From 41aa0d34f7037b69d9a615cfb8d36a3ebccecf4b Mon Sep 17 00:00:00 2001
From: David Malcolm
Date: Wed, 20 Feb 2013 15:25:17 -0500
Subject: [PATCH] 2.7.3-23: use SHA-256 rather than MD5 in multiprocessing.connection (patch 169; rhbz#879695)

* Wed Feb 20 2013 David Malcolm - 2.7.3-23
- use SHA-256 rather than implicitly using MD5 within the challenge handling in multiprocessing.connection (patch 169; rhbz#879695)
---
 ...icit-usage-of-md5-in-multiprocessing.patch | 41 +++++++++++++++++++
 python.spec | 15 ++++++-
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch

diff --git a/00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch b/00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch
new file mode 100644
index 0000000..debf92f
--- /dev/null
+++ b/00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch
@@ -0,0 +1,41 @@
+diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
+--- a/Lib/multiprocessing/connection.py
++++ b/Lib/multiprocessing/connection.py
+@@ -41,6 +41,10 @@
+ # A very generous timeout when it comes to local connections...
+ CONNECTION_TIMEOUT = 20.
+
++# The hmac module implicitly defaults to using MD5.
++# Support using a stronger algorithm for the challenge/response code:
++HMAC_DIGEST_NAME='sha256'
++
+ _mmap_counter = itertools.count()
+
+ default_family = 'AF_INET'
+@@ -700,12 +704,16 @@
+ WELCOME = b'#WELCOME#'
+ FAILURE = b'#FAILURE#'
+
++def get_digestmod_for_hmac():
++ import hashlib
++ return getattr(hashlib, HMAC_DIGEST_NAME)
++
+ def deliver_challenge(connection, authkey):
+ import hmac
+ assert isinstance(authkey, bytes)
+ message = os.urandom(MESSAGE_LENGTH)
+ connection.send_bytes(CHALLENGE + message)
+- digest = hmac.new(authkey, message).digest()
++ digest = hmac.new(authkey, message, get_digestmod_for_hmac()).digest()
+ response = connection.recv_bytes(256) # reject large message
+ if response == digest:
+ connection.send_bytes(WELCOME)
+@@ -719,7 +727,7 @@
+ message = connection.recv_bytes(256) # reject large message
+ assert message[:len(CHALLENGE)] == CHALLENGE, 'message = %r' % message
+ message = message[len(CHALLENGE):]
+- digest = hmac.new(authkey, message).digest()
++ digest = hmac.new(authkey, message, get_digestmod_for_hmac()).digest()
+ connection.send_bytes(digest)
+ response = connection.recv_bytes(256) # reject large message
+ if response != WELCOME:
diff --git a/python.spec b/python.spec
index 309c258..2873931 100644
--- a/python.spec
+++ b/python.spec
@@ -106,7 +106,7 @@ Summary: An interpreted, interactive, object-oriented programming language
 Name: %{python}
 # Remember to also rebase python-docs when changing this:
 Version: 2.7.3
-Release: 22%{?dist}
+Release: 23%{?dist}
 License: Python
 Group: Development/Languages
 Requires: %{python}-libs%{?_isa} = %{version}-%{release}
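Review bot: Nothing on the wire tells the peer which digest is in use: in the nested connection.py patch `CHALLENGE + message` is unchanged while both `hmac.new(...)` calls now take `get_digestmod_for_hmac()`, so a peer running an interpreter without this patch would presumably still answer with the hmac default (MD5) and be rejected with `FAILURE`. That compatibility break deserves a line next to the new constant, e.g. `# NOTE: both ends of a connection must use the same digest; unpatched peers still answer with HMAC-MD5 and will fail authentication.` Separately, the unchanged `if response == digest:` in `deliver_challenge` remains an ordinary equality test; on interpreters that provide `hmac.compare_digest` that is the usual way to compare MACs, although the fresh `os.urandom` challenge per connection limits what timing could reveal here. Both function bodies continue outside the nested hunks, so the failure path was not reviewed.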
@@ -763,6 +763,14 @@ Patch167: 00167-disable-stack-navigation-tests-when-optimized-in-test_gdb.patch # (rhbz#849994) Patch168: 00168-distutils-cflags.patch +# 00169 # +# Use SHA-256 rather than implicitly using MD5 within the challenge handling +# in multiprocessing.connection +# +# Sent upstream as http://bugs.python.org/issue17258 +# (rhbz#879695) +Patch169: 00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora 17 onwards, @@ -1098,6 +1106,7 @@ mv Modules/cryptmodule.c Modules/_cryptmodule.c %patch166 -p1 %patch167 -p1 %patch168 -p1 +%patch169 -p1 # This shouldn't be necesarry, but is right now (2.2a3) @@ -1928,6 +1937,10 @@ rm -fr %{buildroot} # ====================================================== %changelog +* Wed Feb 20 2013 David Malcolm - 2.7.3-23 +- use SHA-256 rather than implicitly using MD5 within the challenge handling +in multiprocessing.connection (patch 169; rhbz#879695) + * Wed Feb 20 2013 David Malcolm - 2.7.3-22 - fix a problem with distutils.sysconfig when CFLAGS is defined in the environment (patch 168; rhbz#849994)