Hello community, here is the log from the commit of package python for openSUSE:Factory checked in at 2018-10-02 19:41:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python (Old) and /work/SRC/openSUSE:Factory/.python.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python" Tue Oct 2 19:41:22 2018 rev:133 rq:638809 version:2.7.15 Changes: -------- --- /work/SRC/openSUSE:Factory/python/python-base.changes 2018-05-25 21:36:32.445649011 +0200 +++ /work/SRC/openSUSE:Factory/.python.new/python-base.changes 2018-10-02 19:41:29.802202938 +0200 @@ -1,0 +2,7 @@ +Tue Sep 25 22:01:08 UTC 2018 - Matěj Cepl <[email protected]> + +- Apply "CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch" which + converts shutil._call_external_zip to use subprocess rather than + distutils.spawn. [bsc#1109663, CVE-2018-1000802] + +------------------------------------------------------------------- python-doc.changes: same change python.changes: same change New: ---- CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-base.spec ++++++ --- /var/tmp/diff_new_pack.88zoie/_old 2018-10-02 19:41:35.578194358 +0200 +++ /var/tmp/diff_new_pack.88zoie/_new 2018-10-02 19:41:35.578194358 +0200 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -60,6 +60,10 @@ Patch40: python-skip_random_failing_tests.patch # PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263 Patch41: python-sorted_tar.patch +# PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch [email protected] +# Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch +Patch42: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch +# # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake @@ -167,6 +171,7 @@ %patch40 -p1 %endif %patch41 -p1 +%patch42 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ python-doc.spec ++++++ --- /var/tmp/diff_new_pack.88zoie/_old 2018-10-02 19:41:35.638194269 +0200 +++ /var/tmp/diff_new_pack.88zoie/_new 2018-10-02 19:41:35.642194262 +0200 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -61,6 +61,10 @@ Patch40: python-skip_random_failing_tests.patch # PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263 Patch41: python-sorted_tar.patch +# PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch [email protected] +# Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch +Patch42: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch +# # COMMON-PATCH-END Provides: pyth_doc Provides: pyth_ps @@ -114,6 +118,7 @@ %patch40 -p1 %endif %patch41 -p1 +%patch42 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ python.spec ++++++ --- /var/tmp/diff_new_pack.88zoie/_old 2018-10-02 19:41:35.666194227 +0200 +++ /var/tmp/diff_new_pack.88zoie/_new 2018-10-02 19:41:35.670194221 +0200 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -66,6 +66,10 @@ Patch40: python-skip_random_failing_tests.patch # PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263 Patch41: python-sorted_tar.patch +# PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch [email protected] +# Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch +Patch42: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch +# # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel @@ -220,6 +224,7 @@ %patch40 -p1 %endif %patch41 -p1 +%patch42 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch ++++++ >From add531a1e55b0a739b0f42582f1c9747e5649ace Mon Sep 17 00:00:00 2001 From: Benjamin Peterson <[email protected]> Date: Tue, 28 Aug 2018 22:12:56 -0700 Subject: [PATCH] closes bpo-34540: Convert shutil._call_external_zip to use subprocess rather than distutils.spawn. --- Lib/shutil.py | 16 ++++++++++------ .../2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | 3 +++ 2 files changed, 13 insertions(+), 6 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst --- a/Lib/shutil.py +++ b/Lib/shutil.py @@ -396,17 +396,21 @@ def _make_tarball(base_name, base_dir, c return archive_name -def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False): +def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger): # XXX see if we want to keep an external call here if verbose: zipoptions = "-r" else: zipoptions = "-rq" - from distutils.errors import DistutilsExecError - from distutils.spawn import spawn + cmd = ["zip", zipoptions, zip_filename, base_dir] + if logger is not None: + logger.info(' '.join(cmd)) + if dry_run: + return + import subprocess try: - spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run) - except DistutilsExecError: + subprocess.check_call(cmd) + except subprocess.CalledProcessError: # XXX really should distinguish between "couldn't find # external 'zip' command" and "zip failed". raise ExecError, \ @@ -440,7 +444,7 @@ def _make_zipfile(base_name, base_dir, v zipfile = None if zipfile is None: - _call_external_zip(base_dir, zip_filename, verbose, dry_run) + _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger) else: if logger is not None: logger.info("creating '%s' and adding '%s' to it",
