pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/lang/python27 python27: add backported security patching
details: https://anonhg.NetBSD.org/pkgsrc/rev/1011b9a4299d
branches: trunk
changeset: 383028:1011b9a4299d
user: gutteridge <gutteridge%pkgsrc.org@localhost>
date: Thu Aug 11 01:32:50 2022 +0000
description:
python27: add backported security patching
Fix CVE-2015-20107: Make mailcap refuse to match unsafe filenames/types/params
Via Fedora:
https://src.fedoraproject.org/rpms/python2.7/raw/a9b12e85bd4d3280e07bc3bfa72a9f2b674cb4ff/f/00382-cve-2015-20107.patch
diffstat:
lang/python27/Makefile | 4 +-
lang/python27/PLIST | 6 +-
lang/python27/distinfo | 6 +-
lang/python27/patches/patch-Doc_library_mailcap.rst | 28 +
lang/python27/patches/patch-Lib_mailcap.py | 77 +++++
lang/python27/patches/patch-Lib_test_mailcap.txt | 50 +++
lang/python27/patches/patch-Lib_test_test__mailcap.py | 269 ++++++++++++++++++
7 files changed, 436 insertions(+), 4 deletions(-)
diffs (truncated from 515 to 300 lines):
diff -r f2f41e8ad6cf -r 1011b9a4299d lang/python27/Makefile
--- a/lang/python27/Makefile Thu Aug 11 01:11:23 2022 +0000
+++ b/lang/python27/Makefile Thu Aug 11 01:32:50 2022 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.103 2022/07/23 14:57:33 wiz Exp $
+# $NetBSD: Makefile,v 1.104 2022/08/11 01:32:50 gutteridge Exp $
.include "dist.mk"
PKGNAME= python27-${PY_DISTVERSION}
-PKGREVISION= 8
+PKGREVISION= 9
CATEGORIES= lang python
MAINTAINER= pkgsrc-users%NetBSD.org@localhost
diff -r f2f41e8ad6cf -r 1011b9a4299d lang/python27/PLIST
--- a/lang/python27/PLIST Thu Aug 11 01:11:23 2022 +0000
+++ b/lang/python27/PLIST Thu Aug 11 01:32:50 2022 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.4 2019/10/21 09:40:35 adam Exp $
+@comment $NetBSD: PLIST,v 1.5 2022/08/11 01:32:50 gutteridge Exp $
bin/2to3-${PY_VER_SUFFIX}
bin/pydoc${PY_VER_SUFFIX}
bin/python${PY_VER_SUFFIX}
@@ -2963,6 +2963,7 @@
lib/python${PY_VER_SUFFIX}/test/lock_tests.py
lib/python${PY_VER_SUFFIX}/test/lock_tests.pyc
lib/python${PY_VER_SUFFIX}/test/lock_tests.pyo
+lib/python${PY_VER_SUFFIX}/test/mailcap.txt
lib/python${PY_VER_SUFFIX}/test/make_ssl_certs.py
lib/python${PY_VER_SUFFIX}/test/make_ssl_certs.pyc
lib/python${PY_VER_SUFFIX}/test/make_ssl_certs.pyo
@@ -3700,6 +3701,9 @@
lib/python${PY_VER_SUFFIX}/test/test_mailbox.py
lib/python${PY_VER_SUFFIX}/test/test_mailbox.pyc
lib/python${PY_VER_SUFFIX}/test/test_mailbox.pyo
+lib/python${PY_VER_SUFFIX}/test/test_mailcap.py
+lib/python${PY_VER_SUFFIX}/test/test_mailcap.pyc
+lib/python${PY_VER_SUFFIX}/test/test_mailcap.pyo
lib/python${PY_VER_SUFFIX}/test/test_marshal.py
lib/python${PY_VER_SUFFIX}/test/test_marshal.pyc
lib/python${PY_VER_SUFFIX}/test/test_marshal.pyo
diff -r f2f41e8ad6cf -r 1011b9a4299d lang/python27/distinfo
--- a/lang/python27/distinfo Thu Aug 11 01:11:23 2022 +0000
+++ b/lang/python27/distinfo Thu Aug 11 01:32:50 2022 +0000
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.90 2022/05/13 18:42:05 tnn Exp $
