[PATCH] [3.11] gh-100884: email/_header_value_parser: don't encode list separators (GH-100885) (GH-115593)
ListSeparator should not be encoded. This could happen when a long line
pushes its separator to the next line, which would have been encoded.
(cherry picked from commit 09fab93c3d857496c0bd162797fab816c311ee48)
bpo-45436: Fix tkinter tests with Tcl/Tk 8.6.11+ (GH-29077) (GH-29081)
Since v8.6.11, a few configuration options seem to accept an empty value
where they did not previously; particularly the `type` of a `Menu`
widget, and the `compound` of any ttk widget with a label. Providing an
explicit expected error message to `checkEnumParam` bypasses the check
of an empty value, which no longer raises `TclError`.
(cherry picked from commit 4fe454c6f54b0948af67b53af6c2f35af6377e69)
Co-authored-by: Zachary Ware <zach@python.org>
Gbp-Pq: Name 0030-bpo-45436-Fix-tkinter-tests-with-Tcl-Tk-8.6.11-GH-29.patch
[3.9] Fix tests for XMLPullParser with Expat 2.6.0 (GH-115133) (GH-115535)
Feeding the parser by too small chunks defers parsing to prevent
CVE-2023-52425. Future versions of Expat may be more reactive.
(cherry picked from commit 4a08e7b3431cd32a0daf22a33421cd3035343dc4)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Gbp-Pq: Name 0029-3.9-Fix-tests-for-XMLPullParser-with-Expat-2.6.0-GH-.patch
bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453) (GH-31469)
Curly brackets were never allowed in namespace URIs
according to RFC 3986, and so-called namespace-validating
XML parsers have the right to reject them a invalid URIs.
libexpat >=2.4.5 has become strcter in that regard due to
related security issues; with ET.XML instantiating a
namespace-aware parser under the hood, this test has no
future in CPython.
Co-authored-by: Sebastian Pipping <sebastian@pipping.org> Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
Gbp-Pq: Name 0028-bpo-46811-Make-test-suite-support-Expat-2.4.5-GH-314.patch
Co-authored-by: JohnJamesUtley <81572567+JohnJamesUtley@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>
Gbp-Pq: Name 0027-3.11-gh-103848-Adds-checks-to-ensure-that-bracketed-.patch
[3.9] gh-121650: Encode newlines in headers, and verify headers are sound (GH-122233) (#122610)
Per RFC 2047:
> [...] these encoding schemes allow the
> encoding of arbitrary octet values, mail readers that implement this
> decoding should also ensure that display of the decoded data on the
> recipient's terminal will not cause unwanted side-effects
It seems that the "quoted-word" scheme is a valid way to include
a newline character in a header value, just like we already allow
undecodable bytes or control characters.
They do need to be properly quoted when serialized to text, though.
This should fail for custom fold() implementations that aren't careful
about newlines.
Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Bas Bloemsaat <bas@bloemsaat.org> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Gbp-Pq: Name 0023-3.9-gh-121650-Encode-newlines-in-headers-and-verify-.patch
Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru> Co-authored-by: Gregory P. Smith <greg@krypto.org>
Gbp-Pq: Name 0022-3.9-gh-121285-Remove-backtracking-when-parsing-tarfi.patch
The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).
This patch updates the ranges with what was missing or otherwise
incorrect.
100.64.0.0/10 is left alone, for now, as it's been made special in [1].
The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.
In 3.10 and below, is_private checks whether the network and broadcast
address are both private.
In later versions (where the test wss backported from), it checks
whether they both are in the same private network.
For 0.0.0.0/0, both 0.0.0.0 and 255.225.255.255 are private,
but one is in 0.0.0.0/8 ("This network") and the other in
255.255.255.255/32 ("Limited broadcast").
---------
Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
Gbp-Pq: Name 0021-3.9-gh-113171-gh-65056-Fix-private-non-global-IP-add.patch
[3.9] gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-110016) (GH-113915)
Raise BadZipFile when try to read an entry that overlaps with other entry or
central directory.
