pool/python
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 196449 from devel:languages:python:Factory

Browse Source 
- update python-2.7.3-ssl_ca_path.patch patch to load default verify locations
  if no ca_certs file is specified (bnc#827982, bnc#836739)

*** this SR also renames the patch and .changes entry for previous request
because wrong CVE number was used

OBS-URL: https://build.opensuse.org/request/show/196449
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=96
This commit is contained in:
Stephan Kulow 2013-08-30 09:47:52 +00:00 committed by Git OBS Bridge
commit b09b1d4770
6 changed files with 39 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
CVE-2013-4073_py27.patch → CVE-2013-4238_py27.patch
View File

42
python-2.7.3-ssl_ca_path.patch
View File

@ -1,6 +1,8 @@
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -271,6 +271,7 @@
Index: Python-2.7.5/Modules/_ssl.c
===================================================================
--- Python-2.7.5.orig/Modules/_ssl.c
+++ Python-2.7.5/Modules/_ssl.c
@@ -271,6 +271,7 @@ newPySSLObject(PySocketSockObject *Sock,
char *errstr = NULL;
int ret;
int verification_mode;
@ -8,15 +10,24 @@
self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */
if (self == NULL)
@@ -331,11 +332,23 @@
"verification of other-side certificates.");
goto fail;
} else {
- PySSL_BEGIN_ALLOW_THREADS
@@ -327,20 +328,32 @@ newPySSLObject(PySocketSockObject *Sock,
if (certreq != PY_SSL_CERT_NONE) {
if (cacerts_file == NULL) {
- errstr = ERRSTR("No root certificates specified for "
- "verification of other-side certificates.");
- goto fail;
- } else {
PySSL_BEGIN_ALLOW_THREADS
- ret = SSL_CTX_load_verify_locations(self->ctx,
- cacerts_file,
- NULL);
- PySSL_END_ALLOW_THREADS
+ ret = SSL_CTX_set_default_verify_paths(self->ctx);
PySSL_END_ALLOW_THREADS
- if (ret != 1) {
- _setSSLError(NULL, 0, __FILE__, __LINE__);
- goto fail;
+ } else {
+ /* If cacerts_file is a directory-based cert store, pass it as the
+ third parameter, CApath, instead
+ */
@ -32,8 +43,13 @@
+ cacerts_file,
+ NULL);
+ PySSL_END_ALLOW_THREADS
+ }
}
}
+
if (ret != 1) {
_setSSLError(NULL, 0, __FILE__, __LINE__);
goto fail;
+ if (ret != 1) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ goto fail;
+ }
}
if (key_file) {
PySSL_BEGIN_ALLOW_THREADS

2
python-base.spec
View File

@ -50,7 +50,7 @@ Patch20: python-bundle-lang.patch
Patch22: python-2.7.4-aarch64.patch
Patch23: python-2.7.4-no-REUSEPORT.patch
Patch24: python-bsddb6.diff
Patch25: CVE-2013-4073_py27.patch
Patch25: CVE-2013-4238_py27.patch
# COMMON-PATCH-END
%define python_version %(echo %{tarversion} | head -c 3)
BuildRequires: automake

2
python-doc.spec
View File

@ -56,7 +56,7 @@ Patch20: python-bundle-lang.patch
Patch22: python-2.7.4-aarch64.patch
Patch23: python-2.7.4-no-REUSEPORT.patch
Patch24: python-bsddb6.diff
Patch25: CVE-2013-4073_py27.patch
Patch25: CVE-2013-4238_py27.patch
# COMMON-PATCH-END
Provides: pyth_doc
Provides: pyth_ps

8
python.changes
View File

@ -1,8 +1,14 @@
-------------------------------------------------------------------
Mon Aug 26 13:55:35 UTC 2013 - lnussel@suse.de
- update python-2.7.3-ssl_ca_path.patch patch to load default verify locations
if no ca_certs file is specified (bnc#827982, bnc#836739)
-------------------------------------------------------------------
Fri Aug 16 11:25:49 UTC 2013 - jmatejek@suse.com
- handle NULL bytes in certain fields of SSL certificates
(CVE-2013-4073, bnc#834601)
(CVE-2013-4238, bnc#834601)
-------------------------------------------------------------------
Tue Jul 9 07:55:50 UTC 2013 - jengelh@inai.de

2
python.spec
View File

@ -56,7 +56,7 @@ Patch20: python-bundle-lang.patch
Patch22: python-2.7.4-aarch64.patch
Patch23: python-2.7.4-no-REUSEPORT.patch
Patch24: python-bsddb6.diff
Patch25: CVE-2013-4073_py27.patch
Patch25: CVE-2013-4238_py27.patch
# COMMON-PATCH-END
BuildRequires: automake
BuildRequires: db-devel