Patchwork [1/2] python: fix security vulnerability

login
register
mail settings
Submitter Nitin A Kamble
Date July 21, 2011, 9:29 a.m.
Message ID <db0eff4b964055b18ca5f91e55b7cf0d4a55c832.1311240498.git.nitin.a.kamble@intel.com>
Download mbox | patch
Permalink /patch/8219/
State New, archived
Headers show

Comments

Nitin A Kamble - July 21, 2011, 9:29 a.m.
From: Nitin A Kamble <nitin.a.kamble@intel.com>

This Fixes bug: [Yocto #1254]

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1015

Issue #2254: Fix CGIHTTPServer information disclosure.  Relative paths are
  now collapsed within the url properly before looking in cgi_directories.

Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
---
 meta/recipes-devtools/python/python.inc            |    2 +-
 .../python/python/security_issue_2254_fix.patch    |  184 ++++++++++++++++++++
 meta/recipes-devtools/python/python_2.6.6.bb       |    3 +-
 3 files changed, 187 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-devtools/python/python/security_issue_2254_fix.patch
Khem Raj - July 21, 2011, 6:55 p.m.
On Thu, Jul 21, 2011 at 2:29 AM,  <nitin.a.kamble@intel.com> wrote:
> From: Nitin A Kamble <nitin.a.kamble@intel.com>
>
> This Fixes bug: [Yocto #1254]
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1015
>
> Issue #2254: Fix CGIHTTPServer information disclosure.  Relative paths are
>  now collapsed within the url properly before looking in cgi_directories.
>
> Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
> ---
>  meta/recipes-devtools/python/python.inc            |    2 +-
>  .../python/python/security_issue_2254_fix.patch    |  184 ++++++++++++++++++++
>  meta/recipes-devtools/python/python_2.6.6.bb       |    3 +-
>  3 files changed, 187 insertions(+), 2 deletions(-)
>  create mode 100644 meta/recipes-devtools/python/python/security_issue_2254_fix.patch
>
> diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
> index 25a458e..a6cc917 100644
> --- a/meta/recipes-devtools/python/python.inc
> +++ b/meta/recipes-devtools/python/python.inc
> @@ -3,7 +3,7 @@ HOMEPAGE = "http://www.python.org"
>  LICENSE = "PSF"
>  SECTION = "devel/python"
>  # bump this on every change in contrib/python/generate-manifest-2.6.py
> -INC_PR = "nk2"
> +INC_PR = "r2"
>
>  DEFAULT_PREFERENCE = "-26"
>
> diff --git a/meta/recipes-devtools/python/python/security_issue_2254_fix.patch b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
> new file mode 100644
> index 0000000..0d2274a
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
> @@ -0,0 +1,184 @@
> +UpstreamStatus: Backport

This should be Upstream-Status I guess to match other patches that
said there are few more anomalies

meta/recipes-devtools/dosfstools/dosfstools/dosfstools-2.10-kernel-2.6.patch:
"Upstream Status"
meta/recipes-devtools/btrfs-tools/btrfs-tools/fix_use_of_gcc.patch:UpstreamStatus:
Pending
meta/recipes-devtools/elfutils/elfutils/fix_for_gcc-4.7.patch:UpstreamStatus:
pending