(cherry picked from commit 66363b9a7b9fe7c99eba3a185b74c5fdbf842eba)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Gbp-Pq: Name 0020-3.9-gh-109858-Protect-zipfile-from-quoted-overlap-zi.patch
Łukasz Langa [Thu, 24 Aug 2023 10:09:11 +0000 (12:09 +0200)]
[3.9] gh-108342: Make ssl TestPreHandshakeClose more reliable (GH-108370) (#108407)
* In preauth tests of test_ssl, explicitly break reference cycles
invoving SingleConnectionTestServerThread to make sure that the
thread is deleted. Otherwise, the test marks the environment as
altered because the threading module sees a "dangling thread"
(SingleConnectionTestServerThread). This test leak was introduced
by the test added for the fix of issue gh-108310.
* Use support.SHORT_TIMEOUT instead of hardcoded 1.0 or 2.0 seconds
timeout.
* SingleConnectionTestServerThread.run() catchs TimeoutError
* Fix a race condition (missing synchronization) in
test_preauth_data_to_tls_client(): the server now waits until the
client connect() completed in call_after_accept().
* test_https_client_non_tls_response_ignored() calls server.join()
explicitly.
* Replace "localhost" with server.listener.getsockname()[0].
(cherry picked from commit 592bacb6fc0833336c0453e818e9b95016e9fd47)
Co-authored-by: Victor Stinner <vstinner@python.org>
Gbp-Pq: Name 0018-3.9-gh-108342-Make-ssl-TestPreHandshakeClose-more-re.patch
[3.9] gh-108342: Break ref cycle in SSLSocket._create() exc (GH-108344) (#108351)
Explicitly break a reference cycle when SSLSocket._create() raises an
exception. Clear the variable storing the exception, since the
exception traceback contains the variables and so creates a reference
cycle.
Łukasz Langa [Tue, 22 Aug 2023 17:57:10 +0000 (19:57 +0200)]
[3.9] gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw (#108320)
gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw
Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake
and included protections (like certificate verification) and treating sent
unencrypted data as if it were post-handshake TLS encrypted data.
The vulnerability is caused when a socket is connected, data is sent by the
malicious peer and stored in a buffer, and then the malicious peer closes the
socket within a small timing window before the other peers’ TLS handshake can
begin. After this sequence of events the closed socket will not immediately
attempt a TLS handshake due to not being connected but will also allow the
buffered data to be read as if a successful TLS handshake had occurred.
Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
Gbp-Pq: Name 0016-3.9-gh-108310-Fix-CVE-2023-40217-Check-for-avoid-the.patch
Petr Viktorin [Fri, 6 Sep 2024 11:13:54 +0000 (13:13 +0200)]
[3.9] [CVE-2023-27043] gh-102988: Reject malformed addresses in email.parseaddr() (GH-111116) (#123769)
Detect email address parsing errors and return empty tuple to
indicate the parsing error (old API). Add an optional 'strict'
parameter to getaddresses() and parseaddr() functions. Patch by
Thomas Dwyer.
Co-authored-by: Victor Stinner <vstinner@python.org> Co-Authored-By: Thomas Dwyer <github@tomd.tel>
Gbp-Pq: Name 0015-3.9-CVE-2023-27043-gh-102988-Reject-malformed-addres.patch
[3.9] gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) (GH-104575) (GH-104592) (#104593)
gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508)
`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.
This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).
I simplified the docs by eliding the state of the world explanatory
paragraph in this security release only backport. (people will see
that in the mainline /3/ docs)
Co-authored-by: Illia Volochii <illia.volochii@gmail.com> Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
Gbp-Pq: Name 0013-3.9-gh-102153-Start-stripping-C0-control-and-space-c.patch
Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>
Gbp-Pq: Name 0011-3.9-gh-98433-Fix-quadratic-time-idna-decoding.-GH-99.patch
[3.9] gh-97514: Don't use Linux abstract sockets for multiprocessing (GH-98501) (#98504)
Linux abstract sockets are insecure as they lack any form of filesystem
permissions so their use allows anyone on the system to inject code into
the process.
