Merge branch 'main' into 2.0

Author: jslobodzian

SPECS/python3/CVE-2024-0397.patch

@@ -0,0 +1,174 @@
+From 732c7d512e7cdf656a3f02a38c329b14a14a8573 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Fri, 19 Apr 2024 11:21:40 -0700
+Subject: [PATCH] [3.9] gh-114572: Fix locking in cert_store_stats and
+ get_ca_certs
+
+---
+ ...-04-19-11-21-13.gh-issue-114572.t1QMQD.rst |  4 +
+ Modules/_ssl.c                                | 91 ++++++++++++++++++-
+ 2 files changed, 92 insertions(+), 3 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2024-04-19-11-21-13.gh-issue-114572.t1QMQD.rst
+
+diff --git a/Misc/NEWS.d/next/Security/2024-04-19-11-21-13.gh-issue-114572.t1QMQD.rst b/Misc/NEWS.d/next/Security/2024-04-19-11-21-13.gh-issue-114572.t1QMQD.rst
+new file mode 100644
+index 00000000000000..b4f9fe64db0615
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2024-04-19-11-21-13.gh-issue-114572.t1QMQD.rst
+@@ -0,0 +1,4 @@
++:meth:`ssl.SSLContext.cert_store_stats` and
++:meth:`ssl.SSLContext.get_ca_certs` now correctly lock access to the
++certificate store, when the :class:`ssl.SSLContext` is shared across
++multiple threads.
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index 3f95d3e10374d8..5e0be34d6f3fe3 100644
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -166,6 +166,10 @@ extern const SSL_METHOD *TLSv1_2_method(void);
+ #  define PY_OPENSSL_1_1_API 1
+ #endif
+ 
++#if (OPENSSL_VERSION_NUMBER >= 0x30300000L) && !defined(LIBRESSL_VERSION_NUMBER)
++#  define OPENSSL_VERSION_3_3 1
++#endif
++
+ /* SNI support (client- and server-side) appeared in OpenSSL 1.0.0 and 0.9.8f
+  * This includes the SSL_set_SSL_CTX() function.
+  */
+@@ -210,6 +214,16 @@ extern const SSL_METHOD *TLSv1_2_method(void);
+ #define HAVE_OPENSSL_CRYPTO_LOCK
+ #endif
+ 
++/* OpenSSL 1.1+ allows locking X509_STORE, 1.0.2 doesn't. */
++#ifdef OPENSSL_VERSION_1_1
++#define HAVE_OPENSSL_X509_STORE_LOCK
++#endif
++
++/* OpenSSL 3.3 added the X509_STORE_get1_objects API */
++#ifdef OPENSSL_VERSION_3_3
++#define HAVE_OPENSSL_X509_STORE_GET1_OBJECTS 1
++#endif
++
+ #if defined(OPENSSL_VERSION_1_1) && !defined(OPENSSL_NO_SSL2)
+ #define OPENSSL_NO_SSL2
+ #endif
+@@ -4675,6 +4689,54 @@ set_sni_callback(PySSLContext *self, PyObject *arg, void *c)
+ #endif
+ }
+ 
++/* Shim of X509_STORE_get1_objects API from OpenSSL 3.3
++ * Only available with the X509_STORE_lock() API */
++#if defined(HAVE_OPENSSL_X509_STORE_LOCK) && !defined(OPENSSL_VERSION_3_3)
++#define HAVE_OPENSSL_X509_STORE_GET1_OBJECTS 1
++
++static X509_OBJECT *x509_object_dup(const X509_OBJECT *obj)
++{
++    int ok;
++    X509_OBJECT *ret = X509_OBJECT_new();
++    if (ret == NULL) {
++        return NULL;
++    }
++    switch (X509_OBJECT_get_type(obj)) {
++        case X509_LU_X509:
++            ok = X509_OBJECT_set1_X509(ret, X509_OBJECT_get0_X509(obj));
++            break;
++        case X509_LU_CRL:
++            /* X509_OBJECT_get0_X509_CRL was not const-correct prior to 3.0.*/
++            ok = X509_OBJECT_set1_X509_CRL(
++                ret, X509_OBJECT_get0_X509_CRL((X509_OBJECT *)obj));
++            break;
++        default:
++            /* We cannot duplicate unrecognized types in a polyfill, but it is
++             * safe to leave an empty object. The caller will ignore it. */
++            ok = 1;
++            break;
++    }
++    if (!ok) {
++        X509_OBJECT_free(ret);
++        return NULL;
++    }
++    return ret;
++}
++
++static STACK_OF(X509_OBJECT) *
++X509_STORE_get1_objects(X509_STORE *store)
++{
++    STACK_OF(X509_OBJECT) *ret;
++    if (!X509_STORE_lock(store)) {
++        return NULL;
++    }
++    ret = sk_X509_OBJECT_deep_copy(X509_STORE_get0_objects(store),
++                                   x509_object_dup, X509_OBJECT_free);
++    X509_STORE_unlock(store);
++    return ret;
++}
++#endif
++
+ PyDoc_STRVAR(PySSLContext_sni_callback_doc,
+ "Set a callback that will be called when a server name is provided by the SSL/TLS client in the SNI extension.\n\
+ \n\
+@@ -4704,7 +4766,15 @@ _ssl__SSLContext_cert_store_stats_impl(PySSLContext *self)
+     int x509 = 0, crl = 0, ca = 0, i;
+ 
+     store = SSL_CTX_get_cert_store(self->ctx);
++#if HAVE_OPENSSL_X509_STORE_GET1_OBJECTS
++    objs = X509_STORE_get1_objects(store);
++    if (objs == NULL) {
++        PyErr_SetString(PyExc_MemoryError, "failed to query cert store");
++        return NULL;
++    }
++#else
+     objs = X509_STORE_get0_objects(store);
++#endif
+     for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+         obj = sk_X509_OBJECT_value(objs, i);
+         switch (X509_OBJECT_get_type(obj)) {
+@@ -4718,12 +4788,13 @@ _ssl__SSLContext_cert_store_stats_impl(PySSLContext *self)
+                 crl++;
+                 break;
+             default:
+-                /* Ignore X509_LU_FAIL, X509_LU_RETRY, X509_LU_PKEY.
+-                 * As far as I can tell they are internal states and never
+-                 * stored in a cert store */
++                /* Ignore unrecognized types. */
+                 break;
+         }
+     }
++#if HAVE_OPENSSL_X509_STORE_GET1_OBJECTS
++    sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
++#endif
+     return Py_BuildValue("{sisisi}", "x509", x509, "crl", crl,
+         "x509_ca", ca);
+ }
+@@ -4755,7 +4826,15 @@ _ssl__SSLContext_get_ca_certs_impl(PySSLContext *self, int binary_form)
+     }
+ 
+     store = SSL_CTX_get_cert_store(self->ctx);
++#if HAVE_OPENSSL_X509_STORE_GET1_OBJECTS
++    objs = X509_STORE_get1_objects(store);
++    if (objs == NULL) {
++        PyErr_SetString(PyExc_MemoryError, "failed to query cert store");
++        return NULL;
++    }
++#else
+     objs = X509_STORE_get0_objects(store);
++#endif
+     for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+         X509_OBJECT *obj;
+         X509 *cert;
+@@ -4783,9 +4862,15 @@ _ssl__SSLContext_get_ca_certs_impl(PySSLContext *self, int binary_form)
+         }
+         Py_CLEAR(ci);
+     }
