From patchwork Wed Dec 7 22:55:03 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Slater, Joseph" X-Patchwork-Id: 16489 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6F0E5C63703 for ; Wed, 7 Dec 2022 22:55:13 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web10.1151.1670453704377530337 for ; Wed, 07 Dec 2022 14:55:06 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=pps06212021 header.b=PDbtOc0O; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=93408defbe=joe.slater@windriver.com) Received: from pps.filterd (m0250810.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 2B7MemkI010954 for ; Wed, 7 Dec 2022 14:55:04 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=from : to : cc : subject : date : message-id : mime-version : content-transfer-encoding : content-type; s=PPS06212021; bh=dHR5wqmRhy4IG+ScIkCYFbTfai1ZZPkNDkcrnB/ChV0=; b=PDbtOc0Oeh0pn5KyH4gGA9ESatkt8+FCbN6p4lp8x8xfx0fbyVt3p8ETAsSyRqfcrdDg ZQYKmSwVmdU6zOzfV3DvxMVvhQVpfcLdyeLJD4KPWTAPgru1i0Rd0hxy2WKU/2APxXai ejkkbc/Et2Y7tUhkExQTF43bRKjWWL4vIYbZTPtf2vbtRdWCXxzQ9UBostPYG/TaymKt E7rNHjHFnC5ZCiiC7FYv4uizsiPQyyYUJ7Pf1cjA8Z6ug5xjuzZSdKCOQR5DU0bK59PZ Vtcm5hy2e2JcR7UF/Ht89k8MK125HcIuSI3FPfQUA0VLDtPchfxCUSwFvyNl+JSdH2A5 gQ== Received: from ala-exchng02.corp.ad.wrs.com (unknown-82-254.windriver.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 3m82m6utdw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 07 Dec 2022 14:55:03 -0800 Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.27; Wed, 7 Dec 2022 14:55:03 -0800 Received: from ala-lpggp5.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2242.12 via Frontend Transport; Wed, 7 Dec 2022 14:55:03 -0800 From: Joe Slater To: CC: , Subject: [v2][oe-core][kirkstone][PATCH 1/1] python3: advance to version 3.10.8 Date: Wed, 7 Dec 2022 14:55:03 -0800 Message-ID: <20221207225503.13556-1-joe.slater@windriver.com> X-Mailer: git-send-email 2.38.1 MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: xd-SkRuytklfSKmQZnWkgWKTXREc2UBJ X-Proofpoint-GUID: xd-SkRuytklfSKmQZnWkgWKTXREc2UBJ X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.923,Hydra:6.0.545,FMLib:17.11.122.1 definitions=2022-12-07_11,2022-12-07_01,2022-06-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 lowpriorityscore=0 impostorscore=0 suspectscore=0 adultscore=0 phishscore=0 clxscore=1011 malwarescore=0 priorityscore=1501 mlxscore=0 bulkscore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2210170000 definitions=main-2212070194 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 07 Dec 2022 22:55:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/174370 Fixes CVE-2022-37460. Also add patch to fix CVE-2022-37454. Signed-off-by: Joe Slater --- .../python/python3/cve-2022-37454.patch | 108 ++++++++++++++++++ .../{python3_3.10.7.bb => python3_3.10.8.bb} | 4 +- 2 files changed, 110 insertions(+), 2 deletions(-) create mode 100644 meta/recipes-devtools/python/python3/cve-2022-37454.patch rename meta/recipes-devtools/python/{python3_3.10.7.bb => python3_3.10.8.bb} (99%) diff --git a/meta/recipes-devtools/python/python3/cve-2022-37454.patch b/meta/recipes-devtools/python/python3/cve-2022-37454.patch new file mode 100644 index 0000000000..c019151a64 --- /dev/null +++ b/meta/recipes-devtools/python/python3/cve-2022-37454.patch @@ -0,0 +1,108 @@ +From 1f66b714c5f2fef80ec5389456ac31756dbfff0e Mon Sep 17 00:00:00 2001 +From: Theo Buehler +Date: Fri, 21 Oct 2022 21:26:01 +0200 +Subject: [PATCH] gh-98517: Fix buffer overflows in _sha3 module (#98519) + +This is a port of the applicable part of XKCP's fix [1] for +CVE-2022-37454 and avoids the segmentation fault and the infinite +loop in the test cases published in [2]. + +[1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a +[2]: https://mouha.be/sha-3-buffer-overflow/ + +Regression test added by: Gregory P. Smith [Google LLC] +--- + +Patch applied without modification. + +CVE: CVE-2022-37454 + +Upstream-Status: Backport [github.com/cpython/cpython.git 0e4e058602d...] + +Signed-off-by: Joe Slater +--- + Lib/test/test_hashlib.py | 9 +++++++++ + .../2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst | 1 + + Modules/_sha3/kcp/KeccakSponge.inc | 15 ++++++++------- + 3 files changed, 18 insertions(+), 7 