This removes the default preference for abstract sockets in
multiprocessing introduced in Python 3.9+ via
https://github.com/python/cpython/pull/18866 while fixing
https://github.com/python/cpython/issues/84031.
Explicit use of an abstract socket by a user now generates a
RuntimeWarning. If we choose to keep this warning, it should be
backported to the 3.7 and 3.8 branches.
(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Gbp-Pq: Name 0010-3.9-gh-97514-Don-t-use-Linux-abstract-sockets-for-mu.patch
bpo-36384: Leading zeros in IPv4 addresses are no longer tolerated (GH-25099) (GH-25815)
Reverts commit e653d4d8e820a7a004ad399530af0135b45db27a and makes
parsing even more strict. Like socket.inet_pton() any leading zero
is now treated as invalid input.
Signed-off-by: Christian Heimes <christian@python.org> Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit 60ce8f0be6354ad565393ab449d8de5d713f35bc)
Gbp-Pq: Name 0009-bpo-36384-Leading-zeros-in-IPv4-addresses-are-no-lon.patch
gh-87389: Fix an open redirection vulnerability in http.server. (GH-93879) (GH-94093)
Fix an open redirection vulnerability in the `http.server` module when
an URI path starts with `//` that could produce a 301 Location header
with a misleading target. Vulnerability discovered, and logic fix
proposed, by Hamza Avvan (@hamzaavvan).
bpo-43285 Make ftplib not trust the PASV response. (GH-24838)
bpo-43285: Make ftplib not trust the PASV response.
The IPv4 address value returned from the server in response to the PASV command
should not be trusted. This prevents a malicious FTP server from using the
response to probe IPv4 address and port combinations on the client network.
Instead of using the returned address, we use the IP address we're
already connected to. This is the strategy other ftp clients adopted,
and matches the only strategy available for the modern IPv6 EPSV command
where the server response must return a port number and nothing else.
For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address`
attribute on your `ftplib.FTP` instance to True.
(cherry picked from commit 0ab152c6b5d95caa2dc1a30fa96e10258b5f188e)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Gbp-Pq: Name 0007-bpo-43285-Make-ftplib-not-trust-the-PASV-response.-G.patch
bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391) (GH-25247)
Fix Regular Expression Denial of Service (ReDoS) vulnerability in
urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
has quadratic worst-case complexity and it allows cause a denial of
service when identifying crafted invalid RFCs. This ReDoS issue is on
the client side and needs remote attackers to control the HTTP server.
(cherry picked from commit 7215d1ae25525c92b026166f9d5cac85fb1defe1)
Co-authored-by: Yeting Li <liyt@ios.ac.cn> Co-authored-by: Yeting Li <liyt@ios.ac.cn>
Gbp-Pq: Name 0004-bpo-43075-Fix-ReDoS-in-urllib-AbstractBasicAuthHandl.patch
bpo-42988: Remove the pydoc getfile feature (GH-25015)
CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python
modules can contain sensitive data like passwords. Vulnerability
reported by David Schwörer.
(cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
Co-authored-by: Victor Stinner <vstinner@python.org>
Gbp-Pq: Name 0003-bpo-42988-Remove-the-pydoc-getfile-feature-GH-25015.patch
[3.9] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96502)
* Correctly pre-check for int-to-str conversion (#96537)
Converting a large enough `int` to a decimal string raises `ValueError` as expected. However, the raise comes _after_ the quadratic-time base-conversion algorithm has run to completion. For effective DOS prevention, we need some kind of check before entering the quadratic-time loop. Oops! =)
The quick fix: essentially we catch _most_ values that exceed the threshold up front. Those that slip through will still be on the small side (read: sufficiently fast), and will get caught by the existing check so that the limit remains exact.
