diff --git a/backport-Add-check-of-performance-of-ipv6-check.patch b/backport-Add-check-of-performance-of-ipv6-check.patch
new file mode 100644
index 0000000..177697b
--- /dev/null
+++ b/backport-Add-check-of-performance-of-ipv6-check.patch
@@ -0,0 +1,28 @@
+From e514826eea15f2b62bbc13da407b71552ef5ff4c Mon Sep 17 00:00:00 2001
+From: Jonathan Huot
+Date: Fri, 2 Sep 2022 23:22:17 +0200
+Subject: [PATCH] Add check of performance of ipv6 check
+
+---
+ tests/test_uri_validate.py | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/tests/test_uri_validate.py b/tests/test_uri_validate.py
+index 3489d95..1ef8b1f 100644
+--- a/tests/test_uri_validate.py
++++ b/tests/test_uri_validate.py
+@@ -31,3 +31,11 @@ class UriValidateTest(TestCase):
+ self.assertIsNone(is_absolute_uri('wrong'))
+ self.assertIsNone(is_absolute_uri('http://[:1]:38432/path'))
+ self.assertIsNone(is_absolute_uri('http://[abcd:efgh::1]/'))
++
++ def test_recursive_regex(self):
++ from datetime import datetime
++ t0 = datetime.now()
++ self.assertIsNone(is_absolute_uri('http://[::::::::::::::::::::::::::]/path'))
++ t1 = datetime.now()
++ spent = t1 - t0
++ self.assertGreater(0.1, spent.total_seconds(), "possible recursive loop detected")
+--
+2.33.0
+
diff --git a/backport-CVE-2022-36087.patch b/backport-CVE-2022-36087.patch
new file mode 100644
index 0000000..c8c5ceb
--- /dev/null
+++ b/backport-CVE-2022-36087.patch
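Review bot: `test_recursive_regex` times the regex with `datetime.now()`, a wall clock that can step under NTP or DST adjustment, so the 0.1 s budget can fail or pass for reasons unrelated to the pattern; `time.perf_counter()` is the monotonic clock meant for elapsed time, so replace the local `from datetime import datetime` with `import time` and use `t0 = time.perf_counter()` followed by `self.assertLess(time.perf_counter() - t0, 0.1, "possible recursive loop detected")`. The same timing code is carried unchanged into backport-CVE-2022-36087.patch in the next hunk, so both copies need the change. A fixed 0.1 s budget is also load-sensitive on a shared builder; since the pattern this test is meant to catch (the nested-quantifier `IPv6address` removed by the second patch) takes far longer than that on this input, a budget of about one second would still separate the two behaviours while leaving headroom against flakiness.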
@@ -0,0 +1,115 @@
+From 5d85c61998692643dd9d17e05d2646e06ce391e8 Mon Sep 17 00:00:00 2001
+From: Jonathan Huot
+Date: Tue, 6 Sep 2022 21:56:40 +0200
+Subject: [PATCH] Fix IPV6 regex used to check redirect_uri
+
+---
+ oauthlib/uri_validate.py | 2 +-
+ tests/test_uri_validate.py | 51 +++++++++++++++++++++++++++++++++++---
+ 2 files changed, 48 insertions(+), 5 deletions(-)
+
+diff --git a/oauthlib/uri_validate.py b/oauthlib/uri_validate.py
+index 8a6d9c2..a6fe0fb 100644
+--- a/oauthlib/uri_validate.py
++++ b/oauthlib/uri_validate.py
+@@ -66,7 +66,7 @@ IPv4address = r"%(dec_octet)s \. %(dec_octet)s \. %(dec_octet)s \. %(dec_octet)s
+ )
+
+ # IPv6address
+-IPv6address = r"([A-Fa-f0-9:]+:+)+[A-Fa-f0-9]+"
++IPv6address = r"([A-Fa-f0-9:]+[:$])[A-Fa-f0-9]{1,4}"
+
+ # IPvFuture = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
+ IPvFuture = r"v %(HEXDIG)s+ \. (?: %(unreserved)s | %(sub_delims)s | : )+" % locals()
+diff --git a/tests/test_uri_validate.py b/tests/test_uri_validate.py
+index 1ef8b1f..6a9f8ea 100644
+--- a/tests/test_uri_validate.py
++++ b/tests/test_uri_validate.py
+@@ -1,4 +1,4 @@
+-import oauthlib
++import unittest
+ from oauthlib.uri_validate import is_absolute_uri
+
+ from tests.unittest import TestCase
+@@ -7,7 +7,6 @@ from tests.unittest import TestCase
+ class UriValidateTest(TestCase):
+
+ def test_is_absolute_uri(self):
+-
+ self.assertIsNotNone(is_absolute_uri('schema://example.com/path'))
+ self.assertIsNotNone(is_absolute_uri('https://example.com/path'))
+ self.assertIsNotNone(is_absolute_uri('https://example.com'))
+@@ -17,16 +16,60 @@ class UriValidateTest(TestCase):
+ self.assertIsNotNone(is_absolute_uri('http://example.com'))
+ self.assertIsNotNone(is_absolute_uri('http://example.com/path'))
+ self.assertIsNotNone(is_absolute_uri('http://example.com:80/path'))
+- self.assertIsNotNone(is_absolute_uri('com.example.bundle.id:/'))
++
++ def test_query(self):
++ self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo'))
++ self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo=bar'))
++ self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo=bar&fruit=banana'))
++
++ def test_fragment_forbidden(self):
++ self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo'))
++ self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo=bar'))
++ self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo=bar&fruit=banana'))
++
++ def test_combined_forbidden(self):
++ self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo#bar'))
++ self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo&bar#fruit'))
++ self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo=1&bar#fruit=banana'))
++ self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo=1&bar=2#fruit=banana&bar=foo'))
++
++ def test_custom_scheme(self):
++ self.assertIsNotNone(is_absolute_uri('com.example.bundle.id://'))
++
++ def test_ipv6_bracket(self):
+ self.assertIsNotNone(is_absolute_uri('http://[::1]:38432/path'))
+ self.assertIsNotNone(is_absolute_uri('http://[::1]/path'))
+ self.assertIsNotNone(is_absolute_uri('http://[fd01:0001::1]/path'))
+ self.assertIsNotNone(is_absolute_uri('http://[fd01:1::1]/path'))
+ self.assertIsNotNone(is_absolute_uri('http://[0123:4567:89ab:cdef:0123:4567:89ab:cdef]/path'))
++ self.assertIsNotNone(is_absolute_uri('http://[0123:4567:89ab:cdef:0123:4567:89ab:cdef]:8080/path'))
++
++ @unittest.skip("ipv6 edge-cases not supported")
++ def test_ipv6_edge_cases(self):
++ self.assertIsNotNone(is_absolute_uri('http://2001:db8::'))
++ self.assertIsNotNone(is_absolute_uri('http://::1234:5678'))
++ self.assertIsNotNone(is_absolute_uri('http://2001:db8::1234:5678'))
++ self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:5555:6666:7777:8888'))
++ self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF'))
++ self.assertIsNotNone(is_absolute_uri('http://0123:4567:89ab:cdef:0123:4567:89ab:cdef/path'))
++ self.assertIsNotNone(is_absolute_uri('http://::'))
++ self.assertIsNotNone(is_absolute_uri('http://2001:0db8:0001:0000:0000:0ab9:C0A8:0102'))
++
++ @unittest.skip("ipv6 dual ipv4 not supported")
++ def test_ipv6_dual(self):
++ self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:5555:6666:1.2.3.4'))
++ self.assertIsNotNone(is_absolute_uri('http://::11.22.33.44'))
++ self.assertIsNotNone(is_absolute_uri('http://2001:db8::123.123.123.123'))
++ self.assertIsNotNone(is_absolute_uri('http://::1234:5678:91.123.4.56'))
++ self.assertIsNotNone(is_absolute_uri('http://::1234:5678:1.2.3.4'))
++ self.assertIsNotNone(is_absolute_uri('http://2001:db8::1234:5678:5.6.7.8'))
++
++ def test_ipv4(self):
+ self.assertIsNotNone(is_absolute_uri('http://127.0.0.1:38432/'))
+ self.assertIsNotNone(is_absolute_uri('http://127.0.0.1:38432/'))
+ self.assertIsNotNone(is_absolute_uri('http://127.1:38432/'))
+
++ def test_failures(self):
+ self.assertIsNone(is_absolute_uri('http://example.com:notaport/path'))
+ self.assertIsNone(is_absolute_uri('wrong'))
+ self.assertIsNone(is_absolute_uri('http://[:1]:38432/path'))
+@@ -35,7 +78,7 @@ class UriValidateTest(TestCase):
+ def test_recursive_regex(self):
+ from datetime import datetime
+ t0 = datetime.now()
+- self.assertIsNone(is_absolute_uri('http://[::::::::::::::::::::::::::]/path'))
++ is_absolute_uri('http://[::::::::::::::::::::::::::]/path')
+ t1 = datetime.now()
+ spent = t1 - t0
+ self.assertGreater(0.1, spent.total_seconds(), "possible recursive loop detected")
+--
+2.33.0
+
diff --git a/python-oauthlib.spec b/python-oauthlib.spec
index b25efd9..296aadf 100644
--- a/python-oauthlib.spec
+++ b/python-oauthlib.spec
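Review bot: In the replacement `IPv6address = r"([A-Fa-f0-9:]+[:$])[A-Fa-f0-9]{1,4}"` the `$` sits inside a character class, where it is a literal dollar sign rather than an end anchor, so the bracketed host literal now admits a `$` in the separator position; an anchor could never match before the closing `]` anyway, so `IPv6address = r"([A-Fa-f0-9:]+:)[A-Fa-f0-9]{1,4}"` states the intent without that side effect, and by my reading every bracket case in `test_ipv6_bracket` and `test_failures` still passes with it (worth confirming with the suite). The pattern is a shape check kept free of nested quantifiers rather than RFC 3986 IPv6address validation, as the two `@unittest.skip` tests acknowledge; a comment above it such as `# Shape check only, deliberately without nested quantifiers (CVE-2022-36087); not a full IPv6 validator` would keep a later maintainer from tightening it back into a backtracking-prone form. `test_is_absolute_uri` also drops the `'com.example.bundle.id:/'` assertion while the new `test_custom_scheme` covers only the `://` form; the single-slash form is a common native-app redirect shape, so if it still matches, keep an assertion for it rather than losing the coverage.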
@@ -1,11 +1,15 @@
 %global _empty_manifest_terminate_build 0
 Name: python-oauthlib
 Version: 3.2.0
-Release: 1
+Release: 2
 Summary: A generic, spec-compliant, thorough implementation of the OAuth request-signing logic
 License: BSD
 URL: https://github.com/oauthlib/oauthlib
 Source0: https://files.pythonhosted.org/packages/6e/7e/a43cec8b2df28b6494a865324f0ac4be213cb2edcf1e2a717547a93279b0/oauthlib-3.2.0.tar.gz
+
+Patch6000: backport-Add-check-of-performance-of-ipv6-check.patch
+Patch6001: backport-CVE-2022-36087.patch
+
 BuildArch: noarch
 %description
 AuthLib is a framework which implements the logic of OAuth1 or OAuth2
@@ -54,7 +58,7 @@ maintainer of such a library, write a thin veneer on top of OAuthLib and get OAuth support for very little effort.
 %prep
-%autosetup -n oauthlib-%{version}
+%autosetup -n oauthlib-%{version} -p1
 %build
 %py3_build
@@ -98,6 +102,12 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 %changelog
+* Mon Sep 26 2022 zhuofeng - 3.2.0-2
+- Type:CVE
+- CVE:CVE-2022-36087
+- SUG:NA
+- DESC:fix CVE-2022-36087
+
 * Tue Jul 05 2022 OpenStack_SIG - 3.2.0-1
 - Upgrade package python3-oauthlib to version 3.2.0