Hello community, here is the log from the commit of package jython for openSUSE:Factory checked in at 2015-02-06 10:46:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/jython (Old) and /work/SRC/openSUSE:Factory/.jython.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jython" Changes: -------- --- /work/SRC/openSUSE:Factory/jython/jython.changes 2013-09-11 13:38:21.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.jython.new/jython.changes 2015-02-06 10:46:50.000000000 +0100 @@ -1,0 +2,8 @@ +Wed Feb 4 14:23:46 UTC 2015 - tchva...@suse.com + +- Added patches to fix CVE-2013-2027 bnc#916224: + * jython-cached-classes.patch + * jython-cacheperms.patch + * jython-makeCompiledFilename.patch + +------------------------------------------------------------------- New: ---- jython-cached-classes.patch jython-cacheperms.patch jython-makeCompiledFilename.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ jython.spec ++++++ --- /var/tmp/diff_new_pack.4ww6Rr/_old 2015-02-06 10:46:51.000000000 +0100 +++ /var/tmp/diff_new_pack.4ww6Rr/_new 2015-02-06 10:46:51.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package jython # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -42,6 +42,10 @@ # Also, copy python's license from source directory and not # ${python.home} Patch1: %{name}-nofullbuildpath.patch +# These address CVE-2013-2027 (http://bugs.jython.org/msg8004) +Patch3: %{name}-cacheperms.patch +Patch4: %{name}-makeCompiledFilename.patch +Patch5: %{name}-cached-classes.patch Requires: jakarta-oro Requires: javapackages-tools Requires: libreadline-java >= 0.8.0-16 @@ -166,6 +170,9 @@ %setup -q -n %{name}-svn-%{svn_tag} %patch0 -p1 %patch1 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 %build export CLASSPATH=$(build-classpath mysql-connector-java oro servlet) ++++++ jython-cached-classes.patch ++++++ >From 85a88bcffe2d61d143b4f8c545bd28b152d8d05b Mon Sep 17 00:00:00 2001 
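Review bot: The comment added above Patch3 names the CVE but not the ordering constraint between Patch4 and Patch5, which both modify src/org/python/core/imp.java: Patch5's index line (a9868dd..67c33d6) continues from the blob Patch4 produces (a902079..a9868dd), so swapping the two `%patch` lines in the @@ -166,6 +170,9 @@ hunk would make Patch5 fail to apply. Suggest extending the comment to `# These address CVE-2013-2027 (http://bugs.jython.org/msg8004); Patch5 depends on Patch4 (both touch imp.java), keep the order`. The numbering also jumps from Patch1 to Patch3; harmless, but a one-line comment on why Patch2 is unused would save the next maintainer a search.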
From: Lubomir Rintel <lubo.rin...@gooddata.com> Date: Wed, 3 Apr 2013 18:31:40 +0200 Subject: [PATCH 3/3] Use cache dir for classes too Instead of attempting to write them next to source files. Java 6 API does not allow for setting sane permissions (i.e. same as those of a source file) and relying on defaults is a security hazard which can lead to information disclosure, or, in case of a too relaxed umask, arbitrary code execution. Also, this will likely improve performance for non-privileged users which can not write to their distribution's packaged jython tree. --- src/org/python/core/PySystemState.java | 6 ++++++ src/org/python/core/imp.java | 12 ++++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/src/org/python/core/PySystemState.java b/src/org/python/core/PySystemState.java index 9de34e3..a124228 100644 --- a/src/org/python/core/PySystemState.java +++ b/src/org/python/core/PySystemState.java @@ -539,6 +539,12 @@ public class PySystemState extends PyObject public static PackageManager packageManager; public static File cachedir; + public static File classCache() { + if (cachedir == null) + return null; + return new File(cachedir, "classes"); + } + public static boolean isPackageCacheEnabled() { return cachedir != null; } diff --git a/src/org/python/core/imp.java b/src/org/python/core/imp.java index a9868dd..67c33d6 100644 --- a/src/org/python/core/imp.java +++ b/src/org/python/core/imp.java @@ -117,8 +117,15 @@ public class imp { } private static String makeCompiledFilename(String filename) { - return filename.substring(0, filename.length() - 3) - + "$py.class"; + String basename = filename.substring(0, filename.length() - 3) + + "$py.class"; + File cache = Py.getSystemState().classCache(); + + if (cache == null) { + return basename; + } else { + return new File(cache, basename).getPath(); + } } /** 
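Review bot: `classCache()` has no Javadoc and uses an unbraced `if`, while the neighbouring `isPackageCacheEnabled()` in the same hunk is fully braced, so the new method reads as written in a different style from its surroundings. Since it tests the same public static `cachedir` field that `isPackageCacheEnabled()` tests, the body could reuse it: `return isPackageCacheEnabled() ? new File(cachedir, "classes") : null;`, with the Javadoc `/** Directory for cached compiled classes, or {@code null} when the package cache is disabled. */`. `cachedir` is a public mutable static, so two calls are not guaranteed to agree; a short comment saying so would help the callers in imp.java.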
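Review bot: The cache entry is keyed on the raw `filename`, so two modules with the same relative name share one file under `cache`, and a relative path containing `..` (from a relative sys.path entry, say) resolves outside the cache directory, undoing the confinement the cacheperms patch sets up. It also interacts badly with the callers changed in the makeCompiledFilename patch further down this page: they pass only `"__init__.py"` or `name + ".py"` and then build `new File(directoryName, compiledName)`, and since `java.io.File` on Unix concatenates an absolute child onto the parent, the result is `directoryName` followed by the full cache path — a cache subtree nested under each source directory, which the `mkdirs()` added in the next imp.java hunk will happily create; those callers should hand in `new File(directoryName, sourceName).getPath()` and use the result as-is. The rewrite below keys on the absolute source path and refuses any result whose canonical form leaves the cache (falling back to the pre-patch location, as the `cache == null` branch already does); it assumes `java.io.IOException` is already imported in imp.java, which its file I/O makes likely. `Py.getSystemState().classCache()` calls a static method through an instance; `PySystemState.classCache()` says what is meant. The `.py` suffix assumption in the `substring` call is pre-existing and left alone.
```java
    private static String makeCompiledFilename(String filename) {
        String basename = filename.substring(0, filename.length() - 3)
                + "$py.class";
        File cache = PySystemState.classCache();
        if (cache == null) {
            return basename;
        }
        // Key the entry on the absolute source path so distinct modules with
        // the same relative name get distinct entries, then refuse any result
        // that a ".." component would place outside the cache directory.
        File entry = new File(cache, new File(basename).getAbsolutePath());
        try {
            String cacheRoot = cache.getCanonicalPath() + File.separator;
            if (!entry.getCanonicalPath().startsWith(cacheRoot)) {
                return basename;
            }
        } catch (IOException e) {
            return basename;
        }
        return entry.getPath();
    }
```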
@@ -144,6 +151,7 @@ public class imp { } FileOutputStream fop = null; try { + new File(compiledFilename).getParentFile().mkdirs(); fop = new FileOutputStream(compiledFilename); fop.write(compiledSource); fop.close(); -- 1.8.3.1 ++++++ jython-cacheperms.patch ++++++ >From 517883617472d53c3346ad419f0af42a7dd83705 Mon Sep 17 00:00:00 2001 From: Lubomir Rintel <lubo.rin...@gooddata.com> Date: Wed, 3 Apr 2013 18:24:46 +0200 Subject: [PATCH 1/3] Make cache not accessible by anyone else Sensitive information might be being cached or umask can be too relaxed, allowing writes. --- src/org/python/core/CachedJarsPackageManager.java | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/org/python/core/CachedJarsPackageManager.java b/src/org/python/core/CachedJarsPackageManager.java index 6953136..764f2f3 100644 --- a/src/org/python/core/CachedJarsPackageManager.java +++ b/src/org/python/core/CachedJarsPackageManager.java @@ -587,6 +587,12 @@ public abstract class CachedJarsPackageManager extends PackageManager { return false; } + aCachedir1.setReadable(false, false); + aCachedir1.setWritable(false, false); + aCachedir1.setExecutable(false, false); + aCachedir1.setReadable(true, true); + aCachedir1.setWritable(true, true); + aCachedir1.setExecutable(true, true); this.cachedir = aCachedir1; return true; -- 1.8.3.1 ++++++ jython-makeCompiledFilename.patch ++++++ >From 9adf26828ecf5650a86885b344b93242f6617220 Mon Sep 17 00:00:00 2001 From: Lubomir Rintel <lubo.rin...@gooddata.com> Date: Wed, 3 Apr 2013 18:32:14 +0200 Subject: [PATCH 2/3] Avoid code duplication with makeCompiledFilename() --- src/org/python/core/imp.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/org/python/core/imp.java b/src/org/python/core/imp.java index a902079..a9868dd 100644 --- a/src/org/python/core/imp.java +++ b/src/org/python/core/imp.java 
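Review bot: `new File(compiledFilename).getParentFile()` returns `null` when `compiledFilename` has no directory component, which is what `makeCompiledFilename` yields when `classCache()` is `null` (package cache disabled) and a bare source name reaches this method, so the added line then throws `NullPointerException` inside the `try` before the `FileOutputStream` is opened — presumably not what the catch below (outside this hunk) is written for. Guard it: `File parent = new File(compiledFilename).getParentFile();` / `if (parent != null) { parent.mkdirs(); }`. Ignoring the `mkdirs()` result is acceptable here only because the `FileOutputStream` constructor on the next line reports a missing directory as an IOException; a one-line comment saying so would keep the next reader from "fixing" it. The enclosing method starts and ends outside the hunk.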
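Review bot: All six `set*` calls discard their boolean result, and `File.setReadable`/`setWritable`/`setExecutable` return `false` rather than throw when the platform or file system cannot apply the change, so on such a system the cache is adopted (`this.cachedir = aCachedir1` on the next line) with whatever permissions it already had and nobody is told. Combine the results with non-short-circuit `&` so every call is still attempted, and report a failure through the logging hook this class uses (assumed below to be `warning(String)`; substitute the actual one); whether to refuse the cache in that case is a policy call, but the silent path is the wrong default. The mode is also tightened only after the directory exists, so a directory left behind by an earlier run keeps its contents' old permissions up to this point — worth a comment so the window is a documented choice rather than an oversight. The enclosing method starts outside the hunk.
```java
        // … unchanged: directory creation and the early "return false" above …
        boolean restricted = aCachedir1.setReadable(false, false)
                & aCachedir1.setWritable(false, false)
                & aCachedir1.setExecutable(false, false)
                & aCachedir1.setReadable(true, true)
                & aCachedir1.setWritable(true, true)
                & aCachedir1.setExecutable(true, true);
        if (!restricted) {
            warning("could not restrict permissions of package cache dir '" + aCachedir1 + "'");
        }
        this.cachedir = aCachedir1;
```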
@@ -424,7 +424,7 @@ public class imp { int nlen = name.length(); String sourceName = "__init__.py"; - String compiledName = "__init__$py.class"; + String compiledName = makeCompiledFilename(sourceName); String directoryName = defaultEmptyPathDirectory(entry.toString()); // First check for packages @@ -437,7 +437,7 @@ public class imp { if (!pkg) { Py.writeDebug(IMPORT_LOG, "trying source " + dir.getPath()); sourceName = name + ".py"; - compiledName = name + "$py.class"; + compiledName = makeCompiledFilename(sourceName); sourceFile = new File(directoryName, sourceName); compiledFile = new File(directoryName, compiledName); } else { -- 1.8.3.1 -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org