diff mbox series

[kirkstone] python3-requests: fix CVE-2024-35195

Message ID 20241204084850.3040057-1-jiaying.song.cn@windriver.com
State Accepted, archived
Commit 8bc8d316a6e8ac08b4eb2b9e2ec30b1f2309c31c
Delegated to: Steve Sakoman
Headers show
Series [kirkstone] python3-requests: fix CVE-2024-35195 | expand

Commit Message

Song, Jiaying (CN) Dec. 4, 2024, 8:48 a.m. UTC 
From: Jiaying Song <jiaying.song.cn@windriver.com>

Requests is a HTTP library. Prior to 2.32.0, when making requests
through a Requests `Session`, if the first request is made with
`verify=False` to disable cert verification, all subsequent requests to
the same host will continue to ignore cert verification regardless of
changes to the value of `verify`. This behavior will continue for the
lifecycle of the connection in the connection pool. This vulnerability
is fixed in 2.32.0.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-35195

Upstream patches:
https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
---
 ...-python3-requests-fix-CVE-2024-35195.patch | 171 ++++++++++++++++++
 .../python3-requests/CVE-2024-35195.patch     |  22 +--
 2 files changed, 182 insertions(+), 11 deletions(-)
 create mode 100644 meta/recipes-devtools/python/0001-python3-requests-fix-CVE-2024-35195.patch

Comments

patchtest@automation.yoctoproject.org Dec. 4, 2024, 8:01 a.m. UTC | #1 
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch /home/patchtest/share/mboxes/kirkstone-python3-requests-fix-CVE-2024-35195.patch

FAIL: test Upstream-Status presence: Added patch file is missing Upstream-Status: <Valid status> in the commit message (test_patch.TestPatch.test_upstream_status_presence_format)

PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)

SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: pretest src uri left files: No modified recipes, skipping pretest (test_metadata.TestMetadata.pretest_src_uri_left_files)
SKIP: test CVE check ignore: No modified recipes or older target branch, skipping test (test_metadata.TestMetadata.test_cve_check_ignore)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum modified not mentioned: No modified recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test src uri left files: No modified recipes, skipping pretest (test_metadata.TestMetadata.test_src_uri_left_files)
SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!
diff mbox series