++#if HAVE_OPENSSL_X509_STORE_GET1_OBJECTS
++    sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
++#endif
+     return rlist;
+ 
+   error:
++#if HAVE_OPENSSL_X509_STORE_GET1_OBJECTS
++    sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
++#endif
+     Py_XDECREF(ci);
+     Py_XDECREF(rlist);
+     return NULL;

SPECS/python3/python3.spec

@@ -12,7 +12,7 @@
 Summary:        A high-level scripting language
 Name:           python3
 Version:        3.9.19
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        PSF
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -22,6 +22,7 @@ Source0:        https://www.python.org/ftp/python/%{version}/Python-%{version}.t
 Patch0:         cgi3.patch
 # Backport https://github.com/python/cpython/commit/069fefdaf42490f1e00243614fb5f3d5d2614b81 from 3.10 to 3.9
 Patch1:         0001-gh-95231-Disable-md5-crypt-modules-if-FIPS-is-enable.patch
+Patch2:         CVE-2024-0397.patch
 # Patch for setuptools, resolved in 65.5.1
 Patch1000:      CVE-2022-40897.patch
 Patch1001:      CVE-2024-6345.patch
@@ -161,6 +162,7 @@ The test package contains all regression tests for Python as well as the modules
 # We use the CI to validate the toolchain manifests, which means we need to parse this .spec file
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 %build
 # Remove GCC specs and build environment linker scripts
@@ -316,6 +318,9 @@ rm -rf %{buildroot}%{_bindir}/__pycache__
 %{_libdir}/python%{majmin}/test/*
 
 %changelog
+* Tue Jul 23 2024 Rohit Rawat <rohitrawat@microsoft.com> - 3.9.19-3
+- Patch for CVE-2024-0397
+
 * Mon Jul 22 2024 Sindhu Karri <lakarri@microsoft.com> - 3.9.19-2
 - Patch for CVE-2024-6345
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-17.cm2.noarch.rpm
 ca-certificates-2.0.0-17.cm2.noarch.rpm
 dwz-0.14-2.cm2.aarch64.rpm
 unzip-6.0-20.cm2.aarch64.rpm
-python3-3.9.19-2.cm2.aarch64.rpm
-python3-devel-3.9.19-2.cm2.aarch64.rpm
-python3-libs-3.9.19-2.cm2.aarch64.rpm
-python3-setuptools-3.9.19-2.cm2.noarch.rpm
+python3-3.9.19-3.cm2.aarch64.rpm
+python3-devel-3.9.19-3.cm2.aarch64.rpm
+python3-libs-3.9.19-3.cm2.aarch64.rpm
+python3-setuptools-3.9.19-3.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 which-2.21-8.cm2.aarch64.rpm
 libselinux-3.2-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -237,10 +237,10 @@ ca-certificates-base-2.0.0-17.cm2.noarch.rpm
 ca-certificates-2.0.0-17.cm2.noarch.rpm
 dwz-0.14-2.cm2.x86_64.rpm
 unzip-6.0-20.cm2.x86_64.rpm
-python3-3.9.19-2.cm2.x86_64.rpm
-python3-devel-3.9.19-2.cm2.x86_64.rpm
-python3-libs-3.9.19-2.cm2.x86_64.rpm
-python3-setuptools-3.9.19-2.cm2.noarch.rpm
+python3-3.9.19-3.cm2.x86_64.rpm
+python3-devel-3.9.19-3.cm2.x86_64.rpm
+python3-libs-3.9.19-3.cm2.x86_64.rpm
+python3-setuptools-3.9.19-3.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 which-2.21-8.cm2.x86_64.rpm
 libselinux-3.2-1.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -510,28 +510,28 @@ procps-ng-devel-3.3.17-2.cm2.aarch64.rpm
