pool/python
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- CVE-2014-4650-CGIHTTPServer-traversal.patch: CGIHTTPServer file

Browse Source 
disclosure and directory traversal through URL-encoded characters
  (CVE-2014-4650, bnc#885882)
- python-2.7.7-mhlib-linkcount.patch: remove link count optimizations
  that are incorrect on btrfs (and possibly other filesystems)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=166
This commit is contained in:
Jan Matejek 2014-07-24 14:33:34 +00:00 committed by Git OBS Bridge
parent 71551512cd
commit 13e614b70b
6 changed files with 114 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
CVE-2014-4650-CGIHTTPServer-traversal.patch Normal file
View File

@ -0,0 +1,35 @@
# HG changeset patch
# User Benjamin Peterson <benjamin@python.org>
# Date 1402796189 25200
# Node ID b4bab078876811c7d95231d08aa6fa7142fdda66
# Parent bb8b0c7fefd0c5ed99b3f336178a4f9554a1d0ef
url unquote the path before checking if it refers to a CGI script (closes #21766)
diff --git a/Lib/CGIHTTPServer.py b/Lib/CGIHTTPServer.py
--- a/Lib/CGIHTTPServer.py
+++ b/Lib/CGIHTTPServer.py
@@ -84,7 +84,7 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
path begins with one of the strings in self.cgi_directories
(and the next character is a '/' or the end of the string).
"""
- collapsed_path = _url_collapse_path(self.path)
+ collapsed_path = _url_collapse_path(urllib.unquote(self.path))
dir_sep = collapsed_path.find('/', 1)
head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
if head in self.cgi_directories:
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -510,6 +510,11 @@ class CGIHTTPServerTestCase(BaseTestCase
(res.read(), res.getheader('Content-type'), res.status))
self.assertEqual(os.environ['SERVER_SOFTWARE'], signature)
+ def test_urlquote_decoding_in_cgi_check(self):
+ res = self.request('/cgi-bin%2ffile1.py')
+ self.assertEqual((b'Hello World\n', 'text/html', 200),
+ (res.read(), res.getheader('Content-type'), res.status))
+
class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
""" Test url parsing """

52
python-2.7.7-mhlib-linkcount.patch Normal file
View File

@ -0,0 +1,52 @@
Index: Python-2.7.7/Lib/mhlib.py
===================================================================
--- Python-2.7.7.orig/Lib/mhlib.py 2014-05-31 20:58:39.000000000 +0200
+++ Python-2.7.7/Lib/mhlib.py 2014-07-24 16:08:26.049343760 +0200
@@ -156,11 +156,6 @@
"""Return the names of the subfolders in a given folder
(prefixed with the given folder name)."""
fullname = os.path.join(self.path, name)
- # Get the link count so we can avoid listing folders
- # that have no subfolders.
- nlinks = os.stat(fullname).st_nlink
- if nlinks <= 2:
- return []
subfolders = []
subnames = os.listdir(fullname)
for subname in subnames:
@@ -168,11 +163,6 @@
if os.path.isdir(fullsubname):
name_subname = os.path.join(name, subname)
subfolders.append(name_subname)
- # Stop looking for subfolders when
- # we've seen them all
- nlinks = nlinks - 1
- if nlinks <= 2:
- break
subfolders.sort()
return subfolders
@@ -183,11 +173,6 @@
def listallsubfolders(self, name):
"""Return the names of subfolders in a given folder, recursively."""
fullname = os.path.join(self.path, name)
- # Get the link count so we can avoid listing folders
- # that have no subfolders.
- nlinks = os.stat(fullname).st_nlink
- if nlinks <= 2:
- return []
subfolders = []
subnames = os.listdir(fullname)
for subname in subnames:
@@ -200,11 +185,6 @@
subsubfolders = self.listallsubfolders(
name_subname)
subfolders = subfolders + subsubfolders
- # Stop looking for subfolders when
- # we've seen them all
- nlinks = nlinks - 1
- if nlinks <= 2:
- break
subfolders.sort()
return subfolders

