From 7f273c8f794cdc7b7dac5a282789ac697629c4118f0d5c772e6215ce2eb5dedd Mon Sep 17 00:00:00 2001
From: Matej Cepl
Date: Thu, 9 Aug 2018 07:56:32 +0000
Subject: [PATCH] update to 0.11.0
+ Upstream provides no changelog
Remove patch CVE-2014-3539-disable-doa.patch (included upstream)
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-rope?expand=0&rev=16
---
CVE-2014-3539-disable-doa.patch | 251 --------------------------------
python-rope.changes | 7 +
python-rope.spec | 22 ++-
rope-0.10.7.tar.gz | 3 -
rope-0.11.0.tar.gz | 3 +
5 files changed, 20 insertions(+), 266 deletions(-)
delete mode 100644 CVE-2014-3539-disable-doa.patch
delete mode 100644 rope-0.10.7.tar.gz
create mode 100644 rope-0.11.0.tar.gz
diff --git a/CVE-2014-3539-disable-doa.patch b/CVE-2014-3539-disable-doa.patch
deleted file mode 100644
index d94d763..0000000
--- a/CVE-2014-3539-disable-doa.patch
+++ /dev/null
@@ -1,251 +0,0 @@
-From 5cd16e47baf76f57b0dab0d9ab1684a8e02ea6a8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?=
-Date: Wed, 11 Feb 2015 22:06:44 +0100
-Subject: [PATCH 1/2] Simple hackish solution to CVE-2014-3539.
-
-This doesn't resolve the issue, but at least people using DOA should be
-intentional about it and aware of the security risks.
-
-It is also necessary explicitly switch on 'perform_doa' preference for
-tests that require it.
-
-Fixes #105
----
- rope/base/default_config.py | 12 +++++++++++-
- ropetest/advanced_oi_test.py | 23 +++++++++++++++++++++++
- 2 files changed, 34 insertions(+), 1 deletion(-)
-
-diff --git a/rope/base/default_config.py b/rope/base/default_config.py
-index 0ee9937..e46509f 100644
---- a/rope/base/default_config.py
-+++ b/rope/base/default_config.py
-@@ -46,7 +46,17 @@ def set_prefs(prefs):
-
- # If `False` when running modules or unit tests "dynamic object
- # analysis" is turned off. This makes them much faster.
-- prefs['perform_doa'] = True
-+ #
-+ # There is also a security risk involved with this (CVE-2014-3539),
-+ # because during by this rope can be persuaded to open under some
-+ # circumstances a network port for short moment of time, which can
-+ # be used to push commands to the running process, so that such
-+ # process could proceed some commands under the privilegis of the
-+ # user running rope. Therefore this variable defaults to False, and
-+ # anybody who would like to change its value to True is advised to
-+ # make sure the computer is well firewalled against possible
-+ # intruders.
-+ prefs['perform_doa'] = False
-
- # Rope can check the validity of its object DB when running.
- prefs['validate_objectdb'] = True
-diff --git a/ropetest/advanced_oi_test.py b/ropetest/advanced_oi_test.py
-index 4130fae..e862307 100644
---- a/ropetest/advanced_oi_test.py
-+++ b/ropetest/advanced_oi_test.py
-@@ -17,6 +17,7 @@ def tearDown(self):
- super(DynamicOITest, self).tearDown()
-
- def test_simple_dti(self):
-+ self.project.prefs['perform_doa'] = True
- mod = testutils.create_module(self.project, 'mod')
- code = 'def a_func(arg):\n return eval("arg")\n' \
- 'a_var = a_func(a_func)\n'
-@@ -27,6 +28,7 @@ def test_simple_dti(self):
- pymod['a_var'].get_object())
-
- def test_module_dti(self):
-+ self.project.prefs['perform_doa'] = True
- mod1 = testutils.create_module(self.project, 'mod1')
- mod2 = testutils.create_module(self.project, 'mod2')
- code = 'import mod1\ndef a_func(arg):\n return eval("arg")\n' \
-@@ -38,6 +40,7 @@ def test_module_dti(self):
- pymod2['a_var'].get_object())
-
- def test_class_from_another_module_dti(self):
-+ self.project.prefs['perform_doa'] = True
- mod1 = testutils.create_module(self.project, 'mod1')
- mod2 = testutils.create_module(self.project, 'mod2')
- code1 = 'class AClass(object):\n pass\n'
-@@ -54,6 +57,7 @@ def test_class_from_another_module_dti(self):
-
- def test_class_dti(self):
- mod = testutils.create_module(self.project, 'mod')
-+ self.project.prefs['perform_doa'] = True
- code = 'class AClass(object):\n pass\n' \
- '\ndef a_func(arg):\n return eval("arg")\n' \
- 'a_var = a_func(AClass)\n'
-@@ -64,6 +68,7 @@ def test_class_dti(self):
- pymod['a_var'].get_object())
-
- def test_instance_dti(self):
-+ self.project.prefs['perform_doa'] = True
- mod = testutils.create_module(self.project, 'mod')
- code = 'class AClass(object):\n pass\n' \
- '\ndef a_func(arg):\n return eval("arg()")\n' \
-@@ -75,6 +80,7 @@ def test_instance_dti(self):
- pymod['a_var'].get_object().get_type())
-
- def test_method_dti(self):
-+ self.project.prefs['perform_doa'] = True
- mod = testutils.create_module(self.project, 'mod')
- code =
'class AClass(object):\n def a_method(self, arg):\n' \
- ' return eval("arg()")\n' \
-@@ -87,6 +93,7 @@ def test_method_dti(self):
- pymod['a_var'].get_object().get_type())
-
- def test_function_argument_dti(self):
-+ self.project.prefs['perform_doa'] = True
- mod = testutils.create_module(self.project, 'mod')
- code = 'def a_func(arg):\n pass\n' \
- 'a_func(a_func)\n'
-@@ -97,6 +104,7 @@ def test_function_argument_dti(self):
- pyscope.get_scopes()[0]['arg'].get_object())
-
- def test_classes_with_the_same_name(self):
-+ self.project.prefs['perform_doa'] = True
- mod = testutils.create_module(self.project, 'mod')
- code = 'def a_func(arg):\n class AClass(object):\n' \
- ' pass\n return eval("arg")\n' \
-@@ -109,6 +117,7 @@ def test_classes_with_the_same_name(self):
- pymod['a_var'].get_object())
-
- def test_nested_classes(self):
-+ self.project.prefs['perform_doa'] = True
- mod = testutils.create_module(self.project, 'mod')
- code = 'def a_func():\n class AClass(object):\n' \
- ' pass\n return AClass\n' \
-@@ -121,6 +130,7 @@ def test_nested_classes(self):
- pyscope['a_var'].get_object())
-
- def test_function_argument_dti2(self):
-+ self.project.prefs['perform_doa'] = True
- mod = testutils.create_module(self.project, 'mod')
- code = 'def a_func(arg, a_builtin_type):\n pass\n' \
- 'a_func(a_func, [])\n'
-@@ -131,6 +141,7 @@ def test_function_argument_dti2(self):
- pyscope.get_scopes()[0]['arg'].get_object())
-
- def test_dti_and_concluded_data_invalidation(self):
-+ self.project.prefs['perform_doa'] = True
- mod = testutils.create_module(self.project, 'mod')
- code = 'def a_func(arg):\n return eval("arg")\n' \
- 'a_var = a_func(a_func)\n'
-@@ -142,6 +153,7 @@ def test_dti_and_concluded_data_invalidation(self):
- pymod['a_var'].get_object())
-
- def test_list_objects_and_dynamicoi(self):
-+ self.project.prefs['perform_doa'] = True
- mod = testutils.create_module(self.project, 'mod')
- code = 'class C(object):\n pass\n' \
- 'def a_func(arg):\n return eval("arg")\n'
\
-@@ -154,6 +166,7 @@ def test_list_objects_and_dynamicoi(self):
- self.assertEquals(c_class, a_var.get_type())
-
- def test_for_loops_and_dynamicoi(self):
-+ self.project.prefs['perform_doa'] = True
- mod = testutils.create_module(self.project, 'mod')
- code = 'class C(object):\n pass\n' \
- 'def a_func(arg):\n return eval("arg")\n' \
-@@ -166,6 +179,7 @@ def test_for_loops_and_dynamicoi(self):
- self.assertEquals(c_class, a_var.get_type())
-
- def test_dict_objects_and_dynamicoi(self):
-+ self.project.prefs['perform_doa'] = True
- mod = testutils.create_module(self.project, 'mod')
- code = 'class C(object):\n pass\n' \
- 'def a_func(arg):\n return eval("arg")\n' \
-@@ -178,6 +192,7 @@ def test_dict_objects_and_dynamicoi(self):
- self.assertEquals(c_class, a_var.get_type())
-
- def test_dict_keys_and_dynamicoi(self):
-+ self.project.prefs['perform_doa'] = True
- mod = testutils.create_module(self.project, 'mod')
- if pycompat.PY3:
- code = 'class C(object):\n pass\n' \
-@@ -190,6 +205,7 @@ def test_dict_keys_and_dynamicoi(self):
- self.assertEquals(c_class, a_var.get_type())
-
- def test_dict_keys_and_dynamicoi2(self):
-+ self.project.prefs['perform_doa'] = True
- mod = testutils.create_module(self.project, 'mod')
- code = 'class C1(object):\n pass\nclass C2(object):\n pass\n' \
- 'def a_func(arg):\n return eval("arg")\n' \
-@@ -205,6 +221,7 @@ def test_dict_keys_and_dynamicoi2(self):
- self.assertEquals(c2_class, b_var.get_type())
-
- def test_strs_and_dynamicoi(self):
-+ self.project.prefs['perform_doa'] = True
- mod = testutils.create_module(self.project, 'mod')
- code = 'def a_func(arg):\n return eval("arg")\n' \
- 'a_var = a_func("hey")\n'
-@@ -239,6 +256,7 @@ def complex_to_textual(pyobject):
-
- def test_arguments_with_keywords(self):
- mod = testutils.create_module(self.project, 'mod')
-+ self.project.prefs['perform_doa'] = True
- code = 'class C1(object):\n pass\nclass C2(object):\n pass\n' \
- 'def a_func(arg):\n return eval("arg")\n' \
- 'a =
a_func(arg=C1())\nb = a_func(arg=C2())\n'
-@@ -254,6 +272,7 @@ def test_arguments_with_keywords(self):
-
- def test_a_function_with_different_returns(self):
- mod = testutils.create_module(self.project, 'mod')
-+ self.project.prefs['perform_doa'] = True
- code = 'class C1(object):\n pass\nclass C2(object):\n pass\n' \
- 'def a_func(arg):\n return eval("arg")\n' \
- 'a = a_func(C1())\nb = a_func(C2())\n'
-@@ -269,6 +288,7 @@ def test_a_function_with_different_returns(self):
-
- def test_a_function_with_different_returns2(self):
- mod = testutils.create_module(self.project, 'mod')
-+ self.project.prefs['perform_doa'] = True
- code = 'class C1(object):\n pass\nclass C2(object):\n pass\n' \
- 'def a_func(p):\n if p == C1:\n return C1()\n' \
- ' else:\n return C2()\n' \
-@@ -284,6 +304,7 @@ def test_a_function_with_different_returns2(self):
- self.assertEquals(c2_class, b_var.get_type())
-
- def test_ignoring_star_args(self):
-+ self.project.prefs['perform_doa'] = True
- mod = testutils.create_module(self.project, 'mod')
- code = 'class C1(object):\n pass\nclass C2(object):\n pass\n' \
- 'def a_func(p, *args):' \
-@@ -301,6 +322,7 @@ def test_ignoring_star_args(self):
- self.assertEquals(c2_class, b_var.get_type())
-
- def test_ignoring_double_star_args(self):
-+ self.project.prefs['perform_doa'] = True
- mod = testutils.create_module(self.project, 'mod')
- code = 'class C1(object):\n pass\nclass C2(object):\n pass\n' \
- 'def a_func(p, *kwds, **args):\n ' \
-@@ -330,6 +352,7 @@ def test_invalidating_data_after_changing(self):
- pymod['a_var'].get_object())
-
- def test_invalidating_data_after_moving(self):
-+ self.project.prefs['perform_doa'] = True
- mod2 = testutils.create_module(self.project, 'mod2')
- mod2.write('class C(object):\n pass\n')
- mod = testutils.create_module(self.project, 'mod')
-
-From 8e9667d3318f2846362b8a3c350a9d27d7222818 Mon Sep 17 00:00:00 2001
-From: Matej Cepl
-Date: Thu, 12 Feb 2015 01:12:15 +0100
-Subject: [PATCH 2/2] limit socket
connections to localhost
-
----
- rope/base/oi/doa.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/rope/base/oi/doa.py b/rope/base/oi/doa.py
-index 1b2a00f..74bb91b 100644
---- a/rope/base/oi/doa.py
-+++ b/rope/base/oi/doa.py
-@@ -113,7 +113,7 @@ def __init__(self):
- self.data_port = 3037
- while self.data_port < 4000:
- try:
-- self.server_socket.bind(('', self.data_port))
-+ self.server_socket.bind(('127.0.0.1', self.data_port))
- break
- except socket.error:
- self.data_port += 1
diff --git a/python-rope.changes b/python-rope.changes
index 0b037c8..15ccb81 100644
--- a/python-rope.changes
+++ b/python-rope.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Aug 9 07:55:22 UTC 2018 - mcepl@suse.com
+
+- update to 0.11.0
+ + Upstream provides no changelog
+- Remove patch CVE-2014-3539-disable-doa.patch (included upstream)
+
 -------------------------------------------------------------------
 Mon Aug 28 16:14:30 UTC 2017 - toddrme2178@gmail.com
diff --git a/python-rope.spec b/python-rope.spec
index 1814922..4c94aef 100644
--- a/python-rope.spec
+++ b/python-rope.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package python-rope
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,23 +16,21 @@
 #
+%define upname rope
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 %bcond_without test
 Name: python-rope
-Version: 0.10.7
+Version: 0.11.0
 Release: 0
 Summary: A python refactoring library
-License: GPL-2.0+
+License: GPL-2.0-or-later
 Group: Development/Languages/Python
-Url: https://github.com/python-rope/rope
+URL: https://github.com/python-rope/rope
 Source: https://files.pythonhosted.org/packages/source/r/rope/rope-%{version}.tar.gz
-# PATCH-FIX-UPSTREAM - CVE-2014-3539-disable-doa.patch - https://github.com/python-rope/rope/issues/105
-Patch0: CVE-2014-3539-disable-doa.patch
 BuildRequires: %{python_module devel}
 BuildRequires: fdupes
 BuildRequires: python-rpm-macros
 BuildArch: noarch
-
 %python_subpackages
 %description
@@ -40,16 +38,15 @@ Rope is a python refactoring library.
 %prep
 %setup -q -n rope-%{version}
-%patch0 -p1
 %build
 export LANG=en_US.UTF-8
-%{python_build}
+%python_build
 %install
 export LANG=en_US.UTF-8
-%{python_install}
-%{python_expand rm -rf %{buildroot}/%{%python_sitelib}/python-rope/ropetest/
+%python_install
+%{python_expand rm -rf %{buildroot}/%{%{python_sitelib}}/python-rope/ropetest/
 %fdupes %{buildroot}/%{$python_sitelib}
 }
@@ -60,7 +57,8 @@ export LANG=en_US.UTF-8
 %endif
 %files %{python_files}
-%doc COPYING README.rst
+%license COPYING
+%doc README.rst
 %doc docs/
 %{python_sitelib}/
diff --git a/rope-0.10.7.tar.gz b/rope-0.10.7.tar.gz
deleted file mode 100644
index a57713e..0000000
--- a/rope-0.10.7.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a09edfd2034fd50099a67822f9bd851fbd0f4e98d3b87519f6267b60e50d80d1
-size 244089
diff --git a/rope-0.11.0.tar.gz b/rope-0.11.0.tar.gz
new file mode 100644
index 0000000..58d6704
--- /dev/null
+++ b/rope-0.11.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a108c445e1cd897fe19272ab7877d172e7faf3d4148c80e7d20faba42ea8f7b2
+size 247351
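Review bot: The rewritten `rm -rf` line in the `%install` hunk of python-rope.spec uses `%{%{python_sitelib}}`, which does not match the `%{$python_sitelib}` form that the `%fdupes` line on the very next line of the same `%{python_expand ...}` block uses; unless that nested form is deliberately supported by the python-rpm-macros, the path probably never expands to the real site-packages directory and `-f` silently hides the miss, so the `ropetest/` tree may still end up in the package. The form used by the neighbouring line is the one to match, likely `%{python_expand rm -rf %{buildroot}%{$python_sitelib}/ropetest/` since `%files` ships `%{python_sitelib}/` directly and nothing on this page shows a `python-rope/` directory under it — confirm against a build log before changing the path. `%define upname rope` is added in the first hunk but `Source:` and `%setup -q -n rope-%{version}` still spell the name literally; either reference `%{upname}` there or drop the unused define. With `Patch0` and its `PATCH-FIX-UPSTREAM` comment removed, the spec no longer records that the CVE-2014-3539 hardening (perform_doa off by default, DOA socket bound to 127.0.0.1) is now expected from the upstream tarball; a one-line comment next to `Source:` such as `# CVE-2014-3539 mitigation carried upstream since 0.11.0 (python-rope/rope#105)` keeps that traceable for the next version bump.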