[gentoo-commits] repo/gentoo:master commit in: dev-python/pysaml2/files/, dev-python/pysaml2/

2018-01-11 Thread Matt Thode
commit: 8c31196d00e344da82cf4facf4f6f5d2826c692a
Author: Matthew Thode  gentoo  org>
AuthorDate: Thu Jan 11 23:29:34 2018 +
Commit: Matt Thode  gentoo  org>
CommitDate: Thu Jan 11 23:29:50 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c31196d

dev-python/pysaml2: fix bug 644016 CVE-2017-1000433

Package-Manager: Portage-2.3.14, Repoman-2.3.6

 .../files/pysaml-4.0.2_CVE-2017-1000433.patch  | 14 
 dev-python/pysaml2/pysaml2-4.0.2-r2.ebuild | 39 ++
 2 files changed, 53 insertions(+)

diff --git a/dev-python/pysaml2/files/pysaml-4.0.2_CVE-2017-1000433.patch 
b/dev-python/pysaml2/files/pysaml-4.0.2_CVE-2017-1000433.patch
new file mode 100644
index 000..e745263d236
--- /dev/null
+++ b/dev-python/pysaml2/files/pysaml-4.0.2_CVE-2017-1000433.patch
@@ -0,0 +1,14 @@
+diff -Naur pysaml2/src/saml2/authn.py pysaml2.new/src/saml2/authn.py
+--- 1/src/saml2/authn.py 2018-01-11 17:23:27.198775074 -0600
 2/src/saml2/authn.py 2018-01-11 17:22:57.909567278 -0600
+@@ -147,7 +147,8 @@
+ return resp
+ 
+ def _verify(self, pwd, user):
+-assert is_equal(pwd, self.passwd[user])
++if not is_equal(pwd, self.passwd[user]):
++raise ValueError("Wrong password")
+ 
+ def verify(self, request, **kwargs):
+ """
+
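Review bot: In `_verify`, `self.passwd[user]` still raises `KeyError` for a username that is not in the table before `is_equal` runs, so an unknown user and a wrong password fail with different exceptions; whether `verify`, which begins at the end of this hunk and continues outside it, handles both the same way is not visible here. Looking the entry up first would make both cases fail identically: `stored = self.passwd.get(user)` followed by `if stored is None or not is_equal(pwd, stored): raise ValueError("Wrong password")`. Separately, the context lines of xxe-4.0.2.patch further down this page still show `assert envelope.tag == ...` in pack.py and soap.py, the same kind of check that disappears under `python -O`, so those may deserve the same conversion to an explicit `if`/`raise`.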

diff --git a/dev-python/pysaml2/pysaml2-4.0.2-r2.ebuild 
b/dev-python/pysaml2/pysaml2-4.0.2-r2.ebuild
new file mode 100644
index 000..34cc46c5c0d
--- /dev/null
+++ b/dev-python/pysaml2/pysaml2-4.0.2-r2.ebuild
@@ -0,0 +1,39 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+PYTHON_COMPAT=( python2_7 python3_4 python3_5 )
+
+inherit distutils-r1
+
+DESCRIPTION="Python implementation of SAML Version 2 to be used in a WSGI 
environment"
+HOMEPAGE="https://github.com/rohe/pysaml2;
+SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~x86"
+IUSE=""
+
+PATCHES=(
+   "${FILESDIR}/xxe-4.0.2.patch"
+   "${FILESDIR}/pysaml-4.0.2_CVE-2017-1000433.patch"
+)
+
+DEPEND="
+   dev-python/setuptools[${PYTHON_USEDEP}]
+"
+RDEPEND="
+   dev-python/decorator[${PYTHON_USEDEP}]
+   >=dev-python/requests-1.0.0[${PYTHON_USEDEP}]
+   dev-python/future[${PYTHON_USEDEP}]
+   dev-python/paste[${PYTHON_USEDEP}]
+   dev-python/zope-interface[${PYTHON_USEDEP}]
+   dev-python/repoze-who[${PYTHON_USEDEP}]
+   >=dev-python/pycrypto-2.5[${PYTHON_USEDEP}]
+   dev-python/pytz[${PYTHON_USEDEP}]
+   dev-python/pyopenssl[${PYTHON_USEDEP}]
+   dev-python/python-dateutil[${PYTHON_USEDEP}]
+   dev-python/six[${PYTHON_USEDEP}]
+   dev-python/defusedxml[${PYTHON_USEDEP}]
+"
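Review bot: This commit only adds files (the diffstat shows 53 insertions and no deletions), so if pysaml2-4.0.2-r1 is still in the tree it stays installable without the CVE-2017-1000433 patch; removing it here or in a follow-up would close that gap. A short comment above `PATCHES=(` recording why each patch is carried would also help later maintainers, for example `# xxe-4.0.2.patch: XXE fix via defusedxml; pysaml-4.0.2_CVE-2017-1000433.patch: bug 644016`.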



[gentoo-commits] repo/gentoo:master commit in: dev-python/pysaml2/files/, dev-python/pysaml2/

2017-01-10 Thread Matt Thode
commit: 908a711df2180e3cbcdf8ec873bbe7bf809135db
Author: Matthew Thode  gentoo  org>
AuthorDate: Wed Jan 11 03:00:40 2017 +
Commit: Matt Thode  gentoo  org>
CommitDate: Wed Jan 11 03:01:03 2017 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=908a711d

dev-python/pysaml2: fix xxe in pysaml2

Package-Manager: portage-2.3.0

 dev-python/pysaml2/files/xxe-4.0.2.patch   | 305 +
 dev-python/pysaml2/pysaml2-4.0.2-r1.ebuild |  37 
 2 files changed, 342 insertions(+)

diff --git a/dev-python/pysaml2/files/xxe-4.0.2.patch 
b/dev-python/pysaml2/files/xxe-4.0.2.patch
new file mode 100644
index ..8e1a2ef
--- /dev/null
+++ b/dev-python/pysaml2/files/xxe-4.0.2.patch
@@ -0,0 +1,305 @@
+diff -Naur pysaml2/setup.py pysaml2.new/setup.py
+--- pysaml2/setup.py   2015-12-06 00:46:33.0 -0600
 pysaml2.new/setup.py   2017-01-10 20:31:43.387413477 -0600
+@@ -17,6 +17,7 @@
+ 'pytz',
+ 'pyOpenSSL',
+ 'python-dateutil',
++'defusedxml',
+ 'six'
+ ]
+ 
+diff -Naur pysaml2/src/saml2/__init__.py pysaml2.new/src/saml2/__init__.py
+--- pysaml2/src/saml2/__init__.py  2016-01-07 05:53:57.0 -0600
 pysaml2.new/src/saml2/__init__.py  2017-01-10 20:34:04.171641116 -0600
+@@ -35,6 +35,7 @@
+ import cElementTree as ElementTree
+ except ImportError:
+ from elementtree import ElementTree
++import defusedxml.ElementTree
+ 
+ root_logger = logging.getLogger(__name__)
+ root_logger.level = logging.NOTSET
+@@ -86,7 +87,7 @@
+ """
+ if not isinstance(xml_string, six.binary_type):
+ xml_string = xml_string.encode('utf-8')
+-tree = ElementTree.fromstring(xml_string)
++tree = defusedxml.ElementTree.fromstring(xml_string)
+ return create_class_from_element_tree(target_class, tree)
+ 
+ 
+@@ -268,7 +269,7 @@
+ 
+ 
+ def extension_element_from_string(xml_string):
+-element_tree = ElementTree.fromstring(xml_string)
++element_tree = defusedxml.ElementTree.fromstring(xml_string)
+ return _extension_element_from_element_tree(element_tree)
+ 
+ 
+diff -Naur pysaml2/src/saml2/pack.py pysaml2.new/src/saml2/pack.py
+--- pysaml2/src/saml2/pack.py  2015-12-11 07:31:39.0 -0600
 pysaml2.new/src/saml2/pack.py  2017-01-10 20:35:35.382435020 -0600
+@@ -37,6 +37,7 @@
+ import cElementTree as ElementTree
+ except ImportError:
+ from elementtree import ElementTree
++import defusedxml.ElementTree
+ 
+ NAMESPACE = "http://schemas.xmlsoap.org/soap/envelope/;
+ FORM_SPEC = """
+@@ -235,7 +236,7 @@
+ :param text: The SOAP object as XML
+ :return: header parts and body as saml.samlbase instances
+ """
+-envelope = ElementTree.fromstring(text)
++envelope = defusedxml.ElementTree.fromstring(text)
+ assert envelope.tag == '{%s}Envelope' % NAMESPACE
+ 
+ # print(len(envelope))
+diff -Naur pysaml2/src/saml2/soap.py pysaml2.new/src/saml2/soap.py
+--- pysaml2/src/saml2/soap.py  2015-05-18 02:54:05.0 -0500
 pysaml2.new/src/saml2/soap.py  2017-01-10 20:36:16.163808770 -0600
+@@ -19,6 +19,7 @@
+ except ImportError:
+ #noinspection PyUnresolvedReferences
+ from elementtree import ElementTree
++import defusedxml.ElementTree
+ 
+ 
+ logger = logging.getLogger(__name__)
+@@ -133,7 +134,7 @@
+ :param expected_tags: What the tag of the SAML thingy is expected to be.
+ :return: SAML thingy as a string
+ """
+-envelope = ElementTree.fromstring(text)
++envelope = defusedxml.ElementTree.fromstring(text)
+ 
+ # Make sure it's a SOAP message
+ assert envelope.tag == '{%s}Envelope' % soapenv.NAMESPACE
+@@ -183,7 +184,7 @@
+ :return: The body and headers as class instances
+ """
+ try:
+-envelope = ElementTree.fromstring(text)
++envelope = defusedxml.ElementTree.fromstring(text)
+ except Exception as exc:
+ raise XmlParseError("%s" % exc)
+ 
+@@ -209,7 +210,7 @@
+ :return: dictionary with two keys "body"/"header"
+ """
+ try:
+-envelope = ElementTree.fromstring(text)
++envelope = defusedxml.ElementTree.fromstring(text)
+ except Exception as exc:
+ raise XmlParseError("%s" % exc)
+ 
+diff -Naur pysaml2/tests/test_03_saml2.py pysaml2.new/tests/test_03_saml2.py
+--- pysaml2/tests/test_03_saml2.py 2015-06-06 02:15:20.0 -0500
 pysaml2.new/tests/test_03_saml2.py 2017-01-10 20:38:32.541728380 -0600
+@@ -17,6 +17,7 @@
+ import cElementTree as ElementTree
+ except ImportError:
+ from elementtree import ElementTree
++from defusedxml.common import EntitiesForbidden
+ 
+ ITEMS = {
+ NameID: ["""
+@@ -27,7 +28,7 @@
+ 
+ """, """
+ https://foo.example.com/sp; 
++  SPNameQualifier="https://foo.example.com/sp;
+   
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_1632879f09d08ea5ede2dc667cbed7e429ebc4335c
+ """, """
+ 
+ http://192.168.0.10/saml/sp; />""",
+