9
python-base.changes
View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Wed Jul 23 16:48:38 UTC 2014 - jmatejek@suse.com
- CVE-2014-4650-CGIHTTPServer-traversal.patch: CGIHTTPServer file
disclosure and directory traversal through URL-encoded characters
(CVE-2014-4650, bnc#885882)
- python-2.7.7-mhlib-linkcount.patch: remove link count optimizations
that are incorrect on btrfs (and possibly other filesystems)
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Jun 20 13:11:34 UTC 2014 - jmatejek@suse.com Fri Jun 20 13:11:34 UTC 2014 - jmatejek@suse.com

6
python-base.spec
View File

@ -57,6 +57,10 @@ Patch26: xmlrpc_gzip_27.patch
# CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib # CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib
Patch28: smtplib_maxline-2.7.patch Patch28: smtplib_maxline-2.7.patch
Patch29: python-2.7.6-poplib.patch Patch29: python-2.7.6-poplib.patch
# CVE-2014-4650 - File disclosure and directory traversal in CGIHTTPServer
Patch30: CVE-2014-4650-CGIHTTPServer-traversal.patch
# remove link count optimization that breaks mhlib on btrfs (and possibly elsewhere)
Patch31: python-2.7.7-mhlib-linkcount.patch
# COMMON-PATCH-END # COMMON-PATCH-END
%define python_version %(echo %{tarversion} | head -c 3) %define python_version %(echo %{tarversion} | head -c 3)
BuildRequires: automake BuildRequires: automake
@ -149,6 +153,8 @@ other applications.
%patch26 -p1 %patch26 -p1
%patch28 -p1 %patch28 -p1
%patch29 -p1 %patch29 -p1
%patch30 -p1
%patch31 -p1
# drop Autoconf version requirement # drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac sed -i 's/^version_required/dnl version_required/' configure.ac

6
python-doc.spec
View File

@ -60,6 +60,10 @@ Patch26: xmlrpc_gzip_27.patch
# CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib # CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib
Patch28: smtplib_maxline-2.7.patch Patch28: smtplib_maxline-2.7.patch
Patch29: python-2.7.6-poplib.patch Patch29: python-2.7.6-poplib.patch
# CVE-2014-4650 - File disclosure and directory traversal in CGIHTTPServer
Patch30: CVE-2014-4650-CGIHTTPServer-traversal.patch
# remove link count optimization that breaks mhlib on btrfs (and possibly elsewhere)
Patch31: python-2.7.7-mhlib-linkcount.patch
# COMMON-PATCH-END # COMMON-PATCH-END
Provides: pyth_doc Provides: pyth_doc
Provides: pyth_ps Provides: pyth_ps
@ -106,6 +110,8 @@ Python, and Macintosh Module Reference in PDF format.
%patch26 -p1 %patch26 -p1
%patch28 -p1 %patch28 -p1
%patch29 -p1 %patch29 -p1
%patch30 -p1
%patch31 -p1
# drop Autoconf version requirement # drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac sed -i 's/^version_required/dnl version_required/' configure.ac

6
python.spec
View File

@ -61,6 +61,10 @@ Patch26: xmlrpc_gzip_27.patch
# CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib # CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib
Patch28: smtplib_maxline-2.7.patch Patch28: smtplib_maxline-2.7.patch
Patch29: python-2.7.6-poplib.patch Patch29: python-2.7.6-poplib.patch
# CVE-2014-4650 - File disclosure and directory traversal in CGIHTTPServer
Patch30: CVE-2014-4650-CGIHTTPServer-traversal.patch
# remove link count optimization that breaks mhlib on btrfs (and possibly elsewhere)
Patch31: python-2.7.7-mhlib-linkcount.patch
# COMMON-PATCH-END # COMMON-PATCH-END
BuildRequires: automake BuildRequires: automake
BuildRequires: db-devel BuildRequires: db-devel
@ -183,6 +187,8 @@ implementation of the standard Unix DBM databases.
%patch26 -p1 %patch26 -p1
%patch28 -p1 %patch28 -p1
%patch29 -p1 %patch29 -p1
%patch30 -p1
%patch31 -p1
# drop Autoconf version requirement # drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac sed -i 's/^version_required/dnl version_required/' configure.ac