!154 fix CVE-2015-20107

From: @tong_1001 Reviewed-by: @xiezhipeng1 Signed-off-by: @xiezhipeng1
2022-05-16 07:30:00 +00:00 · 2022-05-16 07:30:00 +00:00 · 2c3b23f8a8
commit 2c3b23f8a8
parent d51e8fcf67 ecb6eabcc0
2 changed files with 52 additions and 1 deletions
--- a/openEuler-CVE-2015-20107.patch
+++ b/openEuler-CVE-2015-20107.patch
@ -0,0 +1,43 @@
+From c7c5f7f272659981f4c6bbfa212257945c86d17c Mon Sep 17 00:00:00 2001
+From: shixuantong <shixuantong@h-partners.com>
+Date: Sat, 14 May 2022 16:50:02 +0800
+Subject: [PATCH] fix CVE-2015-20107
+
+---
+ Lib/mailcap.py | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/Lib/mailcap.py b/Lib/mailcap.py
+index bd0fc09..1ad3dd5 100644
+--- a/Lib/mailcap.py
+++ b/Lib/mailcap.py
+@@ -2,6 +2,7 @@
+ 
+ import os
+ import warnings
+from shlex import quote
+ 
+ __all__ = ["getcaps","findmatch"]
+ 
+@@ -203,8 +204,6 @@ def subst(field, MIMEtype, filename, plist=[]):
+             c = field[i]; i = i+1
+             if c == '%':
+                 res = res + c
+-            elif c == 's':
+-                res = res + filename
+             elif c == 't':
+                 res = res + MIMEtype
+             elif c == '{':
+@@ -219,6 +218,9 @@ def subst(field, MIMEtype, filename, plist=[]):
+             # %F == list of alternating type and filename for parts
+             else:
+                 res = res + '%' + c
+    res = res.replace("'%s'", quote(filename))
+    res = res.replace('"%s"',quote(filename))
+    res = res.replace('%s',quote(filename))
+     return res
+ 
+ def findparam(name, plist):
+-- 
+1.8.3.1
+
--- a/python3.spec
+++ b/python3.spec
@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/

 Version: 3.10.2
-Release: 1
+Release: 2
 License: Python

 %global branchversion 3.10
@ -90,6 +90,7 @@ Patch251: 00251-change-user-install-location.patch
 Patch6000:  backport-bpo-46811-Make-test-suite-support-Expat-2.4.5.patch

 Patch9000:  add-the-sm3-method-for-obtaining-the-salt-value.patch
+Patch9001:  openEuler-CVE-2015-20107.patch

 Provides: python%{branchversion} = %{version}-%{release}
 Provides: python(abi) = %{branchversion}
@ -177,6 +178,7 @@ rm configure pyconfig.h.in
 %patch6000 -p1

 %patch9000 -p1
+%patch9001 -p1

 %build
 autoconf
@ -793,6 +795,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*

 %changelog
+* Mon May 16 2022 shixuantong <shixuantong@h-partners.com> - 3.10.2-2
+- Type:CVE
+- CVE:CVE-2015-20107
+- SUG:NA
+- DESC:fix CVE-2015-20107
+
 * Wed Mar 09 2022 shixuantong <shixuantong@h-partners.com> - 3.10.2-1
 - Type:enhancement
 - CVE:NA