Hello community, here is the log from the commit of package python for openSUSE:Factory checked in at Tue May 3 08:58:09 CEST 2011.
-------- --- python/python-base.changes 2011-02-17 17:47:41.000000000 +0100 +++ /mounts/work_src_done/STABLE/python/python-base.changes 2011-05-02 18:07:07.000000000 +0200 @@ -1,0 +2,9 @@ +Mon May 2 16:04:49 UTC 2011 - [email protected] + +- fixed a security flaw where malicious sites could redirect + Python application from http to a local file + (CVE-2011-1521, bnc#682554) +- fixed race condition in Makefile which randomly failed + parallel builds ( http://bugs.python.org/issue10013 ) + +------------------------------------------------------------------- python.changes: same change calling whatdependson for head-i586 New: ---- python-2.7-CVE-2011-1521-fileurl.patch python-2.7-fix-parallel-make.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-base.spec ++++++ --- /var/tmp/diff_new_pack.WmJOaL/_old 2011-05-03 08:56:07.000000000 +0200 +++ /var/tmp/diff_new_pack.WmJOaL/_new 2011-05-03 08:56:07.000000000 +0200 @@ -30,7 +30,7 @@ # Summary: Python Interpreter base package Version: 2.7 -Release: 6 +Release: 7 %define tarversion %{version} %define tarname Python-%{tarversion} Source0: %{tarname}.tar.bz2 @@ -53,6 +53,8 @@ Patch11: smtpd-dos.patch Patch12: http://psf.upfronthosting.co.za/roundup/tracker/file19029/python-test_structmembers.patch Patch13: python-fix_date_time_compiler.patch +Patch14: python-2.7-CVE-2011-1521-fileurl.patch +Patch15: python-2.7-fix-parallel-make.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define python_version %(echo %{version} | head -c 3) Provides: %{name} = %{python_version} @@ -145,8 +147,10 @@ %patch9 -p1 %patch10 %patch11 -%patch12 -p0 +%patch12 %patch13 +%patch14 -p1 +%patch15 -p1 # some cleanup find . -name .cvsignore -type f -print0 | xargs -0 rm -f ++++++ python-doc.spec ++++++ --- /var/tmp/diff_new_pack.WmJOaL/_old 2011-05-03 08:56:07.000000000 +0200 +++ /var/tmp/diff_new_pack.WmJOaL/_new 2011-05-03 08:56:07.000000000 +0200 
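Review bot: The %prep hunk changes `%patch12 -p0` to `%patch12`, but neither the changes entry nor the commit message mentions it; unless this rpm's `%patch` with no `-p` behaves exactly like `-p0`, the way python-test_structmembers.patch is applied changes silently. Either restore `%patch12 -p0` or add a changes line stating why the strip level was dropped. The new `Patch14`/`Patch15` lines and their `%patch14 -p1` / `%patch15 -p1` applications match the path prefixes in the two patch files (`a/Lib/...` and `Python-2.7/...`), so those look consistent.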
@@ -24,7 +24,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: Additional Package Documentation for Python. Version: 2.7 -Release: 6 +Release: 7 %define pyver 2.7 BuildArch: noarch %define tarname Python-%{pyver} ++++++ python.spec ++++++ --- /var/tmp/diff_new_pack.WmJOaL/_old 2011-05-03 08:56:07.000000000 +0200 +++ /var/tmp/diff_new_pack.WmJOaL/_new 2011-05-03 08:56:07.000000000 +0200 @@ -32,7 +32,7 @@ Obsoletes: python-nothreads python21 python-elementtree python-sqlite Summary: Python Interpreter Version: 2.7 -Release: 11 +Release: 13 Requires: python-base = %{version} %define tarversion %{version} %define tarname Python-%{tarversion} ++++++ python-2.7-CVE-2011-1521-fileurl.patch ++++++ # HG changeset patch # User Guido van Rossum <[email protected]> # Date 1301428435 25200 # Node ID b2934d98dac1f7b13cc6cc280f06d1aec3f6e80d # Parent 1a5aab273332a7a379e35ed6f88400a110b5de0c# Parent 9eeda8e3a13f107a698f10b0a45ffc2c6bd710fb Merge issue 11662 from 2.6. diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py --- a/Lib/test/test_urllib.py +++ b/Lib/test/test_urllib.py @@ -161,6 +161,20 @@ Content-Type: text/html; charset=iso-885 finally: self.unfakehttp() + def test_invalid_redirect(self): + # urlopen() should raise IOError for many error codes. + self.fakehttp("""HTTP/1.1 302 Found +Date: Wed, 02 Jan 2008 03:03:54 GMT +Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e +Location: file:README +Connection: close +Content-Type: text/html; charset=iso-8859-1 +""") + try: + self.assertRaises(IOError, urllib.urlopen, "http://python.org/") + finally: + self.unfakehttp() + def test_empty_socket(self): # urlopen() raises IOError if the underlying socket does not send any # data. (#1680230) diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py --- a/Lib/test/test_urllib2.py +++ b/Lib/test/test_urllib2.py 
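Review bot: The comment `# urlopen() should raise IOError for many error codes.` at the top of the new test_invalid_redirect does not describe this test — it reads as copied from the neighbouring error-code test — so the only hint of what is being protected is the `Location: file:README` header. Replace it with `# A 302 redirect to a non-http/https/ftp URL (here file:) must be refused with IOError.` so the intent of the fix is explicit. Only the `file:` scheme is exercised here, while the urllib2 test in the same patch also covers imap and ldap; mirroring those two cases in this test would be cheap.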
@@ -969,6 +969,27 @@ class HandlerTests(unittest.TestCase): self.assertEqual(count, urllib2.HTTPRedirectHandler.max_redirections) + def test_invalid_redirect(self): + from_url = "http://example.com/a.html" + valid_schemes = ['http', 'https', 'ftp'] + invalid_schemes = ['file', 'imap', 'ldap'] + schemeless_url = "example.com/b.html" + h = urllib2.HTTPRedirectHandler() + o = h.parent = MockOpener() + req = Request(from_url) + + for scheme in invalid_schemes: + invalid_url = scheme + '://' + schemeless_url + self.assertRaises(urllib2.HTTPError, h.http_error_302, + req, MockFile(), 302, "Security Loophole", + MockHeaders({"location": invalid_url})) + + for scheme in valid_schemes: + valid_url = scheme + '://' + schemeless_url + h.http_error_302(req, MockFile(), 302, "That's fine", + MockHeaders({"location": valid_url})) + self.assertEqual(o.req.get_full_url(), valid_url) + def test_cookie_redirect(self): # cookies shouldn't leak into redirected requests from cookielib import CookieJar diff --git a/Lib/urllib.py b/Lib/urllib.py --- a/Lib/urllib.py +++ b/Lib/urllib.py @@ -644,6 +644,18 @@ class FancyURLopener(URLopener): fp.close() # In case the server sent a relative URL, join with original: newurl = basejoin(self.type + ":" + url, newurl) + + # For security reasons we do not allow redirects to protocols + # other than HTTP, HTTPS or FTP. + newurl_lower = newurl.lower() + if not (newurl_lower.startswith('http://') or + newurl_lower.startswith('https://') or + newurl_lower.startswith('ftp://')): + raise IOError('redirect error', errcode, + errmsg + " - Redirection to url '%s' is not allowed" % + newurl, + headers) + return self.open(newurl) def http_error_301(self, url, fp, errcode, errmsg, headers, data=None): diff --git a/Lib/urllib2.py b/Lib/urllib2.py --- a/Lib/urllib2.py +++ b/Lib/urllib2.py 
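Review bot: test_invalid_redirect never checks that a rejected redirect left the opener untouched: the invalid-scheme loop only asserts that HTTPError is raised, and the valid-scheme loop that follows then sets `o.req`. If MockOpener leaves `req` unset until open() is called, `self.assertFalse(hasattr(o, 'req'))` placed between the two loops would pin that no request was issued for file/imap/ldap. The `.lower()` normalisation in the handler is also untested; adding `'FILE'` to `invalid_schemes` covers it at no cost.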
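Review bot: The scheme allowlist is an or-chain of three `startswith` calls, duplicated verbatim in the Lib/urllib2.py hunk below; `str.startswith` accepts a tuple in 2.7, so both checks collapse to `if not newurl_lower.startswith(('http://', 'https://', 'ftp://')):`, and a shared module-level tuple would keep the two lists from drifting apart. The guard runs after `fp.close()`, which is fine here because the IOError carries `headers` rather than fp; redirect_internal begins before this hunk. The comment should also say what the check does not do, since it is a scheme restriction only: `# Scheme allowlist only: a downgrade such as https -> http is still followed.`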
@@ -578,6 +578,17 @@ class HTTPRedirectHandler(BaseHandler): newurl = urlparse.urljoin(req.get_full_url(), newurl) + # For security reasons we do not allow redirects to protocols + # other than HTTP, HTTPS or FTP. + newurl_lower = newurl.lower() + if not (newurl_lower.startswith('http://') or + newurl_lower.startswith('https://') or + newurl_lower.startswith('ftp://')): + raise HTTPError(newurl, code, + msg + " - Redirection to url '%s' is not allowed" % + newurl, + headers, fp) + # XXX Probably want to forget about the state of the current # request, although that might interact poorly with other # handlers that also use handler-specific request attributes ++++++ python-2.7-fix-parallel-make.patch ++++++ diff -up Python-2.7/Makefile.pre.in.fix-parallel-make Python-2.7/Makefile.pre.in --- Python-2.7/Makefile.pre.in.fix-parallel-make 2010-07-22 15:01:39.567996932 -0400 +++ Python-2.7/Makefile.pre.in 2010-07-22 15:47:02.437998509 -0400 @@ -207,6 +207,7 @@ SIGNAL_OBJS= @SIGNAL_OBJS@ ########################################################################## # Grammar +GRAMMAR_STAMP= $(srcdir)/grammar-stamp GRAMMAR_H= $(srcdir)/Include/graminit.h GRAMMAR_C= $(srcdir)/Python/graminit.c GRAMMAR_INPUT= $(srcdir)/Grammar/Grammar 
@@ -530,10 +531,24 @@ Modules/getpath.o: $(srcdir)/Modules/get Modules/python.o: $(srcdir)/Modules/python.c $(MAINCC) -c $(PY_CFLAGS) -o $@ $(srcdir)/Modules/python.c +# GNU "make" interprets rules with two dependents as two copies of the rule. +# +# In a parallel build this can lead to pgen being run twice, once for each of +# GRAMMAR_H and GRAMMAR_C, leading to race conditions in which the compiler +# reads a partially-overwritten copy of one of these files, leading to syntax +# errors (or linker errors if the fragment happens to be syntactically valid C) +# +# See http://www.gnu.org/software/hello/manual/automake/Multiple-Outputs.html +# for more information +# +# Introduce ".grammar-stamp" as a contrived single output from PGEN to avoid +# this: +$(GRAMMAR_H) $(GRAMMAR_C): $(GRAMMAR_STAMP) -$(GRAMMAR_H) $(GRAMMAR_C): $(PGEN) $(GRAMMAR_INPUT) +$(GRAMMAR_STAMP): $(PGEN) $(GRAMMAR_INPUT) -@$(INSTALL) -d Include -$(PGEN) $(GRAMMAR_INPUT) $(GRAMMAR_H) $(GRAMMAR_C) + touch $(GRAMMAR_STAMP) $(PGEN): $(PGENOBJS) $(CC) $(OPT) $(LDFLAGS) $(PGENOBJS) $(LIBS) -o $(PGEN) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
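Review bot: The new comment says `Introduce ".grammar-stamp"` but GRAMMAR_STAMP is defined in the earlier hunk as `$(srcdir)/grammar-stamp` with no leading dot; make the comment match the variable, e.g. `# Introduce "grammar-stamp" as a contrived single output from PGEN to avoid this:`. The rule `$(GRAMMAR_H) $(GRAMMAR_C): $(GRAMMAR_STAMP)` has no recipe, so this idiom carries the usual caveat: if graminit.h or graminit.c is deleted while the stamp survives, make considers them up to date and pgen is not rerun. The clean target is not visible in this hunk; removing the stamp there, and saying in the comment that the stamp must be deleted to force regeneration, keeps `make clean` consistent with the new dependency chain.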
