commit jython for openSUSE:Factory

h_root Fri, 06 Feb 2015 01:47:06 -0800

Hello community,

here is the log from the commit of package jython for openSUSE:Factory checked 
in at 2015-02-06 10:46:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/jython (Old)
 and      /work/SRC/openSUSE:Factory/.jython.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Package is "jython"

Changes:
--------
--- /work/SRC/openSUSE:Factory/jython/jython.changes    2013-09-11 
13:38:21.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.jython.new/jython.changes       2015-02-06 
10:46:50.000000000 +0100
@@ -1,0 +2,8 @@
+Wed Feb  4 14:23:46 UTC 2015 - tchva...@suse.com
+
+- Added patches to fix CVE-2013-2027 bnc#916224:
+  * jython-cached-classes.patch
+  * jython-cacheperms.patch
+  * jython-makeCompiledFilename.patch
+
+-------------------------------------------------------------------

New:
----
  jython-cached-classes.patch
  jython-cacheperms.patch
  jython-makeCompiledFilename.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ jython.spec ++++++
--- /var/tmp/diff_new_pack.4ww6Rr/_old  2015-02-06 10:46:51.000000000 +0100
+++ /var/tmp/diff_new_pack.4ww6Rr/_new  2015-02-06 10:46:51.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package jython
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -42,6 +42,10 @@
 # Also, copy python's license from source directory and not
 # ${python.home}
 Patch1:         %{name}-nofullbuildpath.patch
+# These address CVE-2013-2027 (http://bugs.jython.org/msg8004)
+Patch3:         %{name}-cacheperms.patch
+Patch4:         %{name}-makeCompiledFilename.patch
+Patch5:         %{name}-cached-classes.patch
 Requires:       jakarta-oro
 Requires:       javapackages-tools
 Requires:       libreadline-java >= 0.8.0-16
@@ -166,6 +170,9 @@
 %setup -q -n %{name}-svn-%{svn_tag}
 %patch0 -p1
 %patch1 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 
 %build
 export CLASSPATH=$(build-classpath mysql-connector-java oro servlet)

++++++ jython-cached-classes.patch ++++++
>From 85a88bcffe2d61d143b4f8c545bd28b152d8d05b Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lubo.rin...@gooddata.com>
Date: Wed, 3 Apr 2013 18:31:40 +0200
Subject: [PATCH 3/3] Use cache dir for classes too

Instead of attempting to write them next to source files.
Java 6 API does not allow for setting sane permissions (i.e. same as
those of a source file) and relying on defaults is a security hazard
which can lead to information disclosure, or, in case of a too relaxed
umask, arbitrary code execution.

Also, this will likely improve performance for non-privileged users
which can not write to their distribution's packaged jython tree.
---
 src/org/python/core/PySystemState.java |  6 ++++++
 src/org/python/core/imp.java           | 12 ++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/org/python/core/PySystemState.java 
b/src/org/python/core/PySystemState.java
index 9de34e3..a124228 100644
--- a/src/org/python/core/PySystemState.java
+++ b/src/org/python/core/PySystemState.java
@@ -539,6 +539,12 @@ public class PySystemState extends PyObject
     public static PackageManager packageManager;
     public static File cachedir;
     
+    public static File classCache() {
+        if (cachedir == null)
+           return null;
+        return new File(cachedir, "classes");
+    }
+
     public static boolean isPackageCacheEnabled() {
         return cachedir != null;
     }
diff --git a/src/org/python/core/imp.java b/src/org/python/core/imp.java
index a9868dd..67c33d6 100644
--- a/src/org/python/core/imp.java
+++ b/src/org/python/core/imp.java
@@ -117,8 +117,15 @@ public class imp {
     }
 
     private static String makeCompiledFilename(String filename) {
-        return filename.substring(0, filename.length() - 3)
-                + "$py.class";
+       String basename = filename.substring(0, filename.length() - 3)
+                        + "$py.class";
+        File cache = Py.getSystemState().classCache();
+
+        if (cache == null) {
+            return basename;
+        } else {
+            return new File(cache, basename).getPath();
+        }
     }
     
     /**
@@ -144,6 +151,7 @@ public class imp {
         }
         FileOutputStream fop = null;
         try {
+            new File(compiledFilename).getParentFile().mkdirs();
             fop = new FileOutputStream(compiledFilename);
             fop.write(compiledSource);
             fop.close();
-- 
1.8.3.1

++++++ jython-cacheperms.patch ++++++
>From 517883617472d53c3346ad419f0af42a7dd83705 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lubo.rin...@gooddata.com>
Date: Wed, 3 Apr 2013 18:24:46 +0200
Subject: [PATCH 1/3] Make cache not accessible by anyone else

Sensitive information might be being cached or umask can be too relaxed,
allowing writes.
---
 src/org/python/core/CachedJarsPackageManager.java | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/org/python/core/CachedJarsPackageManager.java 
b/src/org/python/core/CachedJarsPackageManager.java
index 6953136..764f2f3 100644
--- a/src/org/python/core/CachedJarsPackageManager.java
+++ b/src/org/python/core/CachedJarsPackageManager.java
@@ -587,6 +587,12 @@ public abstract class CachedJarsPackageManager extends 
PackageManager {
             return false;
         }
 
+        aCachedir1.setReadable(false, false);
+        aCachedir1.setWritable(false, false);
+        aCachedir1.setExecutable(false, false);
+        aCachedir1.setReadable(true, true);
+        aCachedir1.setWritable(true, true);
+        aCachedir1.setExecutable(true, true);
         this.cachedir = aCachedir1;
 
         return true;
-- 
1.8.3.1

++++++ jython-makeCompiledFilename.patch ++++++
>From 9adf26828ecf5650a86885b344b93242f6617220 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lubo.rin...@gooddata.com>
Date: Wed, 3 Apr 2013 18:32:14 +0200
Subject: [PATCH 2/3] Avoid code duplication with makeCompiledFilename()

---
 src/org/python/core/imp.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/org/python/core/imp.java b/src/org/python/core/imp.java
index a902079..a9868dd 100644
--- a/src/org/python/core/imp.java
+++ b/src/org/python/core/imp.java
@@ -424,7 +424,7 @@ public class imp {
 
         int nlen = name.length();
         String sourceName = "__init__.py";
-        String compiledName = "__init__$py.class";
+        String compiledName = makeCompiledFilename(sourceName);
         String directoryName = defaultEmptyPathDirectory(entry.toString());
 
         // First check for packages
@@ -437,7 +437,7 @@ public class imp {
         if (!pkg) {
             Py.writeDebug(IMPORT_LOG, "trying source " + dir.getPath());
             sourceName = name + ".py";
-            compiledName = name + "$py.class";
+            compiledName = makeCompiledFilename(sourceName);
             sourceFile = new File(directoryName, sourceName);
             compiledFile = new File(directoryName, compiledName);
         } else {
-- 
1.8.3.1

-- 
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org

commit jython for openSUSE:Factory

Reply via email to