!33 Address DoS via the Tudoor mechanism (CVE-2023-29483)

From: @lilong88 
Reviewed-by: @yangzhao_kl 
Signed-off-by: @yangzhao_kl

Address-DoS-via-the-Tudoor-mechanism.patch

@@ -0,0 +1,104 @@
+From 51e3c4928d4938beb576eff34f3bf97e6e64e6b4 Mon Sep 17 00:00:00 2001
+From: Kelvin J Li <72498127+kelvin-j-li@users.noreply.github.com>
+Date: Mon, 19 Feb 2024 21:42:27 +0800
+Subject: [PATCH] Dnspython 2.6.1 - Address DoS via the Tudoor mechanism
+ (CVE-2023-29483)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix for (CVE-2023-29483) and handling of truncated exceptions in greendns.py provided by Bob Halley from https://github.com/rthalley/eventlet/tree/tudoor
+
+Do not eat legitimate Truncated exceptions.
+---------
+Co-authored-by: Bob Halley <halley@play-bow.org>
+Co-authored-by: Hervé Beraud <hberaud@redhat.com>
+---
+ eventlet/support/greendns.py | 56 ++++++++++++++++++++++++------------
+ 1 file changed, 38 insertions(+), 18 deletions(-)
+
+diff --git a/eventlet/support/greendns.py b/eventlet/support/greendns.py
+index 626214235..365664f24 100644
+--- a/eventlet/support/greendns.py
++++ b/eventlet/support/greendns.py
+@@ -713,7 +713,7 @@ def _net_write(sock, data, expiration):
+ def udp(q, where, timeout=DNS_QUERY_TIMEOUT, port=53,
+         af=None, source=None, source_port=0, ignore_unexpected=False,
+         one_rr_per_rrset=False, ignore_trailing=False,
+-        raise_on_truncation=False, sock=None):
++        raise_on_truncation=False, sock=None, ignore_errors=False):
+     """coro friendly replacement for dns.query.udp
+     Return the response obtained after sending a query via UDP.
+ 
+@@ -752,7 +752,10 @@ def udp(q, where, timeout=DNS_QUERY_TIMEOUT, port=53,
+     query.  If None, the default, a socket is created.  Note that
+     if a socket is provided, it must be a nonblocking datagram socket,
+     and the source and source_port are ignored.
+-    @type sock: socket.socket | None"""
++    @type sock: socket.socket | None
++    @param ignore_errors: if various format errors or response mismatches occur,
++    continue listening.
++    @type ignore_errors: bool"""
+ 
+     wire = q.to_wire()
+     if af is None:
+@@ -816,26 +819,43 @@ def udp(q, where, timeout=DNS_QUERY_TIMEOUT, port=53,
+                 addr = from_address[0]
+                 addr = dns.ipv6.inet_ntoa(dns.ipv6.inet_aton(addr))
+                 from_address = (addr, from_address[1], from_address[2], from_address[3])
+-            if from_address == destination:
++            if from_address != destination:
++                if ignore_unexpected:
++                    continue
++                else:
++                    raise dns.query.UnexpectedSource(
++                        'got a response from %s instead of %s'
++                        % (from_address, destination))
++            try:
++                if _handle_raise_on_truncation:
++                    r = dns.message.from_wire(wire,
++                                              keyring=q.keyring,
++                                              request_mac=q.mac,
++                                              one_rr_per_rrset=one_rr_per_rrset,
++                                              ignore_trailing=ignore_trailing,
++                                              raise_on_truncation=raise_on_truncation)
++                else:
++                    r = dns.message.from_wire(wire,
++                                              keyring=q.keyring,
++                                              request_mac=q.mac,
++                                              one_rr_per_rrset=one_rr_per_rrset,
++                                              ignore_trailing=ignore_trailing)
++                if not q.is_response(r):
++                    raise dns.query.BadResponse()
+                 break
+-            if not ignore_unexpected:
+-                raise dns.query.UnexpectedSource(
+-                    'got a response from %s instead of %s'
+-                    % (from_address, destination))
++            except dns.message.Truncated as e:
++                if ignore_errors and not q.is_response(e.message()):
++                    continue
++                else:
++                    raise
++            except Exception:
++                if ignore_errors:
++                    continue
++                else:
++                    raise
+     finally:
+         s.close()
+ 
+-    if _handle_raise_on_truncation:
+-        r = dns.message.from_wire(wire, keyring=q.keyring, request_mac=q.mac,
+-                                  one_rr_per_rrset=one_rr_per_rrset,
+-                                  ignore_trailing=ignore_trailing,
+-                                  raise_on_truncation=raise_on_truncation)
+-    else:
+-        r = dns.message.from_wire(wire, keyring=q.keyring, request_mac=q.mac,
+-                                  one_rr_per_rrset=one_rr_per_rrset,
+-                                  ignore_trailing=ignore_trailing)
+-    if not q.is_response(r):
+-        raise dns.query.BadResponse()
+     return r
+ 
+ 

