8000 core/python3: fix CVE-2024-8088 · bell-sw/alpaquita-aports@4618dc5 · GitHub
[go: up one dir, main page]
Skip to content

Commit 4618dc5

Browse files
Daniel Nérikonfetka1989
Daniel Néri
authored and
konfetka1989
committed
core/python3: fix CVE-2024-8088
[ commit be30c12bfd365f7f008f53c6c1031560ef019bf1 ] Add patch to fix CVE-2024-8088: Infinite loop when iterating over zip archive entry names. - python/cpython#122905 - https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/
1 parent 102e989 commit 4618dc5

File tree

2 files changed

+128
-1
lines changed

2 files changed

+128
-1
lines changed

core/python3/APKBUILD

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ pkgname=python3
55
# the python3-tkinter's pkgver needs to be synchronized with this.
66
pkgver=3.12.5
77
_basever="${pkgver%.*}"
8-
pkgrel=0
8+
pkgrel=1
99
pkgdesc="Python programming language"
1010
url="https://www.python.org/"
1111
arch="all"
@@ -47,6 +47,7 @@ source="https://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz
4747
musl:musl-find_library.patch
4848
musl:test_posix-nodev-disable.patch
4949
fix-run_fileexflags-test.patch
50+
CVE-2024-8088.patch
5051
5152
0100-test_urllib-skip-test_url_host_with_-test-cases.patch
5253
0101-Unset-BASH_XTRACEFD-in-tests.patch
@@ -56,6 +57,8 @@ options="net" # Required for tests
5657
builddir="$srcdir/Python-$pkgver"
5758

5859
# secfixes:
60+
# 3.12.5-r1:
61+
# - CVE-2024-8088
5962
# 3.11.7-r2:
6063
# - CVE-2023-27043
6164
# 3.11.5-r0:
@@ -263,6 +266,7 @@ sha512sums="
263266
ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch
264267
606cf7b3df0c81c90571c6bc65e4f07e065867739fa0d36e9c8e1ad2d6bcd64d265f90c4a7881880fc7e0c85eed94d1f72655a5c70d92ca63e5cc4bd3be8f145 test_posix-nodev-disable.patch
265268
0e1155b1976be46d68fe50161b9644ac272d95c51f44ada51a0fd67a0154df89833752e97cfc85e977b384fca82b58907c30405a103f3a33a1483b9f76ce632f fix-run_fileexflags-test.patch
269+
60a3482b219154312d1ae929ba2b409627c9b08a387e0d7ed4c73e0ff97640a2b8a50eb9d347fb8dda136b7764617464826d14a988af789a1f032ed0badcdaf5 CVE-2024-8088.patch
266270
942f13ecef2efa251b948b5ad4a58cb9b7237e399a05b184ddbfad62419d60f2f810478097d2fb58997543540c55035469b3df394ff0cb87c99da11007454d2e 0100-test_urllib-skip-test_url_host_with_-test-cases.patch
267271
77d3a4cfe57f9ca8cfae748f9164a8977b7c6af4d6de06d2593945716b9c71a7cdc5e4425b4019c8c2c5730bf84f1c207d2d2e8efae8afe9d782920c2275f220 0101-Unset-BASH_XTRACEFD-in-tests.patch
268272
fc767cd3a8a2c7d3658e4f6446849715846f11f02940641a36e2239e0439aab7af04657a88cc2314a051b1e730266496a5b97d317ea4de69ce7d4eda3d55cac7 0102-CVE-2023-27043.patch

