Upgrade libuv to v1.48.0 #600
I think the pipeline should be able to pass as it did in the PR in my fork repo. Could someone please trigger a retry?
yeah that error in CI looks like an old flake
I did some investigating about that vulnerability. I checked if I could reproduce the ‘truncate after 256 bytes’ vulnerability. I cannot exploit it if I pass hostname as a string, due to this idna encoding line; uvloop accidentally protects you from the libuv vulnerability:
This is a similar error that socket gives:
However, if I pass the hostname as bytes, I can bypass the accidental uvloop protection and exploit libuv:
socket, however, isn’t fooled:
I didn’t know about this
I can’t find any documentation about why that’s considered a valid hostname. It’s obviously a hex encoding of a 4-byte ipv4 address, but, I’ve never seen it written that way. Anyway, maybe you can turn my investigation into a unit test for the security vulnerability
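A guard that applies the same hostname length limits to `str` and `bytes` input, so the bytes path described in the comment above gets the check that the idna codec only performs for `str`. This is an added example, not code from uvloop, libuv or this PR; `to_wire_host`, `rejected` and the 63/253 limits (taken from RFC 1035) are assumptions of the example.

```python
# Added example (not uvloop or libuv code): one length check for str and bytes hosts.
MAX_LABEL = 63   # assumption: RFC 1035 limit per label
MAX_NAME = 253   # assumption: RFC 1035 limit for the whole name, dots included


def to_wire_host(host):
    """Return `host` as bytes for a resolver call, or raise ValueError."""
    if isinstance(host, str):
        try:
            # Same codec the thread refers to; it rejects over-long labels.
            raw = host.encode("idna")
        except UnicodeError as ex:
            raise ValueError(f"invalid hostname: {ex}") from ex
    elif isinstance(host, (bytes, bytearray)):
        # Bytes never pass through the idna codec, so nothing has checked them yet.
        raw = bytes(host)
    else:
        raise TypeError(f"host must be str or bytes, not {type(host).__name__}")

    name = raw[:-1] if raw.endswith(b".") else raw   # allow one trailing root dot
    if not name or len(name) > MAX_NAME:
        raise ValueError(f"hostname length {len(name)} outside 1..{MAX_NAME}")
    for label in name.split(b"."):
        if not 0 < len(label) <= MAX_LABEL:
            raise ValueError(f"label length {len(label)} outside 1..{MAX_LABEL}")
    return raw


def rejected(host):
    """True if to_wire_host() refuses `host`."""
    try:
        to_wire_host(host)
    except ValueError:
        return True
    return False


# Constructed sample input: the over-long name quoted in the review thread.
LONG_NAME = f'0x{"0" * 246}7f000001.example.com'

if __name__ == "__main__":
    for sample in ("example.com", LONG_NAME, LONG_NAME.encode("ascii"), b"localhost"):
        verdict = "rejected" if rejected(sample) else "accepted"
        print(type(sample).__name__, len(sample), verdict)
```
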
regarding the idna encoding error, there's some discussion of whether that error should be handled a different way in the python standard library or not. Just for reference: python/cpython#77139
This reverts commit 281dc2c.
It seems getaddrinfo('', ...) on macOS is equivalent to nodename='localhost'. This is inconsistent with libuv 1.48 which treats empty nodename as EINVAL.
Thanks to @tapple-cisco for the repro
err = ex | ||
|
||
try: | ||
a2 = self.loop.run_until_complete( | ||
self.loop.getaddrinfo(*args, **kwargs)) | ||
except socket.gaierror as ex: | ||
except (socket.gaierror, UnicodeError) as ex: |
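Review bot: the widened clause `except (socket.gaierror, UnicodeError) as ex:` around the `self.loop.getaddrinfo(*args, **kwargs)` call has no comment saying which input raises `UnicodeError`, and from these lines a reader cannot tell whether the preceding branch (the one ending in `err = ex`) catches the same pair of exceptions. Suggest a one-line comment naming the case (a hostname the idna codec refuses) and confirming that both `except` clauses accept the same exception types, so the two calls are held to the same expectations.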
What input would trigger a UnicodeError?
This is what @tapple-cisco mentioned with the vulnerability repro, as well as the BPO. A short example with CPython is like:
```
>>> payload = f'0x{"0"*246}7f000001.example.com'
>>> import socket; socket.getaddrinfo(payload, 0)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.12/socket.py", line 964, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/encodings/idna.py", line 173, in encode
    raise UnicodeError("label empty or too long")
UnicodeError: label empty or too long
encoding with 'idna' codec failed
```
Is `encoding with 'idna' codec failed` a context exception?
i.e. `.__context__`.
yeah it's a weird output, let me see
It's `__notes__`, this particular note is added in 3.12 (changed from a `__context__`).
Changes
=======

* Upgrade libuv to v1.48.0 (#600) (by @niklasr22 @fantix in 7777852 for #596 #615)

Fixes
=====

* Fix test_create_server_4 with Python 3.12.5 (#614) (by @shadchin in 62f9239)
* Use len(os.sched_getaffinity(0)) instead of os.cpu_count() (#591) (by @avkarenow in c8531c2 for #591)
* Inline _Py_RestoreSignals() from CPython (#604) (by @befeleme in 8511ba1 for #603)
* Fix for libuv 1.48
* Fix for macOS (resolve empty host string as "localhost")
* Add test

---------

Co-authored-by: Fantix King <[email protected]>
Upgrades libuv to v1.48.0 which fixes a security vulnerability.
I removed two DNS test cases because they raise an error intended by libuv.