The justification for the current check. The C code check is:
```c
max_str_digits / (3 * PyLong_SHIFT) <= (size_a - 11) / 10
```
In GitHub markdown math-speak, writing $M$ for `max_str_digits`, $L$ for `PyLong_SHIFT` and $s$ for `size_a`, that check is:
$$\left\lfloor\frac{M}{3L}\right\rfloor \le \left\lfloor\frac{s - 11}{10}\right\rfloor$$
From this it follows that
$$\frac{M}{3L} < \frac{s-1}{10}$$
hence that
$$\frac{L(s-1)}{M} > \frac{10}{3} > \log_2(10).$$
So
$$2^{L(s-1)} > 10^M.$$
But our input integer $a$ satisfies $|a| \ge 2^{L(s-1)}$, so $|a|$ is larger than $10^M$. This shows that we don't accidentally capture anything _below_ the intended limit in the check.
Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org> Co-authored-by: Christian Heimes <christian@python.org> Co-authored-by: Mark Dickinson <dickinsm@gmail.com>
Gbp-Pq: Name 0002-3.9-gh-95778-CVE-2020-10735-Prevent-DoS-by-very-larg.patch
Matthias Klose [Thu, 20 Mar 2025 02:07:39 +0000 (10:07 +0800)]
langpack-gettext
# DP: Description: support alternative gettext tree in
# DP: /usr/share/locale-langpack; if a file is present in both trees,
# DP: prefer the newer one
# DP: Upstream status: Ubuntu-Specific
# DP: Description: support alternative gettext tree in
# DP: /usr/share/locale-langpack; if a file is present in both trees,
# DP: prefer the newer one
# DP: Upstream status: Ubuntu-Specific
Matthias Klose [Thu, 20 Mar 2025 02:07:39 +0000 (10:07 +0800)]
distutils-sysconfig
# DP: Get CONFIGURE_CFLAGS, CONFIGURE_CPPFLAGS, CONFIGURE_LDFLAGS from
# DP: the python build, when CFLAGS, CPPFLAGS, LDSHARED) are not set
# DP: in the environment.
# DP: Get CONFIGURE_CFLAGS, CONFIGURE_CPPFLAGS, CONFIGURE_LDFLAGS from
# DP: the python build, when CFLAGS, CPPFLAGS, LDSHARED) are not set
# DP: in the environment.
Matthias Klose [Thu, 20 Mar 2025 02:07:39 +0000 (10:07 +0800)]
distutils-install-layout
# DP: distutils: Add an option --install-layout=deb, which
# DP: - installs into $prefix/dist-packages instead of $prefix/site-packages.
# DP: - doesn't encode the python version into the egg name.
# DP: distutils: Add an option --install-layout=deb, which
# DP: - installs into $prefix/dist-packages instead of $prefix/site-packages.
# DP: - doesn't encode the python version into the egg name.
[ Bastien Roucariès ]
* Fix CVE-2025-0938:
The Python standard library functions `urllib.parse.urlsplit` and
`urlparse` accepted domain names that included square brackets
which isn't valid according to RFC 3986.
Square brackets are only meant to be used as delimiters for specifying
IPv6 and IPvFuture hosts in URLs. This could result in differential
parsing across the Python URL parser and other specification-compliant
URL parsers.
[ Sean Whitton ]
- Fix CVE-2022-0391: Missing input sanitisation when parsing URLs, which
could lead to injection accounts.
- Fix CVE-2025-1795: The implementation of e-mail header parsing and
folding would encode the comma used to separate list items which could
cause receiving applications to interpret two items in the list as
though they were one item.
bpo-45436: Fix tkinter tests with Tcl/Tk 8.6.11+ (GH-29077) (GH-29081)
Since v8.6.11, a few configuration options seem to accept an empty value
where they did not previously; particularly the `type` of a `Menu`
widget, and the `compound` of any ttk widget with a label. Providing an
explicit expected error message to `checkEnumParam` bypasses the check
of an empty value, which no longer raises `TclError`.
(cherry picked from commit 4fe454c6f54b0948af67b53af6c2f35af6377e69)
Co-authored-by: Zachary Ware <zach@python.org>
Gbp-Pq: Name 0030-bpo-45436-Fix-tkinter-tests-with-Tcl-Tk-8.6.11-GH-29.patch
[3.9] Fix tests for XMLPullParser with Expat 2.6.0 (GH-115133) (GH-115535)
Feeding the parser by too small chunks defers parsing to prevent
CVE-2023-52425. Future versions of Expat may be more reactive.
