Hello community, here is the log from the commit of package python for openSUSE:11.4 checked in at Fri May 6 15:22:41 CEST 2011.
-------- --- old-versions/11.4/all/python/python-base.changes 2011-01-17 10:42:37.000000000 +0100 +++ 11.4/python/python-base.changes 2011-05-02 18:07:07.000000000 +0200 @@ -1,0 +2,15 @@ +Mon May 2 16:04:49 UTC 2011 - [email protected] + +- fixed a security flaw where malicious sites could redirect + Python application from http to a local file + (CVE-2011-1521, bnc#682554) +- fixed race condition in Makefile which randomly failed + parallel builds ( http://bugs.python.org/issue10013 ) + +------------------------------------------------------------------- +Thu Feb 17 17:37:09 CET 2011 - [email protected] + +- Prefix DATE and TIME with PY_BUILD_ and COMPILER with PYTHON_ as + to not break external code (bnc#673071). + +------------------------------------------------------------------- --- old-versions/11.4/all/python/python.changes 2010-08-31 04:56:18.000000000 +0200 +++ 11.4/python/python.changes 2011-05-04 16:18:54.000000000 +0200 
@@ -1,0 +2,12 @@ +Wed May 4 14:18:08 UTC 2011 - [email protected] + +- added "fix-parallel-make" patch to python main package as well, + because build process is the same + +------------------------------------------------------------------- +Thu Feb 17 17:37:09 CET 2011 - [email protected] + +- Prefix DATE and TIME with PY_BUILD_ and COMPILER with PYTHON_ as + to not break external code (bnc#673071). + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/python Destination is old-versions/11.4/UPDATES/all/python calling whatdependson for 11.4-i586 New: ---- python-2.7-CVE-2011-1521-fileurl.patch python-2.7-fix-parallel-make.patch python-fix_date_time_compiler.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-base.spec ++++++ --- /var/tmp/diff_new_pack.YTZZuh/_old 2011-05-06 15:22:14.000000000 +0200 +++ /var/tmp/diff_new_pack.YTZZuh/_new 2011-05-06 15:22:14.000000000 +0200 @@ -30,7 +30,7 @@ # Summary: Python Interpreter base package Version: 2.7 -Release: 5 +Release: 8.<RELEASE2> %define tarversion %{version} %define tarname Python-%{tarversion} Source0: %{tarname}.tar.bz2 @@ -52,7 +52,9 @@ Patch10: urllib2-AbstractBasicAuthHandler_reset_attr.diff Patch11: smtpd-dos.patch Patch12: http://psf.upfronthosting.co.za/roundup/tracker/file19029/python-test_structmembers.patch - +Patch13: python-fix_date_time_compiler.patch +Patch14: python-2.7-CVE-2011-1521-fileurl.patch +Patch15: python-2.7-fix-parallel-make.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define python_version %(echo %{version} | head -c 3) Provides: %{name} = %{python_version} @@ -145,7 +147,10 @@ %patch9 -p1 %patch10 %patch11 -%patch12 -p0 +%patch12 +%patch13 +%patch14 -p1 +%patch15 -p1 # some cleanup find . -name .cvsignore -type f -print0 | xargs -0 rm -f 
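Review bot: `%patch12 -p0` becomes `%patch12` in the @@ -145 hunk of python-base.spec, and neither changelog entry mentions patch12, so the dropped strip level looks accidental rather than intended. If the rpm in use passes a default other than `-p0` when `%patch` has no `-p`, patch12 would now be applied against a different path prefix; either restore `%patch12 -p0` or add `# patch12 applies at -p0, the %patch default` beside it to record that the default was verified. The new `%patch13` line relies on the same default for a patch whose headers use `Modules/getbuildinfo.c`-style paths, so the same note covers it.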
@@ -168,10 +173,10 @@ # python installation touch Parser/asdl* Python/Python-ast.c Include/Python-ast.h # use just gcc instead of [GCC 4.5.0 20100604 [gcc-4_5-branch revision 160292].. -echo '#define COMPILER "[GCC]"' >> pyconfig.h.in +echo '#define PYTHON_COMPILER "[GCC]"' >> pyconfig.h.in # use a compilation date equivalent to the source tarball. -printf '#define DATE "%s %s %s"\n' $(date -u -r %{SOURCE0} +"%b %d %Y") >> pyconfig.h.in -printf '#define TIME "%s"\n' $(date -u -r %{SOURCE0} +"%T") >> pyconfig.h.in +printf '#define PY_BUILD_DATE "%s %s %s"\n' $(date -u -r %{SOURCE0} +"%b %d %Y") >> pyconfig.h.in +printf '#define PY_BUILD_TIME "%s"\n' $(date -u -r %{SOURCE0} +"%T") >> pyconfig.h.in ######################################## # configure ######################################## ++++++ python-doc.spec ++++++ --- /var/tmp/diff_new_pack.YTZZuh/_old 2011-05-06 15:22:14.000000000 +0200 +++ /var/tmp/diff_new_pack.YTZZuh/_new 2011-05-06 15:22:14.000000000 +0200 @@ -24,7 +24,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: Additional Package Documentation for Python. Version: 2.7 -Release: 5 +Release: 8.<RELEASE2> %define pyver 2.7 BuildArch: noarch %define tarname Python-%{pyver} ++++++ python.spec ++++++ --- /var/tmp/diff_new_pack.YTZZuh/_old 2011-05-06 15:22:14.000000000 +0200 +++ /var/tmp/diff_new_pack.YTZZuh/_new 2011-05-06 15:22:14.000000000 +0200 @@ -32,7 +32,7 @@ Obsoletes: python-nothreads python21 python-elementtree python-sqlite Summary: Python Interpreter Version: 2.7 -Release: 5 +Release: 9.<RELEASE10> Requires: python-base = %{version} %define tarversion %{version} %define tarname Python-%{tarversion} @@ -51,6 +51,8 @@ Patch6: python-2.6b3-curses-panel.patch Patch7: sparc_longdouble.patch Patch8: python-2.7-acrequire.patch +Patch9: python-fix_date_time_compiler.patch +Patch10: python-2.7-fix-parallel-make.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define python_version %(echo %{version} | head -c 3) 
@@ -182,6 +184,8 @@ %patch6 %patch7 -p1 %patch8 -p1 +%patch9 +%patch10 -p1 # some cleanup find . -name .cvsignore -type f -print0 | xargs -0 rm -f find . -name CVS -type d -print0 | xargs -0 rm -rf @@ -203,10 +207,10 @@ # python installation touch Parser/asdl* Python/Python-ast.c Include/Python-ast.h # use just gcc instead of [GCC 4.5.0 20100604 [gcc-4_5-branch revision 160292].. -echo '#define COMPILER "[GCC]"' >> pyconfig.h.in +echo '#define PYTHON_COMPILER "[GCC]"' >> pyconfig.h.in # use a compilation date equivalent to the source tarball. -printf '#define DATE "%s %s %s"\n' $(date -u -r %{SOURCE0} +"%b %d %Y") >> pyconfig.h.in -printf '#define TIME "%s"\n' $(date -u -r %{SOURCE0} +"%T") >> pyconfig.h.in +printf '#define PY_BUILD_DATE "%s %s %s"\n' $(date -u -r %{SOURCE0} +"%b %d %Y") >> pyconfig.h.in +printf '#define PY_BUILD_TIME "%s"\n' $(date -u -r %{SOURCE0} +"%T") >> pyconfig.h.in ######################################## # configure ######################################## ++++++ python-2.7-CVE-2011-1521-fileurl.patch ++++++ # HG changeset patch # User Guido van Rossum <[email protected]> # Date 1301428435 25200 # Node ID b2934d98dac1f7b13cc6cc280f06d1aec3f6e80d # Parent 1a5aab273332a7a379e35ed6f88400a110b5de0c# Parent 9eeda8e3a13f107a698f10b0a45ffc2c6bd710fb Merge issue 11662 from 2.6. diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py --- a/Lib/test/test_urllib.py +++ b/Lib/test/test_urllib.py 
@@ -161,6 +161,20 @@ Content-Type: text/html; charset=iso-885 finally: self.unfakehttp() + def test_invalid_redirect(self): + # urlopen() should raise IOError for many error codes. + self.fakehttp("""HTTP/1.1 302 Found +Date: Wed, 02 Jan 2008 03:03:54 GMT +Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e +Location: file:README +Connection: close +Content-Type: text/html; charset=iso-8859-1 +""") + try: + self.assertRaises(IOError, urllib.urlopen, "http://python.org/") + finally: + self.unfakehttp() + def test_empty_socket(self): # urlopen() raises IOError if the underlying socket does not send any # data. (#1680230) diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py --- a/Lib/test/test_urllib2.py +++ b/Lib/test/test_urllib2.py @@ -969,6 +969,27 @@ class HandlerTests(unittest.TestCase): self.assertEqual(count, urllib2.HTTPRedirectHandler.max_redirections) + def test_invalid_redirect(self): + from_url = "http://example.com/a.html" + valid_schemes = ['http', 'https', 'ftp'] + invalid_schemes = ['file', 'imap', 'ldap'] + schemeless_url = "example.com/b.html" + h = urllib2.HTTPRedirectHandler() + o = h.parent = MockOpener() + req = Request(from_url) + + for scheme in invalid_schemes: + invalid_url = scheme + '://' + schemeless_url + self.assertRaises(urllib2.HTTPError, h.http_error_302, + req, MockFile(), 302, "Security Loophole", + MockHeaders({"location": invalid_url})) + + for scheme in valid_schemes: + valid_url = scheme + '://' + schemeless_url + h.http_error_302(req, MockFile(), 302, "That's fine", + MockHeaders({"location": valid_url})) + self.assertEqual(o.req.get_full_url(), valid_url) + def test_cookie_redirect(self): # cookies shouldn't leak into redirected requests from cookielib import CookieJar diff --git a/Lib/urllib.py b/Lib/urllib.py --- a/Lib/urllib.py +++ b/Lib/urllib.py 
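Review bot: The comment on the new test_invalid_redirect in test_urllib.py, `# urlopen() should raise IOError for many error codes.`, is copied from the neighbouring test and does not describe this case, which is a 302 whose Location is `file:README`. Replace it with `# A 302 to a non-http/https/ftp URL (here file:) must be rejected with IOError.` so the reason for the expected IOError sits next to the fixture it depends on.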
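Review bot: test_invalid_redirect in test_urllib2.py only feeds lowercase scheme strings, while the handler change lowercases the Location before its prefix check, so the mixed-case acceptance path (`HTTP://...`) is not exercised by either loop. A single call with no assertRaises, `h.http_error_302(req, MockFile(), 302, "Mixed case", MockHeaders({"location": "HTTP://" + schemeless_url}))`, would cover it. Do not reuse the `o.req.get_full_url()` equality from the valid-scheme loop for that case, since urlparse likely normalises the scheme to lowercase and the literal string would no longer match.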
@@ -644,6 +644,18 @@ class FancyURLopener(URLopener): fp.close() # In case the server sent a relative URL, join with original: newurl = basejoin(self.type + ":" + url, newurl) + + # For security reasons we do not allow redirects to protocols + # other than HTTP, HTTPS or FTP. + newurl_lower = newurl.lower() + if not (newurl_lower.startswith('http://') or + newurl_lower.startswith('https://') or + newurl_lower.startswith('ftp://')): + raise IOError('redirect error', errcode, + errmsg + " - Redirection to url '%s' is not allowed" % + newurl, + headers) + return self.open(newurl) def http_error_301(self, url, fp, errcode, errmsg, headers, data=None): diff --git a/Lib/urllib2.py b/Lib/urllib2.py --- a/Lib/urllib2.py +++ b/Lib/urllib2.py @@ -578,6 +578,17 @@ class HTTPRedirectHandler(BaseHandler): newurl = urlparse.urljoin(req.get_full_url(), newurl) + # For security reasons we do not allow redirects to protocols + # other than HTTP, HTTPS or FTP. + newurl_lower = newurl.lower() + if not (newurl_lower.startswith('http://') or + newurl_lower.startswith('https://') or + newurl_lower.startswith('ftp://')): + raise HTTPError(newurl, code, + msg + " - Redirection to url '%s' is not allowed" % + newurl, + headers, fp) + # XXX Probably want to forget about the state of the current # request, although that might interact poorly with other # handlers that also use handler-specific request attributes ++++++ python-2.7-fix-parallel-make.patch ++++++ diff -up Python-2.7/Makefile.pre.in.fix-parallel-make Python-2.7/Makefile.pre.in --- Python-2.7/Makefile.pre.in.fix-parallel-make 2010-07-22 15:01:39.567996932 -0400 +++ Python-2.7/Makefile.pre.in 2010-07-22 15:47:02.437998509 -0400 @@ -207,6 +207,7 @@ SIGNAL_OBJS= @SIGNAL_OBJS@ ########################################################################## # Grammar +GRAMMAR_STAMP= $(srcdir)/grammar-stamp GRAMMAR_H= $(srcdir)/Include/graminit.h GRAMMAR_C= $(srcdir)/Python/graminit.c GRAMMAR_INPUT= $(srcdir)/Grammar/Grammar 
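Review bot: The scheme allow-list in the urllib.py hunk is written as three chained `startswith` calls, and the same block is repeated verbatim in the urllib2.py hunk on this line, so the two copies can drift apart the next time a scheme is added or removed. `str.startswith` accepts a tuple, so `if not newurl_lower.startswith(('http://', 'https://', 'ftp://')):` expresses the check in one line, and a module-level constant shared by both callers would keep them in step. redirect_internal in urllib.py and http_error_302 in urllib2.py both begin before their hunks.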
@@ -530,10 +531,24 @@ Modules/getpath.o: $(srcdir)/Modules/get Modules/python.o: $(srcdir)/Modules/python.c $(MAINCC) -c $(PY_CFLAGS) -o $@ $(srcdir)/Modules/python.c +# GNU "make" interprets rules with two dependents as two copies of the rule. +# +# In a parallel build this can lead to pgen being run twice, once for each of +# GRAMMAR_H and GRAMMAR_C, leading to race conditions in which the compiler +# reads a partially-overwritten copy of one of these files, leading to syntax +# errors (or linker errors if the fragment happens to be syntactically valid C) +# +# See http://www.gnu.org/software/hello/manual/automake/Multiple-Outputs.html +# for more information +# +# Introduce ".grammar-stamp" as a contrived single output from PGEN to avoid +# this: +$(GRAMMAR_H) $(GRAMMAR_C): $(GRAMMAR_STAMP) -$(GRAMMAR_H) $(GRAMMAR_C): $(PGEN) $(GRAMMAR_INPUT) +$(GRAMMAR_STAMP): $(PGEN) $(GRAMMAR_INPUT) -@$(INSTALL) -d Include -$(PGEN) $(GRAMMAR_INPUT) $(GRAMMAR_H) $(GRAMMAR_C) + touch $(GRAMMAR_STAMP) $(PGEN): $(PGENOBJS) $(CC) $(OPT) $(LDFLAGS) $(PGENOBJS) $(LIBS) -o $(PGEN) ++++++ python-fix_date_time_compiler.patch ++++++ Index: Modules/getbuildinfo.c =================================================================== --- Modules/getbuildinfo.c.orig 2010-05-09 16:46:46.000000000 +0200 +++ Modules/getbuildinfo.c 2011-02-17 17:25:00.904694976 +0100 @@ -4,19 +4,19 @@ #include <stdio.h> #endif -#ifndef DATE -#ifdef __DATE__ -#define DATE __DATE__ +#ifndef PY_BUILD_DATE +#ifdef __PY_BUILD_DATE__ +#define PY_BUILD_DATE __PY_BUILD_DATE__ #else -#define DATE "xx/xx/xx" +#define PY_BUILD_DATE "xx/xx/xx" #endif #endif -#ifndef TIME -#ifdef __TIME__ -#define TIME __TIME__ +#ifndef PY_BUILD_TIME +#ifdef __PY_BUILD_TIME__ +#define PY_BUILD_TIME __PY_BUILD_TIME__ #else -#define TIME "xx:xx:xx" +#define PY_BUILD_TIME "xx:xx:xx" #endif #endif 
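Review bot: The new `touch $(GRAMMAR_STAMP)` runs even when the preceding context line `-$(PGEN) $(GRAMMAR_INPUT) $(GRAMMAR_H) $(GRAMMAR_C)` fails, because its leading `-` tells make to ignore that error, so a failed pgen may now leave a fresh stamp and the next build would skip regeneration instead of retrying. Chaining the two, `$(PGEN) $(GRAMMAR_INPUT) $(GRAMMAR_H) $(GRAMMAR_C) && touch $(GRAMMAR_STAMP)`, keeps the stamp honest. The recipe-less rule `$(GRAMMAR_H) $(GRAMMAR_C): $(GRAMMAR_STAMP)` also means a deleted graminit.h or graminit.c is not rebuilt while the stamp is current, which is the limitation the cited automake page discusses. The comment names the stamp `.grammar-stamp` while GRAMMAR_STAMP is defined as `$(srcdir)/grammar-stamp` in the @@ -207 hunk; align the two.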
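Review bot: The rename in getbuildinfo.c goes one step too far in the fallback branch: `#ifdef __PY_BUILD_DATE__` and `#define PY_BUILD_DATE __PY_BUILD_DATE__` replace the compiler-provided `__DATE__`, and `__PY_BUILD_DATE__` (like `__PY_BUILD_TIME__` a few lines below) is not defined anywhere, so any build that does not inject PY_BUILD_DATE/PY_BUILD_TIME through pyconfig.h the way the spec now does will report "xx/xx/xx" and "xx:xx:xx". Keep the predefined macros on the inner lines, `#ifdef __DATE__` and `#define PY_BUILD_DATE __DATE__` (and likewise `__TIME__` for PY_BUILD_TIME), and rename only the outer `#ifndef` guard. Identifiers beginning with a double underscore are also reserved for the implementation, so `__PY_BUILD_DATE__` should not be introduced in any case.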
@@ -37,7 +37,7 @@ Py_GetBuildInfo(void) const char *branch = Py_SubversionShortBranch(); PyOS_snprintf(buildinfo, sizeof(buildinfo), "%s%s%s, %.20s, %.9s", branch, sep, revision, - DATE, TIME); + PY_BUILD_DATE, PY_BUILD_TIME); return buildinfo; } Index: Python/getcompiler.c =================================================================== --- Python/getcompiler.c.orig 2000-09-05 06:40:39.000000000 +0200 +++ Python/getcompiler.c 2011-02-17 17:23:55.320858100 +0100 @@ -3,26 +3,26 @@ #include "Python.h" -#ifndef COMPILER +#ifndef PYTHON_COMPILER #ifdef __GNUC__ -#define COMPILER "\n[GCC " __VERSION__ "]" +#define PYTHON_COMPILER "\n[GCC " __VERSION__ "]" #endif -#endif /* !COMPILER */ +#endif /* !PYTHON_COMPILER */ -#ifndef COMPILER +#ifndef PYTHON_COMPILER #ifdef __cplusplus -#define COMPILER "[C++]" +#define PYTHON_COMPILER "[C++]" #else -#define COMPILER "[C]" +#define PYTHON_COMPILER "[C]" #endif -#endif /* !COMPILER */ +#endif /* !PYTHON_COMPILER */ const char * Py_GetCompiler(void) { - return COMPILER; + return PYTHON_COMPILER; } ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
