Hello community, here is the log from the commit of package python for openSUSE:Factory checked in at 2014-07-28 06:31:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python (Old) and /work/SRC/openSUSE:Factory/.python.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python" Changes: --------
--- /work/SRC/openSUSE:Factory/python/python-base.changes 2014-06-25 15:24:07.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.python.new/python-base.changes 2014-07-28 06:31:18.000000000 +0200
@@ -1,0 +2,9 @@
+Wed Jul 23 16:48:38 UTC 2014 - [email protected]
+
+- CVE-2014-4650-CGIHTTPServer-traversal.patch: CGIHTTPServer file
+ disclosure and directory traversal through URL-encoded characters
+ (CVE-2014-4650, bnc#885882)
+- python-2.7.7-mhlib-linkcount.patch: remove link count optimizations
+ that are incorrect on btrfs (and possibly other filesystems)
+
+-------------------------------------------------------------------
python.changes: same change New: ---- CVE-2014-4650-CGIHTTPServer-traversal.patch python-2.7.7-mhlib-linkcount.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ python-base.spec ++++++
--- /var/tmp/diff_new_pack.jfvqCf/_old 2014-07-28 06:31:20.000000000 +0200
+++ /var/tmp/diff_new_pack.jfvqCf/_new 2014-07-28 06:31:20.000000000 +0200
@@ -57,6 +57,10 @@
 # CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib
 Patch28: smtplib_maxline-2.7.patch
 Patch29: python-2.7.6-poplib.patch
+# CVE-2014-4650 - File disclosure and directory traversal in CGIHTTPServer
+Patch30: CVE-2014-4650-CGIHTTPServer-traversal.patch
+# remove link count optimization that breaks mhlib on btrfs (and possibly elsewhere)
+Patch31: python-2.7.7-mhlib-linkcount.patch
 # COMMON-PATCH-END
 %define python_version %(echo %{tarversion} | head -c 3)
 BuildRequires: automake
@@ -149,6 +153,8 @@
 %patch26 -p1
 %patch28 -p1
 %patch29 -p1
+%patch30 -p1
+%patch31 -p1
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
++++++ python-doc.spec ++++++
--- /var/tmp/diff_new_pack.jfvqCf/_old 2014-07-28 06:31:20.000000000 +0200
+++ /var/tmp/diff_new_pack.jfvqCf/_new 2014-07-28 06:31:20.000000000 +0200
@@ -60,6 +60,10 @@
 # CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib
 Patch28: smtplib_maxline-2.7.patch
 Patch29: python-2.7.6-poplib.patch
+# CVE-2014-4650 - File disclosure and directory traversal in CGIHTTPServer
+Patch30: CVE-2014-4650-CGIHTTPServer-traversal.patch
+# remove link count optimization that breaks mhlib on btrfs (and possibly elsewhere)
+Patch31: python-2.7.7-mhlib-linkcount.patch
 # COMMON-PATCH-END
 Provides: pyth_doc
 Provides: pyth_ps
@@ -106,6 +110,8 @@
 %patch26 -p1
 %patch28 -p1
 %patch29 -p1
+%patch30 -p1
+%patch31 -p1
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
++++++ python.spec ++++++
--- /var/tmp/diff_new_pack.jfvqCf/_old 2014-07-28 06:31:20.000000000 +0200
+++ /var/tmp/diff_new_pack.jfvqCf/_new 2014-07-28 06:31:20.000000000 +0200
@@ -61,6 +61,10 @@
 # CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib
 Patch28: smtplib_maxline-2.7.patch
 Patch29: python-2.7.6-poplib.patch
+# CVE-2014-4650 - File disclosure and directory traversal in CGIHTTPServer
+Patch30: CVE-2014-4650-CGIHTTPServer-traversal.patch
+# remove link count optimization that breaks mhlib on btrfs (and possibly elsewhere)
+Patch31: python-2.7.7-mhlib-linkcount.patch
 # COMMON-PATCH-END
 BuildRequires: automake
 BuildRequires: db-devel
@@ -183,6 +187,8 @@
 %patch26 -p1
 %patch28 -p1
 %patch29 -p1
+%patch30 -p1
+%patch31 -p1
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
++++++ CVE-2014-4650-CGIHTTPServer-traversal.patch ++++++
# HG changeset patch
# User Benjamin Peterson <[email protected]>
# Date 1402796189 25200
# Node ID b4bab078876811c7d95231d08aa6fa7142fdda66
# Parent bb8b0c7fefd0c5ed99b3f336178a4f9554a1d0ef
url unquote the path before checking if it refers to a CGI script (closes #21766)
diff --git a/Lib/CGIHTTPServer.py b/Lib/CGIHTTPServer.py
--- a/Lib/CGIHTTPServer.py
+++ b/Lib/CGIHTTPServer.py
@@ -84,7 +84,7 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
 path begins with one of the strings in self.cgi_directories
 (and the next character is a '/' or the end of the string).
 """
- collapsed_path = _url_collapse_path(self.path)
+ collapsed_path = _url_collapse_path(urllib.unquote(self.path))
 dir_sep = collapsed_path.find('/', 1)
 head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
 if head in self.cgi_directories:
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -510,6 +510,11 @@ class CGIHTTPServerTestCase(BaseTestCase
 (res.read(), res.getheader('Content-type'), res.status))
 self.assertEqual(os.environ['SERVER_SOFTWARE'], signature)
+ def test_urlquote_decoding_in_cgi_check(self):
+ res = self.request('/cgi-bin%2ffile1.py')
+ self.assertEqual((b'Hello World\n', 'text/html', 200),
+ (res.read(), res.getheader('Content-type'), res.status))
+
 class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
 """ Test url parsing """
++++++ python-2.7.7-mhlib-linkcount.patch ++++++
Index: Python-2.7.7/Lib/mhlib.py
===================================================================
--- Python-2.7.7.orig/Lib/mhlib.py 2014-05-31 20:58:39.000000000 +0200
+++ Python-2.7.7/Lib/mhlib.py 2014-07-24 16:08:26.049343760 +0200
@@ -156,11 +156,6 @@
 """Return the names of the subfolders in a given folder
 (prefixed with the given folder name)."""
 fullname = os.path.join(self.path, name)
- # Get the link count so we can avoid listing folders
- # that have no subfolders.
- nlinks = os.stat(fullname).st_nlink
- if nlinks <= 2:
- return []
 subfolders = []
 subnames = os.listdir(fullname)
 for subname in subnames:
@@ -168,11 +163,6 @@
 if os.path.isdir(fullsubname):
 name_subname = os.path.join(name, subname)
 subfolders.append(name_subname)
- # Stop looking for subfolders when
- # we've seen them all
- nlinks = nlinks - 1
- if nlinks <= 2:
- break
 subfolders.sort()
 return subfolders
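Review bot: The `urllib.unquote` added on the changed line decodes the path only for the directory check, but the `head, tail` computed from it are presumably what run_cgi later receives (outside this hunk) and resolves through translate_path, which in SimpleHTTPServer percent-decodes as well; if that is still the case, a CGI directory or script name containing a literal `%25` would now be decoded twice and mis-resolved, so the interaction with run_cgi is worth confirming. Nothing in the code records why decoding must precede the check, which invites a future maintainer to drop it as redundant; a comment above the assignment such as `# Decode %-escapes before the check so an encoded separator cannot bypass cgi_directories (issue #21766, CVE-2014-4650)` would anchor it. The enclosing method begins before the hunk, so only the tail of its docstring is visible here.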
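Review bot: The new `test_urlquote_decoding_in_cgi_check` pins only the positive direction — an encoded separator still dispatches to `file1.py` — while the property the fix exists for, that a percent-encoded path whose decoded form lies outside `cgi_directories` is handled by the static-file path rather than executed, has no assertion. A sibling test requesting such a path and asserting the non-CGI status and body would turn a regression of the one-line fix into a test failure; the same test could also request the upper-case `%2F` form, since `urllib.unquote` accepts both spellings. The enclosing test class begins before the hunk.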
@@ -183,11 +173,6 @@
 def listallsubfolders(self, name):
 """Return the names of subfolders in a given folder, recursively."""
 fullname = os.path.join(self.path, name)
- # Get the link count so we can avoid listing folders
- # that have no subfolders.
- nlinks = os.stat(fullname).st_nlink
- if nlinks <= 2:
- return []
 subfolders = []
 subnames = os.listdir(fullname)
 for subname in subnames:
@@ -200,11 +185,6 @@
 subsubfolders = self.listallsubfolders(
 name_subname)
 subfolders = subfolders + subsubfolders
- # Stop looking for subfolders when
- # we've seen them all
- nlinks = nlinks - 1
- if nlinks <= 2:
- break
 subfolders.sort()
 return subfolders
--
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