> +http://svn.python.org/view?view=revision&revision=71303
> +
> +Issue #2254: Fix CGIHTTPServer information disclosure.  Relative paths are
> +  now collapsed within the url properly before looking in cgi_directories.
> +Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com>
> +2011/07/19
> +
> +Index: Python-2.6.6/Lib/CGIHTTPServer.py
> +===================================================================
> +--- Python-2.6.6.orig/Lib/CGIHTTPServer.py
> ++++ Python-2.6.6/Lib/CGIHTTPServer.py
> +@@ -70,27 +70,20 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
> +             return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)
> +
> +     def is_cgi(self):
> +-        """Test whether self.path corresponds to a CGI script,
> +-        and return a boolean.
> ++        """Test whether self.path corresponds to a CGI script.
> +
> +-        This function sets self.cgi_info to a tuple (dir, rest)
> +-        when it returns True, where dir is the directory part before
> +-        the CGI script name.  Note that rest begins with a
> +-        slash if it is not empty.
> +-
> +-        The default implementation tests whether the path
> +-        begins with one of the strings in the list
> +-        self.cgi_directories (and the next character is a '/'
> +-        or the end of the string).
> ++        Returns True and updates the cgi_info attribute to the tuple
> ++        (dir, rest) if self.path requires running a CGI script.
> ++        Returns False otherwise.
> ++
> ++        The default implementation tests whether the normalized url
> ++        path begins with one of the strings in self.cgi_directories
> ++        (and the next character is a '/' or the end of the string).
> +         """
> +-
> +-        path = self.path
> +-
> +-        for x in self.cgi_directories:
> +-            i = len(x)
> +-            if path[:i] == x and (not path[i:] or path[i] == '/'):
> +-                self.cgi_info = path[:i], path[i+1:]
> +-                return True
> ++        splitpath = _url_collapse_path_split(self.path)
> ++        if splitpath[0] in self.cgi_directories:
> ++            self.cgi_info = splitpath
> ++            return True
> +         return False
> +
> +     cgi_directories = ['/cgi-bin', '/htbin']
> +@@ -299,6 +292,46 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
> +                 self.log_message("CGI script exited OK")
> +
> +
> ++# TODO(gregory.p.smith): Move this into an appropriate library.
> ++def _url_collapse_path_split(path):
> ++    """
> ++    Given a URL path, remove extra '/'s and '.' path elements and collapse
> ++    any '..' references.
> ++
> ++    Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
> ++
> ++    Returns: A tuple of (head, tail) where tail is everything after the final /
> ++    and head is everything before it.  Head will always start with a '/' and,
> ++    if it contains anything else, never have a trailing '/'.
> ++
> ++    Raises: IndexError if too many '..' occur within the path.
> ++    """
> ++    # Similar to os.path.split(os.path.normpath(path)) but specific to URL
> ++    # path semantics rather than local operating system semantics.
> ++    path_parts = []
> ++    for part in path.split('/'):
> ++        if part == '.':
> ++            path_parts.append('')
> ++        else:
> ++            path_parts.append(part)
> ++    # Filter out blank non trailing parts before consuming the '..'.
> ++    path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
> ++    if path_parts:
> ++        tail_part = path_parts.pop()
> ++    else:
> ++        tail_part = ''
> ++    head_parts = []
> ++    for part in path_parts:
> ++        if part == '..':
> ++            head_parts.pop()
> ++        else:
> ++            head_parts.append(part)
> ++    if tail_part and tail_part == '..':
> ++        head_parts.pop()
> ++        tail_part = ''
> ++    return ('/' + '/'.join(head_parts), tail_part)
> ++
> ++
> + nobody = None
> +
> + def nobody_uid():
> +Index: Python-2.6.6/Lib/test/test_httpservers.py
> +===================================================================
> +--- Python-2.6.6.orig/Lib/test/test_httpservers.py
> ++++ Python-2.6.6/Lib/test/test_httpservers.py
> +@@ -7,6 +7,7 @@ Josip Dzolonga, and Michael Otteneder fo
> + from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
> + from SimpleHTTPServer import SimpleHTTPRequestHandler
> + from CGIHTTPServer import CGIHTTPRequestHandler
> ++import CGIHTTPServer
> +
> + import os
> + import sys
> +@@ -324,6 +325,45 @@ class CGIHTTPServerTestCase(BaseTestCase
> +         finally:
> +             BaseTestCase.tearDown(self)
> +
> ++    def test_url_collapse_path_split(self):
> ++        test_vectors = {
> ++            '': ('/', ''),
> ++            '..': IndexError,
> ++            '/.//..': IndexError,
> ++            '/': ('/', ''),
> ++            '//': ('/', ''),
> ++            '/\\': ('/', '\\'),
> ++            '/.//': ('/', ''),
> ++            'cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
> ++            '/cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
> ++            'a': ('/', 'a'),
> ++            '/a': ('/', 'a'),
> ++            '//a': ('/', 'a'),
> ++            './a': ('/', 'a'),
> ++            './C:/': ('/C:', ''),
> ++            '/a/b': ('/a', 'b'),
> ++            '/a/b/': ('/a/b', ''),
> ++            '/a/b/c/..': ('/a/b', ''),
> ++            '/a/b/c/../d': ('/a/b', 'd'),
> ++            '/a/b/c/../d/e/../f': ('/a/b/d', 'f'),
> ++            '/a/b/c/../d/e/../../f': ('/a/b', 'f'),
> ++            '/a/b/c/../d/e/.././././..//f': ('/a/b', 'f'),
> ++            '../a/b/c/../d/e/.././././..//f': IndexError,
> ++            '/a/b/c/../d/e/../../../f': ('/a', 'f'),
> ++            '/a/b/c/../d/e/../../../../f': ('/', 'f'),
> ++            '/a/b/c/../d/e/../../../../../f': IndexError,
> ++            '/a/b/c/../d/e/../../../../f/..': ('/', ''),
> ++        }
> ++        for path, expected in test_vectors.iteritems():
> ++            if isinstance(expected, type) and issubclass(expected, Exception):
> ++                self.assertRaises(expected,
> ++                                  CGIHTTPServer._url_collapse_path_split, path)
> ++            else:
> ++                actual = CGIHTTPServer._url_collapse_path_split(path)
> ++                self.assertEquals(expected, actual,
> ++                                  msg='path = %r\nGot:    %r\nWanted: %r' % (
> ++                                  path, actual, expected))
> ++
> +     def test_headers_and_content(self):
> +         res = self.request('/cgi-bin/file1.py')
> +         self.assertEquals(('Hello World\n', 'text/html', 200), \
> +@@ -348,6 +388,12 @@ class CGIHTTPServerTestCase(BaseTestCase
> +         self.assertEquals(('Hello World\n', 'text/html', 200), \
> +              (res.read(), res.getheader('Content-type'), res.status))
> +
> ++    def test_no_leading_slash(self):
> ++        # http://bugs.python.org/issue2254
> ++        res = self.request('cgi-bin/file1.py')
> ++        self.assertEquals(('Hello World\n', 'text/html', 200),
> ++             (res.read(), res.getheader('Content-type'), res.status))
> ++
> +
> + def test_main(verbose=None):
> +     cwd = os.getcwd()
> +Index: Python-2.6.6/Misc/NEWS
> +===================================================================
> +--- Python-2.6.6.orig/Misc/NEWS
> ++++ Python-2.6.6/Misc/NEWS
> +@@ -137,6 +137,9 @@ C-API
> + Library
> + -------
> +
> ++- Issue #2254: Fix CGIHTTPServer information disclosure.  Relative paths are
> ++  now collapsed within the url properly before looking in cgi_directories.
> ++
> + - Issue #8447: Make distutils.sysconfig follow symlinks in the path to
> +   the interpreter executable.  This fixes a failure of test_httpservers
> +   on OS X.
> diff --git a/meta/recipes-devtools/python/python_2.6.6.bb b/meta/recipes-devtools/python/python_2.6.6.bb
> index 800ba04..d5e7d22 100644
> --- a/meta/recipes-devtools/python/python_2.6.6.bb
> +++ b/meta/recipes-devtools/python/python_2.6.6.bb
> @@ -1,7 +1,7 @@
>  require python.inc
>  DEPENDS = "python-native db gdbm openssl readline sqlite3 zlib"
>  DEPENDS_sharprom = "python-native db readline zlib gdbm openssl"
> -PR = "${INC_PR}.8"
> +PR = "${INC_PR}.9"
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=38fdd546420fab09ac6bd3d8a1c83eb6"
>
>  DISTRO_SRC_URI ?= "file://sitecustomize.py"
> @@ -18,6 +18,7 @@ SRC_URI = "\
>   file://99-ignore-optimization-flag.patch \
>   ${DISTRO_SRC_URI} \
>   file://multilib.patch \
> +  file://security_issue_2254_fix.patch \
>  "
>
>  SRC_URI[md5sum] = "cf4e6881bb84a7ce6089e4a307f71f14"
> --
> 1.7.6
>
>
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core
>
Nitin A Kamble - July 22, 2011, 3:32 a.m.
> devtools/python/python/security_issue_2254_fix.patch
> > @@ -0,0 +1,184 @@
> > +UpstreamStatus: Backport
> 
> This should be Upstream-Status I guess to match other patches that
> said there are few more anomalies
> 
> meta/recipes-devtools/dosfstools/dosfstools/dosfstools-2.10-kernel-
> 2.6.patch:
> "Upstream Status"
> meta/recipes-devtools/btrfs-tools/btrfs-
> tools/fix_use_of_gcc.patch:UpstreamStatus:
> Pending
> meta/recipes-devtools/elfutils/elfutils/fix_for_gcc-
> 4.7.patch:UpstreamStatus:
> pending
> 

Thanks Khem for catching these. I have sending fixes for these.

Nitin

Patch

diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
index 25a458e..a6cc917 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -3,7 +3,7 @@  HOMEPAGE = "http://www.python.org"
 LICENSE = "PSF"
 SECTION = "devel/python"
 # bump this on every change in contrib/python/generate-manifest-2.6.py
-INC_PR = "nk2"
+INC_PR = "r2"
 
 DEFAULT_PREFERENCE = "-26"
 
diff --git a/meta/recipes-devtools/python/python/security_issue_2254_fix.patch b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
new file mode 100644
index 0000000..0d2274a
--- /dev/null
+++ b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
@@ -0,0 +1,184 @@ 
+UpstreamStatus: Backport
+http://svn.python.org/view?view=revision&revision=71303
+
+Issue #2254: Fix CGIHTTPServer information disclosure.  Relative paths are
+  now collapsed within the url properly before looking in cgi_directories.
+Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com> 
+2011/07/19
+
+Index: Python-2.6.6/Lib/CGIHTTPServer.py
+===================================================================
+--- Python-2.6.6.orig/Lib/CGIHTTPServer.py
++++ Python-2.6.6/Lib/CGIHTTPServer.py
+@@ -70,27 +70,20 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
+             return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)
+ 
+     def is_cgi(self):
+-        """Test whether self.path corresponds to a CGI script,
+-        and return a boolean.
++        """Test whether self.path corresponds to a CGI script.
+ 
+-        This function sets self.cgi_info to a tuple (dir, rest)
+-        when it returns True, where dir is the directory part before
+-        the CGI script name.  Note that rest begins with a
+-        slash if it is not empty.
+-
+-        The default implementation tests whether the path
+-        begins with one of the strings in the list
+-        self.cgi_directories (and the next character is a '/'
+-        or the end of the string).
++        Returns True and updates the cgi_info attribute to the tuple
++        (dir, rest) if self.path requires running a CGI script.
++        Returns False otherwise.
++
++        The default implementation tests whether the normalized url
++        path begins with one of the strings in self.cgi_directories
++        (and the next character is a '/' or the end of the string).
+         """
+-
+-        path = self.path
+-
+-        for x in self.cgi_directories:
+-            i = len(x)
+-            if path[:i] == x and (not path[i:] or path[i] == '/'):
+-                self.cgi_info = path[:i], path[i+1:]
+-                return True
++        splitpath = _url_collapse_path_split(self.path)
++        if splitpath[0] in self.cgi_directories:
++            self.cgi_info = splitpath
++            return True
+         return False
+ 
+     cgi_directories = ['/cgi-bin', '/htbin']
+@@ -299,6 +292,46 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
+                 self.log_message("CGI script exited OK")
+ 
+ 
++# TODO(gregory.p.smith): Move this into an appropriate library.
++def _url_collapse_path_split(path):
++    """
++    Given a URL path, remove extra '/'s and '.' path elements and collapse
++    any '..' references.
++
++    Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
++
++    Returns: A tuple of (head, tail) where tail is everything after the final /
++    and head is everything before it.  Head will always start with a '/' and,
++    if it contains anything else, never have a trailing '/'.
++
++    Raises: IndexError if too many '..' occur within the path.
++    """
++    # Similar to os.path.split(os.path.normpath(path)) but specific to URL
++    # path semantics rather than local operating system semantics.
++    path_parts = []
++    for part in path.split('/'):
++        if part == '.':
++            path_parts.append('')
++        else:
++            path_parts.append(part)
++    # Filter out blank non trailing parts before consuming the '..'.
++    path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
++    if path_parts:
++        tail_part = path_parts.pop()
++    else:
++        tail_part = ''
++    head_parts = []
++    for part in path_parts:
++        if part == '..':
++            head_parts.pop()
++        else:
++            head_parts.append(part)
++    if tail_part and tail_part == '..':
++        head_parts.pop()
++        tail_part = ''
++    return ('/' + '/'.join(head_parts), tail_part)
