diff options
| author | Miro Hrončok <miro@hroncok.cz> | 2016-09-22 13:22:59 +0200 |
|---|---|---|
| committer | Miro Hrončok <miro@hroncok.cz> | 2016-09-26 10:20:44 +0200 |
| commit | 57f132be772c4585cbf8cfc6d8c8f326e986573e (patch) | |
| tree | 4bd27e302ffca915a61b97b49b37e07017098d61 | |
| parent | 6e5079ffe2e7329c542579f8ab549518b2a28aef (diff) | |
| download | python34-57f132be772c4585cbf8cfc6d8c8f326e986573e.tar.gz python34-57f132be772c4585cbf8cfc6d8c8f326e986573e.tar.xz python34-57f132be772c4585cbf8cfc6d8c8f326e986573e.zip | |
Updated to 3.4.5
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | 00102-lib64.patch | 102 | ||||
| -rw-r--r-- | 00199-alter-tests-to-reflect-sslv3-disabled.patch | 48 | ||||
| -rw-r--r-- | 00202-fix-undefined-behaviour-in-faulthandler.patch | 41 | ||||
| -rw-r--r-- | 00204-increase-dh-keys-size.patch | 49 | ||||
| -rw-r--r-- | 00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch | 39 | ||||
| -rw-r--r-- | 00210-Raise-an-error-when-STARTTLS-fails.patch | 35 | ||||
| -rw-r--r-- | 00211-Disabled-HTTP-header-injections-in-http-client.patch | 162 | ||||
| -rw-r--r-- | python34.spec | 50 | ||||
| -rw-r--r-- | sources | 2 |
10 files changed, 79 insertions, 450 deletions
@@ -1 +1,2 @@ /Python-3.4.3.tar.xz +/Python-3.4.5.tar.xz diff --git a/00102-lib64.patch b/00102-lib64.patch index db5fd95..d59430a 100644 --- a/00102-lib64.patch +++ b/00102-lib64.patch @@ -1,6 +1,8 @@ ---- Python-3.4.0b1/Lib/distutils/command/install.py.lib64 2013-11-24 21:36:54.000000000 +0100 -+++ Python-3.4.0b1/Lib/distutils/command/install.py 2013-11-27 11:10:43.821150774 +0100 -@@ -45,14 +45,14 @@ else: +diff --git a/Lib/distutils/command/install.py b/Lib/distutils/command/install.py +index d768dc5..a051164 100644 +--- a/Lib/distutils/command/install.py ++++ b/Lib/distutils/command/install.py +@@ -30,14 +30,14 @@ WINDOWS_SCHEME = { INSTALL_SCHEMES = { 'unix_prefix': { 'purelib': '$base/lib/python$py_version_short/site-packages', @@ -17,9 +19,11 @@ 'headers': '$base/include/python/$dist_name', 'scripts': '$base/bin', 'data' : '$base', ---- Python-3.4.0b1/Lib/distutils/sysconfig.py.lib64 2013-11-24 21:36:54.000000000 +0100 -+++ Python-3.4.0b1/Lib/distutils/sysconfig.py 2013-11-27 11:10:43.821150774 +0100 -@@ -141,8 +141,12 @@ +diff --git a/Lib/distutils/sysconfig.py b/Lib/distutils/sysconfig.py +index a1452fe..795c559 100644 +--- a/Lib/distutils/sysconfig.py ++++ b/Lib/distutils/sysconfig.py +@@ -141,8 +141,12 @@ def get_python_lib(plat_specific=0, standard_lib=0, prefix=None): prefix = plat_specific and EXEC_PREFIX or PREFIX if os.name == "posix": @@ -33,9 +37,11 @@ if standard_lib: return libpython else: ---- Python-3.4.0b1/Lib/site.py.lib64 2013-11-24 21:36:54.000000000 +0100 -+++ Python-3.4.0b1/Lib/site.py 2013-11-27 11:10:43.822150773 +0100 -@@ -304,12 +304,16 @@ +diff --git a/Lib/site.py b/Lib/site.py +index 3c8584b..2e47052 100644 +--- a/Lib/site.py ++++ b/Lib/site.py +@@ -304,12 +304,16 @@ def getsitepackages(prefixes=None): seen.add(prefix) if os.sep == '/': @@ -52,9 +58,11 @@ sitepackages.append(os.path.join(prefix, "lib", "site-packages")) if sys.platform == "darwin": # for framework builds *only* we add the standard Apple ---- Python-3.4.0b1/Lib/sysconfig.py.lib64 2013-11-24 21:36:54.000000000 +0100 -+++ Python-3.4.0b1/Lib/sysconfig.py 2013-11-27 11:10:43.822150773 +0100 -@@ -20,10 +20,10 @@ +diff --git a/Lib/sysconfig.py b/Lib/sysconfig.py +index dbf7767..dba45c7 100644 +--- a/Lib/sysconfig.py ++++ b/Lib/sysconfig.py +@@ -20,10 +20,10 @@ __all__ = [ _INSTALL_SCHEMES = { 'posix_prefix': { @@ -68,7 +76,7 @@ 'include': '{installed_base}/include/python{py_version_short}{abiflags}', 'platinclude': -@@ -61,10 +61,10 @@ +@@ -61,10 +61,10 @@ _INSTALL_SCHEMES = { 'data': '{userbase}', }, 'posix_user': { @@ -82,9 +90,11 @@ 'include': '{userbase}/include/python{py_version_short}', 'scripts': '{userbase}/bin', 'data': '{userbase}', ---- Python-3.4.0b1/Lib/test/test_site.py.lib64 2013-11-24 21:36:55.000000000 +0100 -+++ Python-3.4.0b1/Lib/test/test_site.py 2013-11-27 11:10:43.822150773 +0100 -@@ -244,12 +244,15 @@ +diff --git a/Lib/test/test_site.py b/Lib/test/test_site.py +index f71cf73..28b5bb9 100644 +--- a/Lib/test/test_site.py ++++ b/Lib/test/test_site.py +@@ -243,12 +243,15 @@ class HelperFunctionsTests(unittest.TestCase): self.assertEqual(dirs[2], wanted) elif os.sep == '/': # OS X non-framwework builds, Linux, FreeBSD, etc @@ -103,9 +113,11 @@ else: # other platforms self.assertEqual(len(dirs), 2) ---- Python-3.4.0b1/Makefile.pre.in.lib64 2013-11-27 11:10:43.814150786 +0100 -+++ Python-3.4.0b1/Makefile.pre.in 2013-11-27 11:10:43.823150771 +0100 -@@ -115,7 +115,7 @@ +diff --git a/Makefile.pre.in b/Makefile.pre.in +index e19fc00..9a2538b 100644 +--- a/Makefile.pre.in ++++ b/Makefile.pre.in +@@ -120,7 +120,7 @@ LIBDIR= @libdir@ MANDIR= @mandir@ INCLUDEDIR= @includedir@ CONFINCLUDEDIR= $(exec_prefix)/include @@ -114,9 +126,11 @@ ABIFLAGS= @ABIFLAGS@ # Detailed destination directories ---- Python-3.4.0b1/Modules/getpath.c.lib64 2013-11-24 21:36:56.000000000 +0100 -+++ Python-3.4.0b1/Modules/getpath.c 2013-11-27 11:17:33.619449704 +0100 -@@ -122,8 +122,8 @@ +diff --git a/Modules/getpath.c b/Modules/getpath.c +index 13e3817..a31ab0c 100644 +--- a/Modules/getpath.c ++++ b/Modules/getpath.c +@@ -118,8 +118,8 @@ #endif #ifndef PYTHONPATH @@ -127,7 +141,7 @@ #endif #ifndef LANDMARK -@@ -498,7 +498,7 @@ +@@ -494,7 +494,7 @@ calculate_path(void) _pythonpath = _Py_char2wchar(PYTHONPATH, NULL); _prefix = _Py_char2wchar(PREFIX, NULL); _exec_prefix = _Py_char2wchar(EXEC_PREFIX, NULL); @@ -136,7 +150,7 @@ if (!_pythonpath || !_prefix || !_exec_prefix || !lib_python) { Py_FatalError( -@@ -687,7 +687,7 @@ +@@ -683,7 +683,7 @@ calculate_path(void) } else wcsncpy(zip_path, _prefix, MAXPATHLEN); @@ -145,7 +159,7 @@ bufsz = wcslen(zip_path); /* Replace "00" with version */ zip_path[bufsz - 6] = VERSION[0]; zip_path[bufsz - 5] = VERSION[2]; -@@ -699,7 +699,7 @@ +@@ -695,7 +695,7 @@ calculate_path(void) fprintf(stderr, "Could not find platform dependent libraries <exec_prefix>\n"); wcsncpy(exec_prefix, _exec_prefix, MAXPATHLEN); @@ -154,9 +168,37 @@ } /* If we found EXEC_PREFIX do *not* reduce it! (Yet.) */ ---- Python-3.4.0b1/setup.py.lib64 2013-11-24 21:36:56.000000000 +0100 -+++ Python-3.4.0b1/setup.py 2013-11-27 11:10:43.824150769 +0100 -@@ -441,7 +441,7 @@ +diff --git a/configure b/configure +index 7b91f91..9e830ed 100755 +--- a/configure ++++ b/configure +@@ -14030,7 +14030,7 @@ LDVERSION='$(VERSION)$(ABIFLAGS)' + $as_echo "$LDVERSION" >&6; } + + +-LIBPL='$(prefix)'"/lib/python${VERSION}/config-${LDVERSION}" ++LIBPL='$(prefix)'"/lib64/python${VERSION}/config-${LDVERSION}" + + + # Check whether right shifting a negative integer extends the sign bit +diff --git a/configure.ac b/configure.ac +index 3394d84..1321c93 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -4115,7 +4115,7 @@ AC_MSG_RESULT($LDVERSION) + + dnl define LIBPL after ABIFLAGS and LDVERSION is defined. + AC_SUBST(PY_ENABLE_SHARED) +-LIBPL='$(prefix)'"/lib/python${VERSION}/config-${LDVERSION}" ++LIBPL='$(prefix)'"/lib64/python${VERSION}/config-${LDVERSION}" + AC_SUBST(LIBPL) + + # Check whether right shifting a negative integer extends the sign bit +diff --git a/setup.py b/setup.py +index 2779658..55e0bb8 100644 +--- a/setup.py ++++ b/setup.py +@@ -451,7 +451,7 @@ class PyBuildExt(build_ext): # directories (i.e. '.' and 'Include') must be first. See issue # 10520. if not cross_compiling: @@ -165,7 +207,7 @@ add_dir_to_list(self.compiler.include_dirs, '/usr/local/include') # only change this for cross builds for 3.3, issues on Mageia if cross_compiling: -@@ -718,11 +718,11 @@ +@@ -730,11 +730,11 @@ class PyBuildExt(build_ext): elif curses_library: readline_libs.append(curses_library) elif self.compiler.find_library_file(lib_dirs + @@ -179,7 +221,7 @@ extra_link_args=readline_extra_link_args, libraries=readline_libs) ) else: -@@ -759,8 +759,8 @@ +@@ -771,8 +771,8 @@ class PyBuildExt(build_ext): if krb5_h: ssl_incs += krb5_h ssl_libs = find_library_file(self.compiler, 'ssl',lib_dirs, diff --git a/00199-alter-tests-to-reflect-sslv3-disabled.patch b/00199-alter-tests-to-reflect-sslv3-disabled.patch deleted file mode 100644 index c7fb9ff..0000000 --- a/00199-alter-tests-to-reflect-sslv3-disabled.patch +++ /dev/null @@ -1,48 +0,0 @@ -diff -up Python-3.4.2/Lib/test/test_ssl.py.ssl Python-3.4.2/Lib/test/test_ssl.py ---- Python-3.4.2/Lib/test/test_ssl.py.ssl 2014-12-11 12:25:21.886928225 +0100 -+++ Python-3.4.2/Lib/test/test_ssl.py 2014-12-11 12:25:00.284746529 +0100 -@@ -674,10 +674,7 @@ class ContextTests(unittest.TestCase): - @skip_if_broken_ubuntu_ssl - def test_options(self): - ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -- # OP_ALL | OP_NO_SSLv2 is the default value -- self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2, -- ctx.options) -- ctx.options |= ssl.OP_NO_SSLv3 -+ # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value - self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3, - ctx.options) - if can_clear_options(): -@@ -2186,7 +2180,7 @@ else: - try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False) - if no_sslv2_implies_sslv3_hello(): - # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs -- try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, True, -+ try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False, - client_options=ssl.OP_NO_SSLv2) - - @skip_if_broken_ubuntu_ssl -diff -up Python-3.4.3/Lib/test/test_ssl.py.foo Python-3.4.3/Lib/test/test_ssl.py ---- Python-3.4.3/Lib/test/test_ssl.py.foo 2015-03-12 10:08:58.268065970 +0100 -+++ Python-3.4.3/Lib/test/test_ssl.py 2015-03-12 10:10:09.733347118 +0100 -@@ -2168,17 +2168,17 @@ else: - " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n" - % str(x)) - if hasattr(ssl, 'PROTOCOL_SSLv3'): -- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True) -+ try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False) - try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True) - try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True) - - if hasattr(ssl, 'PROTOCOL_SSLv3'): -- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_OPTIONAL) -+ try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL) - try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL) - try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL) - - if hasattr(ssl, 'PROTOCOL_SSLv3'): -- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_REQUIRED) -+ try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED) - try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED) - try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED) - diff --git a/00202-fix-undefined-behaviour-in-faulthandler.patch b/00202-fix-undefined-behaviour-in-faulthandler.patch deleted file mode 100644 index b333e15..0000000 --- a/00202-fix-undefined-behaviour-in-faulthandler.patch +++ /dev/null @@ -1,41 +0,0 @@ - -# HG changeset patch -# User Victor Stinner <victor.stinner@gmail.com> -# Date 1423661015 -3600 -# Node ID 689092296ad31951f8f919fc06b49450e648e93d -# Parent 645f3d750be139ce0198e15e221da07b22289a92 -Issue #23433: Fix faulthandler._stack_overflow() - -Fix undefined behaviour: don't compare pointers. Use Py_uintptr_t type instead -of void*. It fixes test_faulthandler on Fedora 22 which now uses GCC 5. - -diff --git a/Modules/faulthandler.c b/Modules/faulthandler.c ---- a/Modules/faulthandler.c -+++ b/Modules/faulthandler.c -@@ -911,12 +911,12 @@ faulthandler_fatal_error_py(PyObject *se - } - - #if defined(HAVE_SIGALTSTACK) && defined(HAVE_SIGACTION) --static void* --stack_overflow(void *min_sp, void *max_sp, size_t *depth) -+static Py_uintptr_t -+stack_overflow(Py_uintptr_t min_sp, Py_uintptr_t max_sp, size_t *depth) - { - /* allocate 4096 bytes on the stack at each call */ - unsigned char buffer[4096]; -- void *sp = &buffer; -+ Py_uintptr_t sp = (Py_uintptr_t)&buffer; - *depth += 1; - if (sp < min_sp || max_sp < sp) - return sp; -@@ -929,7 +929,8 @@ static PyObject * - faulthandler_stack_overflow(PyObject *self) - { - size_t depth, size; -- char *sp = (char *)&depth, *stop; -+ Py_uintptr_t sp = (Py_uintptr_t)&depth; -+ Py_uintptr_t stop; - - depth = 0; - stop = stack_overflow(sp - STACK_OVERFLOW_MAX_SIZE, - diff --git a/00204-increase-dh-keys-size.patch b/00204-increase-dh-keys-size.patch deleted file mode 100644 index e75d992..0000000 --- a/00204-increase-dh-keys-size.patch +++ /dev/null @@ -1,49 +0,0 @@ - -# HG changeset patch -# User Benjamin Peterson <benjamin@python.org> -# Date 1427947446 14400 -# Node ID 1ad7c0253abe1252128d61c3d0127d22144cb354 -# Parent 47451f6e7e7528a6647dbdc435e9a9f5c13c0080 -replace 512 bit dh key with a 2014 bit one (closes #23844) - -Patch by Cédric Krier. - -diff --git a/Lib/test/dh1024.pem b/Lib/test/dh1024.pem -new file mode 100644 ---- /dev/null -+++ b/Lib/test/dh1024.pem -@@ -0,0 +1,7 @@ -+-----BEGIN DH PARAMETERS----- -+MIGHAoGBAIbzw1s9CT8SV5yv6L7esdAdZYZjPi3qWFs61CYTFFQnf2s/d09NYaJt -+rrvJhIzWavqnue71qXCf83/J3nz3FEwUU/L0mGyheVbsSHiI64wUo3u50wK5Igo0 -+RNs/LD0irs7m0icZ//hijafTU+JOBiuA8zMI+oZfU7BGuc9XrUprAgEC -+-----END DH PARAMETERS----- -+ -+Generated with: openssl dhparam -out dh1024.pem 1024 -diff --git a/Lib/test/dh512.pem b/Lib/test/dh512.pem -deleted file mode 100644 ---- a/Lib/test/dh512.pem -+++ /dev/null -@@ -1,9 +0,0 @@ -------BEGIN DH PARAMETERS----- --MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak --XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC -------END DH PARAMETERS----- -- --These are the 512 bit DH parameters from "Assigned Number for SKIP Protocols" --(http://www.skip-vpn.org/spec/numbers.html). --See there for how they were generated. --Note that g is not a generator, but this is not a problem since p is a safe prime. -diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py ---- a/Lib/test/test_ssl.py -+++ b/Lib/test/test_ssl.py -@@ -64,7 +64,7 @@ BADKEY = data_file("badkey.pem") - NOKIACERT = data_file("nokia.pem") - NULLBYTECERT = data_file("nullbytecert.pem") - --DHFILE = data_file("dh512.pem") -+DHFILE = data_file("dh1024.pem") - BYTES_DHFILE = os.fsencode(DHFILE) - - - diff --git a/00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch b/00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch deleted file mode 100644 index 587d6f9..0000000 --- a/00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch +++ /dev/null @@ -1,39 +0,0 @@ -From ae99040f6c1f329d6b6c984f39c920f09d383925 Mon Sep 17 00:00:00 2001 -From: Charalampos Stratakis <cstratak@redhat.com> -Date: Mon, 11 Jul 2016 11:21:29 +0200 -Subject: [PATCH] CVE-2016-5636 fix - ---- - Modules/zipimport.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/Modules/zipimport.c b/Modules/zipimport.c -index 8fe9195..f72e89f 100644 ---- a/Modules/zipimport.c -+++ b/Modules/zipimport.c -@@ -1071,6 +1071,10 @@ get_data(PyObject *archive, PyObject *toc_entry) - &date, &crc)) { - return NULL; - } -+ if (data_size < 0) { -+ PyErr_Format(ZipImportError, "negative data size"); -+ return NULL; -+ } - - fp = _Py_fopen_obj(archive, "rb"); - if (!fp) { -@@ -1111,6 +1115,11 @@ get_data(PyObject *archive, PyObject *toc_entry) - } - file_offset += l; /* Start of file data */ - -+ if (data_size > LONG_MAX - 1) { -+ fclose(fp); -+ PyErr_NoMemory(); -+ return NULL; -+ } - bytes_size = compress == 0 ? data_size : data_size + 1; - if (bytes_size == 0) - bytes_size++; --- -2.7.4 - diff --git a/00210-Raise-an-error-when-STARTTLS-fails.patch b/00210-Raise-an-error-when-STARTTLS-fails.patch deleted file mode 100644 index 9083e61..0000000 --- a/00210-Raise-an-error-when-STARTTLS-fails.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 761db274ca898f8a92348ed5979d3d3c1b0d634a Mon Sep 17 00:00:00 2001 -From: Tomas Orsava <torsava@redhat.com> -Date: Fri, 17 Jun 2016 16:08:11 +0200 -Subject: [PATCH] Raise an error when STARTTLS fails - -CVE-2016-0772 python: smtplib StartTLS stripping attack -rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647 -rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345 - -Based on an upstream change by Benjamin Peterson <benjamin@python.org> -- in changeset 101887:d590114c2394 3.4 -- https://hg.python.org/cpython/rev/d590114c2394 ---- - Lib/smtplib.py | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/Lib/smtplib.py b/Lib/smtplib.py -index 4756973..dfbf5f9 100755 ---- a/Lib/smtplib.py -+++ b/Lib/smtplib.py -@@ -773,6 +773,11 @@ class SMTP: - self.ehlo_resp = None - self.esmtp_features = {} - self.does_esmtp = 0 -+ else: -+ # RFC 3207: -+ # 501 Syntax error (no parameters allowed) -+ # 454 TLS not available due to temporary reason -+ raise SMTPResponseException(resp, reply) - return (resp, reply) - - def sendmail(self, from_addr, to_addrs, msg, mail_options=[], --- -2.5.5 - diff --git a/00211-Disabled-HTTP-header-injections-in-http-client.patch b/00211-Disabled-HTTP-header-injections-in-http-client.patch deleted file mode 100644 index 1dba41d..0000000 --- a/00211-Disabled-HTTP-header-injections-in-http-client.patch +++ /dev/null @@ -1,162 +0,0 @@ -From 86589512cc1192e58343bbbc51bb4c09450dab90 Mon Sep 17 00:00:00 2001 -From: Tomas Orsava <torsava@redhat.com> -Date: Fri, 24 Jun 2016 12:35:26 +0200 -Subject: [PATCH] Disabled HTTP header injections in http.client. - -CVE-2016-5699 python: http protocol steam injection attack -rhbz#1303699 : https://bugzilla.redhat.com/show_bug.cgi?id=1303699 - -Based on an upstream change by Demian Brecht and Serhiy Storchaka -- in changeset 94952:bf3e1c9b80e9 3.4 -- https://hg.python.org/cpython/rev/bf3e1c9b80e9 ---- - Lib/http/client.py | 37 +++++++++++++++++++++++++++++++ - Lib/test/test_httplib.py | 57 ++++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 94 insertions(+) - -diff --git a/Lib/http/client.py b/Lib/http/client.py -index 6de4b0e..7ec5899 100644 ---- a/Lib/http/client.py -+++ b/Lib/http/client.py -@@ -70,6 +70,7 @@ import email.parser - import email.message - import io - import os -+import re - import socket - import collections - from urllib.parse import urlsplit -@@ -215,6 +216,34 @@ MAXAMOUNT = 1048576 - _MAXLINE = 65536 - _MAXHEADERS = 100 - -+# Header name/value ABNF (http://tools.ietf.org/html/rfc7230#section-3.2) -+# -+# VCHAR = %x21-7E -+# obs-text = %x80-FF -+# header-field = field-name ":" OWS field-value OWS -+# field-name = token -+# field-value = *( field-content / obs-fold ) -+# field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ] -+# field-vchar = VCHAR / obs-text -+# -+# obs-fold = CRLF 1*( SP / HTAB ) -+# ; obsolete line folding -+# ; see Section 3.2.4 -+ -+# token = 1*tchar -+# -+# tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" -+# / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" -+# / DIGIT / ALPHA -+# ; any VCHAR, except delimiters -+# -+# VCHAR defined in http://tools.ietf.org/html/rfc5234#appendix-B.1 -+ -+# the patterns for both name and value are more leniant than RFC -+# definitions to allow for backwards compatibility -+_is_legal_header_name = re.compile(rb'[^:\s][^:\r\n]*').fullmatch -+_is_illegal_header_value = re.compile(rb'\n(?![ \t])|\r(?![ \t\n])').search -+ - - class HTTPMessage(email.message.Message): - # XXX The only usage of this method is in -@@ -1058,12 +1087,20 @@ class HTTPConnection: - - if hasattr(header, 'encode'): - header = header.encode('ascii') -+ -+ if not _is_legal_header_name(header): -+ raise ValueError('Invalid header name %r' % (header,)) -+ - values = list(values) - for i, one_value in enumerate(values): - if hasattr(one_value, 'encode'): - values[i] = one_value.encode('latin-1') - elif isinstance(one_value, int): - values[i] = str(one_value).encode('ascii') -+ -+ if _is_illegal_header_value(values[i]): -+ raise ValueError('Invalid header value %r' % (values[i],)) -+ - value = b'\r\n\t'.join(values) - header = header + b': ' + value - self._output(header) -diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py -index 3fc3466..d5037f0 100644 ---- a/Lib/test/test_httplib.py -+++ b/Lib/test/test_httplib.py -@@ -148,6 +148,33 @@ class HeaderTests(TestCase): - conn.putheader('Content-length', 42) - self.assertIn(b'Content-length: 42', conn._buffer) - -+ conn.putheader('Foo', ' bar ') -+ self.assertIn(b'Foo: bar ', conn._buffer) -+ conn.putheader('Bar', '\tbaz\t') -+ self.assertIn(b'Bar: \tbaz\t', conn._buffer) -+ conn.putheader('Authorization', 'Bearer mytoken') -+ self.assertIn(b'Authorization: Bearer mytoken', conn._buffer) -+ conn.putheader('IterHeader', 'IterA', 'IterB') -+ self.assertIn(b'IterHeader: IterA\r\n\tIterB', conn._buffer) -+ conn.putheader('LatinHeader', b'\xFF') -+ self.assertIn(b'LatinHeader: \xFF', conn._buffer) -+ conn.putheader('Utf8Header', b'\xc3\x80') -+ self.assertIn(b'Utf8Header: \xc3\x80', conn._buffer) -+ conn.putheader('C1-Control', b'next\x85line') -+ self.assertIn(b'C1-Control: next\x85line', conn._buffer) -+ conn.putheader('Embedded-Fold-Space', 'is\r\n allowed') -+ self.assertIn(b'Embedded-Fold-Space: is\r\n allowed', conn._buffer) -+ conn.putheader('Embedded-Fold-Tab', 'is\r\n\tallowed') -+ self.assertIn(b'Embedded-Fold-Tab: is\r\n\tallowed', conn._buffer) -+ conn.putheader('Key Space', 'value') -+ self.assertIn(b'Key Space: value', conn._buffer) -+ conn.putheader('KeySpace ', 'value') -+ self.assertIn(b'KeySpace : value', conn._buffer) -+ conn.putheader(b'Nonbreak\xa0Space', 'value') -+ self.assertIn(b'Nonbreak\xa0Space: value', conn._buffer) -+ conn.putheader(b'\xa0NonbreakSpace', 'value') -+ self.assertIn(b'\xa0NonbreakSpace: value', conn._buffer) -+ - def test_ipv6host_header(self): - # Default host header on IPv6 transaction should wrapped by [] if - # its actual IPv6 address -@@ -177,6 +204,36 @@ class HeaderTests(TestCase): - self.assertEqual(resp.getheader('First'), 'val') - self.assertEqual(resp.getheader('Second'), 'val') - -+ def test_invalid_headers(self): -+ conn = client.HTTPConnection('example.com') -+ conn.sock = FakeSocket('') -+ conn.putrequest('GET', '/') -+ -+ # http://tools.ietf.org/html/rfc7230#section-3.2.4, whitespace is no -+ # longer allowed in header names -+ cases = ( -+ (b'Invalid\r\nName', b'ValidValue'), -+ (b'Invalid\rName', b'ValidValue'), -+ (b'Invalid\nName', b'ValidValue'), -+ (b'\r\nInvalidName', b'ValidValue'), -+ (b'\rInvalidName', b'ValidValue'), -+ (b'\nInvalidName', b'ValidValue'), -+ (b' InvalidName', b'ValidValue'), -+ (b'\tInvalidName', b'ValidValue'), -+ (b'Invalid:Name', b'ValidValue'), -+ (b':InvalidName', b'ValidValue'), -+ (b'ValidName', b'Invalid\r\nValue'), -+ (b'ValidName', b'Invalid\rValue'), -+ (b'ValidName', b'Invalid\nValue'), -+ (b'ValidName', b'InvalidValue\r\n'), -+ (b'ValidName', b'InvalidValue\r'), -+ (b'ValidName', b'InvalidValue\n'), -+ ) -+ for name, value in cases: -+ with self.subTest((name, value)): -+ with self.assertRaisesRegex(ValueError, 'Invalid header'): -+ conn.putheader(name, value) -+ - - class BasicTest(TestCase): - def test_status_lines(self): --- -2.9.0 - diff --git a/python34.spec b/python34.spec index 10ea0ff..bf9e5f0 100644 --- a/python34.spec +++ b/python34.spec @@ -125,8 +125,8 @@ # ================== Summary: Version 3.4 of the Python programming language Name: python%{pyshortver} -Version: %{pybasever}.3 -Release: 11%{?dist} +Version: %{pybasever}.5 +Release: 1%{?dist} License: Python Group: Development/Languages @@ -671,10 +671,6 @@ Patch196: 00196-test-gdb-match-addr-before-builtin.patch # FIXED UPSTREAM # Patch197: 00197-fix-CVE-2014-4650.patch -# OpenSSL disabled SSLv3 in SSLv23 method -# This patch alters python tests to reflect this change -# Issue: http://bugs.python.org/issue22638 Upstream discussion about SSLv3 in Python -Patch199: 00199-alter-tests-to-reflect-sslv3-disabled.patch # 00200 # # Fix for gettext plural form headers (lines that begin with "#") @@ -688,42 +684,9 @@ Patch200: 00200-gettext-plural-fix.patch # Note: Backported from scl Patch201: 00201-fix-memory-leak-in-gdbm.patch -# 00202 # -# Fixes undefined behaviour in faulthandler which caused test to hang on x86_64 -# http://bugs.python.org/issue23433 -Patch202: 00202-fix-undefined-behaviour-in-faulthandler.patch - # test_threading fails in koji dues to it's handling of signals Patch203: 00203-disable-threading-test-koji.patch -# openssl requires DH keys to be > 768bits -Patch204: 00204-increase-dh-keys-size.patch - -# 00209 # -# CVE-2016-5636: http://seclists.org/oss-sec/2016/q2/560 -# rhbz#1345859: https://bugzilla.redhat.com/show_bug.cgi?id=1345859 -# https://hg.python.org/cpython/rev/10dad6da1b28/ -# https://hg.python.org/cpython/rev/5533a9e02b21 -# Fix possible integer overflow and heap corruption in zipimporter.get_data() -# FIXED UPSTREAM: https://bugs.python.org/issue26171 -Patch209: 00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch - -# 00210 # -# CVE-2016-0772 python: smtplib StartTLS stripping attack -# rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647 -# rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345 -# FIXED UPSTREAM: https://hg.python.org/cpython/rev/d590114c2394 -# Raise an error when STARTTLS fails -Patch210: 00210-Raise-an-error-when-STARTTLS-fails.patch - -# 00211 # -# CVE-2016-5699 python: http protocol steam injection attack -# https://bugzilla.redhat.com/show_bug.cgi?id=1303699 -# FIXED UPSTREAM: https://hg.python.org/cpython/rev/bf3e1c9b80e9 -# Disabled HTTP header injections in http.client -# Resolves: rhbz#1331392 -Patch211: 00211-Disabled-HTTP-header-injections-in-http-client.patch - # 00212 # # Fix test breakage with version 2.2.0 of Expat # rhbz#1353918: https://bugzilla.redhat.com/show_bug.cgi?id=1353918 @@ -910,14 +873,8 @@ done # 00195: upstream as of Python 3.4.2 %patch196 -p1 # 00197: upstream as of Python 3.4.2 -%patch199 -p1 -%patch202 -p1 %patch203 -p1 -%patch204 -p1 -%patch209 -p1 -%patch210 -p1 -%patch211 -p1 %patch212 -p1 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there @@ -1469,5 +1426,8 @@ CheckPython optimized # ====================================================== %changelog +* Thu Sep 22 2016 Miro Hrončok <mhroncok@redhat.com> - 3.4.5-1 +- Updated to 3.4.5 + * Thu Aug 11 2016 Miro Hrončok <mhroncok@redhat.com> - 3.4.3-11 - Imported from F23 @@ -1 +1 @@ -7d092d1bba6e17f0d9bd21b49e441dd5 Python-3.4.3.tar.xz +5caaca47eead170070a856fae5f6e78c Python-3.4.5.tar.xz |