(cherry picked from commit 4a08e7b3431cd32a0daf22a33421cd3035343dc4)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Gbp-Pq: Name 0029-3.9-Fix-tests-for-XMLPullParser-with-Expat-2.6.0-GH-.patch
bpo-46811: Make test suite support Expat >=2.4.5 (GH-31453) (GH-31469)
Curly brackets were never allowed in namespace URIs
according to RFC 3986, and so-called namespace-validating
XML parsers have the right to reject them a invalid URIs.
libexpat >=2.4.5 has become strcter in that regard due to
related security issues; with ET.XML instantiating a
namespace-aware parser under the hood, this test has no
future in CPython.
Co-authored-by: Sebastian Pipping <sebastian@pipping.org> Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
Gbp-Pq: Name 0028-bpo-46811-Make-test-suite-support-Expat-2.4.5-GH-314.patch
Co-authored-by: JohnJamesUtley <81572567+JohnJamesUtley@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>
Gbp-Pq: Name 0027-3.11-gh-103848-Adds-checks-to-ensure-that-bracketed-.patch
[3.9] gh-121650: Encode newlines in headers, and verify headers are sound (GH-122233) (#122610)
Per RFC 2047:
> [...] these encoding schemes allow the
> encoding of arbitrary octet values, mail readers that implement this
> decoding should also ensure that display of the decoded data on the
> recipient's terminal will not cause unwanted side-effects
It seems that the "quoted-word" scheme is a valid way to include
a newline character in a header value, just like we already allow
undecodable bytes or control characters.
They do need to be properly quoted when serialized to text, though.
This should fail for custom fold() implementations that aren't careful
about newlines.
Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Bas Bloemsaat <bas@bloemsaat.org> Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Gbp-Pq: Name 0023-3.9-gh-121650-Encode-newlines-in-headers-and-verify-.patch
Co-authored-by: Seth Michael Larson <seth@python.org> Co-authored-by: Kirill Podoprigora <kirill.bast9@mail.ru> Co-authored-by: Gregory P. Smith <greg@krypto.org>
Gbp-Pq: Name 0022-3.9-gh-121285-Remove-backtracking-when-parsing-tarfi.patch
The _private_networks variables, used by various is_private
implementations, were missing some ranges and at the same time had
overly strict ranges (where there are more specific ranges considered
globally reachable by the IANA registries).
This patch updates the ranges with what was missing or otherwise
incorrect.
100.64.0.0/10 is left alone, for now, as it's been made special in [1].
The _address_exclude_many() call returns 8 networks for IPv4, 121
networks for IPv6.
In 3.10 and below, is_private checks whether the network and broadcast
address are both private.
In later versions (where the test wss backported from), it checks
whether they both are in the same private network.
For 0.0.0.0/0, both 0.0.0.0 and 255.225.255.255 are private,
but one is in 0.0.0.0/8 ("This network") and the other in
255.255.255.255/32 ("Limited broadcast").
---------
Co-authored-by: Jakub Stasiak <jakub@stasiak.at>
Gbp-Pq: Name 0021-3.9-gh-113171-gh-65056-Fix-private-non-global-IP-add.patch
[3.9] gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-110016) (GH-113915)
Raise BadZipFile when try to read an entry that overlaps with other entry or
central directory.
(cherry picked from commit 66363b9a7b9fe7c99eba3a185b74c5fdbf842eba)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Gbp-Pq: Name 0020-3.9-gh-109858-Protect-zipfile-from-quoted-overlap-zi.patch
Łukasz Langa [Thu, 24 Aug 2023 10:09:11 +0000 (12:09 +0200)]
[3.9] gh-108342: Make ssl TestPreHandshakeClose more reliable (GH-108370) (#108407)
* In preauth tests of test_ssl, explicitly break reference cycles
invoving SingleConnectionTestServerThread to make sure that the
thread is deleted. Otherwise, the test marks the environment as
altered because the threading module sees a "dangling thread"
(SingleConnectionTestServerThread). This test leak was introduced
by the test added for the fix of issue gh-108310.
