2.7.3-23: use SHA-256 rather than MD5 in multiprocessing.connection (patch 169; rhbz#879695)
* Wed Feb 20 2013 David Malcolm <dmalcolm@redhat.com> - 2.7.3-23 - use SHA-256 rather than implicitly using MD5 within the challenge handling in multiprocessing.connection (patch 169; rhbz#879695)
parent
01cf2c167e
commit
41aa0d34f7
|
@ -0,0 +1,41 @@
|
||||||
|
diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
|
||||||
|
--- a/Lib/multiprocessing/connection.py
|
||||||
|
+++ b/Lib/multiprocessing/connection.py
|
||||||
|
@@ -41,6 +41,10 @@
|
||||||
|
# A very generous timeout when it comes to local connections...
|
||||||
|
CONNECTION_TIMEOUT = 20.
|
||||||
|
|
||||||
|
+# The hmac module implicitly defaults to using MD5.
|
||||||
|
+# Support using a stronger algorithm for the challenge/response code:
|
||||||
|
+HMAC_DIGEST_NAME='sha256'
|
||||||
|
+
|
||||||
|
_mmap_counter = itertools.count()
|
||||||
|
|
||||||
|
default_family = 'AF_INET'
|
||||||
|
@@ -700,12 +704,16 @@
|
||||||
|
WELCOME = b'#WELCOME#'
|
||||||
|
FAILURE = b'#FAILURE#'
|
||||||
|
|
||||||
|
+def get_digestmod_for_hmac():
|
||||||
|
+ import hashlib
|
||||||
|
+ return getattr(hashlib, HMAC_DIGEST_NAME)
|
||||||
|
+
|
||||||
|
def deliver_challenge(connection, authkey):
|
||||||
|
import hmac
|
||||||
|
assert isinstance(authkey, bytes)
|
||||||
|
message = os.urandom(MESSAGE_LENGTH)
|
||||||
|
connection.send_bytes(CHALLENGE + message)
|
||||||
|
- digest = hmac.new(authkey, message).digest()
|
||||||
|
+ digest = hmac.new(authkey, message, get_digestmod_for_hmac()).digest()
|
||||||
|
response = connection.recv_bytes(256) # reject large message
|
||||||
|
if response == digest:
|
||||||
|
connection.send_bytes(WELCOME)
|
||||||
|
@@ -719,7 +727,7 @@
|
||||||
|
message = connection.recv_bytes(256) # reject large message
|
||||||
|
assert message[:len(CHALLENGE)] == CHALLENGE, 'message = %r' % message
|
||||||
|
message = message[len(CHALLENGE):]
|
||||||
|
- digest = hmac.new(authkey, message).digest()
|
||||||
|
+ digest = hmac.new(authkey, message, get_digestmod_for_hmac()).digest()
|
||||||
|
connection.send_bytes(digest)
|
||||||
|
response = connection.recv_bytes(256) # reject large message
|
||||||
|
if response != WELCOME:
|
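Review bot: Both `deliver_challenge` and the answering side in the third hunk now compute the HMAC with SHA-256 unconditionally and nothing in the handshake negotiates the algorithm, so a peer that still uses the hmac default (MD5, per the added comment) will produce a digest that fails the `response == digest` check with no hint that the algorithms differ. The comment above `HMAC_DIGEST_NAME` should state that requirement, for example `# Both ends of a connection must use the same digest; a peer still on the MD5 default will fail authentication.` Separately, the unchanged `if response == digest:` compares the MAC with `==`, which is not a constant-time comparison; the per-connection random challenge limits what that exposes, but a constant-time compare is worth adopting where the runtime offers one. The bodies of both functions continue outside the hunks, so the failure path is not visible here.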
15
python.spec
15
python.spec
|
@ -106,7 +106,7 @@ Summary: An interpreted, interactive, object-oriented programming language
|
||||||
Name: %{python}
|
Name: %{python}
|
||||||
# Remember to also rebase python-docs when changing this:
|
# Remember to also rebase python-docs when changing this:
|
||||||
Version: 2.7.3
|
Version: 2.7.3
|
||||||
Release: 22%{?dist}
|
Release: 23%{?dist}
|
||||||
License: Python
|
License: Python
|
||||||
Group: Development/Languages
|
Group: Development/Languages
|
||||||
Requires: %{python}-libs%{?_isa} = %{version}-%{release}
|
Requires: %{python}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
@ -763,6 +763,14 @@ Patch167: 00167-disable-stack-navigation-tests-when-optimized-in-test_gdb.patch
|
||||||
# (rhbz#849994)
|
# (rhbz#849994)
|
||||||
Patch168: 00168-distutils-cflags.patch
|
Patch168: 00168-distutils-cflags.patch
|
||||||
|
|
||||||
|
# 00169 #
|
||||||
|
# Use SHA-256 rather than implicitly using MD5 within the challenge handling
|
||||||
|
# in multiprocessing.connection
|
||||||
|
#
|
||||||
|
# Sent upstream as http://bugs.python.org/issue17258
|
||||||
|
# (rhbz#879695)
|
||||||
|
Patch169: 00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch
|
||||||
|
|
||||||
# (New patches go here ^^^)
|
# (New patches go here ^^^)
|
||||||
#
|
#
|
||||||
# When adding new patches to "python" and "python3" in Fedora 17 onwards,
|
# When adding new patches to "python" and "python3" in Fedora 17 onwards,
|
||||||
|
@ -1098,6 +1106,7 @@ mv Modules/cryptmodule.c Modules/_cryptmodule.c
|
||||||
%patch166 -p1
|
%patch166 -p1
|
||||||
%patch167 -p1
|
%patch167 -p1
|
||||||
%patch168 -p1
|
%patch168 -p1
|
||||||
|
%patch169 -p1
|
||||||
|
|
||||||
|
|
||||||
# This shouldn't be necesarry, but is right now (2.2a3)
|
# This shouldn't be necesarry, but is right now (2.2a3)
|
||||||
|
@ -1928,6 +1937,10 @@ rm -fr %{buildroot}
|
||||||
# ======================================================
|
# ======================================================
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Feb 20 2013 David Malcolm <dmalcolm@redhat.com> - 2.7.3-23
|
||||||
|
- use SHA-256 rather than implicitly using MD5 within the challenge handling
|
||||||
|
in multiprocessing.connection (patch 169; rhbz#879695)
|
||||||
|
|
||||||
* Wed Feb 20 2013 David Malcolm <dmalcolm@redhat.com> - 2.7.3-22
|
* Wed Feb 20 2013 David Malcolm <dmalcolm@redhat.com> - 2.7.3-22
|
||||||
- fix a problem with distutils.sysconfig when CFLAGS is defined in the
|
- fix a problem with distutils.sysconfig when CFLAGS is defined in the
|
||||||
environment (patch 168; rhbz#849994)
|
environment (patch 168; rhbz#849994)
|
||||||
|
|