Patch

diff --git a/meta/recipes-devtools/python/0001-python3-requests-fix-CVE-2024-35195.patch b/meta/recipes-devtools/python/0001-python3-requests-fix-CVE-2024-35195.patch
new file mode 100644
index 0000000000..e1654858c4
--- /dev/null
+++ b/meta/recipes-devtools/python/0001-python3-requests-fix-CVE-2024-35195.patch
@@ -0,0 +1,171 @@ 
+From 18792aaa0476efa64e88c7c45d627ae3cb28d0bc Mon Sep 17 00:00:00 2001
+From: Jiaying Song <jiaying.song.cn@windriver.com>
+Date: Tue, 3 Dec 2024 11:21:37 +0800
+Subject: [PATCH] python3-requests: fix CVE-2024-35195
+
+Requests is a HTTP library. Prior to 2.32.0, when making requests
+through a Requests `Session`, if the first request is made with
+`verify=False` to disable cert verification, all subsequent requests to
+the same host will continue to ignore cert verification regardless of
+changes to the value of `verify`. This behavior will continue for the
+lifecycle of the connection in the connection pool. This vulnerability
+is fixed in 2.32.0.
+
+References:
+https://nvd.nist.gov/vuln/detail/CVE-2024-35195
+
+Upstream patches:
+https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac
+
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ .../python3-requests/CVE-2024-35195.patch     | 121 ++++++++++++++++++
+ .../python/python3-requests_2.27.1.bb         |   4 +-
+ 2 files changed, 124 insertions(+), 1 deletion(-)
+ create mode 100644 meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch
+
+diff --git a/meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch b/meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch
+new file mode 100644
+index 0000000000..be74ce60f3
+--- /dev/null
++++ b/meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch
+@@ -0,0 +1,121 @@
++From d3718bf834660e62649951e92970bda3e57740de Mon Sep 17 00:00:00 2001
++From: Ian Stapleton Cordasco <graffatcolmingov@gmail.com>
++Date: Sun, 3 Mar 2024 07:00:49 -0600
++Subject: [PATCH] Use TLS settings in selecting connection pool
++
++Previously, if someone made a request with `verify=False` then made a
++request where they expected verification to be enabled to the same host,
++they would potentially reuse a connection where TLS had not been
++verified.
++
++This fixes that issue.
++
++Upstream-Status: Backport
++[https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac]
++
++CVE: CVE-2024-35195
++
++Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
++---
++ requests/adapters.py | 58 +++++++++++++++++++++++++++++++++++++++++++-
++ 1 file changed, 57 insertions(+), 1 deletion(-)
++
++diff --git a/requests/adapters.py b/requests/adapters.py
++index d3b2d5b..0e5cf7c 100644
++--- a/requests/adapters.py
+++++ b/requests/adapters.py
++@@ -8,6 +8,7 @@ and maintain connections.
++ 
++ import os.path
++ import socket  # noqa: F401
+++import typing
++ 
++ from urllib3.exceptions import ClosedPoolError, ConnectTimeoutError
++ from urllib3.exceptions import HTTPError as _HTTPError
++@@ -62,12 +63,38 @@ except ImportError:
++         raise InvalidSchema("Missing dependencies for SOCKS support.")
++ 
++ 
+++if typing.TYPE_CHECKING:
+++    from .models import PreparedRequest
+++
+++
++ DEFAULT_POOLBLOCK = False
++ DEFAULT_POOLSIZE = 10
++ DEFAULT_RETRIES = 0
++ DEFAULT_POOL_TIMEOUT = None
++ 
++ 
+++def _urllib3_request_context(
+++    request: "PreparedRequest", verify: "bool | str | None"
+++) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])":
+++    host_params = {}
+++    pool_kwargs = {}
+++    parsed_request_url = urlparse(request.url)
+++    scheme = parsed_request_url.scheme.lower()
+++    port = parsed_request_url.port
+++    cert_reqs = "CERT_REQUIRED"
+++    if verify is False:
+++        cert_reqs = "CERT_NONE"
+++    if isinstance(verify, str):
+++        pool_kwargs["ca_certs"] = verify
+++    pool_kwargs["cert_reqs"] = cert_reqs
+++    host_params = {
+++        "scheme": scheme,
+++        "host": parsed_request_url.hostname,
+++        "port": port,
+++    }
+++    return host_params, pool_kwargs
+++
+++
++ class BaseAdapter:
++     """The Base Transport Adapter"""
++ 
++@@ -330,6 +357,35 @@ class HTTPAdapter(BaseAdapter):
++ 
++         return response
++ 
+++    def _get_connection(self, request, verify, proxies=None):
+++        # Replace the existing get_connection without breaking things and
+++        # ensure that TLS settings are considered when we interact with
+++        # urllib3 HTTP Pools
+++        proxy = select_proxy(request.url, proxies)
+++        try:
+++            host_params, pool_kwargs = _urllib3_request_context(request, verify)
+++        except ValueError as e:
+++            raise InvalidURL(e, request=request)
+++        if proxy:
+++            proxy = prepend_scheme_if_needed(proxy, "http")
+++            proxy_url = parse_url(proxy)
+++            if not proxy_url.host:
+++                raise InvalidProxyURL(
+++                    "Please check proxy URL. It is malformed "
+++                    "and could be missing the host."
+++                )
+++            proxy_manager = self.proxy_manager_for(proxy)
+++            conn = proxy_manager.connection_from_host(
+++                **host_params, pool_kwargs=pool_kwargs
+++            )
+++        else:
+++            # Only scheme should be lower case
+++            conn = self.poolmanager.connection_from_host(
+++                **host_params, pool_kwargs=pool_kwargs
+++            )
+++
+++        return conn
+++
++     def get_connection(self, url, proxies=None):
++         """Returns a urllib3 connection for the given URL. This should not be
++         called from user code, and is only exposed for use when subclassing the
++@@ -453,7 +509,7 @@ class HTTPAdapter(BaseAdapter):
++         """
++ 
++         try:
++-            conn = self.get_connection(request.url, proxies)
+++            conn = self._get_connection(request, verify, proxies)
++         except LocationValueError as e:
++             raise InvalidURL(e, request=request)
++ 
++-- 
++2.25.1
++
+diff --git a/meta/recipes-devtools/python/python3-requests_2.27.1.bb b/meta/recipes-devtools/python/python3-requests_2.27.1.bb
+index 635a6af31f..689a1dffb7 100644
+--- a/meta/recipes-devtools/python/python3-requests_2.27.1.bb
++++ b/meta/recipes-devtools/python/python3-requests_2.27.1.bb
+@@ -3,7 +3,9 @@ HOMEPAGE = "http://python-requests.org"
+ LICENSE = "Apache-2.0"
+ LIC_FILES_CHKSUM = "file://LICENSE;md5=34400b68072d710fecd0a2940a0d1658"
+ 
+-SRC_URI += "file://CVE-2023-32681.patch"
++SRC_URI += "file://CVE-2023-32681.patch \
++            file://CVE-2024-35195.patch \
++           "
+ 
+ SRC_URI[sha256sum] = "68d7c56fd5a8999887728ef304a6d12edc7be74f1cfa47714fc8b414525c9a61"
+ 
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch b/meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch
index be74ce60f3..4e2605b922 100644
--- a/meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch
+++ b/meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch
@@ -1,4 +1,4 @@ 
-From d3718bf834660e62649951e92970bda3e57740de Mon Sep 17 00:00:00 2001
+From 5bedf76da0f76ab2d489972055a5d62066013427 Mon Sep 17 00:00:00 2001
 From: Ian Stapleton Cordasco <graffatcolmingov@gmail.com>
 Date: Sun, 3 Mar 2024 07:00:49 -0600
 Subject: [PATCH] Use TLS settings in selecting connection pool
@@ -21,21 +21,21 @@  Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
  1 file changed, 57 insertions(+), 1 deletion(-)
 