+$NetBSD: distinfo,v 1.91 2022/08/11 01:32:50 gutteridge Exp $
BLAKE2s (Python-2.7.18.tar.xz) = 1b673ec8c9362a178e044691392bc4f67ad13457d7fddd84a88de346f23f9812
SHA512 (Python-2.7.18.tar.xz) = a7bb62b51f48ff0b6df0b18f5b0312a523e3110f49c3237936bfe56ed0e26838c0274ff5401bda6fc21bf24337477ccac49e8026c5d651e4b4cafb5eb5086f6c
Size (Python-2.7.18.tar.xz) = 12854736 bytes
SHA1 (patch-Doc_library_cgi.rst) = ed9ac101b0857dc573e9a648694d1ee5fabe61fb
+SHA1 (patch-Doc_library_mailcap.rst) = 020cf493c4e83bc9f21040f90ccb99a2d9aeef24
SHA1 (patch-Doc_library_urlparse.rst) = ceaea3a4577ba7d3055ffb3b3c8ffbbdda7e1d32
SHA1 (patch-Include_pyerrors.h) = 0d2cd52d18cc719b895fa32ed7e11c6cb15bae54
SHA1 (patch-Include_pyport.h) = f3e4ddbc954425a65301465410911222ca471320
@@ -22,14 +23,17 @@
SHA1 (patch-Lib_ftplib.py) = 6679c4ea109dcb5d56d86a55343954e0368b9138
SHA1 (patch-Lib_httplib.py) = b8eeaa203e2a86ece94148d192b2a7e0c078602a
SHA1 (patch-Lib_lib2to3_pgen2_driver.py) = 5d6dab14197f27363394ff1aeee22a8ced8026d2
+SHA1 (patch-Lib_mailcap.py) = 9ed762022c0f08cefa6b87f975d0e5333fe2a5eb
SHA1 (patch-Lib_multiprocessing_process.py) = 15699bd8ec822bf54a0631102e00e0a34f882803
SHA1 (patch-Lib_plistlib.py) = 96ae702995d434e2d7ec0ac62e37427a90b61d13
SHA1 (patch-Lib_sysconfig.py) = 8a7a0e5cbfec279a05945dffafea1b1131a76f0e
SHA1 (patch-Lib_tarfile.py) = df00aa1941367c42dcbbed4b6658b724a22ddcde
+SHA1 (patch-Lib_test_mailcap.txt) = 80923517cb616f7de97df11ee8632465cce8d10c
SHA1 (patch-Lib_test_multibytecodec__support.py) = a18c40e8009f1a8f63e15196d3e751d7dccf8367
SHA1 (patch-Lib_test_test__cgi.py) = 724355e8d2195f8a4b76d7ea61133e9b14fa3a68
SHA1 (patch-Lib_test_test__ftplib.py) = 4b22c8a963ccf6f60ca49be003bf026e1b0b632d
SHA1 (patch-Lib_test_test__httplib.py) = f7cfa5501a63eaca539bfa53d38cf931f3a6c3ac
+SHA1 (patch-Lib_test_test__mailcap.py) = 6b869c9e9d9ef097d6fc4aef967e7b7bca3bd41c
SHA1 (patch-Lib_test_test__platform.py) = 3a3b8c05f9bf9adf4862b1022ce864127d36b8b0
SHA1 (patch-Lib_test_test__unicode.py) = 1bd182bdbd880d0a847f9d8b69277a607f9f0526
SHA1 (patch-Lib_test_test__urllib2.py) = 89baa57daf2f3282e4fc5009915dbc4910b96ef1
diff -r f2f41e8ad6cf -r 1011b9a4299d lang/python27/patches/patch-Doc_library_mailcap.rst
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python27/patches/patch-Doc_library_mailcap.rst Thu Aug 11 01:32:50 2022 +0000
@@ -0,0 +1,28 @@
+$NetBSD: patch-Doc_library_mailcap.rst,v 1.1 2022/08/11 01:32:50 gutteridge Exp $
+
+Fix CVE-2015-20107: Make mailcap refuse to match unsafe filenames/types/params
+
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/a9b12e85bd4d3280e07bc3bfa72a9f2b674cb4ff/f/00382-cve-2015-20107.patch
+
+--- Doc/library/mailcap.rst.orig 2020-04-19 21:13:39.000000000 +0000
++++ Doc/library/mailcap.rst
+@@ -54,6 +54,18 @@ standard. However, mailcap files are su
+ use) to determine whether or not the mailcap line applies. :func:`findmatch`
+ will automatically check such conditions and skip the entry if the check fails.
