Hello community, here is the log from the commit of package python3 for openSUSE:Factory checked in at 2014-07-26 09:41:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python3 (Old) and /work/SRC/openSUSE:Factory/.python3.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python3" Changes: -------- --- /work/SRC/openSUSE:Factory/python3/python3-base.changes 2014-06-25 06:58:16.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.python3.new/python3-base.changes 2014-07-26 09:41:54.000000000 +0200 @@ -1,0 +2,15 @@ +Wed Jul 23 16:31:02 UTC 2014 - [email protected] + +- CVE-2014-4650-CGIHTTPServer-traversal.patch: CGIHTTPServer file + disclosure and directory traversal through URL-encoded characters + (CVE-2014-4650, bnc#885882) + +------------------------------------------------------------------- +Tue Jul 22 13:55:57 UTC 2014 - [email protected] + +- drop python-3.4.1-SUSE-ensurepip.patch for compatibility reasons, + reinstate bundled copies of pip and setuptools + (fixes bnc#885662) +- add more files as sources to silence the validator + +------------------------------------------------------------------- python3.changes: same change Old: ---- python-3.4.1-SUSE-ensurepip.patch New: ---- CVE-2014-4650-CGIHTTPServer-traversal.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python3-base.spec ++++++ --- /var/tmp/diff_new_pack.gl2y3F/_old 2014-07-26 09:41:56.000000000 +0200 +++ /var/tmp/diff_new_pack.gl2y3F/_new 2014-07-26 09:41:56.000000000 +0200 @@ -58,8 +58,12 @@ Source9: import_failed.py Source10: import_failed.map -Source99: PACKAGING-NOTES -# this is documentation for packagers, put here to silence Factory source_validator +# The following files are not used in the build. +# They are listed here to work around missing functionality in rpmbuild, +# which would otherwise exclude them from distributed src.rpm files. +Source100: PACKAGING-NOTES +Source101: rpmlintrc +Source102: pre_checkin.sh ### COMMON-PATCH-BEGIN ### 
@@ -85,8 +89,8 @@ Patch13: libffi-ppc64le.diff # Raise timeout value for test_subprocess Patch15: subprocess-raise-timeout.patch -# Modify ensurepip module to rely on python3-pip instead of bundled copy -Patch16: python-3.4.1-SUSE-ensurepip.patch +# CVE-2014-4650 - File disclosure and directory traversal in CGIHTTPServer +Patch16: CVE-2014-4650-CGIHTTPServer-traversal.patch ### COMMON-PATCH-END ### BuildRoot: %{_tmppath}/%{name}-%{version}-build ++++++ python3-doc.spec ++++++ --- /var/tmp/diff_new_pack.gl2y3F/_old 2014-07-26 09:41:56.000000000 +0200 +++ /var/tmp/diff_new_pack.gl2y3F/_new 2014-07-26 09:41:56.000000000 +0200 @@ -69,8 +69,8 @@ Patch13: libffi-ppc64le.diff # Raise timeout value for test_subprocess Patch15: subprocess-raise-timeout.patch -# Modify ensurepip module to rely on python3-pip instead of bundled copy -Patch16: python-3.4.1-SUSE-ensurepip.patch +# CVE-2014-4650 - File disclosure and directory traversal in CGIHTTPServer +Patch16: CVE-2014-4650-CGIHTTPServer-traversal.patch ### COMMON-PATCH-END ### ### COMMON-DEF-BEGIN ### ++++++ python3.spec ++++++ --- /var/tmp/diff_new_pack.gl2y3F/_old 2014-07-26 09:41:56.000000000 +0200 +++ /var/tmp/diff_new_pack.gl2y3F/_new 2014-07-26 09:41:56.000000000 +0200 @@ -34,7 +34,6 @@ BuildRequires: readline-devel BuildRequires: sqlite-devel BuildRequires: tk-devel -BuildRequires: unzip BuildRequires: xorg-x11-devel BuildRequires: xz Url: http://www.python.org/ @@ -87,8 +86,8 @@ Patch13: libffi-ppc64le.diff # Raise timeout value for test_subprocess Patch15: subprocess-raise-timeout.patch -# Modify ensurepip module to rely on python3-pip instead of bundled copy -Patch16: python-3.4.1-SUSE-ensurepip.patch +# CVE-2014-4650 - File disclosure and directory traversal in CGIHTTPServer +Patch16: CVE-2014-4650-CGIHTTPServer-traversal.patch ### COMMON-PATCH-END ### BuildRoot: %{_tmppath}/%{name}-%{version}-build 
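Review bot: Patch16 is re-pointed from the ensurepip patch to the CVE patch under the same number in python3-base.spec, python3-doc.spec and python3.spec (the -85, -69 and -87 hunks), so each spec's `%patch16` application line in %prep, which lies outside these hunks, now applies a different file; confirm its strip level still matches, since the new patch's headers are `--- Python-3.4.1.orig/Lib/http/server.py` / `+++ Python-3.4.1/Lib/http/server.py`. The `### COMMON-PATCH-BEGIN ###` / `### COMMON-PATCH-END ###` block is edited identically by hand in all three files; if pre_checkin.sh (added as Source102 in the -58 hunk) is what keeps them in sync, a one-line comment at the block start saying so, e.g. `# keep in sync across python3*.spec via pre_checkin.sh`, would tell the next packager not to edit one copy alone — this is inferred from the file names, not visible here.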
@@ -238,13 +237,8 @@ # only test the parts skipped in python3-base TESTS="test_dbm_gnu test_dbm_ndbm test_readline test_ssl test_tcl test_tk test_ttk_guionly test_ttk_textonly test_curses test_socketserver test_sqlite test_hashlib test_smtpnet" -# prepare ensurepip-based tests -pushd Lib -for whl in ../Lib/ensurepip/_bundled/*.whl; do - unzip $whl -done -popd -TESTS="$TESTS test_venv test_tools test_ensurepip" +# ensurepip-based tests +TESTS="$TESTS test_venv test_ensurepip test_tools" make test TESTOPTS="-u none $TESTS" ++++++ CVE-2014-4650-CGIHTTPServer-traversal.patch ++++++ # HG changeset patch # User Benjamin Peterson <[email protected]> # Date 1402796473 25200 # Node ID 847e288d6e93dba049c280f40979e16a1378d0f6 # Parent 6f1f387759913d91cb307d2783b3a40c48fe7424# Parent 5676797f3a3eccaf38e2c500e77ed39c68923cc9 merge 3.3 (#21766) Index: Python-3.4.1/Lib/http/server.py =================================================================== --- Python-3.4.1.orig/Lib/http/server.py 2014-07-23 18:18:25.808928664 +0200 +++ Python-3.4.1/Lib/http/server.py 2014-07-23 18:18:29.568947377 +0200 @@ -977,7 +977,7 @@ (and the next character is a '/' or the end of the string). """ - collapsed_path = _url_collapse_path(self.path) + collapsed_path = _url_collapse_path(urllib.parse.unquote(self.path)) dir_sep = collapsed_path.find('/', 1) head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:] if head in self.cgi_directories: Index: Python-3.4.1/Lib/test/test_httpservers.py =================================================================== --- Python-3.4.1.orig/Lib/test/test_httpservers.py 2014-07-23 18:18:25.808928664 +0200 +++ Python-3.4.1/Lib/test/test_httpservers.py 2014-07-23 18:18:29.568947377 +0200 
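Review bot: In the http/server.py hunk the decode is applied to all of `self.path`, which at this point still carries any `?query` suffix, so percent-escapes in the query, and a percent-encoded `?` inside the path component, are decoded before `_url_collapse_path` ever sees the string; `_url_collapse_path` is outside the hunk, so confirm whether it partitions on `?` before collapsing and, if so, whether the decode belongs after that partition so that only the path component is unquoted. The hunk also relies on `urllib.parse` already being imported by server.py, which is not visible here. The changed line deserves a why-comment tying it to the changelog entry, e.g. `# Decode percent-escapes before collapsing so an encoded '/' or '..' cannot bypass the cgi_directories check (CVE-2014-4650, #21766)`. The enclosing `run_cgi` method starts and ends outside the hunk.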
@@ -485,6 +485,11 @@ (res.read(), res.getheader('Content-type'), res.status)) self.assertEqual(os.environ['SERVER_SOFTWARE'], signature) + def test_urlquote_decoding_in_cgi_check(self): + res = self.request('/cgi-bin%2ffile1.py') + self.assertEqual((b'Hello World\n', 'text/html', 200), + (res.read(), res.getheader('Content-type'), res.status)) + class SocketlessRequestHandler(SimpleHTTPRequestHandler): def __init__(self): -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
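Review bot: The new `test_urlquote_decoding_in_cgi_check` only checks the encoded-slash case, asserting that `/cgi-bin%2ffile1.py` is still dispatched as CGI and returns `Hello World`; the changelog entry for this patch also names directory traversal, and nothing here asserts that a request whose path carries a percent-encoded `..` segment is collapsed and refused rather than reaching the filesystem. A companion test making such a request and asserting the handler's error status (whatever the surrounding tests already expect for a rejected path, not visible in the hunk) would pin the traversal half of the fix. A one-line docstring such as `"""Percent-escapes in the request path are decoded before the cgi-bin check (#21766)."""` would also tell a reader why the test exists. The `SocketlessRequestHandler` class that follows continues outside the hunk.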
