diff options
author | Joe Slater <joe.slater@windriver.com> | 2022-11-18 09:35:26 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-11-22 12:18:41 +0000 |
commit | 1a8836ed324f3f9abb2eabe357ffe2e05124857e (patch) | |
tree | 15c0a6bd255c9685619bc0e147fe67742ed65226 /meta/recipes-devtools | |
parent | 935ae419f51d911c73f5dc7b4a2e5e9a7b206985 (diff) | |
download | openembedded-core-1a8836ed324f3f9abb2eabe357ffe2e05124857e.tar.gz |
python3: Fix CVE-2022-37460
Apply patch created after the release of 3.11.0.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/python/python3/cve-2022-37460.patch | 95 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python3_3.11.0.bb | 1 |
2 files changed, 96 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3/cve-2022-37460.patch b/meta/recipes-devtools/python/python3/cve-2022-37460.patch new file mode 100644 index 0000000000..12177684fd --- /dev/null +++ b/meta/recipes-devtools/python/python3/cve-2022-37460.patch @@ -0,0 +1,95 @@ +From 94582bb643f98bc58b1ff206d1d2a56f97c3a7e5 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Wed, 28 Sep 2022 16:46:11 -0700 +Subject: [PATCH] gh-97612: Fix shell injection in get-remote-certificate.py + (GH-97613) + +Fix a shell code injection vulnerability in the +get-remote-certificate.py example script. The script no longer uses a +shell to run "openssl" commands. Issue reported and initial fix by +Caleb Shortt. + +Remove the Windows code path to send "quit" on stdin to the "openssl +s_client" command: use DEVNULL on all platforms instead. + +Co-authored-by: Caleb Shortt <caleb@rgauge.com> +(cherry picked from commit 83a0f44ffd8b398673ae56c310cf5768d359c341) + +Co-authored-by: Victor Stinner <vstinner@python.org> +--- +CVE: CVE-2022-37460 + +Upstream-Status: Backport [https://github.com/python/cpython.git] + [commit 94582bb643... unmodified] + +Signed-off-by: Joe Slater <joe.slater@windriver.com> + +--- + ...2-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst | 3 +++ + Tools/scripts/get-remote-certificate.py | 25 ++++++------------- + 2 files changed, 10 insertions(+), 18 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst + +diff --git a/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst b/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst +new file mode 100644 +index 0000000000..2f113492d4 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2022-09-28-12-10-57.gh-issue-97612.y6NvOQ.rst +@@ -0,0 +1,3 @@ ++Fix a shell code injection vulnerability in the ``get-remote-certificate.py`` ++example script. The script no longer uses a shell to run ``openssl`` commands. ++Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner. +diff --git a/Tools/scripts/get-remote-certificate.py b/Tools/scripts/get-remote-certificate.py +index 38901286e1..68272fca83 100755 +--- a/Tools/scripts/get-remote-certificate.py ++++ b/Tools/scripts/get-remote-certificate.py +@@ -15,8 +15,8 @@ + def fetch_server_certificate (host, port): + + def subproc(cmd): +- from subprocess import Popen, PIPE, STDOUT +- proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, shell=True) ++ from subprocess import Popen, PIPE, STDOUT, DEVNULL ++ proc = Popen(cmd, stdout=PIPE, stderr=STDOUT, stdin=DEVNULL) + status = proc.wait() + output = proc.stdout.read() + return status, output +@@ -33,8 +33,8 @@ def strip_to_x509_cert(certfile_contents, outfile=None): + fp.write(m.group(1) + b"\n") + try: + tn2 = (outfile or tempfile.mktemp()) +- status, output = subproc(r'openssl x509 -in "%s" -out "%s"' % +- (tn, tn2)) ++ cmd = ['openssl', 'x509', '-in', tn, '-out', tn2] ++ status, output = subproc(cmd) + if status != 0: + raise RuntimeError('OpenSSL x509 failed with status %s and ' + 'output: %r' % (status, output)) +@@ -45,20 +45,9 @@ def strip_to_x509_cert(certfile_contents, outfile=None): + finally: + os.unlink(tn) + +- if sys.platform.startswith("win"): +- tfile = tempfile.mktemp() +- with open(tfile, "w") as fp: +- fp.write("quit\n") +- try: +- status, output = subproc( +- 'openssl s_client -connect "%s:%s" -showcerts < "%s"' % +- (host, port, tfile)) +- finally: +- os.unlink(tfile) +- else: +- status, output = subproc( +- 'openssl s_client -connect "%s:%s" -showcerts < /dev/null' % +- (host, port)) ++ cmd = ['openssl', 's_client', '-connect', '%s:%s' % (host, port), '-showcerts'] ++ status, output = subproc(cmd) ++ + if status != 0: + raise RuntimeError('OpenSSL connect failed with status %s and ' + 'output: %r' % (status, output)) +-- +2.38.1 + diff --git a/meta/recipes-devtools/python/python3_3.11.0.bb b/meta/recipes-devtools/python/python3_3.11.0.bb index 92a1f69320..93628c76ff 100644 --- a/meta/recipes-devtools/python/python3_3.11.0.bb +++ b/meta/recipes-devtools/python/python3_3.11.0.bb @@ -34,6 +34,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \ file://deterministic_imports.patch \ file://0001-Avoid-shebang-overflow-on-python-config.py.patch \ + file://cve-2022-37460.patch \ " SRC_URI:append:class-native = " \ |