fix CVE-2021-3426

2021-05-31 20:24:09 +08:00 · 2021-05-31 20:24:09 +08:00 · d004b266e9
commit d004b266e9
parent f52241bbd6
2 changed files with 114 additions and 1 deletions
--- a/backport-CVE-2021-3426.patch
+++ b/backport-CVE-2021-3426.patch
@ -0,0 +1,105 @@
+From 7c2284f97d140c4e4a85382bfb3a42440be2464d Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 29 Mar 2021 08:39:05 -0700
+Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015)
+ (#25066)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reference:https://github.com/python/cpython/commit/7c2284f97d140c4e4a85382bfb3a42440be2464d
+
+CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
+could be abused to read arbitrary files on the disk (directory
+traversal vulnerability). Moreover, even source code of Python
+modules can contain sensitive data like passwords. Vulnerability
+reported by David Schwörer.
+(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
+
+Co-authored-by: Victor Stinner <vstinner@python.org>
+
+Co-authored-by: Victor Stinner <vstinner@python.org>
+---
+ Lib/pydoc.py                                   | 18 ------------------
+ Lib/test/test_pydoc.py                         |  6 ------
+ .../2021-03-24-14-16-56.bpo-42988.P2aNco.rst   |  4 ++++
+ 3 files changed, 4 insertions(+), 24 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+
+diff --git a/Lib/pydoc.py b/Lib/pydoc.py
+index 978e4cd0baa5ba..9677c0d0468db0 100644
+--- a/Lib/pydoc.py
+++ b/Lib/pydoc.py
+@@ -2348,9 +2348,6 @@ def page(self, title, contents):
+ %s</head><body bgcolor="#f0f0f8">%s<div style="clear:both;padding-top:.5em;">%s</div>
+ </body></html>''' % (title, css_link, html_navbar(), contents)
+ 
+-        def filelink(self, url, path):
+-            return '<a href="getfile?key=%s">%s</a>' % (url, path)
+-
+ 
+     html = _HTMLDoc()
+ 
+@@ -2436,19 +2433,6 @@ def bltinlink(name):
+             'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results))
+         return 'Search Results', contents
+ 
+-    def html_getfile(path):
+-        """Get and display a source file listing safely."""
+-        path = urllib.parse.unquote(path)
+-        with tokenize.open(path) as fp:
+-            lines = html.escape(fp.read())
+-        body = '<pre>%s</pre>' % lines
+-        heading = html.heading(
+-            '<big><big><strong>File Listing</strong></big></big>',
+-            '#ffffff', '#7799ee')
+-        contents = heading + html.bigsection(
+-            'File: %s' % path, '#ffffff', '#ee77aa', body)
+-        return 'getfile %s' % path, contents
+-
+     def html_topics():
+         """Index of topic texts available."""
+ 
+@@ -2540,8 +2524,6 @@ def get_html_page(url):
+                 op, _, url = url.partition('=')
+                 if op == "search?key":
+                     title, content = html_search(url)
+-                elif op == "getfile?key":
+-                    title, content = html_getfile(url)
+                 elif op == "topic?key":
+                     # try topics first, then objects.
+                     try:
+diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py
+index 198cea93eb52d7..baad8212c573dc 100644
+--- a/Lib/test/test_pydoc.py
+++ b/Lib/test/test_pydoc.py
+@@ -1049,18 +1049,12 @@ def test_url_requests(self):
+             ("topic?key=def", "Pydoc: KEYWORD def"),
+             ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
+             ("foobar", "Pydoc: Error - foobar"),
+-            ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
+             ]
+ 
+         with self.restrict_walk_packages():
+             for url, title in requests:
+                 self.call_url_handler(url, title)
+ 
+-            path = string.__file__
+-            title = "Pydoc: getfile " + path
+-            url = "getfile?key=" + path
+-            self.call_url_handler(url, title)
+-
+ 
+ class TestHelper(unittest.TestCase):
+     def test_keywords(self):
+diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+new file mode 100644
+index 00000000000000..4b42dd05305a83
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
+@@ -0,0 +1,4 @@
+CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
+could be abused to read arbitrary files on the disk (directory traversal
+vulnerability). Moreover, even source code of Python modules can contain
+sensitive data like passwords. Vulnerability reported by David Schwörer.
--- a/python3.spec
+++ b/python3.spec
@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/

 Version: 3.7.9
-Release: 13
+Release: 14
 License: Python

 %global branchversion 3.7
@ -141,6 +141,7 @@ Patch6032:  backport-35823-Allow-setsid-after-vfork-on-Linux.-GH-2294.patch
 Patch6033:  backport-42146-Fix-memory-leak-in-subprocess.Popen-in-cas.patch
 Patch6034:  backport-42146-Unify-cleanup-in-subprocess_fork_exec-GH-2.patch
 patch6035:  backport-Remove-thread-objects-which-finished-process-its-request.patch
+patch6036:  backport-CVE-2021-3426.patch

 Recommends: %{name}-help = %{version}-%{release}
 Provides: python%{branchversion} = %{version}-%{release}
@ -268,6 +269,7 @@ rm Lib/ensurepip/_bundled/*.whl
 %patch6033 -p1
 %patch6034 -p1
 %patch6035 -p1
+%patch6036 -p1

 sed -i "s/generic_os/%{_vendor}/g" Lib/platform.py
 rm configure pyconfig.h.in
@ -869,6 +871,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*

 %changelog
+* Mon May 31 2021 shixuantong<shixuantong@huawei.com> - 3.7.9-14
+- Type:CVE
+- CVE:CVE-2021-3426
+- SUG:NA
+- DESC:fix CVE-2021-3426
+
 * Sat May 29 2021 BruceGW<gyl93216@163.com> -3.7.9-13
 - Type:bugfix
 - ID:NA