core/python3/CVE-2024-8088.patch

Lines changed: 123 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,123 @@
1+
From ee9f40523d9766f43ddf2c69a4b610dd09668375 Mon Sep 17 00:00:00 2001
2+
From: "Jason R. Coombs" <jaraco@jaraco.com>
3+
Date: Sun, 11 Aug 2024 19:48:50 -0400
4+
Subject: [PATCH] gh-122905: Sanitize names in zipfile.Path. (GH-122906)
5+
6+
Ported from zipp 3.19.1; ref jaraco/zippGH-119.
7+
(cherry picked from commit 9cd03263100ddb1657826cc4a71470786cab3932)
8+
9+
Co-authored-by: Jason R. Coombs <jaraco@jaraco.com>
10+
---
11+
Lib/test/test_zipfile/_path/test_path.py | 17 +++++
12+
Lib/zipfile/_path/__init__.py | 64 ++++++++++++++++++-
13+
...-08-11-14-08-04.gh-issue-122905.7tDsxA.rst | 1 +
14+
3 files changed, 81 insertions(+), 1 deletion(-)
15+
create mode 100644 Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
16+
17+
diff --git a/Lib/test/test_zipfile/_path/test_path.py b/Lib/test/test_zipfile/_path/test_path.py
18+
index 06d5aab69bd6d4..90885dbbe39b92 100644
19+
--- a/Lib/test/test_zipfile/_path/test_path.py
20+
+++ b/Lib/test/test_zipfile/_path/test_path.py
21+
@@ -577,3 +577,20 @@ def test_getinfo_missing(self, alpharep):
22+
zipfile.Path(alpharep)
23+
with self.assertRaises(KeyError):
24+
alpharep.getinfo('does-not-exist')
25+
+
26+
+ def test_malformed_paths(self):
27+
+ """
28+
+ Path should handle malformed paths.
29+
+ """
30+
+ data = io.BytesIO()
31+
+ zf = zipfile.ZipFile(data, "w")
32+
+ zf.writestr("/one-slash.txt", b"content")
33+
+ zf.writestr("//two-slash.txt", b"content")
34+
+ zf.writestr("../parent.txt", b"content")
35+
+ zf.filename = ''
36+
+ root = zipfile.Path(zf)
37+
+ assert list(map(str, root.iterdir())) == [
38+
+ 'one-slash.txt',
39+
+ 'two-slash.txt',
40+
+ 'parent.txt',
41+
+ ]
42+
diff --git a/Lib/zipfile/_path/__init__.py b/Lib/zipfile/_path/__init__.py
43+
index 78c413563bb2b1..42f9fded21198e 100644
44+
--- a/Lib/zipfile/_path/__init__.py
45+
+++ b/Lib/zipfile/_path/__init__.py
46+
@@ -83,7 +83,69 @@ def __setstate__(self, state):
47+
super().__init__(*args, **kwargs)
48+
49+
50+
-class CompleteDirs(InitializedState, zipfile.ZipFile):
51+
+class SanitizedNames:
52+
+ """
53+
+ ZipFile mix-in to ensure names are sanitized.
54+
+ """
55+
+
56+
+ def namelist(self):
57+
+ return list(map(self._sanitize, super().namelist()))
58+
+
59+
+ @staticmethod
60+
+ def _sanitize(name):
61+
+ r"""
62+
+ Ensure a relative path with posix separators and no dot names.
63+
+
64+
+ Modeled after
65+
+ https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
66+
+ but provides consistent cross-platform behavior.
67+
+
68+
+ >>> san = SanitizedNames._sanitize
69+
+ >>> san('/foo/bar')
70+
+ 'foo/bar'
71+
+ >>> san('//foo.txt')
72+
+ 'foo.txt'
73+
+ >>> san('foo/.././bar.txt')
74+
+ 'foo/bar.txt'
75+
+ >>> san('foo../.bar.txt')
76+
+ 'foo../.bar.txt'
77+
+ >>> san('\\foo\\bar.txt')
78+
+ 'foo/bar.txt'
79+
+ >>> san('D:\\foo.txt')
80+
+ 'D/foo.txt'
81+
+ >>> san('\\\\server\\share\\file.txt')
82+
+ 'server/share/file.txt'
83+
+ >>> san('\\\\?\\GLOBALROOT\\Volume3')
84+
+ '?/GLOBALROOT/Volume3'
85+
+ >>> san('\\\\.\\PhysicalDrive1\\root')
86+
+ 'PhysicalDrive1/root'
87+
+
88+
+ Retain any trailing slash.
89+
+ >>> san('abc/')
90+
+ 'abc/'
91+
+
92+
+ Raises a ValueError if the result is empty.
93+
+ >>> san('../..')
94+
+ Traceback (most recent call last):
95+
+ ...
96+
+ ValueError: Empty filename
97+
+ """
98+
+
99+
+ def allowed(part):
100+
+ return part and part not in {'..', '.'}
101+
+
102+
+ # Remove the drive letter.
103+
+ # Don't use ntpath.splitdrive, because that also strips UNC paths
104+
+ bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
105+
+ clean = bare.replace('\\', '/')
106+
+ parts = clean.split('/')
107+
+ joined = '/'.join(filter(allowed, parts))
108+
+ if not joined:
109+
+ raise ValueError("Empty filename")
110+
+ return joined + '/' * name.endswith('/')
111+
+
112+
+
113+
+class CompleteDirs(InitializedState, SanitizedNames, zipfile.ZipFile):
114+
"""
115+
A ZipFile subclass that ensures that implied directories
116+
are always included in the namelist.
117+
diff --git a/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
118+
new file mode 100644
119+
index 00000000000000..1be44c906c4f30
120+
--- /dev/null
121+
+++ b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst
122+
@@ -0,0 +1 @@
123+
+:class:`zipfile.Path` objects now sanitize names from the zipfile.

0 commit comments

Comments
 (0)
0