- CVE-2014-4650-CGIHTTPServer-traversal.patch: CGIHTTPServer file

disclosure and directory traversal through URL-encoded characters (CVE-2014-4650, bnc#885882) - python-2.7.7-mhlib-linkcount.patch: remove link count optimizations that are incorrect on btrfs (and possibly other filesystems) OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=166
2014-07-24 14:33:34 +00:00 · 2014-07-24 14:33:34 +00:00 · 13e614b70b
commit 13e614b70b
parent 71551512cd
6 changed files with 114 additions and 0 deletions
--- a/CVE-2014-4650-CGIHTTPServer-traversal.patch
+++ b/CVE-2014-4650-CGIHTTPServer-traversal.patch
@ -0,0 +1,35 @@
+
+# HG changeset patch
+# User Benjamin Peterson <benjamin@python.org>
+# Date 1402796189 25200
+# Node ID b4bab078876811c7d95231d08aa6fa7142fdda66
+# Parent  bb8b0c7fefd0c5ed99b3f336178a4f9554a1d0ef
+url unquote the path before checking if it refers to a CGI script (closes #21766)
+
+diff --git a/Lib/CGIHTTPServer.py b/Lib/CGIHTTPServer.py
+--- a/Lib/CGIHTTPServer.py
+++ b/Lib/CGIHTTPServer.py
+@@ -84,7 +84,7 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
+         path begins with one of the strings in self.cgi_directories
+         (and the next character is a '/' or the end of the string).
+         """
+-        collapsed_path = _url_collapse_path(self.path)
+        collapsed_path = _url_collapse_path(urllib.unquote(self.path))
+         dir_sep = collapsed_path.find('/', 1)
+         head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
+         if head in self.cgi_directories:
+diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
+--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
+@@ -510,6 +510,11 @@ class CGIHTTPServerTestCase(BaseTestCase
+                 (res.read(), res.getheader('Content-type'), res.status))
+         self.assertEqual(os.environ['SERVER_SOFTWARE'], signature)
+ 
+    def test_urlquote_decoding_in_cgi_check(self):
+        res = self.request('/cgi-bin%2ffile1.py')
+        self.assertEqual((b'Hello World\n', 'text/html', 200),
+                (res.read(), res.getheader('Content-type'), res.status))
+
+ 
+ class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
+     """ Test url parsing """
--- a/python-2.7.7-mhlib-linkcount.patch
+++ b/python-2.7.7-mhlib-linkcount.patch
@ -0,0 +1,52 @@
+Index: Python-2.7.7/Lib/mhlib.py
+===================================================================
+--- Python-2.7.7.orig/Lib/mhlib.py	2014-05-31 20:58:39.000000000 +0200
+++ Python-2.7.7/Lib/mhlib.py	2014-07-24 16:08:26.049343760 +0200
+@@ -156,11 +156,6 @@
+         """Return the names of the subfolders in a given folder
+         (prefixed with the given folder name)."""
+         fullname = os.path.join(self.path, name)
+-        # Get the link count so we can avoid listing folders
+-        # that have no subfolders.
+-        nlinks = os.stat(fullname).st_nlink
+-        if nlinks <= 2:
+-            return []
+         subfolders = []
+         subnames = os.listdir(fullname)
+         for subname in subnames:
+@@ -168,11 +163,6 @@
+             if os.path.isdir(fullsubname):
+                 name_subname = os.path.join(name, subname)
+                 subfolders.append(name_subname)
+-                # Stop looking for subfolders when
+-                # we've seen them all
+-                nlinks = nlinks - 1
+-                if nlinks <= 2:
+-                    break
+         subfolders.sort()
+         return subfolders
+ 
+@@ -183,11 +173,6 @@
+     def listallsubfolders(self, name):
+         """Return the names of subfolders in a given folder, recursively."""
+         fullname = os.path.join(self.path, name)
+-        # Get the link count so we can avoid listing folders
+-        # that have no subfolders.
+-        nlinks = os.stat(fullname).st_nlink
+-        if nlinks <= 2:
+-            return []
+         subfolders = []
+         subnames = os.listdir(fullname)
+         for subname in subnames:
+@@ -200,11 +185,6 @@
+                     subsubfolders = self.listallsubfolders(
+                               name_subname)
+                     subfolders = subfolders + subsubfolders
+-                # Stop looking for subfolders when
+-                # we've seen them all
+-                nlinks = nlinks - 1
+-                if nlinks <= 2:
+-                    break
+         subfolders.sort()
+         return subfolders
+ 
--- a/python-base.changes
+++ b/python-base.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Jul 23 16:48:38 UTC 2014 - jmatejek@suse.com
+
+- CVE-2014-4650-CGIHTTPServer-traversal.patch: CGIHTTPServer file
+  disclosure and directory traversal through URL-encoded characters
+  (CVE-2014-4650, bnc#885882)
+- python-2.7.7-mhlib-linkcount.patch: remove link count optimizations
+  that are incorrect on btrfs (and possibly other filesystems)
+
 -------------------------------------------------------------------
 Fri Jun 20 13:11:34 UTC 2014 - jmatejek@suse.com

--- a/python-base.spec
+++ b/python-base.spec
@ -57,6 +57,10 @@ Patch26:        xmlrpc_gzip_27.patch
 # CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib
 Patch28:        smtplib_maxline-2.7.patch
 Patch29:        python-2.7.6-poplib.patch
+# CVE-2014-4650 - File disclosure and directory traversal in CGIHTTPServer
+Patch30:        CVE-2014-4650-CGIHTTPServer-traversal.patch
+# remove link count optimization that breaks mhlib on btrfs (and possibly elsewhere)
+Patch31:        python-2.7.7-mhlib-linkcount.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@ -149,6 +153,8 @@ other applications.
 %patch26 -p1
 %patch28 -p1
 %patch29 -p1
+%patch30 -p1
+%patch31 -p1

 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
--- a/python-doc.spec
+++ b/python-doc.spec
@ -60,6 +60,10 @@ Patch26:        xmlrpc_gzip_27.patch
 # CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib
 Patch28:        smtplib_maxline-2.7.patch
 Patch29:        python-2.7.6-poplib.patch
+# CVE-2014-4650 - File disclosure and directory traversal in CGIHTTPServer
+Patch30:        CVE-2014-4650-CGIHTTPServer-traversal.patch
+# remove link count optimization that breaks mhlib on btrfs (and possibly elsewhere)
+Patch31:        python-2.7.7-mhlib-linkcount.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc
 Provides:       pyth_ps
@ -106,6 +110,8 @@ Python, and Macintosh Module Reference in PDF format.
 %patch26 -p1
 %patch28 -p1
 %patch29 -p1
+%patch30 -p1
+%patch31 -p1

 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
--- a/python.spec
+++ b/python.spec
@ -61,6 +61,10 @@ Patch26:        xmlrpc_gzip_27.patch
 # CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib
 Patch28:        smtplib_maxline-2.7.patch
 Patch29:        python-2.7.6-poplib.patch
+# CVE-2014-4650 - File disclosure and directory traversal in CGIHTTPServer
+Patch30:        CVE-2014-4650-CGIHTTPServer-traversal.patch
+# remove link count optimization that breaks mhlib on btrfs (and possibly elsewhere)
+Patch31:        python-2.7.7-mhlib-linkcount.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@ -183,6 +187,8 @@ implementation of the standard Unix DBM databases.
 %patch26 -p1
 %patch28 -p1
 %patch29 -p1
+%patch30 -p1
+%patch31 -p1

 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac