python : CVE-2015-20107 findmatch() function does not sanitise the se…

…cond argument Source: python/cpython#91993 MR: 117410 Type: Security Fix Disposition: Backport from python/cpython@c3e7f13 ChangeID: 6101cf28d6a5288fe07c654df016c3f5810c705a Description: CVE-2015-20107 python(mailcap): findmatch() function does not sanitise the second argument. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
MontaVista-OpenSourceTechnology · Jun 6, 2022 · 85aeec7 · 85aeec7
1 parent d221118
commit 85aeec7
Show file tree

Hide file tree

Showing 2 changed files with 117 additions and 1 deletion.
diff --git a/meta/recipes-devtools/python/python3/0001-CVE-2015-20107.patch b/meta/recipes-devtools/python/python3/0001-CVE-2015-20107.patch
@@ -0,0 +1,115 @@
+From 4b38833b21a8f0aa44dc1b33460e6eea063ebb84 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Fri, 3 Jun 2022 10:31:51 +0530
+Subject: [PATCH] CVE-2015-20107
+
+Upstream-Status: Backport from https://github.com/python/cpython/pull/91993/commits/c3e7f139b440d7424986204e9f3fc2275aea3377
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Lib/mailcap.py           | 26 ++++++++++++++++++++++++--
+ Lib/test/test_mailcap.py |  8 ++++++--
+ 2 files changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/Lib/mailcap.py b/Lib/mailcap.py
+index bd0fc09..2d35b96 100644
+--- a/Lib/mailcap.py
++++ b/Lib/mailcap.py
+@@ -2,6 +2,7 @@
+
+ import os
+ import warnings
++import re
+
+ __all__ = ["getcaps","findmatch"]
+
+@@ -13,6 +14,11 @@ def lineno_sort_key(entry):
+     else:
+         return 1, 0
+
++_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@%+=:,./-]').search
++
++class UnsafeMailcapInput(Warning):
++    """Warning raised when refusing unsafe input"""
++
+
+ # Part 1: top-level interface.
+
+@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
+     entry to use.
+
+     """
++    if _find_unsafe(filename):
++        msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
++        warnings.warn(msg, UnsafeMailcapInput)
++        return None, None
+     entries = lookup(caps, MIMEtype, key)
+     # XXX This code should somehow check for the needsterminal flag.
+     for e in entries:
+         if 'test' in e:
+             test = subst(e['test'], filename, plist)
++            if test is None:
++                continue
+             if test and os.system(test) != 0:
+                 continue
+         command = subst(e[key], MIMEtype, filename, plist)
+-        return command, e
++        if command is not None:
++            return command, e
+     return None, None
+
+ def lookup(caps, MIMEtype, key=None):
+@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, plist=[]):
+             elif c == 's':
+                 res = res + filename
+             elif c == 't':
++                if _find_unsafe(MIMEtype):
++                    msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
++                    warnings.warn(msg, UnsafeMailcapInput)
++                    return None
+                 res = res + MIMEtype
+             elif c == '{':
+                 start = i
+@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, plist=[]):
+                     i = i+1
+                 name = field[start:i]
+                 i = i+1
+-                res = res + findparam(name, plist)
++                param = findparam(name, plist)
++                if _find_unsafe(param):
++                    msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
++                    warnings.warn(msg, UnsafeMailcapInput)
++                    return None
++                res = res + param
+             # XXX To do:
+             # %n == number of parts if type is multipart/*
+             # %F == list of alternating type and filename for parts
+diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py
+index a85c691..d26ae64 100644
+--- a/Lib/test/test_mailcap.py
++++ b/Lib/test/test_mailcap.py
+@@ -122,7 +122,8 @@ class HelperFunctionTest(unittest.TestCase):
+             (["", "audio/*", "foo.txt"], ""),
+             (["echo foo", "audio/*", "foo.txt"], "echo foo"),
+             (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
+-            (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
++            (["echo %t", "audio/*", "foo.txt"], None),
++            (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
+             (["echo \%t", "audio/*", "foo.txt"], "echo %t"),
+             (["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
+             (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
+@@ -206,7 +207,10 @@ class FindmatchTest(unittest.TestCase):
+              ('"An audio fragment"', audio_basic_entry)),
+             ([c, "audio/*"],
+              {"filename": fname},
+-             ("/usr/local/bin/showaudio audio/*", audio_entry)),
++             (None, None)),
++            ([c, "audio/wav"],
++             {"filename": fname},
++             ("/usr/local/bin/showaudio audio/wav", audio_entry)),
+             ([c, "message/external-body"],
+              {"plist": plist},
+              ("showexternal /dev/null default john python.org     /tmp foo bar", message_entry))
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/python/python3_3.5.9.bb b/meta/recipes-devtools/python/python3_3.5.9.bb
@@ -19,7 +19,7 @@ file://tweak-MULTIARCH-for-powerpc-linux-gnuspe.patch \
 file://support_SOURCE_DATE_EPOCH_in_py_compile.patch \
 ${DISTRO_SRC_URI} \
 "
-
+PR .= ".1"
 SRC_URI += "\
             file://03-fix-tkinter-detection.patch \
             file://avoid_warning_about_tkinter.patch \
@@ -48,6 +48,7 @@ SRC_URI += "\
 	    file://CVE-2019-20907.patch \
 	    file://CVE-2019-17514.patch \
 	    file://CVE-2021-3426.patch \
+	    file://0001-CVE-2015-20107.patch \
            "
 
 SRC_URI[md5sum] = "ef7f82485e83c7f8f8bcb920a9c2457b"