+
++ .. versionchanged:: 3.11
++
++ To prevent security issues with shell metacharacters (symbols that have
++ special effects in a shell command line), ``findmatch`` will refuse
++ to inject ASCII characters other than alphanumerics and ``@+=:,./-_``
++ into the returned command line.
++
++ If a disallowed character appears in *filename*, ``findmatch`` will always
++ return ``(None, None)`` as if no entry was found.
++ If such a character appears elsewhere (a value in *plist* or in *MIMEtype*),
++ ``findmatch`` will ignore all mailcap entries which use that value.
++ A :mod:`warning <warnings>` will be raised in either case.
+
+ .. function:: getcaps()
+
diff -r f2f41e8ad6cf -r 1011b9a4299d lang/python27/patches/patch-Lib_mailcap.py
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python27/patches/patch-Lib_mailcap.py Thu Aug 11 01:32:50 2022 +0000
@@ -0,0 +1,77 @@
+$NetBSD: patch-Lib_mailcap.py,v 1.1 2022/08/11 01:32:50 gutteridge Exp $
+
+Fix CVE-2015-20107: Make mailcap refuse to match unsafe filenames/types/params
+
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/a9b12e85bd4d3280e07bc3bfa72a9f2b674cb4ff/f/00382-cve-2015-20107.patch
+
+--- Lib/mailcap.py.orig 2020-04-19 21:13:39.000000000 +0000
++++ Lib/mailcap.py
+@@ -1,9 +1,18 @@
+ """Mailcap file handling. See RFC 1524."""
+
+ import os
++import warnings
++import re
+
+ __all__ = ["getcaps","findmatch"]
+
++
++_find_unsafe = re.compile(r'[^\xa1-\xff\w@+=:,./-]').search
++
++class UnsafeMailcapInput(Warning):
++ """Warning raised when refusing unsafe input"""
++
++
+ # Part 1: top-level interface.
+
+ def getcaps():
+@@ -144,15 +153,22 @@ def findmatch(caps, MIMEtype, key='view'
+ entry to use.
+
+ """
++ if _find_unsafe(filename):
++ msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
++ warnings.warn(msg, UnsafeMailcapInput)
++ return None, None
+ entries = lookup(caps, MIMEtype, key)
+ # XXX This code should somehow check for the needsterminal flag.
+ for e in entries:
+ if 'test' in e:
+ test = subst(e['test'], filename, plist)
++ if test is None:
++ continue
+ if test and os.system(test) != 0:
+ continue
+ command = subst(e[key], MIMEtype, filename, plist)
+- return command, e
++ if command is not None:
++ return command, e
+ return None, None
+
+ def lookup(caps, MIMEtype, key=None):
+@@ -184,6 +200,10 @@ def subst(field, MIMEtype, filename, pli
+ elif c == 's':
+ res = res + filename
+ elif c == 't':
++ if _find_unsafe(MIMEtype):
++ msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
++ warnings.warn(msg, UnsafeMailcapInput)
++ return None
+ res = res + MIMEtype
+ elif c == '{':
+ start = i
+@@ -191,7 +211,12 @@ def subst(field, MIMEtype, filename, pli
+ i = i+1
+ name = field[start:i]
+ i = i+1
+- res = res + findparam(name, plist)
++ param = findparam(name, plist)
++ if _find_unsafe(param):
++ msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
++ warnings.warn(msg, UnsafeMailcapInput)
++ return None
++ res = res + param
+ # XXX To do:
+ # %n == number of parts if type is multipart/*
+ # %F == list of alternating type and filename for parts
diff -r f2f41e8ad6cf -r 1011b9a4299d lang/python27/patches/patch-Lib_test_mailcap.txt
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python27/patches/patch-Lib_test_mailcap.txt Thu Aug 11 01:32:50 2022 +0000
@@ -0,0 +1,50 @@
+$NetBSD: patch-Lib_test_mailcap.txt,v 1.1 2022/08/11 01:32:50 gutteridge Exp $
+
+Fix CVE-2015-20107: Make mailcap refuse to match unsafe filenames/types/params
+
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/a9b12e85bd4d3280e07bc3bfa72a9f2b674cb4ff/f/00382-cve-2015-20107.patch
+
+--- Lib/test/mailcap.txt.orig 2022-06-21 00:11:14.548632668 +0000
++++ Lib/test/mailcap.txt
+@@ -0,0 +1,39 @@
++# Mailcap file for test_mailcap; based on RFC 1524
++# Referred to by test_mailcap.py
++
++#
++# This is a comment.
++#
++
++application/frame; showframe %s; print="cat %s | lp"
++application/postscript; ps-to-terminal %s;\
++ needsterminal
++application/postscript; ps-to-terminal %s; \
++ compose=idraw %s
++application/x-dvi; xdvi %s
++application/x-movie; movieplayer %s; compose=moviemaker %s; \
++ description="Movie"; \
++ x11-bitmap="/usr/lib/Zmail/bitmaps/movie.xbm"
++application/*; echo "This is \"%t\" but \
++ is 50 \% Greek to me" \; cat %s; copiousoutput
++
++audio/basic; showaudio %s; compose=audiocompose %s; edit=audiocompose %s;\
++description="An audio fragment"
++audio/* ; /usr/local/bin/showaudio %t
++
++image/rgb; display %s
++#image/gif; display %s
++image/x-xwindowdump; display %s
++
++# The continuation char shouldn't \
++# make a difference in a comment.
++
++message/external-body; showexternal %s %{access-type} %{name} %{site} \
++ %{directory} %{mode} %{server}; needsterminal; composetyped = extcompose %s; \
++ description="A reference to data stored in an external location"
++
++text/richtext; shownonascii iso-8859-8 -e richtext -p %s; test=test "`echo \
++ %{charset} | tr '[A-Z]' '[a-z]'`" = iso-8859-8; copiousoutput
++
++video/*; animate %s
++video/mpeg; mpeg_play %s
+\ No newline at end of file
diff -r f2f41e8ad6cf -r 1011b9a4299d lang/python27/patches/patch-Lib_test_test__mailcap.py
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python27/patches/patch-Lib_test_test__mailcap.py Thu Aug 11 01:32:50 2022 +0000
@@ -0,0 +1,269 @@
+$NetBSD: patch-Lib_test_test__mailcap.py,v 1.1 2022/08/11 01:32:50 gutteridge Exp $
+
+Fix CVE-2015-20107: Make mailcap refuse to match unsafe filenames/types/params
+
+Via Fedora:
+https://src.fedoraproject.org/rpms/python2.7/raw/a9b12e85bd4d3280e07bc3bfa72a9f2b674cb4ff/f/00382-cve-2015-20107.patch
+
+--- Lib/test/test_mailcap.py.orig 2022-06-21 00:11:25.039641610 +0000
++++ Lib/test/test_mailcap.py
+@@ -0,0 +1,259 @@
++import copy
++import os
++import sys
++import test.support
++import unittest
++from test import support as os_helper
++from test import support as warnings_helper
++from collections import OrderedDict
++
++import mailcap
++
++
++# Location of mailcap file
++MAILCAPFILE = test.support.findfile("mailcap.txt")
++
++# Dict to act as mock mailcap entry for this test
++# The keys and values should match the contents of MAILCAPFILE
++
++MAILCAPDICT = {
++ 'application/x-movie':
++ [{'compose': 'moviemaker %s',
++ 'x11-bitmap': '"/usr/lib/Zmail/bitmaps/movie.xbm"',
++ 'description': '"Movie"',
++ 'view': 'movieplayer %s',
++ 'lineno': 4}],
++ 'application/*':
++ [{'copiousoutput': '',
++ 'view': 'echo "This is \\"%t\\" but is 50 \\% Greek to me" \\; cat %s',
++ 'lineno': 5}],
++ 'audio/basic':
++ [{'edit': 'audiocompose %s',
++ 'compose': 'audiocompose %s',
++ 'description': '"An audio fragment"',
++ 'view': 'showaudio %s',
++ 'lineno': 6}],
++ 'video/mpeg':
++ [{'view': 'mpeg_play %s', 'lineno': 13}],
++ 'application/postscript':
++ [{'needsterminal': '', 'view': 'ps-to-terminal %s', 'lineno': 1},
++ {'compose': 'idraw %s', 'view': 'ps-to-terminal %s', 'lineno': 2}],
++ 'application/x-dvi':
++ [{'view': 'xdvi %s', 'lineno': 3}],
++ 'message/external-body':
++ [{'composetyped': 'extcompose %s',
Home |
Main Index |
Thread Index |
Old Index