diff options
Diffstat (limited to 'meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch')
-rw-r--r-- | meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch | 67 |
1 files changed, 0 insertions, 67 deletions
diff --git a/meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch b/meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch deleted file mode 100644 index 125db8512a..0000000000 --- a/meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch +++ /dev/null | |||
@@ -1,67 +0,0 @@ | |||
1 | From c7e692c61dc091d07dee573f5f424b6b427ff056 Mon Sep 17 00:00:00 2001 | ||
2 | From: Benjamin Peterson <benjamin@python.org> | ||
3 | Date: Wed, 29 Aug 2018 21:59:21 -0700 | ||
4 | Subject: [PATCH] closes bpo-34540: Convert shutil._call_external_zip to use | ||
5 | subprocess rather than distutils.spawn. (GH-8985) | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | CVE: CVE-2018-1000802 | ||
9 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
10 | --- | ||
11 | Lib/shutil.py | 16 ++++++++++------ | ||
12 | .../Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | 3 +++ | ||
13 | 2 files changed, 13 insertions(+), 6 deletions(-) | ||
14 | create mode 100644 Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | ||
15 | |||
16 | diff --git a/Lib/shutil.py b/Lib/shutil.py | ||
17 | index 3462f7c..0ab1a06 100644 | ||
18 | --- a/Lib/shutil.py | ||
19 | +++ b/Lib/shutil.py | ||
20 | @@ -413,17 +413,21 @@ def _make_tarball(base_name, base_dir, compress="gzip", verbose=0, dry_run=0, | ||
21 | |||
22 | return archive_name | ||
23 | |||
24 | -def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False): | ||
25 | +def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger): | ||
26 | # XXX see if we want to keep an external call here | ||
27 | if verbose: | ||
28 | zipoptions = "-r" | ||
29 | else: | ||
30 | zipoptions = "-rq" | ||
31 | - from distutils.errors import DistutilsExecError | ||
32 | - from distutils.spawn import spawn | ||
33 | + cmd = ["zip", zipoptions, zip_filename, base_dir] | ||
34 | + if logger is not None: | ||
35 | + logger.info(' '.join(cmd)) | ||
36 | + if dry_run: | ||
37 | + return | ||
38 | + import subprocess | ||
39 | try: | ||
40 | - spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run) | ||
41 | - except DistutilsExecError: | ||
42 | + subprocess.check_call(cmd) | ||
43 | + except subprocess.CalledProcessError: | ||
44 | # XXX really should distinguish between "couldn't find | ||
45 | # external 'zip' command" and "zip failed". | ||
46 | raise ExecError, \ | ||
47 | @@ -458,7 +462,7 @@ def _make_zipfile(base_name, base_dir, verbose=0, dry_run=0, logger=None): | ||
48 | zipfile = None | ||
49 | |||
50 | if zipfile is None: | ||
51 | - _call_external_zip(base_dir, zip_filename, verbose, dry_run) | ||
52 | + _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger) | ||
53 | else: | ||
54 | if logger is not None: | ||
55 | logger.info("creating '%s' and adding '%s' to it", | ||
56 | diff --git a/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | ||
57 | new file mode 100644 | ||
58 | index 0000000..4f68696 | ||
59 | --- /dev/null | ||
60 | +++ b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | ||
61 | @@ -0,0 +1,3 @@ | ||
62 | +When ``shutil.make_archive`` falls back to the external ``zip`` problem, it | ||
63 | +uses :mod:`subprocess` to invoke it rather than :mod:`distutils.spawn`. This | ||
64 | +closes a possible shell injection vector. | ||
65 | -- | ||
66 | 2.7.4 | ||
67 | |||