python27: add backported security fix for CVE-2022-45061

2023-01-08 00:54:29 +00:00 · 2023-01-08 00:54:29 +00:00 · 3adb59e442
commit 3adb59e442
parent d2340297f7
4 changed files with 73 additions and 3 deletions
--- a/lang/python27/Makefile
+++ b/lang/python27/Makefile
@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.104 2022/08/11 01:32:50 gutteridge Exp $
+# $NetBSD: Makefile,v 1.105 2023/01/08 00:54:29 gutteridge Exp $

 .include "dist.mk"

 PKGNAME=	python27-${PY_DISTVERSION}
-PKGREVISION=	9
+PKGREVISION=	10
 CATEGORIES=	lang python

 MAINTAINER=	pkgsrc-users@NetBSD.org
--- a/lang/python27/distinfo
+++ b/lang/python27/distinfo
@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.91 2022/08/11 01:32:50 gutteridge Exp $
+$NetBSD: distinfo,v 1.92 2023/01/08 00:54:29 gutteridge Exp $

 BLAKE2s (Python-2.7.18.tar.xz) = 1b673ec8c9362a178e044691392bc4f67ad13457d7fddd84a88de346f23f9812
 SHA512 (Python-2.7.18.tar.xz) = a7bb62b51f48ff0b6df0b18f5b0312a523e3110f49c3237936bfe56ed0e26838c0274ff5401bda6fc21bf24337477ccac49e8026c5d651e4b4cafb5eb5086f6c
@ -20,6 +20,7 @@ SHA1 (patch-Lib_distutils_command_install__egg__info.py) = ec7f9e0cd04489b1f6497
 SHA1 (patch-Lib_distutils_tests_test__build__ext.py) = 6b3c8c8d1d351836b239c049d34d132953bd4786
 SHA1 (patch-Lib_distutils_unixccompiler.py) = 4e2425ae15d9f0383f83779e77d8b6ebce374967
 SHA1 (patch-Lib_distutils_util.py) = 5bcfad96f8e490351160f1a7c1f4ece7706a33fa
+SHA1 (patch-Lib_encodings_idna.py) = 47436d4c45599556f4861d062ce398702fc63325
 SHA1 (patch-Lib_ftplib.py) = 6679c4ea109dcb5d56d86a55343954e0368b9138
 SHA1 (patch-Lib_httplib.py) = b8eeaa203e2a86ece94148d192b2a7e0c078602a
 SHA1 (patch-Lib_lib2to3_pgen2_driver.py) = 5d6dab14197f27363394ff1aeee22a8ced8026d2
@ -31,6 +32,7 @@ SHA1 (patch-Lib_tarfile.py) = df00aa1941367c42dcbbed4b6658b724a22ddcde
 SHA1 (patch-Lib_test_mailcap.txt) = 80923517cb616f7de97df11ee8632465cce8d10c
 SHA1 (patch-Lib_test_multibytecodec__support.py) = a18c40e8009f1a8f63e15196d3e751d7dccf8367
 SHA1 (patch-Lib_test_test__cgi.py) = 724355e8d2195f8a4b76d7ea61133e9b14fa3a68
+SHA1 (patch-Lib_test_test__codecs.py) = 825b5e5d57ffcb97542fc6eef149ac74c950f711
 SHA1 (patch-Lib_test_test__ftplib.py) = 4b22c8a963ccf6f60ca49be003bf026e1b0b632d
 SHA1 (patch-Lib_test_test__httplib.py) = f7cfa5501a63eaca539bfa53d38cf931f3a6c3ac
 SHA1 (patch-Lib_test_test__mailcap.py) = 6b869c9e9d9ef097d6fc4aef967e7b7bca3bd41c
--- a/lang/python27/patches/patch-Lib_encodings_idna.py
+++ b/lang/python27/patches/patch-Lib_encodings_idna.py
@ -0,0 +1,47 @@
+$NetBSD: patch-Lib_encodings_idna.py,v 1.1 2023/01/08 00:54:29 gutteridge Exp $
+
+Security fix for CVE-2022-45061: CPU denial of service via inefficient IDNA decoder
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/64f3700b7679f9f8a385d99e3862a758b14e1d28/f/00394-cve-2022-45061-cpu-denial-of-service-via-inefficient-idna-decoder.patch
+
+--- Lib/encodings/idna.py.orig	2020-04-19 21:13:39.000000000 +0000
+++ Lib/encodings/idna.py
+@@ -39,23 +39,21 @@ def nameprep(label):
+ 
+     # Check bidi
+     RandAL = map(stringprep.in_table_d1, label)
+-    for c in RandAL:
+-        if c:
+-            # There is a RandAL char in the string. Must perform further
+-            # tests:
+-            # 1) The characters in section 5.8 MUST be prohibited.
+-            # This is table C.8, which was already checked
+-            # 2) If a string contains any RandALCat character, the string
+-            # MUST NOT contain any LCat character.
+-            if filter(stringprep.in_table_d2, label):
+-                raise UnicodeError("Violation of BIDI requirement 2")
+-
+-            # 3) If a string contains any RandALCat character, a
+-            # RandALCat character MUST be the first character of the
+-            # string, and a RandALCat character MUST be the last
+-            # character of the string.
+-            if not RandAL[0] or not RandAL[-1]:
+-                raise UnicodeError("Violation of BIDI requirement 3")
+    if any(RandAL):
+        # There is a RandAL char in the string. Must perform further
+        # tests:
+        # 1) The characters in section 5.8 MUST be prohibited.
+        # This is table C.8, which was already checked
+        # 2) If a string contains any RandALCat character, the string
+        # MUST NOT contain any LCat character.
+        if any(stringprep.in_table_d2(x) for x in label):
+            raise UnicodeError("Violation of BIDI requirement 2")
+        # 3) If a string contains any RandALCat character, a
+        # RandALCat character MUST be the first character of the
+        # string, and a RandALCat character MUST be the last
+        # character of the string.
+        if not RandAL[0] or not RandAL[-1]:
+            raise UnicodeError("Violation of BIDI requirement 3")
+ 
+     return label
+ 
--- a/lang/python27/patches/patch-Lib_test_test__codecs.py
+++ b/lang/python27/patches/patch-Lib_test_test__codecs.py
@ -0,0 +1,21 @@
+$NetBSD: patch-Lib_test_test__codecs.py,v 1.1 2023/01/08 00:54:29 gutteridge Exp $
+
+Security fix for CVE-2022-45061: CPU denial of service via inefficient IDNA decoder
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/64f3700b7679f9f8a385d99e3862a758b14e1d28/f/00394-cve-2022-45061-cpu-denial-of-service-via-inefficient-idna-decoder.patch
+
+--- Lib/test/test_codecs.py.orig	2020-04-19 21:13:39.000000000 +0000
+++ Lib/test/test_codecs.py
+@@ -1318,6 +1318,12 @@ class IDNACodecTest(unittest.TestCase):
+         self.assertEqual(u"pyth\xf6n.org".encode("idna"), "xn--pythn-mua.org")
+         self.assertEqual(u"pyth\xf6n.org.".encode("idna"), "xn--pythn-mua.org.")
+ 
+    def test_builtin_decode_length_limit(self):
+        with self.assertRaisesRegexp(UnicodeError, "too long"):
+            (b"xn--016c"+b"a"*1100).decode("idna")
+        with self.assertRaisesRegexp(UnicodeError, "too long"):
+            (b"xn--016c"+b"a"*70).decode("idna")
+
+     def test_stream(self):
+         import StringIO
+         r = codecs.getreader("idna")(StringIO.StringIO("abc"))