Security fix for CVE-2018-1000802 (#1631662)
This commit is contained in:
parent
0052c9fa9d
commit
0dfe62335c
|
@ -0,0 +1,61 @@
|
||||||
|
From add531a1e55b0a739b0f42582f1c9747e5649ace Mon Sep 17 00:00:00 2001
|
||||||
|
From: Benjamin Peterson <benjamin@python.org>
|
||||||
|
Date: Tue, 28 Aug 2018 22:12:56 -0700
|
||||||
|
Subject: [PATCH] closes bpo-34540: Convert shutil._call_external_zip to use
|
||||||
|
subprocess rather than distutils.spawn.
|
||||||
|
|
||||||
|
---
|
||||||
|
Lib/shutil.py | 16 ++++++++++------
|
||||||
|
.../2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | 3 +++
|
||||||
|
2 files changed, 13 insertions(+), 6 deletions(-)
|
||||||
|
create mode 100644 Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst
|
||||||
|
|
||||||
|
diff --git a/Lib/shutil.py b/Lib/shutil.py
|
||||||
|
index 3462f7c5e91c..0ab1a06f5260 100644
|
||||||
|
--- a/Lib/shutil.py
|
||||||
|
+++ b/Lib/shutil.py
|
||||||
|
@@ -413,17 +413,21 @@ def _set_uid_gid(tarinfo):
|
||||||
|
|
||||||
|
return archive_name
|
||||||
|
|
||||||
|
-def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False):
|
||||||
|
+def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger):
|
||||||
|
# XXX see if we want to keep an external call here
|
||||||
|
if verbose:
|
||||||
|
zipoptions = "-r"
|
||||||
|
else:
|
||||||
|
zipoptions = "-rq"
|
||||||
|
- from distutils.errors import DistutilsExecError
|
||||||
|
- from distutils.spawn import spawn
|
||||||
|
+ cmd = ["zip", zipoptions, zip_filename, base_dir]
|
||||||
|
+ if logger is not None:
|
||||||
|
+ logger.info(' '.join(cmd))
|
||||||
|
+ if dry_run:
|
||||||
|
+ return
|
||||||
|
+ import subprocess
|
||||||
|
try:
|
||||||
|
- spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run)
|
||||||
|
- except DistutilsExecError:
|
||||||
|
+ subprocess.check_call(cmd)
|
||||||
|
+ except subprocess.CalledProcessError:
|
||||||
|
# XXX really should distinguish between "couldn't find
|
||||||
|
# external 'zip' command" and "zip failed".
|
||||||
|
raise ExecError, \
|
||||||
|
@@ -458,7 +462,7 @@ def _make_zipfile(base_name, base_dir, verbose=0, dry_run=0, logger=None):
|
||||||
|
zipfile = None
|
||||||
|
|
||||||
|
if zipfile is None:
|
||||||
|
- _call_external_zip(base_dir, zip_filename, verbose, dry_run)
|
||||||
|
+ _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger)
|
||||||
|
else:
|
||||||
|
if logger is not None:
|
||||||
|
logger.info("creating '%s' and adding '%s' to it",
|
||||||
|
diff --git a/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst
|
||||||
|
new file mode 100644
|
||||||
|
index 000000000000..4f686962a87b
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst
|
||||||
|
@@ -0,0 +1,3 @@
|
||||||
|
+When ``shutil.make_archive`` falls back to the external ``zip`` problem, it
|
||||||
|
+uses :mod:`subprocess` to invoke it rather than :mod:`distutils.spawn`. This
|
||||||
|
+closes a possible shell injection vector.
|
13
python2.spec
13
python2.spec
|
@ -123,7 +123,7 @@ Summary: An interpreted, interactive, object-oriented programming language
|
||||||
Name: %{python}
|
Name: %{python}
|
||||||
# Remember to also rebase python2-docs when changing this:
|
# Remember to also rebase python2-docs when changing this:
|
||||||
Version: 2.7.15
|
Version: 2.7.15
|
||||||
Release: 9%{?dist}
|
Release: 10%{?dist}
|
||||||
License: Python
|
License: Python
|
||||||
Group: Development/Languages
|
Group: Development/Languages
|
||||||
Requires: %{python}-libs%{?_isa} = %{version}-%{release}
|
Requires: %{python}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
@ -760,6 +760,13 @@ Patch193: 00193-enable-loading-sqlite-extensions.patch
|
||||||
# (we handle it it in Setup.dist, see Patch0)
|
# (we handle it it in Setup.dist, see Patch0)
|
||||||
Patch289: 00289-disable-nis-detection.patch
|
Patch289: 00289-disable-nis-detection.patch
|
||||||
|
|
||||||
|
# 00309 #
|
||||||
|
# CVE-2018-1000802
|
||||||
|
# shutil._call_external_zip to use subprocess instead of distutils.spawn
|
||||||
|
# rhbz#1631662
|
||||||
|
# Fixed upstream https://bugs.python.org/issue34540
|
||||||
|
Patch309: 00309-shutil-spawn-subprocess.patch
|
||||||
|
|
||||||
# (New patches go here ^^^)
|
# (New patches go here ^^^)
|
||||||
#
|
#
|
||||||
# When adding new patches to "python2" and "python3" in Fedora, EL, etc.,
|
# When adding new patches to "python2" and "python3" in Fedora, EL, etc.,
|
||||||
|
@ -1112,6 +1119,7 @@ rm Lib/ensurepip/_bundled/*.whl
|
||||||
%patch191 -p1
|
%patch191 -p1
|
||||||
%patch193 -p1
|
%patch193 -p1
|
||||||
%patch289 -p1
|
%patch289 -p1
|
||||||
|
%patch309 -p1
|
||||||
|
|
||||||
|
|
||||||
%if 0%{?_module_build}
|
%if 0%{?_module_build}
|
||||||
|
@ -2011,6 +2019,9 @@ CheckPython \
|
||||||
# ======================================================
|
# ======================================================
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Sep 20 2018 Miro Hrončok <mhroncok@redhat.com> - 2.7.15-10
|
||||||
|
- Security fix for CVE-2018-1000802 (#1631662)
|
||||||
|
|
||||||
* Thu Sep 06 2018 Petr Viktorin <pviktori@redhat.com> - 2.7.15-9
|
* Thu Sep 06 2018 Petr Viktorin <pviktori@redhat.com> - 2.7.15-9
|
||||||
- Deprecate python2 and all subpackages in Fedora 30+ (#1625773)
|
- Deprecate python2 and all subpackages in Fedora 30+ (#1625773)
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue