2.7.3-23: use SHA-256 rather than MD5 in multiprocessing.connection (patch 169; rhbz#879695)

* Wed Feb 20 2013 David Malcolm <dmalcolm@redhat.com> - 2.7.3-23 - use SHA-256 rather than implicitly using MD5 within the challenge handling in multiprocessing.connection (patch 169; rhbz#879695)
2013-02-20 15:25:17 -05:00 · 2013-02-20 15:25:17 -05:00 · 41aa0d34f7
parent 01cf2c167e
commit 41aa0d34f7
2 changed files with 55 additions and 1 deletions
--- a/00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch
+++ b/00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch
@ -0,0 +1,41 @@
+diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
+--- a/Lib/multiprocessing/connection.py
+++ b/Lib/multiprocessing/connection.py
+@@ -41,6 +41,10 @@
+ # A very generous timeout when it comes to local connections...
+ CONNECTION_TIMEOUT = 20.
+ 
+# The hmac module implicitly defaults to using MD5.
+# Support using a stronger algorithm for the challenge/response code:
+HMAC_DIGEST_NAME='sha256'
+
+ _mmap_counter = itertools.count()
+ 
+ default_family = 'AF_INET'
+@@ -700,12 +704,16 @@
+ WELCOME = b'#WELCOME#'
+ FAILURE = b'#FAILURE#'
+ 
+def get_digestmod_for_hmac():
+    import hashlib
+    return getattr(hashlib, HMAC_DIGEST_NAME)
+
+ def deliver_challenge(connection, authkey):
+     import hmac
+     assert isinstance(authkey, bytes)
+     message = os.urandom(MESSAGE_LENGTH)
+     connection.send_bytes(CHALLENGE + message)
+-    digest = hmac.new(authkey, message).digest()
+    digest = hmac.new(authkey, message, get_digestmod_for_hmac()).digest()
+     response = connection.recv_bytes(256)        # reject large message
+     if response == digest:
+         connection.send_bytes(WELCOME)
+@@ -719,7 +727,7 @@
+     message = connection.recv_bytes(256)         # reject large message
+     assert message[:len(CHALLENGE)] == CHALLENGE, 'message = %r' % message
+     message = message[len(CHALLENGE):]
+-    digest = hmac.new(authkey, message).digest()
+    digest = hmac.new(authkey, message, get_digestmod_for_hmac()).digest()
+     connection.send_bytes(digest)
+     response = connection.recv_bytes(256)        # reject large message
+     if response != WELCOME:
--- a/python.spec
+++ b/python.spec
@ -106,7 +106,7 @@ Summary: An interpreted, interactive, object-oriented programming language
 Name: %{python}
 # Remember to also rebase python-docs when changing this:
 Version: 2.7.3
-Release: 22%{?dist}
+Release: 23%{?dist}
 License: Python
 Group: Development/Languages
 Requires: %{python}-libs%{?_isa} = %{version}-%{release}
@ -763,6 +763,14 @@ Patch167: 00167-disable-stack-navigation-tests-when-optimized-in-test_gdb.patch
 # (rhbz#849994)
 Patch168: 00168-distutils-cflags.patch

+# 00169 #
+# Use SHA-256 rather than implicitly using MD5 within the challenge handling
+# in multiprocessing.connection
+#
+# Sent upstream as http://bugs.python.org/issue17258
+# (rhbz#879695)
+Patch169: 00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora 17 onwards,
@ -1098,6 +1106,7 @@ mv Modules/cryptmodule.c Modules/_cryptmodule.c
 %patch166 -p1
 %patch167 -p1
 %patch168 -p1
+%patch169 -p1


 # This shouldn't be necesarry, but is right now (2.2a3)
@ -1928,6 +1937,10 @@ rm -fr %{buildroot}
 # ======================================================

 %changelog
+* Wed Feb 20 2013 David Malcolm <dmalcolm@redhat.com> - 2.7.3-23
+- use SHA-256 rather than implicitly using MD5 within the challenge handling
+in multiprocessing.connection (patch 169; rhbz#879695)
+
 * Wed Feb 20 2013 David Malcolm <dmalcolm@redhat.com> - 2.7.3-22
 - fix a problem with distutils.sysconfig when CFLAGS is defined in the
 environment (patch 168; rhbz#849994)