From 01e8a2e4904069a3dc51ab87f64d2e904dfc2099 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis <cstratak@redhat.com>
Date: Jul 28 2020 17:09:31 +0000
Subject: Resolve hash collisions for IPv4Interface and IPv6Interface (CVE-2020-14422)


Resolves: rhbz#1854926

---

diff --git a/00352-resolve-hash-collisions-for-ipv4interface-and-ipv6interface.patch b/00352-resolve-hash-collisions-for-ipv4interface-and-ipv6interface.patch
new file mode 100644
index 0000000..a5f4028
--- /dev/null
+++ b/00352-resolve-hash-collisions-for-ipv4interface-and-ipv6interface.patch
@@ -0,0 +1,70 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tapas Kundu <39723251+tapakund@users.noreply.github.com>
+Date: Wed, 1 Jul 2020 00:50:21 +0530
+Subject: [PATCH] 00352: Resolve hash collisions for IPv4Interface and
+ IPv6Interface
+
+CVE-2020-14422
+The hash() methods of classes IPv4Interface and IPv6Interface had issue
+of generating constant hash values of 32 and 128 respectively causing hash collisions.
+The fix uses the hash() function to generate hash values for the objects
+instead of XOR operation.
+Fixed upstream: https://bugs.python.org/issue41004
+---
+ Lib/ipaddress.py                                      |  4 ++--
+ Lib/test/test_ipaddress.py                            | 11 +++++++++++
+ .../Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst |  1 +
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
+
+diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
+index 80249288d7..54882934c3 100644
+--- a/Lib/ipaddress.py
++++ b/Lib/ipaddress.py
+@@ -1442,7 +1442,7 @@ class IPv4Interface(IPv4Address):
+             return False
+ 
+     def __hash__(self):
+-        return self._ip ^ self._prefixlen ^ int(self.network.network_address)
++        return hash((self._ip, self._prefixlen, int(self.network.network_address)))
+ 
+     __reduce__ = _IPAddressBase.__reduce__
+ 
+@@ -2088,7 +2088,7 @@ class IPv6Interface(IPv6Address):
+             return False
+ 
+     def __hash__(self):
+-        return self._ip ^ self._prefixlen ^ int(self.network.network_address)
++        return hash((self._ip, self._prefixlen, int(self.network.network_address)))
+ 
+     __reduce__ = _IPAddressBase.__reduce__
+ 
+diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
+index 455b893fb1..1fb6a929dc 100644
+--- a/Lib/test/test_ipaddress.py
++++ b/Lib/test/test_ipaddress.py
+@@ -2091,6 +2091,17 @@ class IpaddrUnitTest(unittest.TestCase):
+                          sixtofouraddr.sixtofour)
+         self.assertFalse(bad_addr.sixtofour)
+ 
++    # issue41004 Hash collisions in IPv4Interface and IPv6Interface
++    def testV4HashIsNotConstant(self):
++        ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4")
++        ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5")
++        self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__())
++
++    # issue41004 Hash collisions in IPv4Interface and IPv6Interface
++    def testV6HashIsNotConstant(self):
++        ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")
++        ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")
++        self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__())
+ 
+ if __name__ == '__main__':
+     unittest.main()
+diff --git a/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
+new file mode 100644
+index 0000000000..f5a9db52ff
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst
+@@ -0,0 +1 @@
++CVE-2020-14422: The __hash__() methods of  ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).
diff --git a/python3.spec b/python3.spec
index eade7dc..6583137 100644
--- a/python3.spec
+++ b/python3.spec
@@ -320,6 +320,17 @@ Patch335: 00335-backport-pathfix-change.patch
 # Fixed upstream: https://bugs.python.org/issue39017
 Patch351: 00351-avoid-infinite-loop-in-the-tarfile-module.patch
 
+# 00352 # 5253c417a23b3658fa115d2c72fa54b20293a31c
+# Resolve hash collisions for IPv4Interface and IPv6Interface
+#
+# CVE-2020-14422
+# The hash() methods of classes IPv4Interface and IPv6Interface had issue
+# of generating constant hash values of 32 and 128 respectively causing hash collisions.
+# The fix uses the hash() function to generate hash values for the objects
+# instead of XOR operation.
+# Fixed upstream: https://bugs.python.org/issue41004
+Patch352: 00352-resolve-hash-collisions-for-ipv4interface-and-ipv6interface.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -1560,6 +1571,8 @@ CheckPython optimized
 * Tue Jul 28 2020 Charalampos Stratakis <cstratak@redhat.com> - 3.7.8-2
 - Avoid infinite loop when reading specially crafted TAR files (CVE-2019-20907)
 Resolves: rhbz#1856481
+- Resolve hash collisions for Pv4Interface and IPv6Interface (CVE-2020-14422)
+Resolves: rhbz#1854926
 
 * Wed Jul 01 2020 Petr Viktorin <pviktori@redhat.com> - 3.7.8-1
 - Update to 3.7.8 final