Sun Sep 27 14:57:22 2020 UTC ()
python27: Add reference to CVE-2020-26116 in patches for bpo-39603


(leot)
diff -r1.80 -r1.81 pkgsrc/lang/python27/distinfo
diff -r1.2 -r1.3 pkgsrc/lang/python27/patches/patch-Lib_httplib.py
diff -r1.2 -r1.3 pkgsrc/lang/python27/patches/patch-Lib_test_test__httplib.py

cvs diff -r1.80 -r1.81 pkgsrc/lang/python27/distinfo

--- pkgsrc/lang/python27/distinfo 2020/09/20 12:50:26 1.80
+++ pkgsrc/lang/python27/distinfo 2020/09/27 14:57:22 1.81
@@ -1,35 +1,35 @@ @@ -1,35 +1,35 @@
1$NetBSD: distinfo,v 1.80 2020/09/20 12:50:26 mgorny Exp $ 1$NetBSD: distinfo,v 1.81 2020/09/27 14:57:22 leot Exp $
2 2
3SHA1 (Python-2.7.18.tar.xz) = 678d4cf483a1c92efd347ee8e1e79326dc82810b 3SHA1 (Python-2.7.18.tar.xz) = 678d4cf483a1c92efd347ee8e1e79326dc82810b
4RMD160 (Python-2.7.18.tar.xz) = 40a514bb05c9e631454ea8466e28f5bb229428ad 4RMD160 (Python-2.7.18.tar.xz) = 40a514bb05c9e631454ea8466e28f5bb229428ad
5SHA512 (Python-2.7.18.tar.xz) = a7bb62b51f48ff0b6df0b18f5b0312a523e3110f49c3237936bfe56ed0e26838c0274ff5401bda6fc21bf24337477ccac49e8026c5d651e4b4cafb5eb5086f6c 5SHA512 (Python-2.7.18.tar.xz) = a7bb62b51f48ff0b6df0b18f5b0312a523e3110f49c3237936bfe56ed0e26838c0274ff5401bda6fc21bf24337477ccac49e8026c5d651e4b4cafb5eb5086f6c
6Size (Python-2.7.18.tar.xz) = 12854736 bytes 6Size (Python-2.7.18.tar.xz) = 12854736 bytes
7SHA1 (patch-Include_pyerrors.h) = 0d2cd52d18cc719b895fa32ed7e11c6cb15bae54 7SHA1 (patch-Include_pyerrors.h) = 0d2cd52d18cc719b895fa32ed7e11c6cb15bae54
8SHA1 (patch-Include_pyport.h) = f3e4ddbc954425a65301465410911222ca471320 8SHA1 (patch-Include_pyport.h) = f3e4ddbc954425a65301465410911222ca471320
9SHA1 (patch-Lib_ctypes_____init____.py) = 31dd0546bbe29ad1b1d481edc525ba43479c06da 9SHA1 (patch-Lib_ctypes_____init____.py) = 31dd0546bbe29ad1b1d481edc525ba43479c06da
10SHA1 (patch-Lib_ctypes_util.py) = 6fa516c7b43f08992427a0afcbe80c17bcc070f1 10SHA1 (patch-Lib_ctypes_util.py) = 6fa516c7b43f08992427a0afcbe80c17bcc070f1
11SHA1 (patch-Lib_distutils_command_build__ext.py) = ea4feba4e93dbcff07050c82a00d591bb650e934 11SHA1 (patch-Lib_distutils_command_build__ext.py) = ea4feba4e93dbcff07050c82a00d591bb650e934
12SHA1 (patch-Lib_distutils_command_install.py) = e6aef090b444b455fe351308d251e670329b7dc3 12SHA1 (patch-Lib_distutils_command_install.py) = e6aef090b444b455fe351308d251e670329b7dc3
13SHA1 (patch-Lib_distutils_command_install__egg__info.py) = ec7f9e0cd04489b1f6497c44d75bff6864ad1047 13SHA1 (patch-Lib_distutils_command_install__egg__info.py) = ec7f9e0cd04489b1f6497c44d75bff6864ad1047
14SHA1 (patch-Lib_distutils_unixccompiler.py) = db16c9aca2f29730945f28247b88b18828739bbb 14SHA1 (patch-Lib_distutils_unixccompiler.py) = db16c9aca2f29730945f28247b88b18828739bbb
15SHA1 (patch-Lib_distutils_util.py) = 5bcfad96f8e490351160f1a7c1f4ece7706a33fa 15SHA1 (patch-Lib_distutils_util.py) = 5bcfad96f8e490351160f1a7c1f4ece7706a33fa
16SHA1 (patch-Lib_httplib.py) = f4c781427342dc65096345da779e4d8c22b83986 16SHA1 (patch-Lib_httplib.py) = 375d80eb79209f53046c62db128d8d3f64d9e765
17SHA1 (patch-Lib_lib2to3_pgen2_driver.py) = 5d6dab14197f27363394ff1aeee22a8ced8026d2 17SHA1 (patch-Lib_lib2to3_pgen2_driver.py) = 5d6dab14197f27363394ff1aeee22a8ced8026d2
18SHA1 (patch-Lib_multiprocessing_process.py) = 15699bd8ec822bf54a0631102e00e0a34f882803 18SHA1 (patch-Lib_multiprocessing_process.py) = 15699bd8ec822bf54a0631102e00e0a34f882803
19SHA1 (patch-Lib_plistlib.py) = 96ae702995d434e2d7ec0ac62e37427a90b61d13 19SHA1 (patch-Lib_plistlib.py) = 96ae702995d434e2d7ec0ac62e37427a90b61d13
20SHA1 (patch-Lib_sysconfig.py) = 8a7a0e5cbfec279a05945dffafea1b1131a76f0e 20SHA1 (patch-Lib_sysconfig.py) = 8a7a0e5cbfec279a05945dffafea1b1131a76f0e
21SHA1 (patch-Lib_tarfile.py) = df00aa1941367c42dcbbed4b6658b724a22ddcde 21SHA1 (patch-Lib_tarfile.py) = df00aa1941367c42dcbbed4b6658b724a22ddcde
22SHA1 (patch-Lib_test_test__httplib.py) = 1103089fe06fc2091be60caa5688cd5acc792ca0 22SHA1 (patch-Lib_test_test__httplib.py) = 9d37263e36110838e0b5f413ff4747deb3966dfe
23SHA1 (patch-Lib_test_test__urllib2.py) = 09013a0b4a3e6064cbfe96572e47464c5d6ef047 23SHA1 (patch-Lib_test_test__urllib2.py) = 09013a0b4a3e6064cbfe96572e47464c5d6ef047
24SHA1 (patch-Lib_urllib2.py) = 33a85593da702447fa3ea74b4e3d36d0016f70b5 24SHA1 (patch-Lib_urllib2.py) = 33a85593da702447fa3ea74b4e3d36d0016f70b5
25SHA1 (patch-Makefile.pre.in) = ceaf34237588b527478ce1f9163c9168382fa201 25SHA1 (patch-Makefile.pre.in) = ceaf34237588b527478ce1f9163c9168382fa201
26SHA1 (patch-Modules___multiprocessing_multiprocessing.h) = 7ca8fe22ba4bdcde6d39dd50fe2e86c25994c146 26SHA1 (patch-Modules___multiprocessing_multiprocessing.h) = 7ca8fe22ba4bdcde6d39dd50fe2e86c25994c146
27SHA1 (patch-Modules___multiprocessing_semaphore.c) = 03b9c33ef38da383d5f7c2c84c17fe38cdd2911e 27SHA1 (patch-Modules___multiprocessing_semaphore.c) = 03b9c33ef38da383d5f7c2c84c17fe38cdd2911e
28SHA1 (patch-Modules__ssl.c) = 6e68f88ad205106691900f091a897ffe0a4c363c 28SHA1 (patch-Modules__ssl.c) = 6e68f88ad205106691900f091a897ffe0a4c363c
29SHA1 (patch-Modules_getaddrinfo.c) = aa699d257f1bc98b9a3183a21324053e134409d1 29SHA1 (patch-Modules_getaddrinfo.c) = aa699d257f1bc98b9a3183a21324053e134409d1
30SHA1 (patch-Modules_getpath.c) = 9bb2c040895ad6bbe4d0b5807803723b5437d47b 30SHA1 (patch-Modules_getpath.c) = 9bb2c040895ad6bbe4d0b5807803723b5437d47b
31SHA1 (patch-Modules_makesetup) = 9aad78714c4fe1a21cf66a6627d97d164ecea196 31SHA1 (patch-Modules_makesetup) = 9aad78714c4fe1a21cf66a6627d97d164ecea196
32SHA1 (patch-Modules_nismodule.c) = 129ef7b32779944c2f1827c6b078a3aafab60729 32SHA1 (patch-Modules_nismodule.c) = 129ef7b32779944c2f1827c6b078a3aafab60729
33SHA1 (patch-Modules_posixmodule.c) = 5105d380cd49bf49b8adbd9aa5ffb245195728ed 33SHA1 (patch-Modules_posixmodule.c) = 5105d380cd49bf49b8adbd9aa5ffb245195728ed
34SHA1 (patch-Modules_selectmodule.c) = 01e113b0bd251978b555caaaa60b79c372edebce 34SHA1 (patch-Modules_selectmodule.c) = 01e113b0bd251978b555caaaa60b79c372edebce
35SHA1 (patch-Modules_socketmodule.c) = 16848d90947b3de1f921a0813fa5c317f76961d4 35SHA1 (patch-Modules_socketmodule.c) = 16848d90947b3de1f921a0813fa5c317f76961d4

cvs diff -r1.2 -r1.3 pkgsrc/lang/python27/patches/patch-Lib_httplib.py

--- pkgsrc/lang/python27/patches/patch-Lib_httplib.py 2020/09/20 12:10:27 1.2
+++ pkgsrc/lang/python27/patches/patch-Lib_httplib.py 2020/09/27 14:57:22 1.3
@@ -1,16 +1,16 @@ @@ -1,16 +1,16 @@
1$NetBSD: patch-Lib_httplib.py,v 1.2 2020/09/20 12:10:27 mgorny Exp $ 1$NetBSD: patch-Lib_httplib.py,v 1.3 2020/09/27 14:57:22 leot Exp $
2 2
3bpo-39603 (no CVE): header injection via HTTP method 3bpo-39603 (CVE-2020-26116): header injection via HTTP method
4 4
5taken from: 5taken from:
6https://gitweb.gentoo.org/fork/cpython.git/commit/?h=gentoo-2.7-vanilla&id=138e2caeb4827ccfd1eaff2cf63afb79dfeeb3c4 6https://gitweb.gentoo.org/fork/cpython.git/commit/?h=gentoo-2.7-vanilla&id=138e2caeb4827ccfd1eaff2cf63afb79dfeeb3c4
7 7
8--- Lib/httplib.py.orig 2020-04-19 21:13:39.000000000 +0000 8--- Lib/httplib.py.orig 2020-04-19 21:13:39.000000000 +0000
9+++ Lib/httplib.py 9+++ Lib/httplib.py
10@@ -257,6 +257,10 @@ _contains_disallowed_url_pchar_re = re.c 10@@ -257,6 +257,10 @@ _contains_disallowed_url_pchar_re = re.c
11 # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$") 11 # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
12 # We are more lenient for assumed real world compatibility purposes. 12 # We are more lenient for assumed real world compatibility purposes.
13  13
14+# These characters are not allowed within HTTP method names 14+# These characters are not allowed within HTTP method names
15+# to prevent http header injection. 15+# to prevent http header injection.
16+_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]') 16+_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
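Review bot: The pattern carried at patch line 16, `re.compile('[\x00-\x1f]')`, rejects only C0 control characters, so a method string containing a space or DEL (`\x7f`) would still pass. That covers the CR/LF header-injection case named in the patch header, but it does not restrict the method to an RFC 7230 token. Since the header now cites CVE-2020-26116, it would help to state that scope there, e.g. `Rejects control characters only; callers should still allowlist methods taken from untrusted input.` The code that applies the pattern is outside this hunk, so where the check runs should be confirmed against the full patch.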

cvs diff -r1.2 -r1.3 pkgsrc/lang/python27/patches/patch-Lib_test_test__httplib.py

--- pkgsrc/lang/python27/patches/patch-Lib_test_test__httplib.py 2020/09/20 12:10:27 1.2
+++ pkgsrc/lang/python27/patches/patch-Lib_test_test__httplib.py 2020/09/27 14:57:22 1.3
@@ -1,16 +1,16 @@ @@ -1,16 +1,16 @@
1$NetBSD: patch-Lib_test_test__httplib.py,v 1.2 2020/09/20 12:10:27 mgorny Exp $ 1$NetBSD: patch-Lib_test_test__httplib.py,v 1.3 2020/09/27 14:57:22 leot Exp $
2 2
3bpo-39603 (no CVE): header injection via HTTP method 3bpo-39603 (CVE-2020-26116): header injection via HTTP method
4 4
5taken from: 5taken from:
6https://gitweb.gentoo.org/fork/cpython.git/commit/?h=gentoo-2.7-vanilla&id=138e2caeb4827ccfd1eaff2cf63afb79dfeeb3c4 6https://gitweb.gentoo.org/fork/cpython.git/commit/?h=gentoo-2.7-vanilla&id=138e2caeb4827ccfd1eaff2cf63afb79dfeeb3c4
7 7
8--- Lib/test/test_httplib.py.orig 2020-04-19 21:13:39.000000000 +0000 8--- Lib/test/test_httplib.py.orig 2020-04-19 21:13:39.000000000 +0000
9+++ Lib/test/test_httplib.py 9+++ Lib/test/test_httplib.py
10@@ -384,6 +384,26 @@ class HeaderTests(TestCase): 10@@ -384,6 +384,26 @@ class HeaderTests(TestCase):
11 with self.assertRaisesRegexp(ValueError, 'Invalid header'): 11 with self.assertRaisesRegexp(ValueError, 'Invalid header'):
12 conn.putheader(name, value) 12 conn.putheader(name, value)
13  13
14+ def test_invalid_method_names(self): 14+ def test_invalid_method_names(self):
15+ methods = ( 15+ methods = (
16+ 'GET\r', 16+ 'GET\r',