Hello community, here is the log from the commit of package python for openSUSE:Factory checked in at 2014-06-25 15:24:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python (Old) and /work/SRC/openSUSE:Factory/.python.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python" Changes: --------
--- /work/SRC/openSUSE:Factory/python/python-base.changes 2014-03-21 15:47:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.python.new/python-base.changes 2014-06-25 15:24:07.000000000 +0200
@@ -1,0 +2,18 @@
+Fri Jun 20 13:11:34 UTC 2014 - jmate...@suse.com
+
+- update to 2.7.7
+ * bugfix-only release, over a hundred bugs fixed
+ * backported hmac.compare_digest from python3, first step of PEP 466
+- drop upstreamed patches:
+ * CVE-2014-1912-recvfrom_into.patch
+ * python-2.7.4-no-REUSEPORT.patch
+ * python-2.7.6-bdist-rpm.patch
+ * python-2.7.6-imaplib.patch
+ * python-2.7.6-sqlite-3.8.4-tests.patch
+- refresh patches:
+ * python-2.7.3-ssl_ca_path.patch
+ * python-2.7.4-canonicalize2.patch
+ * xmlrpc_gzip_27.patch
+- added python keyring and signature for the main tarball
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/python/python-doc.changes 2014-03-21 15:47:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.python.new/python-doc.changes 2014-06-25 15:24:07.000000000 +0200
@@ -1,0 +2,5 @@
+Fri Jun 20 13:46:40 UTC 2014 - jmate...@suse.com
+
+- update to 2.7.7
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/python/python.changes 2014-03-21 15:47:37.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.python.new/python.changes 2014-06-25 15:24:07.000000000 +0200
@@ -1,0 +2,6 @@
+Fri Jun 20 13:46:22 UTC 2014 - jmate...@suse.com
+
+- update to 2.7.7
+ * bugfix-only release, over a hundred bugs fixed
+
+-------------------------------------------------------------------
Old: ---- CVE-2014-1912-recvfrom_into.patch Python-2.7.6.tar.xz python-2.7.4-no-REUSEPORT.patch python-2.7.6-bdist-rpm.patch python-2.7.6-docs-html.tar.bz2 python-2.7.6-docs-pdf-a4.tar.bz2 python-2.7.6-docs-pdf-letter.tar.bz2 python-2.7.6-imaplib.patch python-2.7.6-sqlite-3.8.4-tests.patch New: ---- Python-2.7.7.tar.xz Python-2.7.7.tar.xz.asc python-2.7.7-docs-html.tar.bz2 python-2.7.7-docs-pdf-a4.tar.bz2 python-2.7.7-docs-pdf-letter.tar.bz2 python.keyring ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ python-base.spec ++++++
--- /var/tmp/diff_new_pack.6D7Jw3/_old 2014-06-25 15:24:09.000000000 +0200
+++ /var/tmp/diff_new_pack.6D7Jw3/_new 2014-06-25 15:24:09.000000000 +0200
@@ -17,7 +17,7 @@
 Name: python-base
-Version: 2.7.6
+Version: 2.7.7
 Release: 0
 Summary: Python Interpreter base package
 License: Python-2.0
@@ -26,6 +26,8 @@
 %define tarversion %{version}
 %define tarname Python-%{tarversion}
 Source0: http://www.python.org/ftp/python/%{version}/%{tarname}.tar.xz
+Source4: http://www.python.org/ftp/python/%{version}/%{tarname}.tar.xz.asc
+Source6: python.keyring
 Source1: macros.python
 Source2: baselibs.conf
 Source3: README.SUSE
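Review bot: The new Source4 and Source6 lines in the `@@ -26,6 +26,8 @@` hunk are inserted between Source0 and Source1, leaving the source list out of numerical order and with no Source5 visible here; placing them after Source3 (or renumbering them Source4/Source5) keeps the list readable. Neither line says what it is for; a comment such as `# detached upstream signature for Source0 and the keyring it is checked against` above Source4 would record the intent the changelog states. The signature and keyring are added only to python-base.spec in this commit — the python.spec and python-doc.spec diffs below touch no Source lines — so if each spec is expected to reference them for verification, the other two specs need the same two lines; whether that is required cannot be told from this diff alone.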
@@ -47,21 +49,14 @@
 Patch20: python-bundle-lang.patch
 # PATCH-FIX-OPENSUSE Properly support aarch64 in _ctypes module
 Patch22: python-2.7.4-aarch64.patch
-Patch23: python-2.7.4-no-REUSEPORT.patch
 Patch24: python-bsddb6.diff
 # PATCH-FIX-OPENSUSE Properly support ppc64le in _ctypes module
 Patch25: libffi-ppc64le.diff
 # CVE-2013-1753 [bnc#856835] unbounded gzip decompression in xmlrpc client
 Patch26: xmlrpc_gzip_27.patch
 # CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib
-Patch27: python-2.7.6-imaplib.patch
 Patch28: smtplib_maxline-2.7.patch
 Patch29: python-2.7.6-poplib.patch
-# [bnc#857470] add missing import to bdist_rpm command
-Patch30: python-2.7.6-bdist-rpm.patch
-# CVE-2014-1912 [bnc#863741] buffer overflow in recvfrom_into
-Patch31: CVE-2014-1912-recvfrom_into.patch
-Patch32: python-2.7.6-sqlite-3.8.4-tests.patch
 # COMMON-PATCH-END
 %define python_version %(echo %{tarversion} | head -c 3)
 BuildRequires: automake
@@ -149,16 +144,11 @@
 %patch18 -p1
 %patch20 -p1
 %patch22 -p1
-%patch23 -p1
 %patch24 -p1
 %patch25 -p0
 %patch26 -p1
-%patch27 -p1
 %patch28 -p1
 %patch29 -p1
-%patch30 -p1
-%patch31 -p1
-%patch32 -p1
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
++++++ python-doc.spec ++++++
--- /var/tmp/diff_new_pack.6D7Jw3/_old 2014-06-25 15:24:10.000000000 +0200
+++ /var/tmp/diff_new_pack.6D7Jw3/_new 2014-06-25 15:24:10.000000000 +0200
@@ -16,7 +16,7 @@
 #
 Name: python-doc
-Version: 2.7.6
+Version: 2.7.7
 Release: 0
 Summary: Additional Package Documentation for Python
 License: Python-2.0
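Review bot: The context line `# CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib` in the `@@ -47,21 +49,14 @@` hunk is now stale: this hunk drops Patch27 (the imaplib fix) as upstreamed and the package has moved to 2.7.7, so the comment should read `# CVE-2013-1752 patches missing in 2.7.7: poplib, smtplib`, assuming Patch28 and Patch29 are still needed against 2.7.7 as their retention suggests. The same stale comment is left in place in the python-doc.spec hunk at `@@ -52,21 +52,14 @@` and the python.spec hunk at `@@ -53,21 +53,14 @@`.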
@@ -52,21 +52,14 @@
 Patch20: python-bundle-lang.patch
 # PATCH-FIX-OPENSUSE Properly support aarch64 in _ctypes module
 Patch22: python-2.7.4-aarch64.patch
-Patch23: python-2.7.4-no-REUSEPORT.patch
 Patch24: python-bsddb6.diff
 # PATCH-FIX-OPENSUSE Properly support ppc64le in _ctypes module
 Patch25: libffi-ppc64le.diff
 # CVE-2013-1753 [bnc#856835] unbounded gzip decompression in xmlrpc client
 Patch26: xmlrpc_gzip_27.patch
 # CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib
-Patch27: python-2.7.6-imaplib.patch
 Patch28: smtplib_maxline-2.7.patch
 Patch29: python-2.7.6-poplib.patch
-# [bnc#857470] add missing import to bdist_rpm command
-Patch30: python-2.7.6-bdist-rpm.patch
-# CVE-2014-1912 [bnc#863741] buffer overflow in recvfrom_into
-Patch31: CVE-2014-1912-recvfrom_into.patch
-Patch32: python-2.7.6-sqlite-3.8.4-tests.patch
 # COMMON-PATCH-END
 Provides: pyth_doc
 Provides: pyth_ps
@@ -108,16 +101,11 @@
 %patch18 -p1
 %patch20 -p1
 %patch22 -p1
-%patch23 -p1
 %patch24 -p1
 %patch25 -p0
 %patch26 -p1
-%patch27 -p1
 %patch28 -p1
 %patch29 -p1
-%patch30 -p1
-%patch31 -p1
-%patch32 -p1
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
++++++ python.spec ++++++
--- /var/tmp/diff_new_pack.6D7Jw3/_old 2014-06-25 15:24:10.000000000 +0200
+++ /var/tmp/diff_new_pack.6D7Jw3/_new 2014-06-25 15:24:10.000000000 +0200
@@ -16,7 +16,7 @@
 #
 Name: python
-Version: 2.7.6
+Version: 2.7.7
 Release: 0
 Summary: Python Interpreter
 License: Python-2.0
@@ -53,21 +53,14 @@
 Patch20: python-bundle-lang.patch
 # PATCH-FIX-OPENSUSE Properly support aarch64 in _ctypes module
 Patch22: python-2.7.4-aarch64.patch
-Patch23: python-2.7.4-no-REUSEPORT.patch
 Patch24: python-bsddb6.diff
 # PATCH-FIX-OPENSUSE Properly support ppc64le in _ctypes module
 Patch25: libffi-ppc64le.diff
 # CVE-2013-1753 [bnc#856835] unbounded gzip decompression in xmlrpc client
 Patch26: xmlrpc_gzip_27.patch
 # CVE-2013-1752 patches missing in 2.7.6: imaplib, poplib, smtplib
-Patch27: python-2.7.6-imaplib.patch
 Patch28: smtplib_maxline-2.7.patch
 Patch29: python-2.7.6-poplib.patch
-# [bnc#857470] add missing import to bdist_rpm command
-Patch30: python-2.7.6-bdist-rpm.patch
-# CVE-2014-1912 [bnc#863741] buffer overflow in recvfrom_into
-Patch31: CVE-2014-1912-recvfrom_into.patch
-Patch32: python-2.7.6-sqlite-3.8.4-tests.patch
 # COMMON-PATCH-END
 BuildRequires: automake
 BuildRequires: db-devel
@@ -185,16 +178,11 @@
 %patch18 -p1
 %patch20 -p1
 %patch22 -p1
-%patch23 -p1
 %patch24 -p1
 %patch25 -p0
 %patch26 -p1
-%patch27 -p1
 %patch28 -p1
 %patch29 -p1
-%patch30 -p1
-%patch31 -p1
-%patch32 -p1
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
++++++ Python-2.7.6.tar.xz -> Python-2.7.7.tar.xz ++++++ /work/SRC/openSUSE:Factory/python/Python-2.7.6.tar.xz /work/SRC/openSUSE:Factory/.python.new/Python-2.7.7.tar.xz differ: char 27, line 1
++++++ python-2.7.3-ssl_ca_path.patch ++++++
--- /var/tmp/diff_new_pack.6D7Jw3/_old 2014-06-25 15:24:10.000000000 +0200
+++ /var/tmp/diff_new_pack.6D7Jw3/_new 2014-06-25 15:24:10.000000000 +0200
@@ -1,16 +1,16 @@ -Index: Python-2.7.5/Modules/_ssl.c +Index: Python-2.7.7/Modules/_ssl.c =================================================================== ---- Python-2.7.5.orig/Modules/_ssl.c -+++ Python-2.7.5/Modules/_ssl.c -@@ -271,6 +271,7 @@ newPySSLObject(PySocketSockObject *Sock, +--- Python-2.7.7.orig/Modules/_ssl.c 2014-06-20 14:34:28.157656595 +0200 ++++ Python-2.7.7/Modules/_ssl.c 2014-06-20 14:35:20.092929774 +0200 +@@ -273,6 +273,7 @@ char *errstr = NULL; int ret; int verification_mode; + struct stat stat_buf; + long options; self = PyObject_New(PySSLObject, &PySSL_Type); /* Create new object */ - if (self == NULL) -@@ -327,20 +328,32 @@ newPySSLObject(PySocketSockObject *Sock, +@@ -331,20 +332,32 @@ if (certreq != PY_SSL_CERT_NONE) { if (cacerts_file == NULL) { ++++++ python-2.7.4-canonicalize2.patch ++++++ --- /var/tmp/diff_new_pack.6D7Jw3/_old 2014-06-25 15:24:10.000000000 +0200 +++ /var/tmp/diff_new_pack.6D7Jw3/_new 2014-06-25 15:24:10.000000000 +0200 @@ -1,6 +1,8 @@ ---- a/Python/sysmodule.c -+++ b/Python/sysmodule.c -@@ -1620,7 +1620,20 @@ +Index: Python-2.7.7/Python/sysmodule.c +=================================================================== +--- Python-2.7.7.orig/Python/sysmodule.c 2014-06-20 14:33:06.696228064 +0200 ++++ Python-2.7.7/Python/sysmodule.c 2014-06-20 14:33:10.960250497 +0200 +@@ -1624,7 +1624,20 @@ char *p = NULL; Py_ssize_t n = 0; PyObject *a; @@ -22,7 +24,7 @@ char link[MAXPATHLEN+1]; char argv0copy[2*MAXPATHLEN+1]; int nr = 0; -@@ -1647,7 +1660,8 @@ +@@ -1651,7 +1664,8 @@ } } } @@ -32,7 +34,7 @@ #if SEP == '\\' /* Special case for MS filename syntax */ if (argc > 0 && argv0 != NULL && strcmp(argv0, "-c") != 0) { char *q; -@@ -1676,11 +1690,6 @@ +@@ -1680,11 +1694,6 @@ } #else /* All other filename syntaxes */ if (argc > 0 && argv0 != NULL && strcmp(argv0, "-c") != 0) { 
@@ -44,7 +46,7 @@ p = strrchr(argv0, SEP); } if (p != NULL) { -@@ -1698,6 +1707,9 @@ +@@ -1702,6 +1711,9 @@ a = PyString_FromStringAndSize(argv0, n); if (a == NULL) Py_FatalError("no mem for sys.path insertion"); @@ -54,9 +56,11 @@ if (PyList_Insert(path, 0, a) < 0) Py_FatalError("sys.path.insert(0) failed"); Py_DECREF(a); ---- a/pyconfig.h.in -+++ b/pyconfig.h.in -@@ -106,6 +106,9 @@ +Index: Python-2.7.7/pyconfig.h.in +=================================================================== +--- Python-2.7.7.orig/pyconfig.h.in 2014-05-31 20:58:40.000000000 +0200 ++++ Python-2.7.7/pyconfig.h.in 2014-06-20 14:33:10.961250502 +0200 +@@ -109,6 +109,9 @@ /* Define to 1 if you have the 'chflags' function. */ #undef HAVE_CHFLAGS 
@@ -66,11 +70,13 @@ /* Define to 1 if you have the `chown' function. */ #undef HAVE_CHOWN ---- a/configure.ac -+++ b/configure.ac -@@ -2913,7 +2913,7 @@ +Index: Python-2.7.7/configure.ac +=================================================================== +--- Python-2.7.7.orig/configure.ac 2014-06-20 14:33:06.694228054 +0200 ++++ Python-2.7.7/configure.ac 2014-06-20 14:33:10.961250502 +0200 +@@ -2935,7 +2935,7 @@ getpriority getresuid getresgid getpwent getspnam getspent getsid getwd \ - initgroups kill killpg lchmod lchown lstat mkfifo mknod mktime \ + initgroups kill killpg lchmod lchown lstat mkfifo mknod mktime mmap \ mremap nice pathconf pause plock poll pthread_init \ - putenv readlink realpath \ + putenv readlink realpath canonicalize_file_name \ ++++++ python-2.7.6-docs-html.tar.bz2 -> python-2.7.7-docs-html.tar.bz2 ++++++ ++++ 59205 lines of diff (skipped) ++++++ python-2.7.6-docs-pdf-a4.tar.bz2 -> python-2.7.7-docs-pdf-a4.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/python/python-2.7.6-docs-pdf-a4.tar.bz2 /work/SRC/openSUSE:Factory/.python.new/python-2.7.7-docs-pdf-a4.tar.bz2 differ: char 11, line 1 ++++++ python-2.7.6-docs-pdf-letter.tar.bz2 -> python-2.7.7-docs-pdf-letter.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/python/python-2.7.6-docs-pdf-letter.tar.bz2 /work/SRC/openSUSE:Factory/.python.new/python-2.7.7-docs-pdf-letter.tar.bz2 differ: char 11, line 1 ++++++ xmlrpc_gzip_27.patch ++++++ --- /var/tmp/diff_new_pack.6D7Jw3/_old 2014-06-25 15:24:13.000000000 +0200 +++ /var/tmp/diff_new_pack.6D7Jw3/_new 2014-06-25 15:24:13.000000000 +0200 
@@ -1,7 +1,8 @@ -diff --git a/Doc/library/xmlrpclib.rst b/Doc/library/xmlrpclib.rst ---- a/Doc/library/xmlrpclib.rst -+++ b/Doc/library/xmlrpclib.rst -@@ -120,6 +120,15 @@ +Index: Python-2.7.7/Doc/library/xmlrpclib.rst +=================================================================== +--- Python-2.7.7.orig/Doc/library/xmlrpclib.rst 2014-05-31 20:58:38.000000000 +0200 ++++ Python-2.7.7/Doc/library/xmlrpclib.rst 2014-06-20 14:51:40.282081132 +0200 +@@ -127,6 +127,15 @@ *__dict__* attribute and don't have a base class that is marshalled in a special way. 
@@ -17,11 +18,53 @@ .. seealso:: -diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py ---- a/Lib/test/test_xmlrpc.py -+++ b/Lib/test/test_xmlrpc.py -@@ -19,6 +19,11 @@ - threading = None +Index: Python-2.7.7/Lib/xmlrpclib.py +=================================================================== +--- Python-2.7.7.orig/Lib/xmlrpclib.py 2014-05-31 20:58:39.000000000 +0200 ++++ Python-2.7.7/Lib/xmlrpclib.py 2014-06-20 14:51:40.282081132 +0200 +@@ -49,6 +49,7 @@ + # 2003-07-12 gp Correct marshalling of Faults + # 2003-10-31 mvl Add multicall support + # 2004-08-20 mvl Bump minimum supported Python version to 2.1 ++# 2013-01-20 ch Add workaround for gzip bomb vulnerability + # + # Copyright (c) 1999-2002 by Secret Labs AB. + # Copyright (c) 1999-2002 by Fredrik Lundh. +@@ -147,6 +148,10 @@ + except ImportError: + gzip = None #python can be built without zlib/gzip support + ++# Limit the maximum amount of decoded data that is decompressed. The ++# limit prevents gzip bomb attacks. ++MAX_GZIP_DECODE = 20 * 1024 * 1024 # 20 MB ++ + # -------------------------------------------------------------------- + # Internal stuff + +@@ -1178,11 +1183,16 @@ + f = StringIO.StringIO(data) + gzf = gzip.GzipFile(mode="rb", fileobj=f) + try: +- decoded = gzf.read() ++ if MAX_GZIP_DECODE < 0: # no limit ++ decoded = gzf.read() ++ else: ++ decoded = gzf.read(MAX_GZIP_DECODE + 1) + except IOError: + raise ValueError("invalid data") + f.close() + gzf.close() ++ if MAX_GZIP_DECODE >= 0 and len(decoded) > MAX_GZIP_DECODE: ++ raise ValueError("max gzipped payload length exceeded") + return decoded + + ## +Index: Python-2.7.7/Lib/test/test_xmlrpc.py +=================================================================== +--- Python-2.7.7.orig/Lib/test/test_xmlrpc.py 2014-05-31 20:58:39.000000000 +0200 ++++ Python-2.7.7/Lib/test/test_xmlrpc.py 2014-06-20 14:51:59.993184645 +0200 +@@ -24,6 +24,11 @@ + gzip = None try: + import gzip 
@@ -32,7 +75,7 @@ unicode except NameError: have_unicode = False -@@ -731,7 +736,7 @@ +@@ -737,7 +742,7 @@ with cm: p.pow(6, 8) @@ -41,7 +84,7 @@ t = self.Transport() p = xmlrpclib.ServerProxy(URL, transport=t) old = self.requestHandler.encode_threshold -@@ -744,6 +749,27 @@ +@@ -750,6 +755,27 @@ self.requestHandler.encode_threshold = old self.assertTrue(a>b) 
@@ -69,56 +112,3 @@ #Test special attributes of the ServerProxy object class ServerProxyTestCase(unittest.TestCase): def setUp(self): -@@ -1011,11 +1037,8 @@ - xmlrpc_tests.append(SimpleServerTestCase) - xmlrpc_tests.append(KeepaliveServerTestCase1) - xmlrpc_tests.append(KeepaliveServerTestCase2) -- try: -- import gzip -+ if gzip is not None: - xmlrpc_tests.append(GzipServerTestCase) -- except ImportError: -- pass #gzip not supported in this build - xmlrpc_tests.append(MultiPathServerTestCase) - xmlrpc_tests.append(ServerProxyTestCase) - xmlrpc_tests.append(FailingServerTestCase) -diff --git a/Lib/xmlrpclib.py b/Lib/xmlrpclib.py ---- a/Lib/xmlrpclib.py -+++ b/Lib/xmlrpclib.py -@@ -49,6 +49,7 @@ - # 2003-07-12 gp Correct marshalling of Faults - # 2003-10-31 mvl Add multicall support - # 2004-08-20 mvl Bump minimum supported Python version to 2.1 -+# 2013-01-20 ch Add workaround for gzip bomb vulnerability - # - # Copyright (c) 1999-2002 by Secret Labs AB. - # Copyright (c) 1999-2002 by Fredrik Lundh. -@@ -147,6 +148,10 @@ - except ImportError: - gzip = None #python can be built without zlib/gzip support - -+# Limit the maximum amount of decoded data that is decompressed. The -+# limit prevents gzip bomb attacks. -+MAX_GZIP_DECODE = 20 * 1024 * 1024 # 20 MB -+ - # -------------------------------------------------------------------- - # Internal stuff - -@@ -1178,11 +1183,16 @@ - f = StringIO.StringIO(data) - gzf = gzip.GzipFile(mode="rb", fileobj=f) - try: -- decoded = gzf.read() -+ if MAX_GZIP_DECODE < 0: # no limit -+ decoded = gzf.read() -+ else: -+ decoded = gzf.read(MAX_GZIP_DECODE + 1) - except IOError: - raise ValueError("invalid data") - f.close() - gzf.close() -+ if MAX_GZIP_DECODE >= 0 and len(decoded) > MAX_GZIP_DECODE: -+ raise ValueError("max gzipped payload length exceeded") - return decoded - - ## -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org