From 88c9accd0ac927b02e8622fcb1997d9cc6be554c665adb909b912b474b53c6c8 Mon Sep 17 00:00:00 2001 From: Jan Matejek Date: Mon, 26 Aug 2013 15:45:18 +0000 Subject: [PATCH 1/2] Accepting request 196445 from home:lnussel:branches:devel:languages:python:Factory - update python-2.7.3-ssl_ca_path.patch patch to load default verify locations if no ca_certs file is specified (bnc#827982, bnc#836739) OBS-URL: https://build.opensuse.org/request/show/196445 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=149 --- python-2.7.3-ssl_ca_path.patch | 42 +++++++++++++++++++++++----------- python.changes | 6 +++++ 2 files changed, 35 insertions(+), 13 deletions(-) diff --git a/python-2.7.3-ssl_ca_path.patch b/python-2.7.3-ssl_ca_path.patch index 6c67a45..dd73ebc 100644 --- a/python-2.7.3-ssl_ca_path.patch +++ b/python-2.7.3-ssl_ca_path.patch @@ -1,6 +1,8 @@ ---- a/Modules/_ssl.c -+++ b/Modules/_ssl.c -@@ -271,6 +271,7 @@ +Index: Python-2.7.5/Modules/_ssl.c +=================================================================== +--- Python-2.7.5.orig/Modules/_ssl.c ++++ Python-2.7.5/Modules/_ssl.c +@@ -271,6 +271,7 @@ newPySSLObject(PySocketSockObject *Sock, char *errstr = NULL; int ret; int verification_mode; 
@@ -8,15 +10,24 @@ self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */ if (self == NULL) -@@ -331,11 +332,23 @@ - "verification of other-side certificates."); - goto fail; - } else { -- PySSL_BEGIN_ALLOW_THREADS +@@ -327,20 +328,32 @@ newPySSLObject(PySocketSockObject *Sock, + + if (certreq != PY_SSL_CERT_NONE) { + if (cacerts_file == NULL) { +- errstr = ERRSTR("No root certificates specified for " +- "verification of other-side certificates."); +- goto fail; +- } else { + PySSL_BEGIN_ALLOW_THREADS - ret = SSL_CTX_load_verify_locations(self->ctx, - cacerts_file, - NULL); -- PySSL_END_ALLOW_THREADS ++ ret = SSL_CTX_set_default_verify_paths(self->ctx); + PySSL_END_ALLOW_THREADS +- if (ret != 1) { +- _setSSLError(NULL, 0, __FILE__, __LINE__); +- goto fail; ++ } else { + /* If cacerts_file is a directory-based cert store, pass it as the + third parameter, CApath, instead + */ @@ -32,8 +43,13 @@ + cacerts_file, + NULL); + PySSL_END_ALLOW_THREADS -+ } + } + } + - if (ret != 1) { - _setSSLError(NULL, 0, __FILE__, __LINE__); - goto fail; ++ if (ret != 1) { ++ _setSSLError(NULL, 0, __FILE__, __LINE__); ++ goto fail; ++ } + } + if (key_file) { + PySSL_BEGIN_ALLOW_THREADS diff --git a/python.changes b/python.changes index 58948aa..daf5978 100644 --- a/python.changes +++ b/python.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Aug 26 13:55:35 UTC 2013 - lnussel@suse.de + +- update python-2.7.3-ssl_ca_path.patch patch to load default verify locations + if no ca_certs file is specified (bnc#827982, bnc#836739) + ------------------------------------------------------------------- Fri Aug 16 11:25:49 UTC 2013 - jmatejek@suse.com From 822329c555813ba82e9c370fc802cc2358b8189218dae8363a8ca924ce9eb6e6 Mon Sep 17 00:00:00 2001 
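Review bot: The new `cacerts_file == NULL` branch in the `@@ -327,20 +328,32 @@` part of the inner patch turns a hard failure into an implicit trust decision, and nothing in the patched code says so. Before, a `certreq` other than `PY_SSL_CERT_NONE` with no CA file stopped with "No root certificates specified"; now `SSL_CTX_set_default_verify_paths(self->ctx)` verifies the peer against whatever the OpenSSL default store holds, which as far as I know can also be redirected through the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables. As I understand OpenSSL, that call also returns 1 when the default locations are missing, so the hoisted `if (ret != 1)` check in the last hunk probably does not catch an empty store, and the problem only surfaces as a verification failure at handshake time. I would add a comment above the call, for example `/* no ca_certs given: fall back to the OpenSSL default trust store; an empty store is only noticed at handshake */`, and state the behaviour change for callers in the changes entry. `newPySSLObject` starts and ends outside the hunks shown, and the `stat` logic between the second and third hunk is not visible here.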
From: Jan Matejek Date: Mon, 26 Aug 2013 15:46:16 +0000 Subject: [PATCH 2/2] (CVE-2013-4238, bnc#834601) OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=150 --- CVE-2013-4073_py27.patch => CVE-2013-4238_py27.patch | 0 python-base.spec | 2 +- python-doc.spec | 2 +- python.changes | 2 +- python.spec | 2 +- 5 files changed, 4 insertions(+), 4 deletions(-) rename CVE-2013-4073_py27.patch => CVE-2013-4238_py27.patch (100%)
diff --git a/CVE-2013-4073_py27.patch b/CVE-2013-4238_py27.patch
similarity index 100%
rename from CVE-2013-4073_py27.patch
rename to CVE-2013-4238_py27.patch
diff --git a/python-base.spec b/python-base.spec
index e1f0c49..a02a5cd 100644
--- a/python-base.spec
+++ b/python-base.spec
@@ -50,7 +50,7 @@ Patch20: python-bundle-lang.patch
 Patch22: python-2.7.4-aarch64.patch
 Patch23: python-2.7.4-no-REUSEPORT.patch
 Patch24: python-bsddb6.diff
-Patch25: CVE-2013-4073_py27.patch
+Patch25: CVE-2013-4238_py27.patch
 # COMMON-PATCH-END
 %define python_version %(echo %{tarversion} | head -c 3)
 BuildRequires: automake
diff --git a/python-doc.spec b/python-doc.spec
index 8e3f09b..ae23821 100644
--- a/python-doc.spec
+++ b/python-doc.spec
@@ -56,7 +56,7 @@ Patch20: python-bundle-lang.patch
 Patch22: python-2.7.4-aarch64.patch
 Patch23: python-2.7.4-no-REUSEPORT.patch
 Patch24: python-bsddb6.diff
-Patch25: CVE-2013-4073_py27.patch
+Patch25: CVE-2013-4238_py27.patch
 # COMMON-PATCH-END
 Provides: pyth_doc
 Provides: pyth_ps
diff --git a/python.changes b/python.changes
index daf5978..8c2a36c 100644
--- a/python.changes
+++ b/python.changes
@@ -8,7 +8,7 @@ Mon Aug 26 13:55:35 UTC 2013 - lnussel@suse.de
 Fri Aug 16 11:25:49 UTC 2013 - jmatejek@suse.com
 - handle NULL bytes in certain fields of SSL certificates
- (CVE-2013-4073, bnc#834601)
+ (CVE-2013-4238, bnc#834601)
 -------------------------------------------------------------------
 Tue Jul 9 07:55:50 UTC 2013 - jengelh@inai.de
diff --git a/python.spec b/python.spec
index f6359b7..31c5426 100644
--- a/python.spec
+++ b/python.spec
@@ -56,7 +56,7 @@ Patch20: python-bundle-lang.patch
 Patch22: python-2.7.4-aarch64.patch
 Patch23: python-2.7.4-no-REUSEPORT.patch
 Patch24: python-bsddb6.diff
-Patch25: CVE-2013-4073_py27.patch
+Patch25: CVE-2013-4238_py27.patch
 # COMMON-PATCH-END
 BuildRequires: automake
 BuildRequires: db-devel