Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch69
-rw-r--r--meta/recipes-devtools/python/python_2.7.15.bb1
2 files changed, 70 insertions, 0 deletions
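--- /dev/null
+++ b/meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch
@@ -0,0 +1,69 @@
+From c7e692c61dc091d07dee573f5f424b6b427ff056 Mon Sep 17 00:00:00 2001
+From: Benjamin Peterson <benjamin@python.org>
+Date: Wed, 29 Aug 2018 21:59:21 -0700
+Subject: [PATCH] closes bpo-34540: Convert shutil._call_external_zip to use
+ subprocess rather than distutils.spawn. (GH-8985)
+
+Upstream-Status: Backport
+
+Fix CVE-2018-1000802
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ Lib/shutil.py | 16 ++++++++++------
+ .../Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | 3 +++
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst
+
+diff --git a/Lib/shutil.py b/Lib/shutil.py
+index 3462f7c..0ab1a06 100644
+--- a/Lib/shutil.py
++++ b/Lib/shutil.py
+@@ -413,17 +413,21 @@ def _make_tarball(base_name, base_dir, compress="gzip", verbose=0, dry_run=0,
+
+ return archive_name
+
+-def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False):
++def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger):
+ # XXX see if we want to keep an external call here
+ if verbose:
+ zipoptions = "-r"
+ else:
+ zipoptions = "-rq"
+- from distutils.errors import DistutilsExecError
+- from distutils.spawn import spawn
++ cmd = ["zip", zipoptions, zip_filename, base_dir]
++ if logger is not None:
++ logger.info(' '.join(cmd))
++ if dry_run:
++ return
++ import subprocess
+ try:
+- spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run)
+- except DistutilsExecError:
++ subprocess.check_call(cmd)
++ except subprocess.CalledProcessError:
+ # XXX really should distinguish between "couldn't find
+ # external 'zip' command" and "zip failed".
+ raise ExecError, \
+@@ -458,7 +462,7 @@ def _make_zipfile(base_name, base_dir, verbose=0, dry_run=0, logger=None):
+ zipfile = None
+
+ if zipfile is None:
+- _call_external_zip(base_dir, zip_filename, verbose, dry_run)
++ _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger)
+ else:
+ if logger is not None:
+ logger.info("creating '%s' and adding '%s' to it",
+diff --git a/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst
+new file mode 100644
+index 0000000..4f68696
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst
+@@ -0,0 +1,3 @@
++When ``shutil.make_archive`` falls back to the external ``zip`` problem, it
++uses :mod:`subprocess` to invoke it rather than :mod:`distutils.spawn`. This
++closes a possible shell injection vector.
+--
+2.7.4
+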
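Review bot: The patch header records the fix only in the free-text line `Fix CVE-2018-1000802` and carries no `CVE:` tag next to `Upstream-Status: Backport`; as far as I recall, cve-check credits a patch against a CVE only from a `CVE: CVE-2018-1000802` line (or the id in the file name), so as written this backport may still be reported as unpatched. One behavioural caveat also deserves a sentence in the header: with `subprocess.check_call(cmd)` a missing `zip` binary raises OSError, which the `except subprocess.CalledProcessError:` branch does not catch, whereas the removed distutils.spawn path appears to have reported both "not found" and "zip failed" as DistutilsExecError, so callers of `_make_zipfile` may now see OSError instead of ExecError when `zip` is absent. That matches upstream and is not a reason to diverge from the backport, but it is worth stating for anyone relying on the previous exception type.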
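--- a/meta/recipes-devtools/python/python_2.7.15.bb
+++ b/meta/recipes-devtools/python/python_2.7.15.bb
@@ -31,6 +31,7 @@ SRC_URI += "\
 file://pass-missing-libraries-to-Extension-for-mul.patch \
 file://support_SOURCE_DATE_EPOCH_in_py_compile_2.7.patch \
 file://float-endian.patch \
+file://0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch \
 "
 
 S = "${WORKDIR}/Python-${PV}"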