commit:     8c31196d00e344da82cf4facf4f6f5d2826c692a
Author:     Matthew Thode <prometheanfire <AT> gentoo <DOT> org>
AuthorDate: Thu Jan 11 23:29:34 2018 +0000
Commit:     Matt Thode <prometheanfire <AT> gentoo <DOT> org>
CommitDate: Thu Jan 11 23:29:50 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c31196d

dev-python/pysaml2: fix bug 644016 CVE-2017-1000433

Package-Manager: Portage-2.3.14, Repoman-2.3.6

 .../files/pysaml-4.0.2_CVE-2017-1000433.patch      | 14 ++++++++
 dev-python/pysaml2/pysaml2-4.0.2-r2.ebuild         | 39 ++++++++++++++++++++++
 2 files changed, 53 insertions(+)

diff --git a/dev-python/pysaml2/files/pysaml-4.0.2_CVE-2017-1000433.patch 
b/dev-python/pysaml2/files/pysaml-4.0.2_CVE-2017-1000433.patch
new file mode 100644
index 00000000000..e745263d236
--- /dev/null
+++ b/dev-python/pysaml2/files/pysaml-4.0.2_CVE-2017-1000433.patch
@@ -0,0 +1,14 @@
+diff -Naur pysaml2/src/saml2/authn.py pysaml2.new/src/saml2/authn.py
+--- 1/src/saml2/authn.py 2018-01-11 17:23:27.198775074 -0600
++++ 2/src/saml2/authn.py 2018-01-11 17:22:57.909567278 -0600
+@@ -147,7 +147,8 @@
+         return resp
+ 
+     def _verify(self, pwd, user):
+-        assert is_equal(pwd, self.passwd[user])
++        if not is_equal(pwd, self.passwd[user]):
++            raise ValueError("Wrong password")
+ 
+     def verify(self, request, **kwargs):
+         """
+
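Review bot: The new guard in `_verify` still indexes `self.passwd[user]` before comparing, so an unknown user raises `KeyError` while a wrong password raises `ValueError("Wrong password")`; if the caller maps those to different responses, or lets the `KeyError` escape as a server error, the distinct outcome is a username-enumeration oracle. Looking the user up with `.get()` and failing the same way for both cases closes it: `stored = self.passwd.get(user)` / `if stored is None or not is_equal(pwd, stored):` / `raise ValueError("Wrong password")`. The short-circuit on a missing user still skips `is_equal`, so a small timing difference remains unless a dummy comparison is performed, and whether `is_equal` itself is constant-time cannot be confirmed from this hunk. Replacing the `assert` is the right fix for the CVE because asserts are stripped under `python -O`, which let any password through; a one-line comment such as `# explicit raise: assert is stripped under -O and would bypass the check` would keep a future cleanup from reverting it. `_verify` is fully inside the hunk; the following `verify` method continues outside it.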

diff --git a/dev-python/pysaml2/pysaml2-4.0.2-r2.ebuild 
b/dev-python/pysaml2/pysaml2-4.0.2-r2.ebuild
new file mode 100644
index 00000000000..34cc46c5c0d
--- /dev/null
+++ b/dev-python/pysaml2/pysaml2-4.0.2-r2.ebuild
@@ -0,0 +1,39 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+PYTHON_COMPAT=( python2_7 python3_4 python3_5 )
+
+inherit distutils-r1
+
+DESCRIPTION="Python implementation of SAML Version 2 to be used in a WSGI 
environment"
+HOMEPAGE="https://github.com/rohe/pysaml2";
+SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~x86"
+IUSE=""
+
+PATCHES=(
+       "${FILESDIR}/xxe-4.0.2.patch"
+       "${FILESDIR}/pysaml-4.0.2_CVE-2017-1000433.patch"
+)
+
+DEPEND="
+       dev-python/setuptools[${PYTHON_USEDEP}]
+"
+RDEPEND="
+       dev-python/decorator[${PYTHON_USEDEP}]
+       >=dev-python/requests-1.0.0[${PYTHON_USEDEP}]
+       dev-python/future[${PYTHON_USEDEP}]
+       dev-python/paste[${PYTHON_USEDEP}]
+       dev-python/zope-interface[${PYTHON_USEDEP}]
+       dev-python/repoze-who[${PYTHON_USEDEP}]
+       >=dev-python/pycrypto-2.5[${PYTHON_USEDEP}]
+       dev-python/pytz[${PYTHON_USEDEP}]
+       dev-python/pyopenssl[${PYTHON_USEDEP}]
+       dev-python/python-dateutil[${PYTHON_USEDEP}]
+       dev-python/six[${PYTHON_USEDEP}]
+       dev-python/defusedxml[${PYTHON_USEDEP}]
+"
