python3: avoid usage of md5 in multiprocessing

category: bugfix
bugzilla: https://gitee.com/src-openeuler/python3/issues/I67848#note_15325390

Signed-off-by: Guangzhong Yao <yaoguangzhong@xfusion.com>

avoid-usage-of-md5-in-multiprocessing.patch

@@ -0,0 +1,57 @@
+From 17198bd8ac7eac7320bf22828cc9b22a26d62ae2 Mon Sep 17 00:00:00 2001
+From: liyuanyuan <liyuanyuan@xfusion.com>
+Date: Thu, 15 Dec 2022 19:32:29 +0800
+Subject: [PATCH] avoid usage of md5 in multiprocessing
+
+---
+ Lib/multiprocessing/connection.py | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
+index 8e2facf..4ef15bf 100644
+--- a/Lib/multiprocessing/connection.py
++++ b/Lib/multiprocessing/connection.py
+@@ -42,6 +42,10 @@ BUFSIZE = 8192
+ # A very generous timeout when it comes to local connections...
+ CONNECTION_TIMEOUT = 20.
+ 
++# The hmac module implicitly defaults to using MD5.
++# Support using a stronger algorithm for the challenge/response code:
++HMAC_DIGEST_NAME='sha256'
++
+ _mmap_counter = itertools.count()
+ 
+ default_family = 'AF_INET'
+@@ -729,6 +733,10 @@ CHALLENGE = b'#CHALLENGE#'
+ WELCOME = b'#WELCOME#'
+ FAILURE = b'#FAILURE#'
+ 
++def get_digestmod_for_hmac():
++    import hashlib
++    return getattr(hashlib, HMAC_DIGEST_NAME)
++
+ def deliver_challenge(connection, authkey):
+     import hmac
+     if not isinstance(authkey, bytes):
+@@ -736,7 +744,7 @@ def deliver_challenge(connection, authkey):
+             "Authkey must be bytes, not {0!s}".format(type(authkey)))
+     message = os.urandom(MESSAGE_LENGTH)
+     connection.send_bytes(CHALLENGE + message)
+-    digest = hmac.new(authkey, message, 'md5').digest()
++    digest = hmac.new(authkey, message, get_digestmod_for_hmac()).digest()
+     response = connection.recv_bytes(256)        # reject large message
+     if response == digest:
+         connection.send_bytes(WELCOME)
+@@ -752,7 +760,7 @@ def answer_challenge(connection, authkey):
+     message = connection.recv_bytes(256)         # reject large message
+     assert message[:len(CHALLENGE)] == CHALLENGE, 'message = %r' % message
+     message = message[len(CHALLENGE):]
+-    digest = hmac.new(authkey, message, 'md5').digest()
++    digest = hmac.new(authkey, message, get_digestmod_for_hmac()).digest()
+     connection.send_bytes(digest)
+     response = connection.recv_bytes(256)        # reject large message
+     if response != WELCOME:
+-- 
+2.27.0
+
+

python3.spec

@@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/
 
 Version: 3.9.9
-Release: 21
+Release: 22
 License: Python-2.0
 
 %global branchversion 3.9
@@ -107,6 +107,7 @@ Patch6012: backport-CVE-2022-37454.patch
 Patch9000: add-the-sm3-method-for-obtaining-the-salt-value.patch
 Patch9001: python3-Add-sw64-architecture.patch
 Patch9002: Add-loongarch-support.patch
+Patch9003: avoid-usage-of-md5-in-multiprocessing.patch
 
 Provides: python%{branchversion} = %{version}-%{release}
 Provides: python(abi) = %{branchversion}
@@ -207,6 +208,7 @@ rm -r Modules/expat
 %patch9000 -p1
 %patch9001 -p1
 %patch9002 -p1
+%patch9003 -p1
 
 rm Lib/ensurepip/_bundled/*.whl
 rm configure pyconfig.h.in
@@ -829,6 +831,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*
 
 %changelog
+* Fri Dec 23 yaoguangzhong <yaoguangzhong@xfusion.com> - 3.9.9-22
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: avoid usage of md5 in multiprocessing
+
 * Fri Dec 02 zhuofeng <zhuofeng2@huawei.com> - 3.9.9-21
 - Type:bugfix
 - CVE:NA