From e402b2417a0546548772eb5e2ae69fc1f254f69c Mon Sep 17 00:00:00 2001 From: Jiaying Song Date: Wed, 4 Dec 2024 17:28:01 +0800 Subject: python3-requests: fix CVE-2024-35195 Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0. References: https://nvd.nist.gov/vuln/detail/CVE-2024-35195 Upstream patches: https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac (From OE-Core rev: 8bc8d316a6e8ac08b4eb2b9e2ec30b1f2309c31c) Signed-off-by: Jiaying Song Signed-off-by: Steve Sakoman --- .../python/python3-requests/CVE-2024-35195.patch | 121 +++++++++++++++++++++ .../python/python3-requests_2.27.1.bb | 4 +- 2 files changed, 124 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch diff --git a/meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch b/meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch new file mode 100644 index 0000000000..4e2605b922 --- /dev/null +++ b/meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch @@ -0,0 +1,121 @@ +From 5bedf76da0f76ab2d489972055a5d62066013427 Mon Sep 17 00:00:00 2001 +From: Ian Stapleton Cordasco +Date: Sun, 3 Mar 2024 07:00:49 -0600 +Subject: [PATCH] Use TLS settings in selecting connection pool + +Previously, if someone made a request with `verify=False` then made a +request where they expected verification to be enabled to the same host, +they would potentially reuse a connection where TLS had not been +verified. + +This fixes that issue. + +Upstream-Status: Backport +[https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac] + +CVE: CVE-2024-35195 + +Signed-off-by: Jiaying Song +--- + requests/adapters.py | 58 +++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 57 insertions(+), 1 deletion(-) + +diff --git a/requests/adapters.py b/requests/adapters.py +index fe22ff4..7ff6998 100644 +--- a/requests/adapters.py ++++ b/requests/adapters.py +@@ -10,6 +10,7 @@ and maintain connections. + + import os.path + import socket ++import typing + + from urllib3.poolmanager import PoolManager, proxy_from_url + from urllib3.response import HTTPResponse +@@ -47,12 +48,38 @@ except ImportError: + def SOCKSProxyManager(*args, **kwargs): + raise InvalidSchema("Missing dependencies for SOCKS support.") + ++if typing.TYPE_CHECKING: ++ from .models import PreparedRequest ++ ++ + DEFAULT_POOLBLOCK = False + DEFAULT_POOLSIZE = 10 + DEFAULT_RETRIES = 0 + DEFAULT_POOL_TIMEOUT = None + + ++def _urllib3_request_context( ++ request: "PreparedRequest", verify: "bool | str | None" ++) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])": ++ host_params = {} ++ pool_kwargs = {} ++ parsed_request_url = urlparse(request.url) ++ scheme = parsed_request_url.scheme.lower() ++ port = parsed_request_url.port ++ cert_reqs = "CERT_REQUIRED" ++ if verify is False: ++ cert_reqs = "CERT_NONE" ++ if isinstance(verify, str): ++ pool_kwargs["ca_certs"] = verify ++ pool_kwargs["cert_reqs"] = cert_reqs ++ host_params = { ++ "scheme": scheme, ++ "host": parsed_request_url.hostname, ++ "port": port, ++ } ++ return host_params, pool_kwargs ++ ++ + class BaseAdapter(object): + """The Base Transport Adapter""" + +@@ -290,6 +317,35 @@ class HTTPAdapter(BaseAdapter): + + return response + ++ def _get_connection(self, request, verify, proxies=None): ++ # Replace the existing get_connection without breaking things and ++ # ensure that TLS settings are considered when we interact with ++ # urllib3 HTTP Pools ++ proxy = select_proxy(request.url, proxies) ++ try: ++ host_params, pool_kwargs = _urllib3_request_context(request, verify) ++ except ValueError as e: ++ raise InvalidURL(e, request=request) ++ if proxy: ++ proxy = prepend_scheme_if_needed(proxy, "http") ++ proxy_url = parse_url(proxy) ++ if not proxy_url.host: ++ raise InvalidProxyURL( ++ "Please check proxy URL. It is malformed " ++ "and could be missing the host." ++ ) ++ proxy_manager = self.proxy_manager_for(proxy) ++ conn = proxy_manager.connection_from_host( ++ **host_params, pool_kwargs=pool_kwargs ++ ) ++ else: ++ # Only scheme should be lower case ++ conn = self.poolmanager.connection_from_host( ++ **host_params, pool_kwargs=pool_kwargs ++ ) ++ ++ return conn ++ + def get_connection(self, url, proxies=None): + """Returns a urllib3 connection for the given URL. This should not be + called from user code, and is only exposed for use when subclassing the +@@ -410,7 +466,7 @@ class HTTPAdapter(BaseAdapter): + """ + + try: +- conn = self.get_connection(request.url, proxies) ++ conn = self._get_connection(request, verify, proxies) + except LocationValueError as e: + raise InvalidURL(e, request=request) + +-- +2.25.1 + diff --git a/meta/recipes-devtools/python/python3-requests_2.27.1.bb b/meta/recipes-devtools/python/python3-requests_2.27.1.bb index 635a6af31f..689a1dffb7 100644 --- a/meta/recipes-devtools/python/python3-requests_2.27.1.bb +++ b/meta/recipes-devtools/python/python3-requests_2.27.1.bb @@ -3,7 +3,9 @@ HOMEPAGE = "http://python-requests.org" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=34400b68072d710fecd0a2940a0d1658" -SRC_URI += "file://CVE-2023-32681.patch" +SRC_URI += "file://CVE-2023-32681.patch \ + file://CVE-2024-35195.patch \ + " SRC_URI[sha256sum] = "68d7c56fd5a8999887728ef304a6d12edc7be74f1cfa47714fc8b414525c9a61" -- cgit v1.2.3-54-g00ecf