From 51df0370214af687aab0438db91c761ccda1a9a6 Mon Sep 17 00:00:00 2001
From: dongyuzhen
Date: Tue, 5 Sep 2023 18:41:44 +0800
Subject: [PATCH] fix CVE-2022-48565
---
 backport-CVE-2022-48565.patch | 72 +++++++++++++++++++++++++++++++++++
 python3.spec | 10 ++++-
 2 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-48565.patch
diff --git a/backport-CVE-2022-48565.patch b/backport-CVE-2022-48565.patch
new file mode 100644
index 0000000..2df3531
--- /dev/null
+++ b/backport-CVE-2022-48565.patch
@@ -0,0 +1,72 @@
+From e512bc799e3864fe3b1351757261762d63471efc Mon Sep 17 00:00:00 2001
+From: Ned Deily
+Date: Mon, 19 Oct 2020 22:36:27 -0400
+Subject: [PATCH] bpo-42051: Reject XML entity declarations in plist files
+ (#22760) (GH-22801)
+
+Co-authored-by: Ronald Oussoren
+---
+ Lib/plistlib.py | 7 +++++++
+ Lib/test/test_plistlib.py | 18 ++++++++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/Lib/plistlib.py b/Lib/plistlib.py
+index 33b79a1..b273a15 100644
+--- a/Lib/plistlib.py
++++ b/Lib/plistlib.py
+@@ -257,9 +257,16 @@ class _PlistParser:
+ self.parser.StartElementHandler = self.handle_begin_element
+ self.parser.EndElementHandler = self.handle_end_element
+ self.parser.CharacterDataHandler = self.handle_data
++ self.parser.EntityDeclHandler = self.handle_entity_decl
+ self.parser.ParseFile(fileobj)
+ return self.root
+
++ def handle_entity_decl(self, entity_name, is_parameter_entity, value, base, system_id, public_id, notation_name):
++ # Reject plist files with entity declarations to avoid XML vulnerabilies in expat.
++ # Regular plist files don't contain those declerations, and Apple's plutil tool does not
++ # accept them either.
++ raise InvalidFileException("XML entity declarations are not supported in plist files") ++ + def handle_begin_element(self, element, attrs): + self.data = [] + handler = getattr(self, "begin_" + element, None) +diff --git a/Lib/test/test_plistlib.py b/Lib/test/test_plistlib.py +index 8d8e0a7..bfe06fd 100644 +--- a/Lib/test/test_plistlib.py ++++ b/Lib/test/test_plistlib.py +@@ -90,6 +90,19 @@ TESTDATA={ + xQHHAsQC0gAAAAAAAAIBAAAAAAAAADkAAAAAAAAAAAAAAAAAAALs'''), + } + ++XML_PLIST_WITH_ENTITY=b'''\ ++ ++ ++ ]> ++ ++ ++ A ++ &entity; ++ ++ ++''' ++ + + class TestPlistlib(unittest.TestCase): + +@@ -443,6 +456,11 @@ class TestPlistlib(unittest.TestCase): + pl2 = plistlib.loads(data) + self.assertEqual(dict(pl), dict(pl2)) + ++ def test_xml_plist_with_entity_decl(self): ++ with self.assertRaisesRegex(plistlib.InvalidFileException, ++ "XML entity declarations are not supported"): ++ plistlib.loads(XML_PLIST_WITH_ENTITY, fmt=plistlib.FMT_XML) ++ + + class TestBinaryPlistlib(unittest.TestCase): + +-- +2.33.0 + diff --git a/python3.spec b/python3.spec index f9105d0..0a49c15 100644 --- a/python3.spec +++ b/python3.spec @@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language URL: https://www.python.org/ Version: 3.7.9 -Release: 33 +Release: 34 License: Python-2.0 %global branchversion 3.7 @@ -167,6 +167,7 @@ Patch6057: backport-CVE-2022-45061.patch Patch6058: backport-CVE-2022-37454.patch Patch6059: backport-bpo-44434-Don-t-call-PyThread_exit_thread-explicitly.patch Patch6060: backport-Make-urllib.parse.urlparse-enforce-that-a-scheme-mus.patch +Patch6061: backport-CVE-2022-48565.patch patch9000: Don-t-override-PYTHONPATH-which-is-already-set.patch patch9001: add-the-sm3-method-for-obtaining-the-salt-value.patch @@ -322,6 +323,7 @@ rm Lib/ensurepip/_bundled/*.whl %patch6058 -p1 %patch6059 -p1 %patch6060 -p1 +%patch6061 -p1 %patch9000 -p1 %patch9001 -p1 
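Review bot: `handle_entity_decl` in the `Lib/plistlib.py` part of the backport has a why-comment but no statement of its contract: it ignores all seven callback arguments and raises for every declaration, so any XML plist that carries an entity declaration now fails with `InvalidFileException`. A one-line docstring such as `"""Reject every entity declaration (general or parameter, internal or external) by raising InvalidFileException."""` would record that for callers who parse untrusted plists and need to know which exception to handle. The added test pins only `plistlib.loads(XML_PLIST_WITH_ENTITY, fmt=plistlib.FMT_XML)`; the auto-detecting call `plistlib.loads(XML_PLIST_WITH_ENTITY)` presumably reaches the same `_PlistParser.parse` and is worth one more assertion when the package test suite is run against this 3.7.9 tree. `_PlistParser.parse` begins outside the inner hunk, so the parser setup before the handler assignments is not visible here.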
@@ -927,6 +929,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP" %{_mandir}/*/* %changelog +* Tue Sep 05 2023 dongyuzhen - 3.7.9-34 +- Type:CVE +- CVE:CVE-2022-48565 +- SUG:NA +- DESC:fix CVE-2022-48565 + * Thu Apr 06 2023 shixuantong - 3.7.9-33 - Type:CVE - CVE:CVE-2023-24329 -- Gitee