Bug 2133805

Summary: Rebase python-oauthlib to 3.2.2 OR alternatively include fixes for https://github.com/oauthlib/oauthlib/issues/817 AND CVE-2022-36087
Product: Red Hat Enterprise Linux 9
Reporter: Dave Wilde <dwilde>
Component: python-oauthlib
Assignee: Tomas Halman <thalman>
Status: CLOSED ERRATA
QA Contact: Scott Poore <spoore>
Severity: unspecified
Priority: unspecified
Version: 9.0
CC: aboscatt, apevec, spoore
Target Milestone: rc
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: python-oauthlib-3.1.1-5.el9
Last Closed: 2023-05-09 07:38:28 UTC
Type: Bug
Bug Blocks: 2148354

Description Dave Wilde 2022-10-11 13:15:08 UTC
Description of problem:
Upstream oauthlib has released version 3.2.1.
It includes fix for CVE-2022-36087 which is needed for OSP.

Version-Release number of selected component (if applicable):
3.1.1

Thanks,

/Dave

Comment 1 Tomas Halman 2022-10-17 16:04:46 UTC
Considering our capacity, we decided to backport the fix instead of doing a rebase.

Tomas

Comment 3 Alan Pevec 2022-10-19 15:04:15 UTC
> Upstream oauthlib has released version 3.2.1.
> It includes fix for CVE-2022-36087 which is needed for OSP.

Actually OSP needs https://github.com/oauthlib/oauthlib/pull/818 included in 3.2.1
please also backport that patch!

Comment 4 Alan Pevec 2022-10-19 15:07:28 UTC
Re. the CVE fix: it looks like it actually missed 3.2.1, see https://github.com/oauthlib/oauthlib/issues/837 !

Comment 6 Alan Pevec 2022-11-10 08:59:33 UTC
Test case for the non-CVE bugfix https://github.com/oauthlib/oauthlib/issues/817 ("RFC5849 oauth1 signature base_string_uri doesn't parse IPv6 addresses")
is included in the upstream patch:

https://github.com/oauthlib/oauthlib/pull/818/files#diff-9368c78c9d230897f305b2954d5d707abb6cfbbb2f3c3b2c343e49d889d8934d

Comment 7 Alan Pevec 2022-11-10 09:58:35 UTC
The %check section in the spec file https://gitlab.com/redhat/centos-stream/rpms/python-oauthlib/-/blob/c9s/python-oauthlib.spec#L62
will run the test, so verification will be automatic during the RPM build.

Comment 8 Tomas Halman 2022-11-10 10:22:53 UTC
We have to skip a few tests during the build due to missing test dependencies, but I can confirm that this one is executed.

T.

Comment 12 Scott Poore 2022-11-18 15:25:08 UTC
Verified

Version ::

python3-oauthlib-3.1.1-5.el9.noarch

Results ::

[root@hostname1 ~]# python3
Python 3.9.14 (main, Nov  7 2022, 00:00:00) 
[GCC 11.3.1 20220421 (Red Hat 11.3.1-2)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import oauthlib
>>> oauthlib.__version__
'3.1.1'
>>> from oauthlib import oauth1
>>> oauth1.rfc5849.signature.base_string_uri("https://[123:db8:fd00:1000::5]:13000")
'https://[123:db8:fd00:1000::5]:13000/'


>>> from oauthlib.uri_validate import is_absolute_uri
>>> is_absolute_uri("http://[:::::::::::::::::::::::::::::::::::::::]/path")
>>>
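
The two checks in the verification session above (base_string_uri keeping an IPv6 literal and its port intact, and is_absolute_uri returning promptly on a bracketed run of colons) can be reproduced without oauthlib installed. The following is an added example, not oauthlib's own code: a minimal RFC 5849 section 3.4.1.2 base string URI normaliser built on urllib.parse, and an absolute-URI check that validates the host with the ipaddress module instead of a backtracking IPv6 regex, which is the class of problem behind CVE-2022-36087. The function names mirror the ones in the session, but the implementations, the hostname label regex, the http/https-only restriction and the constructed inputs are this example's own assumptions; is_absolute_uri here requires an authority component (what a redirect_uri check needs) and returns a bool rather than a match object.

```python
# Added example, not oauthlib code: RFC 5849 base string URI handling for
# IPv6 hosts, and an absolute-URI check without a backtracking IPv6 regex.
import ipaddress
import re
import time
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# One DNS label (RFC 1123 shape): bounded length, no nested quantifiers,
# so matching cost is linear in the input. Assumption of this example.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _valid_host(hostname):
    """hostname is the bracket-stripped, lowercased host from urlsplit."""
    if ":" in hostname:
        # IPv6 literal: let ipaddress parse it. Its parser is a fixed-cost
        # split on ':' with length checks, so a hostile run of colons is
        # rejected immediately instead of sending a regex into backtracking.
        try:
            ipaddress.IPv6Address(hostname)
            return True
        except ValueError:
            return False
    try:
        ipaddress.IPv4Address(hostname)
        return True
    except ValueError:
        pass
    if len(hostname) > 253:
        return False
    return all(_LABEL.match(label) for label in hostname.rstrip(".").split("."))


def is_absolute_uri(uri):
    """True for scheme://host[:port]/... with a host that parses cleanly.

    Requires an authority component (this example's design choice, which is
    what a redirect_uri check needs) and returns a bool."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        # Python 3.11.4+ rejects a malformed bracketed host in urlsplit itself
        return False
    if not parts.scheme or not parts.netloc or not parts.hostname:
        return False
    return _valid_host(parts.hostname)


def base_string_uri(uri):
    """RFC 5849 section 3.4.1.2 base string URI: lowercase scheme and host,
    drop the default port, keep a non-default one, drop query and fragment,
    and keep an IPv6 literal bracketed. Raises ValueError on a bad host/port."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("only http and https URIs are supported")
    hostname = parts.hostname  # already lowercased and bracket-stripped
    if not hostname or not _valid_host(hostname):
        raise ValueError("missing or invalid host in %r" % uri)
    port = parts.port  # raises ValueError for a non-numeric/out-of-range port
    if ":" in hostname:
        hostname = "[%s]" % hostname  # the IPv6 fix: re-bracket, never split on ':'
    netloc = hostname
    if port is not None and port != DEFAULT_PORTS[scheme]:
        netloc = "%s:%d" % (hostname, port)
    return "%s://%s%s" % (scheme, netloc, parts.path or "/")


def timed_is_absolute_uri(uri):
    """Return (result, seconds) so a caller can assert the check is bounded."""
    start = time.perf_counter()
    result = is_absolute_uri(uri)
    return result, time.perf_counter() - start


# Constructed inputs for the demo; the colon run has the same shape as the
# verification input in the comment above.
HOSTILE_IPV6_URI = "http://[" + ":" * 40 + "]/path"

if __name__ == "__main__":
    print(base_string_uri("https://[123:db8:fd00:1000::5]:13000"))
    print(base_string_uri("HTTP://Example.COM:80/a?b=c#frag"))
    for candidate in ("https://[2001:db8::1]/cb", HOSTILE_IPV6_URI, "/relative"):
        ok, seconds = timed_is_absolute_uri(candidate)
        print("%-45s absolute=%-5s %.5fs" % (candidate[:45], ok, seconds))
```

The design point is that host validation never hands attacker-controlled text to a regex with nested or unbounded repetition: the IPv6 branch goes through ipaddress, and the DNS branch is a single bounded-length label pattern applied per label. That is the property a redirect_uri or signature base string check needs, regardless of which library implements it.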

Comment 14 errata-xmlrpc 2023-05-09 07:38:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (python-oauthlib bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2247