python-eventlet.spec

@@ -1,43 +1,53 @@
 %global _empty_manifest_terminate_build 0
-Name:		python-eventlet
-Version:	0.30.0
-Release:	1
-Summary:	Highly concurrent networking library
-License:	MIT License
-URL:		https://github.com/eventlet/eventlet
-Source0:	https://files.pythonhosted.org/packages/0c/dd/cda72b013472d570f9d5670b9260a6d6491829bd4b7697829e8591a24168/eventlet-0.30.0.tar.gz
-BuildArch:	noarch
+Name:           python-eventlet
+Version:        0.33.3
+Release:        2
+Summary:        Highly concurrent networking library
+License:        MIT
+URL:            http://eventlet.net
+Source0:        https://files.pythonhosted.org/packages/source/e/eventlet/eventlet-%{version}.tar.gz
+BuildArch:      noarch
 
-Requires:	python3-dnspython
-Requires:	python3-greenlet
-Requires:	python3-six
-Requires:	python3-monotonic
+Patch0001:	Address-DoS-via-the-Tudoor-mechanism.patch
 
 %description
-Concurrent networking library for Python
+Eventlet is a concurrent networking library for Python that allows you to change how you run your code, not how you write it.
 
 %package -n python3-eventlet
-Summary:	Highly concurrent networking library
-Provides:	python-eventlet
-BuildRequires:	python3-devel
-BuildRequires:	python3-setuptools
+Summary:        Highly concurrent networking library
+Provides:       python-eventlet
+# Base build requires
+BuildRequires:  python3-devel
+BuildRequires:  python3-setuptools
+BuildRequires:  python3-pbr
+BuildRequires:  python3-pip
+BuildRequires:  python3-wheel
+# General requires
+BuildRequires:  python3-dns
+BuildRequires:  python3-greenlet
+BuildRequires:  python3-six
+# General requires
+Requires:       python3-dns
+Requires:       python3-greenlet
+Requires:       python3-six
 %description -n python3-eventlet
-Concurrent networking library for Python
+Eventlet is a concurrent networking library for Python that allows you to change how you run your code, not how you write it.
 
 %package help
-Summary:	Development documents and examples for eventlet
-Provides:	python3-eventlet-doc
+Summary:        Highly concurrent networking library
+Provides:       python3-eventlet-doc
 %description help
-Concurrent networking library for Python
+Eventlet is a concurrent networking library for Python that allows you to change how you run your code, not how you write it.
 
 %prep
-%autosetup -n eventlet-0.30.0
+%autosetup -n eventlet-%{version} -p1
 
 %build
 %py3_build
 
 %install
 %py3_install
+
 install -d -m755 %{buildroot}/%{_pkgdocdir}
 if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
 if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
@@ -45,25 +55,26 @@ if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi
 if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
 pushd %{buildroot}
 if [ -d usr/lib ]; then
-	find usr/lib -type f -printf "/%h/%f\n" >> filelist.lst
+    find usr/lib -type f -printf "/%h/%f\n" >> filelist.lst
 fi
 if [ -d usr/lib64 ]; then
-	find usr/lib64 -type f -printf "/%h/%f\n" >> filelist.lst
+    find usr/lib64 -type f -printf "/%h/%f\n" >> filelist.lst
 fi
 if [ -d usr/bin ]; then
-	find usr/bin -type f -printf "/%h/%f\n" >> filelist.lst
+    find usr/bin -type f -printf "/%h/%f\n" >> filelist.lst
 fi
 if [ -d usr/sbin ]; then
-	find usr/sbin -type f -printf "/%h/%f\n" >> filelist.lst
+    find usr/sbin -type f -printf "/%h/%f\n" >> filelist.lst
 fi
 touch doclist.lst
 if [ -d usr/share/man ]; then
-	find usr/share/man -type f -printf "/%h/%f.gz\n" >> doclist.lst
+    find usr/share/man -type f -printf "/%h/%f.gz\n" >> doclist.lst
 fi
 popd
 mv %{buildroot}/filelist.lst .
 mv %{buildroot}/doclist.lst .
 
