diff -Nru python3.5-3.5.2/debian/changelog python3.5-3.5.2/debian/changelog
--- python3.5-3.5.2/debian/changelog 2020-10-09 13:38:55.000000000 +0000
+++ python3.5-3.5.2/debian/changelog 2021-01-26 15:33:24.000000000 +0000
@@ -1,3 +1,17 @@
+python3.5 (3.5.2-2ubuntu0~16.04.13) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Code execution from content received via HTTP
+ - debian/patches/CVE-2020-27619.patch: no longer call eval() on
+ content received via HTTP in Lib/test/multibytecodec_support.py.
+ - CVE-2020-27619
+ * SECURITY UPDATE: Buffer overflow
+ - debian/patches/CVE-2021-3177.patch: replace snprintf with Python unicode
+ formatting in ctypes param reprs in Lib/ctypes/test/test_parameters.py,
+ Modules/_ctypes/callproc.c.
+ - CVE-2021-3177
+
+ -- Leonidas Da Silva Barbosa Tue, 26 Jan 2021 10:30:48 -0300
+
 python3.5 (3.5.2-2ubuntu0~16.04.12) xenial-security; urgency=medium
 * SECURITY UPDATE: CRLF injection
diff -Nru python3.5-3.5.2/debian/patches/CVE-2020-27619.patch python3.5-3.5.2/debian/patches/CVE-2020-27619.patch
--- python3.5-3.5.2/debian/patches/CVE-2020-27619.patch 1970-01-01 00:00:00.000000000 +0000
+++ python3.5-3.5.2/debian/patches/CVE-2020-27619.patch 2021-01-26 14:57:19.000000000 +0000
@@ -0,0 +1,51 @@
+From e912e945f2960029d039d3390ea08835ad39374b Mon Sep 17 00:00:00 2001
+From: "Miss Skeleton (bot)" <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 19 Oct 2020 21:46:10 -0700
+Subject: [PATCH] bpo-41944: No longer call eval() on content received via HTTP
+ in the CJK codec tests (GH-22566) (GH-22579)
+
+(cherry picked from commit 2ef5caa58febc8968e670e39e3d37cf8eef3cab8)
+
+Co-authored-by: Serhiy Storchaka
+diff --git a/Lib/test/multibytecodec_support.py b/Lib/test/multibytecodec_support.py
+index f9884c6..9431386 100644
+--- a/Lib/test/multibytecodec_support.py
++++ b/Lib/test/multibytecodec_support.py
+@@ -300,29 +300,23 @@ def test_mapping_file(self):
+ self._test_mapping_file_plain()
+
+ def _test_mapping_file_plain(self):
+- unichrs = lambda s: ''.join(map(chr, map(eval, s.split('+'))))
++ def unichrs(s):
++ return ''.join(chr(int(x, 16)) for x in s.split('+'))
++
+ urt_wa = {}
+
+ with self.open_mapping_file() as f:
+ for line in f:
+ if not line:
+ break
+- data = line.split('#')[0].strip().split()
++ data = line.split('#')[0].split()
+ if len(data) != 2:
+ continue
+
+- csetval = eval(data[0])
+- if csetval <= 0x7F:
+- csetch = bytes([csetval & 0xff])
+- elif csetval >= 0x1000000:
+- csetch = bytes([(csetval >> 24), ((csetval >> 16) & 0xff),
+- ((csetval >> 8) & 0xff), (csetval & 0xff)])
+- elif csetval >= 0x10000:
+- csetch = bytes([(csetval >> 16), ((csetval >> 8) & 0xff),
+- (csetval & 0xff)])
+- elif csetval >= 0x100:
+- csetch = bytes([(csetval >> 8), (csetval & 0xff)])
+- else:
++ if data[0][:2] != '0x':
++ self.fail("Invalid line: {}".format(line))
++ csetch = bytes.fromhex(data[0][2:])
++ if len(csetch) == 1 and 0x80 <= csetch[0]:
+ continue
+
+ unich = unichrs(data[1])
diff -Nru python3.5-3.5.2/debian/patches/CVE-2021-3177.patch python3.5-3.5.2/debian/patches/CVE-2021-3177.patch
--- python3.5-3.5.2/debian/patches/CVE-2021-3177.patch 1970-01-01 00:00:00.000000000 +0000
+++ 
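Review bot: `csetch = bytes.fromhex(data[0][2:])` raises ValueError on an odd-length or non-hex digit string, so a malformed code-point column now aborts the test with a traceback instead of the `self.fail("Invalid line: {}".format(line))` the new code uses for a missing `0x` prefix one line earlier; wrapping the call in a `try:`/`except ValueError:` that calls the same `self.fail(...)` keeps the failure mode uniform. The same applies to `int(x, 16)` inside `unichrs`, which additionally accepts a sign and a redundant `0x` prefix, though a negative result would only make `chr()` raise. Replacing `eval` with `int(..., 16)` and `bytes.fromhex` is the right fix: the worst a hostile mapping file can now do is raise ValueError, and since the data is presumably fetched by `open_mapping_file` over plain HTTP (outside this hunk), the integrity of that download is the residual risk. This hardening is confined to the test helper and does not touch the runtime CJK codecs. `_test_mapping_file_plain` continues past the end of the hunk.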
python3.5-3.5.2/debian/patches/CVE-2021-3177.patch 2021-01-26 16:22:11.000000000 +0000 
@@ -0,0 +1,161 @@
+Backported of:
+
+From 34df10a9a16b38d54421eeeaf73ec89828563be7 Mon Sep 17 00:00:00 2001
+From: Benjamin Peterson
+Date: Mon, 18 Jan 2021 15:11:46 -0600
+Subject: [PATCH] [3.6] closes bpo-42938: Replace snprintf with Python unicode
+ formatting in ctypes param reprs. (GH-24250)
+
+(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7)
+
+Co-authored-by: Benjamin Peterson
+diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py
+index e56bccf..5d08c14 100644
+--- a/Lib/ctypes/test/test_parameters.py
++++ b/Lib/ctypes/test/test_parameters.py
+@@ -170,6 +170,49 @@ def from_param(cls, obj):
+ self.assertRaises(ArgumentError, func, 99)
+
+
++ def test_parameter_repr(self):
++ from ctypes import (
++ c_bool,
++ c_char,
++ c_wchar,
++ c_byte,
++ c_ubyte,
++ c_short,
++ c_ushort,
++ c_int,
++ c_uint,
++ c_long,
++ c_ulong,
++ c_longlong,
++ c_ulonglong,
++ c_float,
++ c_double,
++ c_longdouble,
++ c_char_p,
++ c_wchar_p,
++ c_void_p,
++ )
++ self.assertRegex(repr(c_bool.from_param(True)), r"^$")
++ self.assertEqual(repr(c_char.from_param(97)), "")
++ self.assertRegex(repr(c_wchar.from_param('a')), r"^$")
++ self.assertEqual(repr(c_byte.from_param(98)), "")
++ self.assertEqual(repr(c_ubyte.from_param(98)), "")
++ self.assertEqual(repr(c_short.from_param(511)), "")
++ self.assertEqual(repr(c_ushort.from_param(511)), "")
++ self.assertRegex(repr(c_int.from_param(20000)), r"^$")
++ self.assertRegex(repr(c_uint.from_param(20000)), r"^$")
++ self.assertRegex(repr(c_long.from_param(20000)), r"^$")
++ self.assertRegex(repr(c_ulong.from_param(20000)), r"^$")
++ self.assertRegex(repr(c_longlong.from_param(20000)), r"^$")
++ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^$")
++ self.assertEqual(repr(c_float.from_param(1.5)), "")
++ self.assertEqual(repr(c_double.from_param(1.5)), "")
++ self.assertEqual(repr(c_double.from_param(1e300)), "")
++ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^$")
++ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^$")
++ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^$")
++ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^$")
++
+ ################################################################
+
+ if __name__ == '__main__':
+diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c
+index 03a911f..f99130e 100644
+--- a/Modules/_ctypes/callproc.c
++++ b/Modules/_ctypes/callproc.c
+@@ -449,54 +449,49 @@ PyCArg_dealloc(PyCArgObject *self)
+ static PyObject *
+ PyCArg_repr(PyCArgObject *self)
+ {
+- char buffer[256];
++ PyObject *f;
++ PyObject *result;
+ switch(self->tag) {
+ case 'b':
+ case 'B':
+- sprintf(buffer, "",
++ return PyUnicode_FromFormat("",
+ self->tag, self->value.b);
+ break;
+ case 'h':
+ case 'H':
+- sprintf(buffer, "",
++ return PyUnicode_FromFormat("",
+ self->tag, self->value.h);
+ break;
+ case 'i':
+ case 'I':
+- sprintf(buffer, "",
++ return PyUnicode_FromFormat("",
+ self->tag, self->value.i);
+ break;
+ case 'l':
+ case 'L':
+- sprintf(buffer, "",
++ return PyUnicode_FromFormat("",
+ self->tag, self->value.l);
+- break;
+
+ #ifdef HAVE_LONG_LONG
+ case 'q':
+ case 'Q':
+- sprintf(buffer,
+-#ifdef MS_WIN32
+- "",
+-#else
+- "",
+-#endif
++ return PyUnicode_FromFormat("",
+ self->tag, self->value.q);
+- break;
+ #endif
+ case 'd':
+- sprintf(buffer, "",
+- self->tag, self->value.d);
+- break;
+- case 'f':
+- sprintf(buffer, "",
+- self->tag, self->value.f);
+- break;
++ case 'f': {
++ f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d);
++ if (f == NULL) {
++ return NULL;
++ }
++ result = PyUnicode_FromFormat("", self->tag, f);
++ Py_DECREF(f);
++ return result;
++ }
+
+ case 'c':
+- sprintf(buffer, "",
++ return PyUnicode_FromFormat("",
+ self->tag, self->value.c);
+- break;
+
+ /* Hm, are these 'z' and 'Z' codes useful at all?
+ Shouldn't they be replaced by the functionality of c_string
+@@ -505,16 +500,14 @@ PyCArg_repr(PyCArgObject *self)
+ case 'z':
+ case 'Z':
+ case 'P':
+- sprintf(buffer, "",
++ return PyUnicode_FromFormat("",
+ self->tag, self->value.p);
+ break;
+
+ default:
+- sprintf(buffer, "",
+- self->tag, self);
+- break;
++ return PyUnicode_FromFormat("",
++ (unsigned char)self->tag, (void *)self);
+ }
+- return PyUnicode_FromString(buffer);
+ }
+
+ static PyMemberDef PyCArgType_members[] = {
diff -Nru python3.5-3.5.2/debian/patches/series python3.5-3.5.2/debian/patches/series
--- python3.5-3.5.2/debian/patches/series 2020-10-09 13:37:47.000000000 +0000
+++ python3.5-3.5.2/debian/patches/series 2021-01-26 16:22:11.000000000 +0000
@@ -65,3 +65,5 @@
 CVE-2020-14422.patch
 CVE-2020-26116.patch
 skipping_broken_test_httphandlertest.patch
+CVE-2020-27619.patch
+CVE-2021-3177.patch
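Review bot: Four of the rewritten cases keep a `break;` after the new `return PyUnicode_FromFormat(...)` — the 'b'/'B', 'h'/'H', 'i'/'I' and 'z'/'Z'/'P' arms — while the same commit drops the now-unreachable `break;` in the 'l'/'L', 'q'/'Q' and 'c' arms; deleting the four leftover `break;` lines makes the switch consistent and avoids unreachable-code warnings. The fix itself is sound: the fixed `char buffer[256]` is removed, so no `sprintf` target remains for a long `%f`/`%g` expansion to overrun, and the merged 'f'/'d' arm checks `PyFloat_FromDouble` for NULL and `Py_DECREF`s the temporary after formatting. The format strings do not survive in this rendering (they appear as `""`), so the specifier/argument pairing — in particular the single format now used for `self->value.q` after the `MS_WIN32` branch was removed — should be checked against the applied patch rather than this listing. `PyCArg_repr` spans both inner hunks; the lines between them lie outside the diff.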