pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/textproc/py-jinja2 add the redhat fix for CVE-2014-001...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/c40f9c42fee7
branches:  trunk
changeset: 634281:c40f9c42fee7
user:      mspo <mspo%pkgsrc.org@localhost>
date:      Wed May 14 02:28:18 2014 +0000

description:
add the redhat fix for CVE-2014-0012; debian has an alternative but this is better for cgi

diffstat:

 textproc/py-jinja2/distinfo                        |   3 +-
 textproc/py-jinja2/patches/patch-jinja2_bccache.py |  42 ++++++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletions(-)

diffs (57 lines):

diff -r 7faf03458caf -r c40f9c42fee7 textproc/py-jinja2/distinfo
--- a/textproc/py-jinja2/distinfo       Wed May 14 02:28:13 2014 +0000
+++ b/textproc/py-jinja2/distinfo       Wed May 14 02:28:18 2014 +0000
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.7 2014/01/19 00:18:37 rodent Exp $
+$NetBSD: distinfo,v 1.8 2014/05/14 02:28:18 mspo Exp $
 
 SHA1 (Jinja2-2.7.2.tar.gz) = 1ce4c8bc722444ec3e77ef9db76faebbd17a40d8
 RMD160 (Jinja2-2.7.2.tar.gz) = 7bf0278d6fd75fc402b5dba785b29badeb507650
 Size (Jinja2-2.7.2.tar.gz) = 378300 bytes
+SHA1 (patch-jinja2_bccache.py) = 0c1cab3fcc83d210569071ddb2e2c6713f8f9325
diff -r 7faf03458caf -r c40f9c42fee7 textproc/py-jinja2/patches/patch-jinja2_bccache.py
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/textproc/py-jinja2/patches/patch-jinja2_bccache.py        Wed May 14 02:28:18 2014 +0000
@@ -0,0 +1,42 @@
+$NetBSD: patch-jinja2_bccache.py,v 1.1 2014/05/14 02:28:18 mspo Exp $
+
+--- jinja2/bccache.py-orig     2014-05-14 02:23:49.000000000 +0000
++++ jinja2/bccache.py
+@@ -16,6 +16,7 @@
+ """
+ from os import path, listdir
+ import os
++import stat
+ import sys
+ import errno
+ import marshal
+@@ -215,7 +216,7 @@ class FileSystemBytecodeCache(BytecodeCa
+ 
+         # On windows the temporary directory is used specific unless
+         # explicitly forced otherwise.  We can just use that.
+-        if os.name == 'n':
++        if os.name == 'nt':
+             return tmpdir
+         if not hasattr(os, 'getuid'):
+             raise RuntimeError('Cannot determine safe temp directory.  You '
+@@ -224,12 +225,18 @@ class FileSystemBytecodeCache(BytecodeCa
+         dirname = '_jinja2-cache-%d' % os.getuid()
+         actual_dir = os.path.join(tmpdir, dirname)
+         try:
+-            # 448 == 0700
+-            os.mkdir(actual_dir, 448)
++            os.mkdir(actual_dir, stat.S_IRWXU) # 0o700
+         except OSError as e:
+             if e.errno != errno.EEXIST:
+                 raise
+ 
++        actual_dir_stat = os.lstat(actual_dir)
++        if actual_dir_stat.st_uid != os.getuid() \
++                or not stat.S_ISDIR(actual_dir_stat.st_mode) \
++                or stat.S_IMODE(actual_dir_stat.st_mode) != stat.S_IRWXU:
++            raise RuntimeError('Temporary directory \'%s\' has an incorrect '
++                             'owner, permissions, or type.' % actual_dir)
++
+         return actual_dir
+ 
+     def _get_cache_filename(self, bucket):
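Review bot: The exact-mode test `stat.S_IMODE(actual_dir_stat.st_mode) != stat.S_IRWXU` assumes the preceding `os.mkdir(actual_dir, stat.S_IRWXU)` yields 0700, but mkdir's mode is masked by the process umask, so under a umask that clears an owner bit the directory this code has just created fails its own check and the method raises RuntimeError on every call. Adding `os.chmod(actual_dir, stat.S_IRWXU)` directly after the `os.mkdir` call inside the `try` would fix that; keeping it on the creation path only means a pre-existing path is never chmod-ed before it has been verified. The new check also deserves a comment such as `# lstat, not stat: a symlink planted at this path must fail S_ISDIR; owner and 0700 mode ensure no other user can write into the cache directory`. The enclosing method starts above the hunk, so how `tmpdir` is chosen is not visible here.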


