+ 
+@@ -1177,6 +1183,15 @@ def _encode_request(self, request):
+         # ASCII also helps prevent CVE-2019-9740.
+         return request.encode('ascii')
+ 
++    def _validate_method(self, method):
++        """Validate a method name for putrequest."""
++        # prevent http header injection
++        match = _contains_disallowed_method_pchar_re.search(method)
++        if match:
++            raise ValueError(
++                    f"method can't contain control characters. {method!r} "
++                    f"(found at least {match.group()!r})")
++
+     def _validate_path(self, url):
+         """Validate a url for putrequest."""
+         # Prevent CVE-2019-9740.
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 43704bccae..533b2bdeff 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -370,6 +370,7 @@ data types.")
               (uri (string-append "https://www.python.org/ftp/python/"
                                   version "/Python-" version ".tar.xz"))
               (patches (search-patches
+                        "python-CVE-2020-26116.patch"
                         "python-3-fix-tests.patch"
                         "python-3.8-fix-tests.patch"
                         "python-3-deterministic-build-info.patch"