Update python39 to version 3.9.21 / rev 71 via SR 1244103

https://build.opensuse.org/request/show/1244103 by user mcepl + anag+factory - Add CVE-2025-0938-sq-brackets-domain-names.patch which disallows square brackets ([ and ]) in domain names for parsed URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704)
bmwiedemann · Feb 7, 2025 · e408562 · e408562
1 parent df96e8a
commit e408562
Show file tree

Hide file tree

Showing 5 changed files with 172 additions and 23 deletions.
diff --git a/packages/p/python39/.files b/packages/p/python39/.files
diff --git a/packages/p/python39/.rev b/packages/p/python39/.rev
@@ -1335,4 +1335,15 @@
       deemed unfixable without a large amount of work unsuitable</comment>
     <requestid>1228377</requestid>
   </revision>
+  <revision rev="71" vrev="2">
+    <srcmd5>232506abe6c55b85dcb5329c43359030</srcmd5>
+    <version>3.9.21</version>
+    <time>1738966012</time>
+    <user>anag+factory</user>
+    <comment>- Add CVE-2025-0938-sq-brackets-domain-names.patch which
+  disallows square brackets ([ and ]) in domain names for parsed
+  URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704)
+</comment>
+    <requestid>1244103</requestid>
+  </revision>
 </revisionlist>
diff --git a/packages/p/python39/CVE-2025-0938-sq-brackets-domain-names.patch b/packages/p/python39/CVE-2025-0938-sq-brackets-domain-names.patch
@@ -0,0 +1,127 @@
+From d91e2c740890837edafaee24d68112b776cda9c5 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <[email protected]>
+Date: Fri, 31 Jan 2025 11:41:34 -0600
+Subject: [PATCH] gh-105704: Disallow square brackets (`[` and `]`) in domain
+ names for parsed URLs (GH-129418)
+
+* gh-105704: Disallow square brackets ( and ) in domain names for parsed URLs
+
+* Use Sphinx references
+
+Co-authored-by: Peter Bierma <[email protected]>
+
+* Add mismatched bracket test cases, fix news format
+
+* Add more test coverage for ports
+
+---------
+
+(cherry picked from commit d89a5f6a6e65511a5f6e0618c4c30a7aa5aba56a)
+
+Co-authored-by: Seth Michael Larson <[email protected]>
+Co-authored-by: Peter Bierma <[email protected]>
+---
+ Lib/test/test_urlparse.py                                                |   37 +++++++++-
+ Lib/urllib/parse.py                                                      |   20 ++++-
+ Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst |    4 +
+ 3 files changed, 58 insertions(+), 3 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
+
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -1146,16 +1146,51 @@ class UrlParseTestCase(unittest.TestCase
+         self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af::2309::fae7:1234]/Path?Query')
+         self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af:2309::fae7:1234:2342:438e:192.0.2.146]/Path?Query')
+         self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@]v6a.ip[/Path')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]/')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix/')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]?')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix?')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]/')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix/')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]?')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix?')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a1')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a1')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:1a')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:1a')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:/')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:?')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@prefix.[v6a.ip]')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@[v6a.ip].suffix')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip]')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip[')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip].suffix')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip[suffix')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip')
++        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[suffix')
+
+     def test_splitting_bracketed_hosts(self):
+-        p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]/path?query')
++        p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]:1234/path?query')
+         self.assertEqual(p1.hostname, 'v6a.ip')
+         self.assertEqual(p1.username, 'user')
+         self.assertEqual(p1.path, '/path')
++        self.assertEqual(p1.port, 1234)
+         p2 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7%test]/path?query')
+         self.assertEqual(p2.hostname, '0439:23af:2309::fae7%test')
+         self.assertEqual(p2.username, 'user')
+         self.assertEqual(p2.path, '/path')
++        self.assertIs(p2.port, None)
+         p3 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7:1234:192.0.2.146%test]/path?query')
+         self.assertEqual(p3.hostname, '0439:23af:2309::fae7:1234:192.0.2.146%test')
+         self.assertEqual(p3.username, 'user')
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -443,6 +443,23 @@ def _checknetloc(netloc):
+             raise ValueError("netloc '" + netloc + "' contains invalid " +
+                              "characters under NFKC normalization")
+
++def _check_bracketed_netloc(netloc):
++    # Note that this function must mirror the splitting
++    # done in NetlocResultMixins._hostinfo().
++    hostname_and_port = netloc.rpartition('@')[2]
++    before_bracket, have_open_br, bracketed = hostname_and_port.partition('[')
++    if have_open_br:
++        # No data is allowed before a bracket.
++        if before_bracket:
++            raise ValueError("Invalid IPv6 URL")
++        hostname, _, port = bracketed.partition(']')
++        # No data is allowed after the bracket but before the port delimiter.
++        if port and not port.startswith(":"):
++            raise ValueError("Invalid IPv6 URL")
++    else:
++        hostname, _, port = hostname_and_port.partition(':')
++    _check_bracketed_host(hostname)
++
+ # Valid bracketed hosts are defined in
+ # https://www.rfc-editor.org/rfc/rfc3986#page-49 and https://url.spec.whatwg.org/
+ def _check_bracketed_host(hostname):
+@@ -506,8 +523,7 @@ def urlsplit(url, scheme='', allow_fragm
+                 (']' in netloc and '[' not in netloc)):
+             raise ValueError("Invalid IPv6 URL")
+         if '[' in netloc and ']' in netloc:
+-            bracketed_host = netloc.partition('[')[2].partition(']')[0]
+-            _check_bracketed_host(bracketed_host)
++            _check_bracketed_netloc(netloc)
+     if allow_fragments and '#' in url:
+         url, fragment = url.split('#', 1)
+     if '?' in url:
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
+@@ -0,0 +1,4 @@
++When using :func:`urllib.parse.urlsplit` and :func:`urllib.parse.urlparse` host
++parsing would not reject domain names containing square brackets (``[`` and
++``]``). Square brackets are only valid for IPv6 and IPvFuture hosts according to
++`RFC 3986 Section 3.2.2 <https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2>`__.
diff --git a/packages/p/python39/python39.changes b/packages/p/python39/python39.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Feb  4 14:43:13 UTC 2025 - Matej Cepl <[email protected]>
+
+- Add CVE-2025-0938-sq-brackets-domain-names.patch which
+  disallows square brackets ([ and ]) in domain names for parsed
+  URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704)
+
 -------------------------------------------------------------------
 Wed Dec  4 19:51:41 UTC 2024 - Matej Cepl <[email protected]>
 

