!262 fix CVE-2022-48566

From: @dongyuzhen Reviewed-by: @gaoruoshu, @zhuofeng6 Signed-off-by: @gaoruoshu
2023-09-08 01:16:21 +00:00 · 2023-09-08 01:16:21 +00:00 · 0c2365c059
commit 0c2365c059
parent ec918da7f6 2919414988
2 changed files with 39 additions and 1 deletions
--- a/backport-CVE-2022-48566.patch
+++ b/backport-CVE-2022-48566.patch
@ -0,0 +1,30 @@
+From 31729366e2bc09632e78f3896dbce0ae64914f28 Mon Sep 17 00:00:00 2001
+From: Devin Jeanpierre <jeanpierreda@google.com>
+Date: Sat, 21 Nov 2020 01:55:23 -0700
+Subject: [PATCH] bpo-40791: Make compare_digest more constant-time. (GH-20444)
+
+* bpo-40791: Make compare_digest more constant-time.
+
+The existing volatile `left`/`right` pointers guarantee that the reads will all occur, but does not guarantee that they will be _used_. So a compiler can still short-circuit the loop, saving e.g. the overhead of doing the xors and especially the overhead of the data dependency between `result` and the reads. That would change performance depending on where the first unequal byte occurs. This change removes that optimization.
+
+(This is change #1 from https://bugs.python.org/issue40791 .)
+---
+ Modules/_operator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Modules/_operator.c b/Modules/_operator.c
+index 51daa1f..7fff654 100644
+--- a/Modules/_operator.c
+++ b/Modules/_operator.c
+@@ -735,7 +735,7 @@ _tscmp(const unsigned char *a, const unsigned char *b,
+     volatile const unsigned char *left;
+     volatile const unsigned char *right;
+     Py_ssize_t i;
+-    unsigned char result;
+    volatile unsigned char result;
+ 
+     /* loop count depends on length of b */
+     length = len_b;
+-- 
+2.33.0
+
--- a/python3.spec
+++ b/python3.spec
@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/

 Version: 3.7.9
-Release: 34
+Release: 35
 License: Python-2.0

 %global branchversion 3.7
@ -168,6 +168,7 @@ Patch6058:  backport-CVE-2022-37454.patch
 Patch6059:  backport-bpo-44434-Don-t-call-PyThread_exit_thread-explicitly.patch
 Patch6060:  backport-Make-urllib.parse.urlparse-enforce-that-a-scheme-mus.patch
 Patch6061:  backport-CVE-2022-48565.patch
+Patch6062:  backport-CVE-2022-48566.patch

 patch9000:  Don-t-override-PYTHONPATH-which-is-already-set.patch
 patch9001:  add-the-sm3-method-for-obtaining-the-salt-value.patch
@ -324,6 +325,7 @@ rm Lib/ensurepip/_bundled/*.whl
 %patch6059 -p1
 %patch6060 -p1
 %patch6061 -p1
+%patch6062 -p1

 %patch9000 -p1
 %patch9001 -p1
@ -929,6 +931,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*

 %changelog
+* Wed Sep 06 2023 dongyuzhen <dongyuzhen@h-partners.com> - 3.7.9-35
+- Type:CVE
+- CVE:CVE-2022-48566
+- SUG:NA
+- DESC:fix CVE-2022-48566
+
 * Tue Sep 05 2023 dongyuzhen <dongyuzhen@h-partners.com> - 3.7.9-34
 - Type:CVE
 - CVE:CVE-2022-48565