python3: CVE-2018-1061

* CVE-2018-1060
Prevent low-grade poplib REDOS:
The regex to test a mail server's timestamp is susceptible to
catastrophic backtracking on long evil responses from the server.

Happily, the maximum length of malicious inputs is 2K thanks
to a limit introduced in the fix for CVE-2013-1752.

* CVE-2018-1061
Prevent difflib REDOS
The default regex for IS_LINE_JUNK is susceptible to
catastrophic backtracking.
This is a potential DOS vector.
Replace it with an equivalent non-vulnerable regex.

Affects < 3.5.6rc1

CVE: CVE-2018-1060
CVE: CVE-2018-1061
Ref: https://access.redhat.com/security/cve/cve-2018-1060
Ref: https://access.redhat.com/security/cve/cve-2018-1061

(From OE-Core rev: 1461bcc72e6649920ecf4226e006e5667c48a21c)

Signed-off-by: Sinan Kaya <okaya@kernel.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Sinan Kaya
2018-10-05 00:39:08 +00:00
committed by Richard Purdie
parent 536412ec4d
commit 97ee1f8087
2 changed files with 166 additions and 0 deletions
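As an added example (not part of this commit, of OE-Core, or of CPython), the difflib half of the fix can be checked the way a reviewer of a ReDoS patch would: confirm the replacement regex accepts exactly the same lines as the original, and confirm the input that forces backtracking no longer does. The two patterns are the pre- and post-fix `IS_LINE_JUNK` defaults from upstream CPython's difflib, stated here as an assumption because the patch body is not shown on this page.

```python
import itertools
import re
import time

# Assumed from upstream CPython difflib (not shown on this page):
# the default IS_LINE_JUNK pattern before the CVE-2018-1061 fix and after it.
VULNERABLE = re.compile(r"\s*#?\s*$")
FIXED = re.compile(r"\s*(?:#\s*)?$")


def is_junk(pat, line):
    """Mirror of difflib.IS_LINE_JUNK: True if the line is blank or a lone '#'."""
    return pat.match(line) is not None


def first_disagreement(max_len=7, alphabet=" \t\n#x"):
    """Exhaustively compare both patterns on every string up to max_len over a
    small alphabet covering whitespace, the hash, and a non-junk character.
    Returns the first string on which they disagree, or None if equivalent."""
    for n in range(max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            s = "".join(chars)
            if is_junk(VULNERABLE, s) != is_junk(FIXED, s):
                return s
    return None


def _time_match(pat, line):
    t0 = time.perf_counter()
    pat.match(line)
    return time.perf_counter() - t0


def backtracking_ratio(n=4000):
    """Constructed adversarial line: a long run of spaces ending in a non-junk
    character. In the original pattern two adjacent \\s* groups straddle an
    optional '#', so on this input the engine tries every split between them
    before failing (quadratic). The fix keeps a single \\s* before the optional
    '#...' group, so the failure is found in one pass (linear). Returns how many
    times slower the original is than the fix on this input."""
    line = " " * n + "x"
    return _time_match(VULNERABLE, line) / max(_time_match(FIXED, line), 1e-9)
```

The equivalence check is the part worth keeping in a regression test; the timing ratio is only for a one-off demonstration, since wall-clock numbers vary by machine.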
@@ -37,6 +37,7 @@ SRC_URI += "\
file://configure.ac-fix-LIBPL.patch \
file://0001-Issue-21272-Use-_sysconfigdata.py-to-initialize-dist.patch \
file://pass-missing-libraries-to-Extension-for-mul.patch \
file://CVE-2018-1061.patch \
"
SRC_URI[md5sum] = "f3763edf9824d5d3a15f5f646083b6e0"
SRC_URI[sha256sum] = "063d2c3b0402d6191b90731e0f735c64830e7522348aeb7ed382a83165d45009"
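Review bot: the added `file://CVE-2018-1061.patch \` line references a single patch named for CVE-2018-1061 only, while the commit message and its `CVE:` tags cover both CVE-2018-1060 (poplib) and CVE-2018-1061 (difflib). The patch file itself (the second changed file, 166 additions) is not shown here, so confirm its header carries both `CVE: CVE-2018-1060` and `CVE: CVE-2018-1061` tags so that tooling which credits fixes from patch metadata reports both as patched, or split it into one patch per CVE with matching filenames.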