* Use support.SHORT_TIMEOUT instead of hardcoded 1.0 or 2.0 seconds
timeout.
* SingleConnectionTestServerThread.run() catchs TimeoutError
* Fix a race condition (missing synchronization) in
test_preauth_data_to_tls_client(): the server now waits until the
client connect() completed in call_after_accept().
* test_https_client_non_tls_response_ignored() calls server.join()
explicitly.
* Replace "localhost" with server.listener.getsockname()[0].
(cherry picked from commit 592bacb6fc0833336c0453e818e9b95016e9fd47)
Co-authored-by: Victor Stinner <vstinner@python.org>
Gbp-Pq: Name 0018-3.9-gh-108342-Make-ssl-TestPreHandshakeClose-more-re.patch
[3.9] gh-108342: Break ref cycle in SSLSocket._create() exc (GH-108344) (#108351)
Explicitly break a reference cycle when SSLSocket._create() raises an
exception. Clear the variable storing the exception, since the
exception traceback contains the variables and so creates a reference
cycle.
Łukasz Langa [Tue, 22 Aug 2023 17:57:10 +0000 (19:57 +0200)]
[3.9] gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw (#108320)
gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw
Instances of `ssl.SSLSocket` were vulnerable to a bypass of the TLS handshake
and included protections (like certificate verification) and treating sent
unencrypted data as if it were post-handshake TLS encrypted data.
The vulnerability is caused when a socket is connected, data is sent by the
malicious peer and stored in a buffer, and then the malicious peer closes the
socket within a small timing window before the other peers’ TLS handshake can
begin. After this sequence of events the closed socket will not immediately
attempt a TLS handshake due to not being connected but will also allow the
buffered data to be read as if a successful TLS handshake had occurred.
Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
Gbp-Pq: Name 0016-3.9-gh-108310-Fix-CVE-2023-40217-Check-for-avoid-the.patch
Petr Viktorin [Fri, 6 Sep 2024 11:13:54 +0000 (13:13 +0200)]
[3.9] [CVE-2023-27043] gh-102988: Reject malformed addresses in email.parseaddr() (GH-111116) (#123769)
Detect email address parsing errors and return empty tuple to
indicate the parsing error (old API). Add an optional 'strict'
parameter to getaddresses() and parseaddr() functions. Patch by
Thomas Dwyer.
Co-authored-by: Victor Stinner <vstinner@python.org> Co-Authored-By: Thomas Dwyer <github@tomd.tel>
Gbp-Pq: Name 0015-3.9-CVE-2023-27043-gh-102988-Reject-malformed-addres.patch
[3.9] gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508) (GH-104575) (GH-104592) (#104593)
gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508)
`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.
This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).
I simplified the docs by eliding the state of the world explanatory
paragraph in this security release only backport. (people will see
that in the mainline /3/ docs)
Co-authored-by: Illia Volochii <illia.volochii@gmail.com> Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
Gbp-Pq: Name 0013-3.9-gh-102153-Start-stripping-C0-control-and-space-c.patch
Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>
Gbp-Pq: Name 0011-3.9-gh-98433-Fix-quadratic-time-idna-decoding.-GH-99.patch
[3.9] gh-97514: Don't use Linux abstract sockets for multiprocessing (GH-98501) (#98504)
Linux abstract sockets are insecure as they lack any form of filesystem
permissions so their use allows anyone on the system to inject code into
the process.
This removes the default preference for abstract sockets in
multiprocessing introduced in Python 3.9+ via
https://github.com/python/cpython/pull/18866 while fixing
https://github.com/python/cpython/issues/84031.
Explicit use of an abstract socket by a user now generates a
RuntimeWarning. If we choose to keep this warning, it should be
backported to the 3.7 and 3.8 branches.
(cherry picked from commit 49f61068f49747164988ffc5a442d2a63874fc17)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Gbp-Pq: Name 0010-3.9-gh-97514-Don-t-use-Linux-abstract-sockets-for-mu.patch
projects / python3.9.git / log