 diff --git a/requests/adapters.py b/requests/adapters.py
-index d3b2d5b..0e5cf7c 100644
+index fe22ff4..7ff6998 100644
 --- a/requests/adapters.py
 +++ b/requests/adapters.py
-@@ -8,6 +8,7 @@ and maintain connections.
+@@ -10,6 +10,7 @@ and maintain connections.
  
  import os.path
- import socket  # noqa: F401
+ import socket
 +import typing
  
- from urllib3.exceptions import ClosedPoolError, ConnectTimeoutError
- from urllib3.exceptions import HTTPError as _HTTPError
-@@ -62,12 +63,38 @@ except ImportError:
+ from urllib3.poolmanager import PoolManager, proxy_from_url
+ from urllib3.response import HTTPResponse
+@@ -47,12 +48,38 @@ except ImportError:
+     def SOCKSProxyManager(*args, **kwargs):
          raise InvalidSchema("Missing dependencies for SOCKS support.")
  
- 
 +if typing.TYPE_CHECKING:
 +    from .models import PreparedRequest
 +
@@ -68,10 +68,10 @@  index d3b2d5b..0e5cf7c 100644
 +    return host_params, pool_kwargs
 +
 +
- class BaseAdapter:
+ class BaseAdapter(object):
      """The Base Transport Adapter"""
  
-@@ -330,6 +357,35 @@ class HTTPAdapter(BaseAdapter):
+@@ -290,6 +317,35 @@ class HTTPAdapter(BaseAdapter):
  
          return response
  
@@ -107,7 +107,7 @@  index d3b2d5b..0e5cf7c 100644
      def get_connection(self, url, proxies=None):
          """Returns a urllib3 connection for the given URL. This should not be
          called from user code, and is only exposed for use when subclassing the
-@@ -453,7 +509,7 @@ class HTTPAdapter(BaseAdapter):
+@@ -410,7 +466,7 @@ class HTTPAdapter(BaseAdapter):
          """
  
          try: