Accepting request 1220114 from devel:languages:python:Factory

- Update CVE-2024-9287-venv_path_unquoted.patch according to the
  upstream PR gh#python/cpython!126301.

OBS-URL: https://build.opensuse.org/request/show/1220114
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python39?expand=0&rev=68
Dominique Leuenberger 2024-11-01 22:03:28 +00:00 committed by Git OBS Bridge
commit 090db10a8a
2 changed files with 49 additions and 29 deletions


@ -1,32 +1,31 @@
From b6a3bbd155c558cdcda482629073e492437db3d0 Mon Sep 17 00:00:00 2001 From ae0d64cb185900712c40a65d7d8aa118f9903d57 Mon Sep 17 00:00:00 2001
From: y5c4l3 <y5c4l3@proton.me> From: Victor Stinner <vstinner@python.org>
Date: Sat, 28 Sep 2024 02:09:07 +0800 Date: Fri, 1 Nov 2024 14:11:47 +0100
Subject: [PATCH] Quote template strings in `venv` activation scripts Subject: [PATCH] [3.11] gh-124651: Quote template strings in `venv` activation
scripts (GH-124712) (GH-126185) (#126269)
This patch properly quotes template strings in `venv` activation (cherry picked from commit ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97)
scripts. This mitigates potential command injection.
Signed-off-by: y5c4l3 <y5c4l3@proton.me>
--- ---
Lib/test/test_venv.py | 81 ++++++++++ Lib/test/test_venv.py | 81 ++++++++++
Lib/venv/__init__.py | 42 ++++- Lib/venv/__init__.py | 42 ++++-
Lib/venv/scripts/common/activate | 6 Lib/venv/scripts/common/activate | 6
Lib/venv/scripts/nt/activate.bat | 6 Lib/venv/scripts/nt/activate.bat | 4
Lib/venv/scripts/posix/activate.csh | 6 Lib/venv/scripts/posix/activate.csh | 6
Lib/venv/scripts/posix/activate.fish | 6
Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst | 1 Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst | 1
6 files changed, 128 insertions(+), 14 deletions(-) 7 files changed, 130 insertions(+), 16 deletions(-)
create mode 100644 Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst create mode 100644 Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst
--- a/Lib/test/test_venv.py --- a/Lib/test/test_venv.py
+++ b/Lib/test/test_venv.py +++ b/Lib/test/test_venv.py
@@ -9,6 +9,7 @@ import ensurepip @@ -14,6 +14,7 @@ import struct
import os
import os.path
import re
+import shlex
import shutil
import struct
import subprocess import subprocess
import sys
import tempfile
+import shlex
from test.support import (captured_stdout, captured_stderr, requires_zlib,
can_symlink, EnvironmentVarGuard, rmtree,
import_module,
@@ -85,6 +86,10 @@ class BaseTest(unittest.TestCase): @@ -85,6 +86,10 @@ class BaseTest(unittest.TestCase):
result = f.read() result = f.read()
return result return result
@ -178,14 +177,14 @@ Signed-off-by: y5c4l3 <y5c4l3@proton.me>
return text return text
def install_scripts(self, context, path): def install_scripts(self, context, path):
@@ -393,6 +424,7 @@ class EnvBuilder: @@ -392,6 +423,7 @@ class EnvBuilder:
with open(srcfile, 'rb') as f:
data = f.read() data = f.read()
if not srcfile.endswith(('.exe', '.pdb')): if not srcfile.endswith(('.exe', '.pdb')):
try:
+ context.script_path = srcfile + context.script_path = srcfile
try:
data = data.decode('utf-8') data = data.decode('utf-8')
data = self.replace_variables(data, context) data = self.replace_variables(data, context)
data = data.encode('utf-8')
--- a/Lib/venv/scripts/common/activate --- a/Lib/venv/scripts/common/activate
+++ b/Lib/venv/scripts/common/activate +++ b/Lib/venv/scripts/common/activate
@@ -37,11 +37,11 @@ deactivate () { @@ -37,11 +37,11 @@ deactivate () {
@ -222,15 +221,6 @@ Signed-off-by: y5c4l3 <y5c4l3@proton.me>
if not defined PROMPT set PROMPT=$P$G if not defined PROMPT set PROMPT=$P$G
@@ -16,7 +16,7 @@ if defined _OLD_VIRTUAL_PROMPT set PROMP
if defined _OLD_VIRTUAL_PYTHONHOME set PYTHONHOME=%_OLD_VIRTUAL_PYTHONHOME%
set _OLD_VIRTUAL_PROMPT=%PROMPT%
-set PROMPT=__VENV_PROMPT__%PROMPT%
+set "PROMPT=__VENV_PROMPT__%PROMPT%"
if defined PYTHONHOME set _OLD_VIRTUAL_PYTHONHOME=%PYTHONHOME%
set PYTHONHOME=
@@ -24,7 +24,7 @@ set PYTHONHOME= @@ -24,7 +24,7 @@ set PYTHONHOME=
if defined _OLD_VIRTUAL_PATH set PATH=%_OLD_VIRTUAL_PATH% if defined _OLD_VIRTUAL_PATH set PATH=%_OLD_VIRTUAL_PATH%
if not defined _OLD_VIRTUAL_PATH set _OLD_VIRTUAL_PATH=%PATH% if not defined _OLD_VIRTUAL_PATH set _OLD_VIRTUAL_PATH=%PATH%
@ -262,6 +252,30 @@ Signed-off-by: y5c4l3 <y5c4l3@proton.me>
endif endif
alias pydoc python -m pydoc alias pydoc python -m pydoc
--- a/Lib/venv/scripts/posix/activate.fish
+++ b/Lib/venv/scripts/posix/activate.fish
@@ -29,10 +29,10 @@ end
# Unset irrelevant variables.
deactivate nondestructive
-set -gx VIRTUAL_ENV "__VENV_DIR__"
+set -gx VIRTUAL_ENV __VENV_DIR__
set -gx _OLD_VIRTUAL_PATH $PATH
-set -gx PATH "$VIRTUAL_ENV/__VENV_BIN_NAME__" $PATH
+set -gx PATH "$VIRTUAL_ENV/"__VENV_BIN_NAME__ $PATH
# Unset PYTHONHOME if set.
if set -q PYTHONHOME
@@ -52,7 +52,7 @@ if test -z "$VIRTUAL_ENV_DISABLE_PROMPT"
set -l old_status $status
# Output the venv prompt; color taken from the blue of the Python logo.
- printf "%s%s%s" (set_color 4B8BBE) "__VENV_PROMPT__" (set_color normal)
+ printf "%s%s%s" (set_color 4B8BBE) __VENV_PROMPT__ (set_color normal)
# Restore the return status of the previous command.
echo "exit $old_status" | .
--- /dev/null --- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst +++ b/Misc/NEWS.d/next/Library/2024-09-28-02-03-04.gh-issue-124651.bLBGtH.rst
@@ -0,0 +1 @@ @@ -0,0 +1 @@
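Review bot: The updated patch appears to drop the quoting of the `set PROMPT=__VENV_PROMPT__%PROMPT%` line in Lib/venv/scripts/nt/activate.bat — the `set "PROMPT=__VENV_PROMPT__%PROMPT%"` hunk is printed only once here (old side) and the activate.bat diffstat shrinks from 6 to 4 — so if the Python-side quoting helper passes .bat replacements through unchanged, as the script-level `set "VAR=..."` style suggests, a prompt containing cmd metacharacters such as `&` or `|` would still be interpreted on that line; confirm against the 3.9 activate.bat whether that line still exists there and, if so, keep `set "PROMPT=__VENV_PROMPT__%PROMPT%"` in the package patch. The new patch header reads `[3.11] gh-124651 ... (#126269)` while the commit message cites gh#python/cpython!126301, so the provenance of the hunk bodies is ambiguous; if they were taken from the 3.11 PR, the changed test_venv.py context (`@@ -14,6 +14,7 @@ import struct` replacing `@@ -9,6 +9,7 @@ import ensurepip`) suggests they may need fuzz or a manual rebase to apply to 3.9, which is worth checking in the build log. The `replace_variables` change in Lib/venv/__init__.py that performs the actual per-script quoting is not visible in this view, so the .bat behaviour above is inferred rather than read from the hunk.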


@ -1,3 +1,9 @@
-------------------------------------------------------------------
Fri Nov 1 21:16:32 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
- Update CVE-2024-9287-venv_path_unquoted.patch according to the
upstream PR gh#python/cpython!126301.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Oct 24 16:09:00 UTC 2024 - Matej Cepl <mcepl@cepl.eu> Thu Oct 24 16:09:00 UTC 2024 - Matej Cepl <mcepl@cepl.eu>