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst + +diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py +index ea31f8b..65330e1 100644 +--- a/Lib/test/test_hashlib.py ++++ b/Lib/test/test_hashlib.py +@@ -491,6 +491,15 @@ class HashLibTestCase(unittest.TestCase): + def test_case_md5_uintmax(self, size): + self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3') + ++ @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems') ++ @bigmemtest(size=_4G - 1, memuse=1, dry_run=False) ++ def test_sha3_update_overflow(self, size): ++ """Regression test for gh-98517 CVE-2022-37454.""" ++ h = hashlib.sha3_224() ++ h.update(b'\x01') ++ h.update(b'\x01'*0xffff_ffff) ++ self.assertEqual(h.hexdigest(), '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed') ++ + # use the three examples from Federal Information Processing Standards + # Publication 180-1, Secure Hash Standard, 1995 April 17 + # http://www.itl.nist.gov/div897/pubs/fip180-1.htm +diff --git a/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst +new file mode 100644 +index 0000000..2d23a6a +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst +@@ -0,0 +1 @@ ++Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454). +diff --git a/Modules/_sha3/kcp/KeccakSponge.inc b/Modules/_sha3/kcp/KeccakSponge.inc +index e10739d..cf92e4d 100644 +--- a/Modules/_sha3/kcp/KeccakSponge.inc ++++ b/Modules/_sha3/kcp/KeccakSponge.inc +@@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat + i = 0; + curData = data; + while(i < dataByteLen) { +- if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) { ++ if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) { + #ifdef SnP_FastLoop_Absorb + /* processing full blocks first */ + +@@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat + } + else { + /* normal lane: using the message queue */ +- +- partialBlock = (unsigned int)(dataByteLen - i); +- if (partialBlock+instance->byteIOIndex > rateInBytes) ++ if (dataByteLen-i > rateInBytes-instance->byteIOIndex) + partialBlock = rateInBytes-instance->byteIOIndex; ++ else ++ partialBlock = (unsigned int)(dataByteLen - i); + #ifdef KeccakReference + displayBytes(1, "Block to be absorbed (part)", curData, partialBlock); + #endif +@@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte + i = 0; + curData = data; + while(i < dataByteLen) { +- if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) { ++ if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) { + for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) { + SnP_Permute(instance->state); + SnP_ExtractBytes(instance->state, curData, 0, rateInBytes); +@@ -299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte + SnP_Permute(instance->state); + instance->byteIOIndex = 0; + } +- partialBlock = (unsigned int)(dataByteLen - i); +- if (partialBlock+instance->byteIOIndex > rateInBytes) ++ if (dataByteLen-i > rateInBytes-instance->byteIOIndex) + partialBlock = rateInBytes-instance->byteIOIndex; ++ else ++ partialBlock = (unsigned int)(dataByteLen - i); + i += partialBlock; + + SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock); +-- +2.32.0 + diff --git a/meta/recipes-devtools/python/python3_3.10.7.bb b/meta/recipes-devtools/python/python3_3.10.8.bb similarity index 99% rename from meta/recipes-devtools/python/python3_3.10.7.bb rename to meta/recipes-devtools/python/python3_3.10.8.bb index 404a582135..7cc1ce53ca 100644 --- a/meta/recipes-devtools/python/python3_3.10.7.bb +++ b/meta/recipes-devtools/python/python3_3.10.8.bb @@ -4,7 +4,7 @@ DESCRIPTION = "Python is a programming language that lets you work more quickly LICENSE = "PSF-2.0" SECTION = "devel/python" -LIC_FILES_CHKSUM = "file://LICENSE;md5=4b8801e752a2c70ac41a5f9aa243f766" +LIC_FILES_CHKSUM = "file://LICENSE;md5=a1822df8d0f068628ca6090aedc5bfc8" SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://run-ptest \ @@ -43,7 +43,7 @@ SRC_URI:append:class-native = " \ file://12-distutils-prefix-is-inside-staging-area.patch \ file://0001-Don-t-search-system-for-headers-libraries.patch \ " -SRC_URI[sha256sum] = "6eed8415b7516fb2f260906db5d48dd4c06acc0cb24a7d6cc15296a604dcdc48" +SRC_URI[sha256sum] = "6a30ecde59c47048013eb5a658c9b5dec277203d2793667f578df7671f7f03f3" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P\d+(\.\d+)+).tar"