
package/python3: add upstream security fix for CVE-2022-45061

Message ID 20221122201826.49696-1-peter@korsgaard.com
State Accepted

Commit Message

Peter Korsgaard Nov. 22, 2022, 8:18 p.m. UTC
Fixes the following security issue:

CVE-2022-45061: An issue was discovered in Python before 3.11.1.  An
unnecessary quadratic algorithm exists in one path when processing some
inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably
long name being presented to the decoder could lead to a CPU denial of
service.  Hostnames are often supplied by remote servers that could be
controlled by a malicious actor; in such a scenario, they could trigger
excessive CPU consumption on the client attempting to make use of an
attacker-supplied supposed hostname.  For example, the attack payload could
be placed in the Location header of an HTTP response with status code 302.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 ...x-quadratic-time-idna-decoding.-GH-9.patch | 86 +++++++++++++++++++
 package/python3/python3.mk                    |  3 +
 2 files changed, 89 insertions(+)
 create mode 100644 package/python3/0033-3.11-gh-98433-Fix-quadratic-time-idna-decoding.-GH-9.patch
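
The CVE text above describes a client being handed an unreasonably long hostname by a remote server (for example in a 302 Location header). As an added example, not part of this Buildroot patch or of CPython, the following shows the client-side mitigation a defender can apply independently of the interpreter version: bound the name against the DNS length limits from RFC 1035 before it ever reaches the IDNA codec. The names `check_hostname_lengths`, `safe_idna_decode`, `rejects` and `HostnameTooLong` are introduced here.

```python
# Added example: pre-validate an untrusted hostname before IDNA decoding.
# Limits from RFC 1035 section 2.3.4: 63 octets per label and 255 octets for
# the whole name in wire form, i.e. 253 octets in dotted presentation form.
MAX_LABEL_OCTETS = 63
MAX_HOSTNAME_OCTETS = 253


class HostnameTooLong(ValueError):
    """Raised when a hostname or one of its labels exceeds the DNS limits."""


def check_hostname_lengths(host: bytes) -> list:
    """Return the labels of `host` if the name and every label fit the limits.

    A trailing dot (fully qualified name) is accepted and stripped first.
    """
    if host.endswith(b"."):
        host = host[:-1]
    if len(host) > MAX_HOSTNAME_OCTETS:
        raise HostnameTooLong("hostname longer than %d octets" % MAX_HOSTNAME_OCTETS)
    labels = host.split(b".")
    for label in labels:
        if not 0 < len(label) <= MAX_LABEL_OCTETS:
            raise HostnameTooLong("label empty or longer than %d octets" % MAX_LABEL_OCTETS)
    return labels


def safe_idna_decode(host: bytes) -> str:
    """Decode an ACE (xn--) hostname only after its lengths have been checked,
    so the codec never sees a pathologically long label."""
    check_hostname_lengths(host)
    return host.decode("idna")


def rejects(host: bytes) -> bool:
    """True if `host` is refused by the length check (helper for the demo)."""
    try:
        check_hostname_lengths(host)
    except HostnameTooLong:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: the valid name from the patch's own test suite,
    # and the two over-long labels that test expects the codec to refuse.
    print(safe_idna_decode(b"xn--pythn-mua.org"))  # pyth\xf6n.org
    print(rejects(b"xn--016c" + b"a" * 1100), rejects(b"xn--016c" + b"a" * 70))  # True True
```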

Comments

Peter Korsgaard Nov. 23, 2022, 10:03 a.m. UTC | #1
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issue:
 > CVE-2022-45061: An issue was discovered in Python before 3.11.1.  An
 > unnecessary quadratic algorithm exists in one path when processing some
 > inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably
 > long name being presented to the decoder could lead to a CPU denial of
 > service.  Hostnames are often supplied by remote servers that could be
 > controlled by a malicious actor; in such a scenario, they could trigger
 > excessive CPU consumption on the client attempting to make use of an
 > attacker-supplied supposed hostname.  For example, the attack payload could
 > be placed in the Location header of an HTTP response with status code 302.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.
Peter Korsgaard Nov. 26, 2022, 6:42 p.m. UTC | #2
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
 >> Fixes the following security issue:
 >> CVE-2022-45061: An issue was discovered in Python before 3.11.1.  An
 >> unnecessary quadratic algorithm exists in one path when processing some
 >> inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably
 >> long name being presented to the decoder could lead to a CPU denial of
 >> service.  Hostnames are often supplied by remote servers that could be
 >> controlled by a malicious actor; in such a scenario, they could trigger
 >> excessive CPU consumption on the client attempting to make use of an
 >> attacker-supplied supposed hostname.  For example, the attack payload could
 >> be placed in the Location header of an HTTP response with status code 302.

 >> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

 > Committed, thanks.

Committed to 2022.08.x and 2022.02.x, thanks.

Patch

diff --git a/package/python3/0033-3.11-gh-98433-Fix-quadratic-time-idna-decoding.-GH-9.patch b/package/python3/0033-3.11-gh-98433-Fix-quadratic-time-idna-decoding.-GH-9.patch
new file mode 100644
index 0000000000..d281e7261d
--- /dev/null
+++ b/package/python3/0033-3.11-gh-98433-Fix-quadratic-time-idna-decoding.-GH-9.patch
@@ -0,0 +1,86 @@ 
+From 9bb8e18ca46fe66fa6802602f8a7228a24dd785f Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 7 Nov 2022 19:23:16 -0800
+Subject: [PATCH] [3.11] gh-98433: Fix quadratic time idna decoding. (GH-99092)
+ (GH-99222)
+
+There was an unnecessary quadratic loop in idna decoding. This restores
+the behavior to linear.
+
+(cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d)
+
+(cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15)
+
+Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
+Co-authored-by: Gregory P. Smith <greg@krypto.org>
+[Peter: drop NEWS.d/*]
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ Lib/encodings/idna.py                         | 32 +++++++++----------
+ Lib/test/test_codecs.py                       |  6 ++++
+ 2 files changed, 23 insertions(+), 17 deletions(-)
+
+diff --git a/Lib/encodings/idna.py b/Lib/encodings/idna.py
+index ea4058512f..bf98f51336 100644
+--- a/Lib/encodings/idna.py
++++ b/Lib/encodings/idna.py
+@@ -39,23 +39,21 @@ def nameprep(label):
+ 
+     # Check bidi
+     RandAL = [stringprep.in_table_d1(x) for x in label]
+-    for c in RandAL:
+-        if c:
+-            # There is a RandAL char in the string. Must perform further
+-            # tests:
+-            # 1) The characters in section 5.8 MUST be prohibited.
+-            # This is table C.8, which was already checked
+-            # 2) If a string contains any RandALCat character, the string
+-            # MUST NOT contain any LCat character.
+-            if any(stringprep.in_table_d2(x) for x in label):
+-                raise UnicodeError("Violation of BIDI requirement 2")
+-
+-            # 3) If a string contains any RandALCat character, a
+-            # RandALCat character MUST be the first character of the
+-            # string, and a RandALCat character MUST be the last
+-            # character of the string.
+-            if not RandAL[0] or not RandAL[-1]:
+-                raise UnicodeError("Violation of BIDI requirement 3")
++    if any(RandAL):
++        # There is a RandAL char in the string. Must perform further
++        # tests:
++        # 1) The characters in section 5.8 MUST be prohibited.
++        # This is table C.8, which was already checked
++        # 2) If a string contains any RandALCat character, the string
++        # MUST NOT contain any LCat character.
++        if any(stringprep.in_table_d2(x) for x in label):
++            raise UnicodeError("Violation of BIDI requirement 2")
++        # 3) If a string contains any RandALCat character, a
++        # RandALCat character MUST be the first character of the
++        # string, and a RandALCat character MUST be the last
++        # character of the string.
++        if not RandAL[0] or not RandAL[-1]:
++            raise UnicodeError("Violation of BIDI requirement 3")
+ 
+     return label
+ 
+diff --git a/Lib/test/test_codecs.py b/Lib/test/test_codecs.py
+index 8edd5ac063..2407567261 100644
+--- a/Lib/test/test_codecs.py
++++ b/Lib/test/test_codecs.py
+@@ -1535,6 +1535,12 @@ def test_builtin_encode(self):
+         self.assertEqual("pyth\xf6n.org".encode("idna"), b"xn--pythn-mua.org")
+         self.assertEqual("pyth\xf6n.org.".encode("idna"), b"xn--pythn-mua.org.")
+ 
++    def test_builtin_decode_length_limit(self):
++        with self.assertRaisesRegex(UnicodeError, "too long"):
++            (b"xn--016c"+b"a"*1100).decode("idna")
++        with self.assertRaisesRegex(UnicodeError, "too long"):
++            (b"xn--016c"+b"a"*70).decode("idna")
++
+     def test_stream(self):
+         r = codecs.getreader("idna")(io.BytesIO(b"abc"))
+         r.read(3)
+-- 
+2.30.2
+
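Review bot: the new test `test_builtin_decode_length_limit` in the embedded test_codecs.py hunk asserts a UnicodeError matching "too long" for labels of 1100 and 70 characters, but the embedded idna.py hunk only replaces the per-character `for c in RandAL:` loop in nameprep() (which re-ran `any(stringprep.in_table_d2(x) for x in label)` once per RandAL character, hence the quadratic cost) with a single `if any(RandAL):` block and introduces no length check or message containing "too long"; the test therefore relies on a length check that already exists elsewhere in idna.py, so please confirm it passes against the 3.11 release Buildroot ships, or say in the description which existing check it exercises. Also, the embedded diffstat reads `2 files changed, 23 insertions(+), 17 deletions(-)` while the two hunks below add 15 + 6 = 21 lines; since the NEWS.d entry was dropped (`[Peter: drop NEWS.d/*]`), regenerate the stat so it matches the patch as carried.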
diff --git a/package/python3/python3.mk b/package/python3/python3.mk
index 4131941e11..2e17104102 100644
--- a/package/python3/python3.mk
+++ b/package/python3/python3.mk
@@ -13,6 +13,9 @@  PYTHON3_LICENSE_FILES = LICENSE
 PYTHON3_CPE_ID_VENDOR = python
 PYTHON3_CPE_ID_PRODUCT = python
 
+# 0033-3.11-gh-98433-Fix-quadratic-time-idna-decoding.-GH-9.patch
+PYTHON3_IGNORE_CVES += CVE-2022-45061
+
 # This host Python is installed in $(HOST_DIR), as it is needed when
 # cross-compiling third-party Python modules.
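Review bot: `PYTHON3_IGNORE_CVES += CVE-2022-45061` is only valid while the 0033 patch is applied, and the CVE text says the issue is fixed upstream in 3.11.1, so when python3 is bumped to that release or later both this line and the patch must be removed in the same commit, otherwise the CVE stays suppressed with nothing backing the suppression; the comment naming the patch file above the line is the right way to keep the two paired, so keep that convention.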