 procps-ng-lang-3.3.17-2.cm2.aarch64.rpm
 pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.aarch64.rpm
-python3-3.9.19-2.cm2.aarch64.rpm
+python3-3.9.19-3.cm2.aarch64.rpm
 python3-audit-3.0.6-8.cm2.aarch64.rpm
 python3-cracklib-2.9.7-5.cm2.aarch64.rpm
-python3-curses-3.9.19-2.cm2.aarch64.rpm
+python3-curses-3.9.19-3.cm2.aarch64.rpm
 python3-Cython-0.29.33-2.cm2.aarch64.rpm
-python3-debuginfo-3.9.19-2.cm2.aarch64.rpm
-python3-devel-3.9.19-2.cm2.aarch64.rpm
+python3-debuginfo-3.9.19-3.cm2.aarch64.rpm
+python3-devel-3.9.19-3.cm2.aarch64.rpm
 python3-gpg-1.16.0-2.cm2.aarch64.rpm
 python3-jinja2-3.0.3-4.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm
-python3-libs-3.9.19-2.cm2.aarch64.rpm
+python3-libs-3.9.19-3.cm2.aarch64.rpm
 python3-libxml2-2.10.4-3.cm2.aarch64.rpm
 python3-lxml-4.9.1-1.cm2.aarch64.rpm
 python3-magic-5.40-2.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.aarch64.rpm
 python3-newt-0.52.21-5.cm2.aarch64.rpm
-python3-pip-3.9.19-2.cm2.noarch.rpm
+python3-pip-3.9.19-3.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.18.0-4.cm2.aarch64.rpm
-python3-setuptools-3.9.19-2.cm2.noarch.rpm
-python3-test-3.9.19-2.cm2.aarch64.rpm
-python3-tools-3.9.19-2.cm2.aarch64.rpm
+python3-setuptools-3.9.19-3.cm2.noarch.rpm
+python3-test-3.9.19-3.cm2.aarch64.rpm
+python3-tools-3.9.19-3.cm2.aarch64.rpm
 readline-8.1-1.cm2.aarch64.rpm
 readline-debuginfo-8.1-1.cm2.aarch64.rpm
 readline-devel-8.1-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -516,28 +516,28 @@ procps-ng-devel-3.3.17-2.cm2.x86_64.rpm
 procps-ng-lang-3.3.17-2.cm2.x86_64.rpm
 pyproject-rpm-macros-1.0.0~rc1-4.cm2.noarch.rpm
 python-markupsafe-debuginfo-2.1.0-1.cm2.x86_64.rpm
-python3-3.9.19-2.cm2.x86_64.rpm
+python3-3.9.19-3.cm2.x86_64.rpm
 python3-audit-3.0.6-8.cm2.x86_64.rpm
 python3-cracklib-2.9.7-5.cm2.x86_64.rpm
-python3-curses-3.9.19-2.cm2.x86_64.rpm
+python3-curses-3.9.19-3.cm2.x86_64.rpm
 python3-Cython-0.29.33-2.cm2.x86_64.rpm
-python3-debuginfo-3.9.19-2.cm2.x86_64.rpm
-python3-devel-3.9.19-2.cm2.x86_64.rpm
+python3-debuginfo-3.9.19-3.cm2.x86_64.rpm
+python3-devel-3.9.19-3.cm2.x86_64.rpm
 python3-gpg-1.16.0-2.cm2.x86_64.rpm
 python3-jinja2-3.0.3-4.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
-python3-libs-3.9.19-2.cm2.x86_64.rpm
+python3-libs-3.9.19-3.cm2.x86_64.rpm
 python3-libxml2-2.10.4-3.cm2.x86_64.rpm
 python3-lxml-4.9.1-1.cm2.x86_64.rpm
 python3-magic-5.40-2.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.x86_64.rpm
 python3-newt-0.52.21-5.cm2.x86_64.rpm
-python3-pip-3.9.19-2.cm2.noarch.rpm
+python3-pip-3.9.19-3.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
 python3-rpm-4.18.0-4.cm2.x86_64.rpm
-python3-setuptools-3.9.19-2.cm2.noarch.rpm
-python3-test-3.9.19-2.cm2.x86_64.rpm
-python3-tools-3.9.19-2.cm2.x86_64.rpm
+python3-setuptools-3.9.19-3.cm2.noarch.rpm
+python3-test-3.9.19-3.cm2.x86_64.rpm
+python3-tools-3.9.19-3.cm2.x86_64.rpm
 readline-8.1-1.cm2.x86_64.rpm
 readline-debuginfo-8.1-1.cm2.x86_64.rpm
 readline-devel-8.1-1.cm2.x86_64.rpm