diff options
| author | Chen Qi <Qi.Chen@windriver.com> | 2018-10-19 10:43:14 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-11-16 16:33:09 +0000 |
| commit | 87f8184671afda5fb33cca2533bf969aa8b95c9b (patch) | |
| tree | f1809f84c59131f635cf95b15be42977e199f099 /meta | |
| parent | 1e88059649a043f9ba06c6eabf9a3a75b01bf768 (diff) | |
| download | poky-87f8184671afda5fb33cca2533bf969aa8b95c9b.tar.gz | |
python: backport patch to fix CVE-2018-1000802
Backport a patch to fix the following CVE.
CVE: CVE-2018-1000802
(From OE-Core rev: c0343f1035af98cb451eea0de94c16fe89ffdf48)
(From OE-Core rev: 64d0cfb0f2291434f3ceacff99015f6a35942868)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch | 69 | ||||
| -rw-r--r-- | meta/recipes-devtools/python/python_2.7.15.bb | 1 |
2 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch b/meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch new file mode 100644 index 0000000000..e6fe5f2cc4 --- /dev/null +++ b/meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch | |||
| @@ -0,0 +1,69 @@ | |||
| 1 | From c7e692c61dc091d07dee573f5f424b6b427ff056 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Benjamin Peterson <benjamin@python.org> | ||
| 3 | Date: Wed, 29 Aug 2018 21:59:21 -0700 | ||
| 4 | Subject: [PATCH] closes bpo-34540: Convert shutil._call_external_zip to use | ||
| 5 | subprocess rather than distutils.spawn. (GH-8985) | ||
| 6 | |||
| 7 | Upstream-Status: Backport | ||
| 8 | |||
| 9 | Fix CVE-2018-1000802 | ||
| 10 | |||
| 11 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
| 12 | --- | ||
| 13 | Lib/shutil.py | 16 ++++++++++------ | ||
| 14 | .../Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | 3 +++ | ||
| 15 | 2 files changed, 13 insertions(+), 6 deletions(-) | ||
| 16 | create mode 100644 Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | ||
| 17 | |||
| 18 | diff --git a/Lib/shutil.py b/Lib/shutil.py | ||
| 19 | index 3462f7c..0ab1a06 100644 | ||
| 20 | --- a/Lib/shutil.py | ||
| 21 | +++ b/Lib/shutil.py | ||
| 22 | @@ -413,17 +413,21 @@ def _make_tarball(base_name, base_dir, compress="gzip", verbose=0, dry_run=0, | ||
| 23 | |||
| 24 | return archive_name | ||
| 25 | |||
| 26 | -def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False): | ||
| 27 | +def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger): | ||
| 28 | # XXX see if we want to keep an external call here | ||
| 29 | if verbose: | ||
| 30 | zipoptions = "-r" | ||
| 31 | else: | ||
| 32 | zipoptions = "-rq" | ||
| 33 | - from distutils.errors import DistutilsExecError | ||
| 34 | - from distutils.spawn import spawn | ||
| 35 | + cmd = ["zip", zipoptions, zip_filename, base_dir] | ||
| 36 | + if logger is not None: | ||
| 37 | + logger.info(' '.join(cmd)) | ||
| 38 | + if dry_run: | ||
| 39 | + return | ||
| 40 | + import subprocess | ||
| 41 | try: | ||
| 42 | - spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run) | ||
| 43 | - except DistutilsExecError: | ||
| 44 | + subprocess.check_call(cmd) | ||
| 45 | + except subprocess.CalledProcessError: | ||
| 46 | # XXX really should distinguish between "couldn't find | ||
| 47 | # external 'zip' command" and "zip failed". | ||
| 48 | raise ExecError, \ | ||
| 49 | @@ -458,7 +462,7 @@ def _make_zipfile(base_name, base_dir, verbose=0, dry_run=0, logger=None): | ||
| 50 | zipfile = None | ||
| 51 | |||
| 52 | if zipfile is None: | ||
| 53 | - _call_external_zip(base_dir, zip_filename, verbose, dry_run) | ||
| 54 | + _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger) | ||
| 55 | else: | ||
| 56 | if logger is not None: | ||
| 57 | logger.info("creating '%s' and adding '%s' to it", | ||
| 58 | diff --git a/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | ||
| 59 | new file mode 100644 | ||
| 60 | index 0000000..4f68696 | ||
| 61 | --- /dev/null | ||
| 62 | +++ b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | ||
| 63 | @@ -0,0 +1,3 @@ | ||
| 64 | +When ``shutil.make_archive`` falls back to the external ``zip`` problem, it | ||
| 65 | +uses :mod:`subprocess` to invoke it rather than :mod:`distutils.spawn`. This | ||
| 66 | +closes a possible shell injection vector. | ||
| 67 | -- | ||
| 68 | 2.7.4 | ||
| 69 | |||
diff --git a/meta/recipes-devtools/python/python_2.7.15.bb b/meta/recipes-devtools/python/python_2.7.15.bb index 9e54f22e73..bdbc8d3364 100644 --- a/meta/recipes-devtools/python/python_2.7.15.bb +++ b/meta/recipes-devtools/python/python_2.7.15.bb | |||
| @@ -30,6 +30,7 @@ SRC_URI += "\ | |||
| 30 | file://pass-missing-libraries-to-Extension-for-mul.patch \ | 30 | file://pass-missing-libraries-to-Extension-for-mul.patch \ |
| 31 | file://support_SOURCE_DATE_EPOCH_in_py_compile_2.7.patch \ | 31 | file://support_SOURCE_DATE_EPOCH_in_py_compile_2.7.patch \ |
| 32 | file://float-endian.patch \ | 32 | file://float-endian.patch \ |
| 33 | file://0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch \ | ||
| 33 | " | 34 | " |
| 34 | 35 | ||
| 35 | S = "${WORKDIR}/Python-${PV}" | 36 | S = "${WORKDIR}/Python-${PV}" |