++
++
+ nobody = None
+ 
+ def nobody_uid():
+Index: Python-2.6.6/Lib/test/test_httpservers.py
+===================================================================
+--- Python-2.6.6.orig/Lib/test/test_httpservers.py
++++ Python-2.6.6/Lib/test/test_httpservers.py
+@@ -7,6 +7,7 @@ Josip Dzolonga, and Michael Otteneder fo
+ from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+ from SimpleHTTPServer import SimpleHTTPRequestHandler
+ from CGIHTTPServer import CGIHTTPRequestHandler
++import CGIHTTPServer
+ 
+ import os
+ import sys
+@@ -324,6 +325,45 @@ class CGIHTTPServerTestCase(BaseTestCase
+         finally:
+             BaseTestCase.tearDown(self)
+ 
++    def test_url_collapse_path_split(self):
++        test_vectors = {
++            '': ('/', ''),
++            '..': IndexError,
++            '/.//..': IndexError,
++            '/': ('/', ''),
++            '//': ('/', ''),
++            '/\\': ('/', '\\'),
++            '/.//': ('/', ''),
++            'cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
++            '/cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
++            'a': ('/', 'a'),
++            '/a': ('/', 'a'),
++            '//a': ('/', 'a'),
++            './a': ('/', 'a'),
++            './C:/': ('/C:', ''),
++            '/a/b': ('/a', 'b'),
++            '/a/b/': ('/a/b', ''),
++            '/a/b/c/..': ('/a/b', ''),
++            '/a/b/c/../d': ('/a/b', 'd'),
++            '/a/b/c/../d/e/../f': ('/a/b/d', 'f'),
++            '/a/b/c/../d/e/../../f': ('/a/b', 'f'),
++            '/a/b/c/../d/e/.././././..//f': ('/a/b', 'f'),
++            '../a/b/c/../d/e/.././././..//f': IndexError,
++            '/a/b/c/../d/e/../../../f': ('/a', 'f'),
++            '/a/b/c/../d/e/../../../../f': ('/', 'f'),
++            '/a/b/c/../d/e/../../../../../f': IndexError,
++            '/a/b/c/../d/e/../../../../f/..': ('/', ''),
++        }
++        for path, expected in test_vectors.iteritems():
++            if isinstance(expected, type) and issubclass(expected, Exception):
++                self.assertRaises(expected,
++                                  CGIHTTPServer._url_collapse_path_split, path)
++            else:
++                actual = CGIHTTPServer._url_collapse_path_split(path)
++                self.assertEquals(expected, actual,
++                                  msg='path = %r\nGot:    %r\nWanted: %r' % (
++                                  path, actual, expected))
++
+     def test_headers_and_content(self):
+         res = self.request('/cgi-bin/file1.py')
+         self.assertEquals(('Hello World\n', 'text/html', 200), \
+@@ -348,6 +388,12 @@ class CGIHTTPServerTestCase(BaseTestCase
+         self.assertEquals(('Hello World\n', 'text/html', 200), \
+              (res.read(), res.getheader('Content-type'), res.status))
+ 
++    def test_no_leading_slash(self):
++        # http://bugs.python.org/issue2254
++        res = self.request('cgi-bin/file1.py')
++        self.assertEquals(('Hello World\n', 'text/html', 200),
++             (res.read(), res.getheader('Content-type'), res.status))
++
+ 
+ def test_main(verbose=None):
+     cwd = os.getcwd()
+Index: Python-2.6.6/Misc/NEWS
+===================================================================
+--- Python-2.6.6.orig/Misc/NEWS
++++ Python-2.6.6/Misc/NEWS
+@@ -137,6 +137,9 @@ C-API
+ Library
+ -------
+ 
++- Issue #2254: Fix CGIHTTPServer information disclosure.  Relative paths are
++  now collapsed within the url properly before looking in cgi_directories.
++
+ - Issue #8447: Make distutils.sysconfig follow symlinks in the path to
+   the interpreter executable.  This fixes a failure of test_httpservers
+   on OS X.
diff --git a/meta/recipes-devtools/python/python_2.6.6.bb b/meta/recipes-devtools/python/python_2.6.6.bb
index 800ba04..d5e7d22 100644
--- a/meta/recipes-devtools/python/python_2.6.6.bb
+++ b/meta/recipes-devtools/python/python_2.6.6.bb
@@ -1,7 +1,7 @@ 
 require python.inc
 DEPENDS = "python-native db gdbm openssl readline sqlite3 zlib"
 DEPENDS_sharprom = "python-native db readline zlib gdbm openssl"
-PR = "${INC_PR}.8"
+PR = "${INC_PR}.9"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=38fdd546420fab09ac6bd3d8a1c83eb6"
 
 DISTRO_SRC_URI ?= "file://sitecustomize.py"
@@ -18,6 +18,7 @@  SRC_URI = "\
   file://99-ignore-optimization-flag.patch \
   ${DISTRO_SRC_URI} \
   file://multilib.patch \
+  file://security_issue_2254_fix.patch \
 "
 
 SRC_URI[md5sum] = "cf4e6881bb84a7ce6089e4a307f71f14"