+
 %files -n python3-eventlet -f filelist.lst
 %dir %{python3_sitelib}/*
 
@@ -71,8 +82,24 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 
 %changelog
+* Sun Apr 28 2024 lilong <lilong@kylinos.cn> - 0.33.3-2
+- Address DoS via the Tudoor mechanism (CVE-2023-29483)
+
+* Sat May 06 2023 xu_ping <707078654@qq.com> - 0.33.3-1
+- Update to 0.33.3
+
+* Wed Aug 03 2022 liukuo <liukuo@kylinos.cn> - 0.33.1-1
+- Update to 0.33.1
+
+* Wed May 18 2022 OpenStack_SIG <openstack@openeuler.org> - 0.33.0-1
+- Upgrade package python3-eventlet to version 0.33.0
+
+* Mon Jul 26 2021 OpenStack_SIG <openstack@openeuler.org> - 0.30.2-1
+- update to 0.30.2
+
 * Fri Jan 15 2021 Python_Bot <Python_Bot@openeuler.org>
 - Package Spec generated
 
 * Thu Mar 12 2020 zoushuangshuang <zoushuangshuang@huawei.com> - 0.23.0-3
 - Package init
+

python37.patch

@@ -1,140 +0,0 @@
-From 0d4e7bcb90800d6700b2c81c41c9770ee5f94358 Mon Sep 17 00:00:00 2001
-From: Marcel Plch <mplch@redhat.com>
-Date: Mon, 9 Jul 2018 16:45:45 +0200
-Subject: [PATCH] Fix for Python 3.7
-
----
- eventlet/green/ssl.py | 46 ++++++++++++++++++++++++++++++++++++++++------
- tests/debug_test.py   | 14 ++++++++++++--
- tests/hub_test.py     |  4 +++-
- 3 files changed, 55 insertions(+), 9 deletions(-)
-
-diff --git a/eventlet/green/ssl.py b/eventlet/green/ssl.py
-index 53ee9a3c..df72869e 100644
---- a/eventlet/green/ssl.py
-+++ b/eventlet/green/ssl.py
-@@ -24,6 +24,7 @@
-     'create_default_context', '_create_default_https_context']
- 
- _original_sslsocket = __ssl.SSLSocket
-+_original_wrap_socket = __ssl.wrap_socket
- 
- 
- class GreenSSLSocket(_original_sslsocket):
-@@ -57,11 +58,41 @@ def __init__(self, sock, keyfile=None, certfile=None,
-             # this assignment
-             self._timeout = sock.gettimeout()
- 
--        # nonblocking socket handshaking on connect got disabled so let's pretend it's disabled
--        # even when it's on
--        super(GreenSSLSocket, self).__init__(
--            sock.fd, keyfile, certfile, server_side, cert_reqs, ssl_version,
--            ca_certs, do_handshake_on_connect and six.PY2, *args, **kw)
-+        if sys.version_info >= (3, 7):
-+            # Monkey-patch the sslsocket so our modified self gets
-+            # injected into its _create method.
-+            def fake_new(self, cls, *args, **kwargs):
-+                return self
-+
-+            orig_new = _original_sslsocket.__new__
-+            try:
-+                _original_sslsocket.__new__ = fake_new.__get__(self, GreenSSLSocket)
-+
-+                self = _original_wrap_socket(
-+                    sock=sock.fd,
-+                    keyfile=keyfile,
-+                    certfile=certfile,
-+                    server_side=server_side,
-+                    cert_reqs=cert_reqs,
-+                    ssl_version=ssl_version,
-+                    ca_certs=ca_certs,
-+                    do_handshake_on_connect=do_handshake_on_connect and six.PY2,
-+                    *args, **kw
-+                )
-+                self.keyfile = keyfile
-+                self.certfile = certfile
-+                self.cert_reqs = cert_reqs
-+                self.ssl_version = ssl_version
-+                self.ca_certs = ca_certs
-+            finally:
-+                # Unpatch
-+                _original_sslsocket.__new__ = orig_new
