- Apply "CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which

converts shutil._call_external_zip to use subprocess rather than distutils.spawn. [bsc#1109663, CVE-2018-1000802] OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=232
2018-09-27 14:11:14 +00:00
parent a253d3727a
commit 9eba14b8c5
7 changed files with 89 additions and 3 deletions
--- a/python.spec
+++ b/python.spec
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.

-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #


@@ -66,6 +66,10 @@ Patch38:        reproducible.patch
 Patch40:        python-skip_random_failing_tests.patch
 # PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263
 Patch41:        python-sorted_tar.patch
+# PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch mcepl@suse.com
+# Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch
+Patch42:        CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
+# 
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@@ -220,6 +224,7 @@ that rely on earlier non-verification behavior.
 %patch40 -p1
 %endif
 %patch41 -p1
+%patch42 -p1

 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac