-rw-r--r-- | meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch | 69 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python_2.7.15.bb | 1 |
2 files changed, 70 insertions, 0 deletions
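--- /dev/null
+++ b/meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch
@@ -0,0 +1,69 @@
+From c7e692c61dc091d07dee573f5f424b6b427ff056 Mon Sep 17 00:00:00 2001
+From: Benjamin Peterson <benjamin@python.org>
+Date: Wed, 29 Aug 2018 21:59:21 -0700
+Subject: [PATCH] closes bpo-34540: Convert shutil._call_external_zip to use
+subprocess rather than distutils.spawn. (GH-8985)
+
+Upstream-Status: Backport
+
+Fix CVE-2018-1000802
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+Lib/shutil.py | 16 ++++++++++------
+.../Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | 3 +++
+2 files changed, 13 insertions(+), 6 deletions(-)
+create mode 100644 Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst
+
+diff --git a/Lib/shutil.py b/Lib/shutil.py
+index 3462f7c..0ab1a06 100644
+--- a/Lib/shutil.py
++++ b/Lib/shutil.py
+@@ -413,17 +413,21 @@ def _make_tarball(base_name, base_dir, compress="gzip", verbose=0, dry_run=0,
+
+return archive_name
+
+-def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False):
++def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger):
+# XXX see if we want to keep an external call here
+if verbose:
+zipoptions = "-r"
+else:
+zipoptions = "-rq"
+- from distutils.errors import DistutilsExecError
+- from distutils.spawn import spawn
++ cmd = ["zip", zipoptions, zip_filename, base_dir]
++ if logger is not None:
++ logger.info(' '.join(cmd))
++ if dry_run:
++ return
++ import subprocess
+try:
+- spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run)
+- except DistutilsExecError:
++ subprocess.check_call(cmd)
++ except subprocess.CalledProcessError:
+# XXX really should distinguish between "couldn't find
+# external 'zip' command" and "zip failed".
+raise ExecError, \
+@@ -458,7 +462,7 @@ def _make_zipfile(base_name, base_dir, verbose=0, dry_run=0, logger=None):
+zipfile = None
+
+if zipfile is None:
+- _call_external_zip(base_dir, zip_filename, verbose, dry_run)
++ _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger)
+else:
+if logger is not None:
+logger.info("creating '%s' and adding '%s' to it",
+diff --git a/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst
+new file mode 100644
+index 0000000..4f68696
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst
+@@ -0,0 +1,3 @@
++When ``shutil.make_archive`` falls back to the external ``zip`` problem, it
++uses :mod:`subprocess` to invoke it rather than :mod:`distutils.spawn`. This
++closes a possible shell injection vector.
+--
+2.7.4
+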
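Review bot: The patch header (line 9 of the new file) says `Fix CVE-2018-1000802` but carries no `CVE: CVE-2018-1000802` tag line, which is the form the cve-check class looks for when deciding whether a recipe's patches address a CVE; with no tag and no CVE id in the filename, the recipe is likely to keep being reported as affected by CVE-2018-1000802 even after this backport is applied. Adding `CVE: CVE-2018-1000802` directly under `Upstream-Status: Backport` fixes that without touching the upstream hunks. Separately, the backported hunk only catches `subprocess.CalledProcessError`; on Python 2.7 a missing `zip` binary surfaces from `check_call` as `OSError` rather than the `ExecError` that `make_archive` callers expect, which the nested `# XXX really should distinguish` comment already acknowledges, so that remains upstream behaviour rather than something to fix in this recipe.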
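--- a/meta/recipes-devtools/python/python_2.7.15.bb
+++ b/meta/recipes-devtools/python/python_2.7.15.bb
@@ -31,6 +31,7 @@ SRC_URI += "\
 file://pass-missing-libraries-to-Extension-for-mul.patch \
 file://support_SOURCE_DATE_EPOCH_in_py_compile_2.7.patch \
 file://float-endian.patch \
+file://0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch \
 "
 
 S = "${WORKDIR}/Python-${PV}"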