-+        else:
-+            # nonblocking socket handshaking on connect got disabled so let's pretend it's disabled
-+            # even when it's on
-+            super(GreenSSLSocket, self).__init__(
-+                sock.fd, keyfile, certfile, server_side, cert_reqs, ssl_version,
-+                ca_certs, do_handshake_on_connect and six.PY2, *args, **kw)
- 
-         # the superclass initializer trashes the methods so we remove
-         # the local-object versions of them and let the actual class
-@@ -323,7 +354,10 @@ def connect(self, addr):
-         except NameError:
-             self._sslobj = sslobj
-         else:
--            self._sslobj = SSLObject(sslobj, owner=self)
-+            if sys.version_info < (3, 7):
-+                self._sslobj = SSLObject(sslobj, owner=self)
-+            else:
-+                self._sslobj = sslobj
- 
-         if self.do_handshake_on_connect:
-             self.do_handshake()
-diff --git a/tests/debug_test.py b/tests/debug_test.py
-index 8299dede..82b3a834 100644
---- a/tests/debug_test.py
-+++ b/tests/debug_test.py
-@@ -29,6 +29,11 @@ def test_unspew(self):
-         assert self.tracer is None
- 
-     def test_line(self):
-+        if sys.version_info >= (3, 7):
-+            frame_str = "f=<frame at"
-+        else:
-+            frame_str = "f=<frame object at"
-+
-         sys.stdout = six.StringIO()
-         s = debug.Spew()
-         f = sys._getframe()
-@@ -36,7 +41,7 @@ def test_line(self):
-         lineno = f.f_lineno - 1  # -1 here since we called with frame f in the line above
-         output = sys.stdout.getvalue()
-         assert "%s:%i" % (__name__, lineno) in output, "Didn't find line %i in %s" % (lineno, output)
--        assert "f=<frame object at" in output
-+        assert frame_str in output
- 
-     def test_line_nofile(self):
-         sys.stdout = six.StringIO()
-@@ -51,6 +56,11 @@ def test_line_nofile(self):
-         assert "VM instruction #" in output, output
- 
-     def test_line_global(self):
-+        if sys.version_info >= (3, 7):
-+            frame_str = "f=<frame at"
-+        else:
-+            frame_str = "f=<frame object at"
-+
-         global GLOBAL_VAR
-         sys.stdout = six.StringIO()
-         GLOBAL_VAR = debug.Spew()
-@@ -59,7 +69,7 @@ def test_line_global(self):
-         lineno = f.f_lineno - 1  # -1 here since we called with frame f in the line above
-         output = sys.stdout.getvalue()
-         assert "%s:%i" % (__name__, lineno) in output, "Didn't find line %i in %s" % (lineno, output)
--        assert "f=<frame object at" in output
-+        assert frame_str in output
-         assert "GLOBAL_VAR" in f.f_globals
-         assert "GLOBAL_VAR=<eventlet.debug.Spew object at" in output
-         del GLOBAL_VAR
-diff --git a/tests/hub_test.py b/tests/hub_test.py
-index 61b5b0b9..024f7a52 100644
---- a/tests/hub_test.py
-+++ b/tests/hub_test.py
-@@ -400,4 +400,6 @@ def fail_import(name, *args, **kwargs):
- '''
-         self.write_to_tempfile('newmod', module_source)
-         output, _ = self.launch_subprocess('newmod.py')
--        self.assertEqual(output, 'kqueue tried\nok\n')
-+        # Should be equal, but this will do until
-+        # the imp deprecation warning is fixed.
-+        self.assertTrue(output.endswith('kqueue tried\nok\n'))