diff --git a/packages/p/python39/python39.spec b/packages/p/python39/python39.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package python39
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -194,6 +194,9 @@ Patch50:        gh120226-fix-sendfile-test-kernel-610.patch
 # PATCH-FIX-UPSTREAM sphinx-802.patch [email protected]
 # status_iterator method moved between the Sphinx versions
 Patch51:        sphinx-802.patch
+# PATCH-FIX-UPSTREAM CVE-2025-0938-sq-brackets-domain-names.patch bsc#1236705 [email protected]
+# functions `urllib.parse.urlsplit` and `urlparse` accept domain names including square brackets
+Patch52:        CVE-2025-0938-sq-brackets-domain-names.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@@ -433,39 +436,40 @@ other applications.
 %prep
 %setup -q -n %{tarname}
 
-%patch -P 02 -p1
-%patch -P 06 -p1
-%patch -P 07 -p1
-%patch -P 08 -p1
-%patch -P 09 -p1
-%patch -P 15 -p1
-%patch -P 25 -p1
-%patch -P 29 -p1
-%patch -P 32 -p1
+%patch -p1 -P 02
+%patch -p1 -P 06
+%patch -p1 -P 07
+%patch -p1 -P 08
+%patch -p1 -P 09
+%patch -p1 -P 15
+%patch -p1 -P 25
+%patch -p1 -P 29
+%patch -p1 -P 32
 
 %if 0%{?sle_version}
-%patch -P 33 -p1
-%patch -P 34 -p1
+%patch -p1 -P 33
+%patch -p1 -P 34
 %endif
 %if %{with mpdecimal}
-%patch -P 35 -p1
+%patch -p1 -P 35
 %endif
 
-%patch -P 40 -p1
-%patch -P 41 -p1
-%patch -P 42 -p1
-%patch -P 43 -p1
-%patch -P 44 -p1
-%patch -P 45 -p1
+%patch -p1 -P 40
+%patch -p1 -P 41
+%patch -p1 -P 42
+%patch -p1 -P 43
+%patch -p1 -P 44
+%patch -p1 -P 45
 
 %if 0%{?sle_version} && 0%{?sle_version} <= 150500
 %patch -p1 -P 46
 %endif
 
-%patch -P 47 -p1
-%patch -P 48 -p1
-%patch -P 50 -p1
-%patch -P 51 -p1
+%patch -p1 -P 47
+%patch -p1 -P 48
+%patch -p1 -P 50
+%patch -p1 -P 51
+%patch -p1 -P 52
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac