diff -u python2.7-2.7.17/debian/changelog python2.7-2.7.17/debian/changelog --- python2.7-2.7.17/debian/changelog +++ python2.7-2.7.17/debian/changelog @@ -1,3 +1,21 @@ +python2.7 (2.7.17-1~18.04ubuntu1.1) bionic-security; urgency=medium + + * SECURITY UPDATE: Misleading information + - debian/patches/CVE-2019-17514.patch: explain that the orderness of the + of the result is system-dependant in Doc/library/glob.rst. + - CVE-2019-17514 + * SECURITY UPDATE: Denial of service + - debian/patches/CVE-2019-9674.patch: add pitfalls to + zipfile module doc in Doc/library/zipfile.rst, + Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst. + - CVE-2019-9674 + * SECURITY UPDATE: Infinite loop + - debian/patches/CVE-2019-20907.patch: avoid infinite loop in the + tarfile module in Lib/tarfile.py, Lib/test/test_tarfile.py. + - CVE-2019-20907 + + -- Leonidas S. Barbosa Mon, 20 Jul 2020 12:37:01 -0300 + python2.7 (2.7.17-1~18.04ubuntu1) bionic-security; urgency=medium * SECURITY UPDATE: CRLF injection diff -u python2.7-2.7.17/debian/patches/series.in python2.7-2.7.17/debian/patches/series.in --- python2.7-2.7.17/debian/patches/series.in +++ python2.7-2.7.17/debian/patches/series.in @@ -75,0 +76,3 @@ +CVE-2019-17514.patch +CVE-2019-20907.patch +CVE-2019-9674.patch only in patch2: unchanged: --- python2.7-2.7.17.orig/debian/patches/CVE-2019-17514.patch +++ python2.7-2.7.17/debian/patches/CVE-2019-17514.patch @@ -0,0 +1,19 @@ +From 5cffb1ed6a7f5afe74e4384d59f1670be29a7930 Mon Sep 17 00:00:00 2001 +From: elena +Date: Tue, 24 Apr 2018 13:44:30 +0300 +Subject: [PATCH] Explain that the orderness of the result is system-dependant + +Index: python2.7-2.7.17/Doc/library/glob.rst +=================================================================== +--- python2.7-2.7.17.orig/Doc/library/glob.rst ++++ python2.7-2.7.17/Doc/library/glob.rst +@@ -31,7 +31,8 @@ For example, ``'[?]'`` matches the chara + a string containing a path specification. *pathname* can be either absolute + (like :file:`/usr/src/Python-1.5/Makefile`) or relative (like + :file:`../../Tools/\*/\*.gif`), and can contain shell-style wildcards. Broken +- symlinks are included in the results (as in the shell). ++ symlinks are included in the results (as in the shell). Whether or not the ++ results are sorted depends on the file system. + + + .. function:: iglob(pathname) only in patch2: unchanged: --- python2.7-2.7.17.orig/debian/patches/CVE-2019-20907.patch +++ python2.7-2.7.17/debian/patches/CVE-2019-20907.patch @@ -0,0 +1,61 @@ +From 47a2955589bdb1a114d271496ff803ad73f954b8 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Wed, 15 Jul 2020 05:36:36 -0700 +Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module + (GH-21454) (#21485) + +Avoid infinite loop when reading specially crafted TAR files using the tarfile module +(CVE-2019-20907). +(cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4) + +Co-authored-by: Rishi + +--- + Lib/tarfile.py | 2 ++ + Lib/test/test_tarfile.py | 7 +++++++ + .../next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst | 1 + + 3 files changed, 10 insertions(+) + create mode 100644 Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index adf91d5..574a6bb 100644 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -1400,6 +1400,8 @@ class TarInfo(object): + + length, keyword = match.groups() + length = int(length) ++ if length == 0: ++ raise InvalidHeaderError("invalid header") + value = buf[match.end(2) + 1:match.start(1) + length - 1] + + keyword = keyword.decode("utf8") +#diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +#index 89bd738..c61d02b 100644 +#--- a/Lib/test/test_tarfile.py +#+++ b/Lib/test/test_tarfile.py +#@@ -321,6 +321,13 @@ class CommonReadTest(ReadTest): +# with self.assertRaisesRegexp(tarfile.ReadError, "unexpected end of data"): +# tar.extractfile(t).read() +# +#+ def test_length_zero_header(self): +#+ # bpo-39017 (CVE-2019-20907): reading a zero-length header should fail +#+ # with an exception +#+ with self.assertRaisesRegex(tarfile.ReadError, "file could not be opened successfully"): +#+ with tarfile.open(support.findfile('recursion.tar')) as tar: +#+ pass +#+ +# +# class MiscReadTest(CommonReadTest): +# taropen = tarfile.TarFile.taropen +diff --git a/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst +new file mode 100644 +index 0000000..ad26676 +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst +@@ -0,0 +1 @@ ++Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907). +-- +2.25.1 + only in patch2: unchanged: --- python2.7-2.7.17.orig/debian/patches/CVE-2019-9674.patch +++ python2.7-2.7.17/debian/patches/CVE-2019-9674.patch @@ -0,0 +1,90 @@ +From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001 +From: JunWei Song +Date: Wed, 11 Sep 2019 23:04:12 +0800 +Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation + (#13378) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +* bpo-36260: Add pitfalls to zipfile module documentation + +We saw vulnerability warning description (including zip bomb) in Doc/library/xml.rst file. +This gave us the idea of documentation improvement. + +So, we moved a little bit forward :P +And the doc patch can be found (pr). + +* fix trailing whitespace + +* 📜🤖 Added by blurb_it. + +* Reformat text for consistency. + +--- + Doc/library/zipfile.rst | 41 +++++++++++++++++++ + .../2019-06-04-09-29-00.bpo-36260.WrGuc-.rst | 1 + + 2 files changed, 42 insertions(+) + create mode 100644 Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst + +diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst +index ba613b3..c0da0aa 100644 +--- a/Doc/library/zipfile.rst ++++ b/Doc/library/zipfile.rst +@@ -554,4 +554,45 @@ Command-line options + Test whether the zipfile is valid or not. + + ++Decompression pitfalls ++---------------------- ++ ++The extraction in zipfile module might fail due to some pitfalls listed below. ++ ++From file itself ++~~~~~~~~~~~~~~~~ ++ ++Decompression may fail due to incorrect password / CRC checksum / ZIP format or ++unsupported compression method / decryption. ++ ++File System limitations ++~~~~~~~~~~~~~~~~~~~~~~~ ++ ++Exceeding limitations on different file systems can cause decompression failed. ++Such as allowable characters in the directory entries, length of the file name, ++length of the pathname, size of a single file, and number of files, etc. ++ ++Resources limitations ++~~~~~~~~~~~~~~~~~~~~~ ++ ++The lack of memory or disk volume would lead to decompression ++failed. For example, decompression bombs (aka `ZIP bomb`_) ++apply to zipfile library that can cause disk volume exhaustion. ++ ++Interruption ++~~~~~~~~~~~~ ++ ++Interruption during the decompression, such as pressing control-C or killing the ++decompression process may result in incomplete decompression of the archive. ++ ++Default behaviors of extraction ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++ ++Not knowing the default extraction behaviors ++can cause unexpected decompression results. ++For example, when extracting the same archive twice, ++it overwrites files without asking. ++ ++ ++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb + .. _PKZIP Application Note: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT +diff --git a/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst +new file mode 100644 +index 0000000..9276516 +--- /dev/null ++++ b/Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst +@@ -0,0 +1 @@ ++Add decompression pitfalls to zipfile module documentation. +\ No newline at end of file +-- +2.25.1 +