From 9eba14b8c5adc008d85cff7cda2ca9c604b699d8b90c07db7c157a7bc4d6fdb4 Mon Sep 17 00:00:00 2001
From: Matej Cepl
Date: Thu, 27 Sep 2018 14:11:14 +0000
Subject: [PATCH] - Apply "CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which converts shutil._call_external_zip to use subprocess rather than distutils.spawn. [bsc#1109663, CVE-2018-1000802]
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=232
---
 ...00802-shutil_use_subprocess_no_spawn.patch | 50 +++++++++++++++++++
 python-base.changes | 7 +++
 python-base.spec | 7 ++-
 python-doc.changes | 7 +++
 python-doc.spec | 7 ++-
 python.changes | 7 +++
 python.spec | 7 ++-
 7 files changed, 89 insertions(+), 3 deletions(-)
 create mode 100644 CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
diff --git a/CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch b/CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
new file mode 100644
index 0000000..9b990cb
--- /dev/null
+++ b/CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
@@ -0,0 +1,50 @@
+From add531a1e55b0a739b0f42582f1c9747e5649ace Mon Sep 17 00:00:00 2001
+From: Benjamin Peterson
+Date: Tue, 28 Aug 2018 22:12:56 -0700
+Subject: [PATCH] closes bpo-34540: Convert shutil._call_external_zip to use
+ subprocess rather than distutils.spawn.
+
+---
+ Lib/shutil.py | 16 ++++++++++------
+ .../2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | 3 +++
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst
+
+--- a/Lib/shutil.py
++++ b/Lib/shutil.py
+@@ -396,17 +396,21 @@ def _make_tarball(base_name, base_dir, c
+
+ return archive_name
+
+-def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False):
++def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger):
+ # XXX see if we want to keep an external call here
+ if verbose:
+ zipoptions = "-r"
+ else:
+ zipoptions = "-rq"
+- from distutils.errors import DistutilsExecError
+- from distutils.spawn import spawn
++ cmd = ["zip", zipoptions, zip_filename, base_dir]
++ if logger is not None:
++ logger.info(' '.join(cmd))
++ if dry_run:
++ return
++ import subprocess
+ try:
+- spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run)
+- except DistutilsExecError:
++ subprocess.check_call(cmd)
++ except subprocess.CalledProcessError:
+ # XXX really should distinguish between "couldn't find
+ # external 'zip' command" and "zip failed".
+ raise ExecError, \
+@@ -440,7 +444,7 @@ def _make_zipfile(base_name, base_dir, v
+ zipfile = None
+
+ if zipfile is None:
+- _call_external_zip(base_dir, zip_filename, verbose, dry_run)
++ _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger)
+ else:
+ if logger is not None:
+ logger.info("creating '%s' and adding '%s' to it",
diff --git a/python-base.changes b/python-base.changes
index 866ff49..c530669 100644
--- a/python-base.changes
+++ b/python-base.changes
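Review bot: The new `except subprocess.CalledProcessError:` after `subprocess.check_call(cmd)` only covers a non-zero exit status from zip; when the `zip` executable cannot be executed at all, Popen raises OSError, which now propagates out of `_call_external_zip` instead of being turned into ExecError the way the removed `except DistutilsExecError:` path did (distutils.spawn wrapped that failure, if I read it correctly). Callers of make_archive that catch ExecError for the external-zip fallback would therefore see a different exception type; `except (subprocess.CalledProcessError, OSError):` would keep that contract, and the XXX comment just below already asks for the two cases to be told apart. Passing `cmd` as an argument list with no shell involved is the substance of the fix and looks right. The function body continues past the end of the embedded hunk (the `raise ExecError, \` continuation is cut off). Separately, the embedded patch header's diffstat lists a Misc/NEWS.d entry as a second file, but only the Lib/shutil.py diff is included; harmless for `%patch42 -p1`, but the header is stale relative to the content.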
@@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Sep 25 22:01:08 UTC 2018 - Matěj Cepl + +- Apply "CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which + converts shutil._call_external_zip to use subprocess rather than + distutils.spawn. [bsc#1109663, CVE-2018-1000802] + ------------------------------------------------------------------- Mon May 21 18:41:43 UTC 2018 - michael@stroeder.com diff --git a/python-base.spec b/python-base.spec index 3559eb1..14f554a 100644 --- a/python-base.spec +++ b/python-base.spec @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -60,6 +60,10 @@ Patch38: reproducible.patch Patch40: python-skip_random_failing_tests.patch # PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263 Patch41: python-sorted_tar.patch +# PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch mcepl@suse.com +# Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch +Patch42: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch +# # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -167,6 +171,7 @@ other applications. %patch40 -p1 %endif %patch41 -p1 +%patch42 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac diff --git a/python-doc.changes b/python-doc.changes index 55e3201..129c573 100644 --- a/python-doc.changes +++ b/python-doc.changes 
@@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Sep 25 22:01:08 UTC 2018 - Matěj Cepl + +- Apply "CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which + converts shutil._call_external_zip to use subprocess rather than + distutils.spawn. [bsc#1109663, CVE-2018-1000802] + ------------------------------------------------------------------- Mon May 21 18:41:43 UTC 2018 - michael@stroeder.com diff --git a/python-doc.spec b/python-doc.spec index 7e5a681..8aa3ea3 100644 --- a/python-doc.spec +++ b/python-doc.spec @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -61,6 +61,10 @@ Patch38: reproducible.patch Patch40: python-skip_random_failing_tests.patch # PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263 Patch41: python-sorted_tar.patch +# PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch mcepl@suse.com +# Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch +Patch42: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch +# # COMMON-PATCH-END Provides: pyth_doc Provides: pyth_ps @@ -114,6 +118,7 @@ Python, and Macintosh Module Reference in PDF format. %patch40 -p1 %endif %patch41 -p1 +%patch42 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac diff --git a/python.changes b/python.changes index a8f248d..6cc20bc 100644 --- a/python.changes +++ b/python.changes 
@@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Sep 25 22:01:08 UTC 2018 - Matěj Cepl + +- Apply "CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which + converts shutil._call_external_zip to use subprocess rather than + distutils.spawn. [bsc#1109663, CVE-2018-1000802] + ------------------------------------------------------------------- Mon May 21 18:41:43 UTC 2018 - michael@stroeder.com diff --git a/python.spec b/python.spec index e33e854..e217001 100644 --- a/python.spec +++ b/python.spec @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -66,6 +66,10 @@ Patch38: reproducible.patch Patch40: python-skip_random_failing_tests.patch # PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263 Patch41: python-sorted_tar.patch +# PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch mcepl@suse.com +# Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch +Patch42: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch +# # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -220,6 +224,7 @@ that rely on earlier non-verification behavior. %patch40 -p1 %endif %patch41 -p1 +%patch42 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac