!23 [sync] PR-19: Update to 1.4.6 for fix CVE-2024-34083

From: @openeuler-sync-bot 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530
openeuler-ci-bot 2024-05-29 06:08:30 +00:00 committed by Gitee
commit ed1b81737a
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
9 changed files with 7 additions and 5093 deletions



@ -1,24 +0,0 @@
From b50563035ebf72502e25488367b46fccce5d6991 Mon Sep 17 00:00:00 2001
From: Pandu E POLUAN <pepoluan@gmail.com>
Date: Wed, 24 Mar 2021 11:03:53 +0700
Subject: [PATCH 3/4] URGENT: Fix RTD docs gen
---
aiosmtpd/docs/RTD-requirements.txt | 1 +
1 file changed, 1 insertion(+)
diff --git a/aiosmtpd/docs/RTD-requirements.txt b/aiosmtpd/docs/RTD-requirements.txt
index 42c1f7b..cfdaa48 100644
--- a/aiosmtpd/docs/RTD-requirements.txt
+++ b/aiosmtpd/docs/RTD-requirements.txt
@@ -4,6 +4,7 @@ sphinx-autofixture
sphinx_rtd_theme
# Required by Sphinx.autodoc
pytest>=6.0
+pytest-mock
# aiosmtpd deps
atpublic
--
2.32.0
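Review bot: The reason this backport can be dropped is not recorded anywhere in the commit; the commit message names only CVE-2024-34083, so state in the %changelog that the RTD docs patches (0003 and 0004) are removed because the 1.4.6 tree already carries the `pytest-mock` entry in `aiosmtpd/docs/RTD-requirements.txt`, and verify that against the new tarball before the docs build relies on it.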


@ -1,120 +0,0 @@
From 215b854447e2567bbc5e3665d9a648d7b1fa2c82 Mon Sep 17 00:00:00 2001
From: Pandu POLUAN <pepoluan@gmail.com>
Date: Wed, 24 Mar 2021 12:14:03 +0700
Subject: [PATCH 4/4] Make Sphinx/RTD deps SSOT
Previously we can accidentally forgot to sync between tox.ini, GA yml,
and RTD-requirements.txt.
Now tox.ini and GA yml actually refers to RTD-requirements.txt, so we
have achieved SSOT (Single Source Of Truth) for Sphinx/RTD deps.
---
.github/workflows/unit-testing-and-coverage.yml | 7 +++++--
aiosmtpd/docs/RTD-requirements.txt | 11 +++++++----
aiosmtpd/docs/conf.py | 7 ++++---
tox.ini | 11 +----------
4 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/unit-testing-and-coverage.yml b/.github/workflows/unit-testing-and-coverage.yml
index ebc2248..eb8daa1 100644
--- a/.github/workflows/unit-testing-and-coverage.yml
+++ b/.github/workflows/unit-testing-and-coverage.yml
@@ -37,6 +37,8 @@ jobs:
run: |
python -m pip install --upgrade pip setuptools wheel
python setup.py develop
+ # Common deps
+ pip install colorama
- name: "flake8 Style Checking"
shell: bash
# language=bash
@@ -48,12 +50,13 @@ jobs:
"config.read('tox.ini');"
"print(config['flake8_plugins']['deps']);"
)
- pip install colorama flake8 $(python -c "${grab_f8_plugins[*]}")
+ pip install flake8 $(python -c "${grab_f8_plugins[*]}")
python -m flake8 aiosmtpd setup.py housekeep.py release.py
- name: "Docs Checking"
# language=bash
run: |
- pip install colorama pytest pytest-mock sphinx sphinx-autofixture sphinx_rtd_theme
+ # Prepare sphinx and the deps for sphinx extensions
+ pip install -r aiosmtpd/docs/RTD-requirements.txt
sphinx-build --color -b doctest -d build/.doctree aiosmtpd/docs build/doctest
sphinx-build --color -b html -d build/.doctree aiosmtpd/docs build/html
sphinx-build --color -b man -d build/.doctree aiosmtpd/docs build/man
diff --git a/aiosmtpd/docs/RTD-requirements.txt b/aiosmtpd/docs/RTD-requirements.txt
index cfdaa48..e26dc75 100644
--- a/aiosmtpd/docs/RTD-requirements.txt
+++ b/aiosmtpd/docs/RTD-requirements.txt
@@ -1,11 +1,14 @@
-# Sphinx deps
-sphinx>=2.1
+### Sphinx deps
+pickle5 ; python_version < '3.8'
+# Sync the ver limit below with conf.py
+sphinx>=3.2
sphinx-autofixture
sphinx_rtd_theme
-# Required by Sphinx.autodoc
+
+### Required by Sphinx.autodoc
pytest>=6.0
pytest-mock
-# aiosmtpd deps
+### aiosmtpd deps
atpublic
attrs
diff --git a/aiosmtpd/docs/conf.py b/aiosmtpd/docs/conf.py
index d3273f1..689e4a7 100644
--- a/aiosmtpd/docs/conf.py
+++ b/aiosmtpd/docs/conf.py
@@ -50,6 +50,8 @@ syspath_insert(repo_root / "aiosmtpd")
# :classmethod: needs Sphinx>=2.1
# :noindex: needs Sphinx>=3.2
needs_sphinx = "3.2"
+# If you change the above, don't forget to change the version limit in
+# `RTD-requirements.txt`
# Add any Sphinx extension module names here, as strings. They can be
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
@@ -62,9 +64,8 @@ extensions = [
"autoprogramm",
"sphinx_rtd_theme"
]
-# IMPORTANT: If you edit this, also edit the following:
-# - aiosmtpd/docs/RTD-requirements.txt
-# - tox.ini
+# IMPORTANT: If you edit the above list, check if you need to edit the deps list
+# in `RTD-requirements.txt`
# Add any paths that contain templates here, relative to this directory.
templates_path = ["_templates"]
diff --git a/tox.ini b/tox.ini
index eb2f4f6..e5ac6a3 100644
--- a/tox.ini
+++ b/tox.ini
@@ -124,17 +124,8 @@ commands =
sphinx-build --color -b html -d build/.doctree aiosmtpd/docs build/html
sphinx-build --color -b man -d build/.doctree aiosmtpd/docs build/man
deps:
- # IMPORTANT: If you edit this, also edit the files:
- # - .github/workflows/unit-testing-and-coverage.yml
- # - aiosmtpd/docs/RTD-requirements.txt
colorama
- sphinx
- sphinx-autofixture
- sphinx_rtd_theme
- pickle5 ; python_version < '3.8'
- # The below used as deps, need to be installed so autofixture work properly
- pytest
- pytest-mock
+ -raiosmtpd/docs/RTD-requirements.txt
[testenv:static]
basepython = python3
--
2.32.0
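Review bot: Dropping this patch also removes the `pickle5 ; python_version < '3.8'` marker and the `-raiosmtpd/docs/RTD-requirements.txt` line from tox.ini, so anything in the build that still drives the docs through tox loses those deps; confirm that the 1.4.6 copy of `RTD-requirements.txt` keeps the `sphinx>=3.2` floor that `needs_sphinx = "3.2"` in `conf.py` requires, since the two values are tied together only by the comment `# Sync the ver limit below with conf.py`.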

Binary file not shown.


@ -1,46 +0,0 @@
From e302182240ea59f4cf65c7d4b128be29417f33a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
Date: Thu, 23 Sep 2021 15:55:02 +0200
Subject: [PATCH] Avoid SSLError: Cannot create a client socket with a
PROTOCOL_TLS_SERVER context
When we build mailman3 in Fedora with Python 3.10.0rc2,
we see the following problem:
Traceback (most recent call last):
File "/builddir/build/BUILD/mailman-3.3.4/src/mailman/testing/layers.py", line 297, in setUp
cls.smtpd.start()
File "/builddir/build/BUILD/mailman-3.3.4/src/mailman/testing/mta.py", line 177, in start
super().start()
File "/usr/lib/python3.10/site-packages/aiosmtpd/controller.py", line 288, in start
self._trigger_server()
File "/usr/lib/python3.10/site-packages/aiosmtpd/controller.py", line 481, in _trigger_server
InetMixin._trigger_server(self)
File "/usr/lib/python3.10/site-packages/aiosmtpd/controller.py", line 428, in _trigger_server
s = stk.enter_context(self.ssl_context.wrap_socket(s))
File "/usr/lib64/python3.10/ssl.py", line 512, in wrap_socket
return self.sslsocket_class._create(
File "/usr/lib64/python3.10/ssl.py", line 1061, in _create
self._sslobj = self._context._wrap_socket(
ssl.SSLError: Cannot create a client socket with a PROTOCOL_TLS_SERVER context (_ssl.c:801)
This makes the problem go away.
Disclaimer: I have no idea what I'm doing here.
---
aiosmtpd/controller.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aiosmtpd/controller.py b/aiosmtpd/controller.py
index 79bdbd04..30fd4a11 100644
--- a/aiosmtpd/controller.py
+++ b/aiosmtpd/controller.py
@@ -424,7 +424,7 @@ def _trigger_server(self):
hostname = self.hostname or self._localhost
with ExitStack() as stk:
s = stk.enter_context(create_connection((hostname, self.port), 1.0))
- if self.ssl_context:
+ if self.ssl_context and self.ssl_context.protocol != ssl.PROTOCOL_TLS_SERVER:
s = stk.enter_context(self.ssl_context.wrap_socket(s))
s.recv(1024)
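Review bot: The removed check `if self.ssl_context and self.ssl_context.protocol != ssl.PROTOCOL_TLS_SERVER:` sidesteps the SSLError by not wrapping the trigger socket at all when the context is server-side, so the trigger connection then speaks plaintext to a TLS-only listener and `s.recv(1024)` can only return through the 1.0 s timeout passed to `create_connection`; the author's own message flags the change as a guess. Before relying on 1.4.6 in place of this patch, run the package test suite on the target Python with a TLS-enabled Controller and confirm that upstream handles a PROTOCOL_TLS_SERVER context without this workaround.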


@ -1,160 +0,0 @@
From 24b6c79c8921cf1800e27ca144f4f37023982bbb Mon Sep 17 00:00:00 2001
From: Login <84237895+The-Login@users.noreply.github.com>
Date: Sat, 2 Mar 2024 15:55:13 +0100
Subject: [PATCH] Merge pull request from GHSA-pr2m-px7j-xg65
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb
* SMTP Smuggling Fix
Adapted adherence to RFC 5321 § 2.3.8 to fix SMTP smuggling issues (https://www.rfc-editor.org/rfc/rfc5321#section-2.3.8)
* Apply suggestions from code review
Co-authored-by: Sam Bull <git@sambull.org>
* Add files via upload
* Update test_smtpsmuggling.py
---------
Co-authored-by: Sam Bull <git@sambull.org>
---
aiosmtpd/smtp.py | 11 ++--
aiosmtpd/tests/test_smtpsmuggling.py | 79 ++++++++++++++++++++++++++++
2 files changed, 85 insertions(+), 5 deletions(-)
create mode 100644 aiosmtpd/tests/test_smtpsmuggling.py
diff --git a/aiosmtpd/smtp.py b/aiosmtpd/smtp.py
index 39e70d8b..00902c1e 100644
--- a/aiosmtpd/smtp.py
+++ b/aiosmtpd/smtp.py
@@ -87,7 +87,7 @@ class _DataState(enum.Enum):
EMPTY_BARR = bytearray()
EMPTYBYTES = b''
MISSING = _Missing()
-NEWLINE = '\n'
+NEWLINE = '\r\n'
VALID_AUTHMECH = re.compile(r"[A-Z0-9_-]+\Z")
# https://tools.ietf.org/html/rfc3207.html#page-3
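Review bot: `NEWLINE = '\r\n'` is a module-level constant, so this hunk changes every consumer of it and not only the DATA reader below; when checking that 1.4.6 carries this fix, also review the places that split or join on `NEWLINE` (not shown in this hunk) so that a bare `\n` is consistently treated as not line-terminating.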
@@ -1427,9 +1427,10 @@ async def smtp_DATA(self, arg: str) -> None:
# Since eof_received cancels this coroutine,
# readuntil() can never raise asyncio.IncompleteReadError.
try:
- line: bytes = await self._reader.readuntil()
+ # https://datatracker.ietf.org/doc/html/rfc5321#section-2.3.8
+ line: bytes = await self._reader.readuntil(b'\r\n')
log.debug('DATA readline: %s', line)
- assert line.endswith(b'\n')
+ assert line.endswith(b'\r\n')
except asyncio.CancelledError:
# The connection got reset during the DATA command.
log.info('Connection lost during DATA')
@@ -1446,7 +1447,7 @@ async def smtp_DATA(self, arg: str) -> None:
data *= 0
# Drain the stream anyways
line = await self._reader.read(e.consumed)
- assert not line.endswith(b'\n')
+ assert not line.endswith(b'\r\n')
# A lone dot in a line signals the end of DATA.
if not line_fragments and line == b'.\r\n':
break
@@ -1458,7 +1459,7 @@ async def smtp_DATA(self, arg: str) -> None:
# Discard data immediately to prevent memory pressure
data *= 0
line_fragments.append(line)
- if line.endswith(b'\n'):
+ if line.endswith(b'\r\n'):
# Record data only if state is "NOMINAL"
if state == _DataState.NOMINAL:
line = EMPTY_BARR.join(line_fragments)
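Review bot: Switching to `readuntil(b'\r\n')` is what closes the `\n.\r\n` ambiguity, and the two assertions (`line.endswith(b'\r\n')` and `not line.endswith(b'\r\n')` in the overrun branch) were updated consistently with it. One consequence worth recording in the package notes: a client that terminates lines with bare LF can no longer match the `line == b'.\r\n'` terminator, so its DATA phase only ends when the connection is closed or cancelled; that is the intended RFC 5321 behaviour, but it is a visible compatibility change for non-conforming clients.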
diff --git a/aiosmtpd/tests/test_smtpsmuggling.py b/aiosmtpd/tests/test_smtpsmuggling.py
new file mode 100644
index 00000000..b5d37851
--- /dev/null
+++ b/aiosmtpd/tests/test_smtpsmuggling.py
@@ -0,0 +1,79 @@
+# Copyright 2014-2021 The aiosmtpd Developers
+# SPDX-License-Identifier: Apache-2.0
+
+"""Test SMTP smuggling."""
+
+from email.mime.text import MIMEText
+from smtplib import SMTP, SMTP_SSL
+from typing import Generator, Union
+
+import pytest
+import smtplib
+
+from aiosmtpd.controller import Controller
+from aiosmtpd.testing.helpers import ReceivingHandler
+from aiosmtpd.testing.statuscodes import SMTP_STATUS_CODES as S
+
+from aiosmtpd.smtp import SMTP as Server
+from aiosmtpd.smtp import Session as ServerSession
+from aiosmtpd.smtp import Envelope
+
+from .conftest import Global, controller_data, handler_data
+
+from aiosmtpd.testing.helpers import (
+ ReceivingHandler
+)
+
+def new_data(self, msg):
+ self.putcmd("data")
+
+ (code, repl) = self.getreply()
+ if self.debuglevel > 0:
+ self._print_debug('data:', (code, repl))
+ if code != 354:
+ raise SMTPDataError(code, repl)
+ else:
+ ##### Patching input encoding so we can send raw messages
+ #if isinstance(msg, str):
+ # msg = smtplib._fix_eols(msg).encode('ascii')
+ #q = smtplib._quote_periods(msg)
+ #if q[-2:] != smtplib.bCRLF:
+ # q = q + smtplib.bCRLF
+ #q = q + b"." + smtplib.bCRLF
+ q = msg
+ self.send(q)
+ (code, msg) = self.getreply()
+ if self.debuglevel > 0:
+ self._print_debug('data:', (code, msg))
+ return (code, msg)
+
+def return_unchanged(data):
+ return data
+
+class TestSmuggling:
+ @handler_data(class_=ReceivingHandler)
+ def test_smtp_smuggling(self, plain_controller, client):
+ smtplib._fix_eols = return_unchanged
+ smtplib._quote_periods = return_unchanged
+ smtplib.SMTP.data = new_data
+
+ handler = plain_controller.handler
+ sender = "sender@example.com"
+ recipients = ["rcpt1@example.com"]
+ resp = client.helo("example.com")
+ assert resp == S.S250_FQDN
+ # Trying SMTP smuggling with a fake \n.\r\n end-of-data sequence.
+ message_data = b"""\
+From: Anne Person <anne@example.com>\r\n\
+To: Bart Person <bart@example.com>\r\n\
+Subject: A test\r\n\
+Message-ID: <ant>\r\n\
+\r\n\
+Testing\
+\n.\r\n\
+NO SMUGGLING
+\r\n.\r\n\
+"""
+ results = client.sendmail(sender, recipients, message_data)
+ client.quit()
+ assert b"NO SMUGGLING" in handler.box[0].content
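Review bot: `raise SMTPDataError(code, repl)` in `new_data` refers to a name that is never imported (only `SMTP, SMTP_SSL` come from smtplib), so a non-354 reply would raise NameError rather than SMTPDataError; the test also monkeypatches `smtplib._fix_eols`, `smtplib._quote_periods` and `smtplib.SMTP.data` for the whole process without restoring them, and imports `ReceivingHandler` twice. Since this commit deletes the file in favour of whatever the 1.4.6 tarball ships, confirm that the upstream test is the one that runs in the build; if this variant is ever reinstated, use `smtplib.SMTPDataError` and pytest's `monkeypatch.setattr` so the patches are undone after the test.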

aiosmtpd-1.4.6.tar.gz (new binary file)

Binary file not shown.


@ -1,17 +1,11 @@
%global _empty_manifest_terminate_build 0
Name: python-aiosmtpd
Version: 1.4.2
Release: 2
Version: 1.4.6
Release: 1
Summary: aiosmtpd - asyncio based SMTP server
License: Apache 2.0
URL: https://github.com/aio-libs/aiosmtpd
Source0: https://github.com/aio-libs/aiosmtpd/archive/%{version}.tar.gz
Patch0001: 0001-Implement-Unthreaded-Controller-256.patch
Patch0002: 0002-Code-Hygiene-259.patch
Patch0003: 0003-URGENT-Fix-RTD-docs-gen.patch
Patch0004: 0004-Make-Sphinx-RTD-deps-SSOT.patch
Patch0005: %{url}/pull/284.patch
Patch0006: CVE-2024-27305.patch
Source0: %{url}/releases/download/v%{version}/aiosmtpd-%{version}.tar.gz
BuildArch: noarch
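Review bot: Removing `Patch0001` through `Patch0006` must be matched in %prep, which this hunk does not show; check that no `%patch` directive still refers to those numbers, otherwise the build fails at patch application. `Source0` also moves from `archive/%{version}.tar.gz` to `releases/download/v%{version}/aiosmtpd-%{version}.tar.gz`, i.e. a `v`-prefixed release asset rather than a tag archive, so confirm that the `aiosmtpd-1.4.6.tar.gz` added in this commit is that asset and that its top-level directory name matches what %prep unpacks.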
@ -79,6 +73,10 @@ mv %{buildroot}/doclist.lst .
%{_pkgdocdir}
%changelog
* Wed May 29 2024 yaoxin <yao_xin001@hoperun.com> - 1.4.6-1
- Update to 1.4.6 (bsc#1224467, CVE-2024-34083):
- STARTTLS is now fully enforced if used.
* Wed Mar 13 2024 wangkai <13474090681@163.com> - 1.4.2-2
- Fix CVE-2024-27305
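Review bot: The new changelog entry cites `bsc#1224467`, a SUSE Bugzilla reference that has no meaning in openEuler's tracker; replace it with the openEuler issue or drop it. The entry also describes only the STARTTLS enforcement, while the commit removes six backported patches including `CVE-2024-27305.patch` and `%{url}/pull/284.patch`; record that those fixes are now taken from upstream 1.4.6 so the package's CVE coverage stays auditable from the changelog alone.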