* Thu Mar 26 2015 Petr Lautrbach <plautrba@redhat.com> 3.2.17-2

- Fix get_rpm_nvr_*_temporary functions - CVE-2015-1815 (#1203352)

.gitignore

@@ -175,3 +175,7 @@ setroubleshoot-2.2.93.tar.gz
 /setroubleshoot-3.2.11.tar.gz
 /setroubleshoot-3.2.12.tar.gz
 /setroubleshoot-3.2.13.tar.gz
+/setroubleshoot-3.2.14.tar.gz
+/setroubleshoot-3.2.15.tar.gz
+/setroubleshoot-3.2.16.tar.gz
+/setroubleshoot-3.2.17.tar.gz

0001-Fix-get_rpm_nvr_-_temporary-functions-rhbz-1203977.patch

@@ -0,0 +1,53 @@
+From d78a46d19ad3001fb3e3a44bd6b4bb507f2017f4 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Mon, 23 Mar 2015 13:58:08 +0100
+Subject: [PATCH 1/2] Fix get_rpm_nvr_*_temporary functions - rhbz#1203977
+
+- use subprocess.check_output() instead of commands.getstatusoutput()
+- use os.path.abspath() to get a normalized absolutized version of the name
+---
+ framework/src/setroubleshoot/util.py | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/framework/src/setroubleshoot/util.py b/framework/src/setroubleshoot/util.py
+index 2dffb80..906735b 100755
+--- a/framework/src/setroubleshoot/util.py
++++ b/framework/src/setroubleshoot/util.py
+@@ -263,25 +263,25 @@ def get_rpm_nvr_by_name_temporary(name):
+ 
+     nvr = None
+     try:
+-        import commands
+-        rc, output = commands.getstatusoutput("rpm -q %s" % name)
+-        if rc == 0:
+-            nvr = output
++        import  subprocess
++        nvr = subprocess.check_output(["rpm", "-q", name]).rstrip()
+     except:
+         syslog.syslog(syslog.LOG_ERR, "failed to retrieve rpm info for %s" % name)
+     return nvr
+ 
+ 
+ def get_rpm_nvr_by_file_path_temporary(name):
+-    if name is None or not os.path.exists(name):
++    if name is None:
++        return None
++
++    name = os.path.abspath(name)
++    if not os.path.exists(name):
+         return None
+ 
+     nvr = None
+     try:
+-        import commands
+-        rc, output = commands.getstatusoutput("rpm -qf '%s'" % name)
+-        if rc == 0:
+-            nvr = output
++        import subprocess
++        nvr = subprocess.check_output(["rpm", "-qf", name]).rstrip()
+     except:
+         syslog.syslog(syslog.LOG_ERR, "failed to retrieve rpm info for %s" % name)
+     return nvr
+-- 
+2.3.3
+

setroubleshoot-po.patch

@@ -0,0 +1,26 @@
+diff -up setroubleshoot-3.2.14/po/bn_IN.po~ setroubleshoot-3.2.14/po/bn_IN.po
+--- setroubleshoot-3.2.14/po/bn_IN.po~	2013-11-20 10:01:40.717181224 -0500
++++ setroubleshoot-3.2.14/po/bn_IN.po	2013-11-20 10:02:47.154195170 -0500
+@@ -165,9 +165,7 @@ msgstr "উৎসের পà§<C3A0>রকà§<C3A0>à
+ 
+ #: ../src/browser.py:269
+ msgid "Attempted Access"
+-msgstr ""
+-"\n"
+-"বà§<C3A0>যবহারের পà§<C3A0>রয়াস\n"
++msgstr "বà§<C3A0>যবহারের পà§<C3A0>রয়াস"
+ 
+ #: ../src/browser.py:269
+ msgid "On this"
+@@ -222,9 +220,8 @@ msgstr ""
+ msgid ""
+ "Report\n"
+ "Bug"
+-msgstr ""
+-"বাগ সমà§<C3A0>পরà§<C3A0>কে\n"
+-"সূচিত করà§<C3A0>ন\n"
++msgstr "বাগ সমà§<C3A0>পরà§<C3A0>কে\n"
++"সূচিত করà§<C3A0>ন"
+ 
+ #: ../src/browser.py:543
+ #, python-format

setroubleshoot.spec

@@ -1,13 +1,16 @@
 Summary: Helps troubleshoot SELinux problems
 Name: setroubleshoot
-Version: 3.2.13
-Release: 1%{?dist}
+Version: 3.2.17
+Release: 2%{?dist}
 License: GPLv2+
 Group: Applications/System
 URL: https://fedorahosted.org/setroubleshoot
 # git clone git://git.fedorahosted.org/git/setroubleshoot.git; cd setroubleshoot
 # git archive --prefix setroubleshoot-3.0.10/426cf8ea7a38e8c5179981219d831368161b65f2 > setroubleshoot-3.0.10.tar.gz
 Source0: %{name}-%{version}.tar.gz
+# https://bugzilla.redhat.com/show_bug.cgi?id=1203352
+# CVE-2015-1815
+Patch0: 0001-Fix-get_rpm_nvr_-_temporary-functions-rhbz-1203977.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: perl-XML-Parser
 BuildRequires: libcap-ng-devel
@@ -16,24 +19,16 @@ BuildRequires: desktop-file-utils dbus-glib-devel gtk2-devel libnotify-devel aud
 Requires: %{name}-server = %{version}-%{release} 
 Requires: pygtk2-libglade >= 2.9.2
 Requires: gtk2
-Requires: dbus
-Requires: dbus-python
-Requires: pygobject2
-Requires: libreport-gtk
-Requires: polkit
-Requires: yum
+Requires: libreport-gtk, libreport-python
 Requires(post): desktop-file-utils
 Requires(post): dbus
 Requires(postun): desktop-file-utils
 Requires(postun): dbus
-Requires: notify-python
 
 BuildRequires: xdg-utils
 Requires: xdg-utils
 
-%global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")
-
-%global pkgpythondir  %{python_sitelib}/%{name}
+%global pkgpythondir  %{python_sitearch}/%{name}
 %define pkgguidir     %{_datadir}/%{name}/gui
 %define pkgdatadir    %{_datadir}/%{name}
 %define pkglibexecdir %{_prefix}/libexec/%{name}
@@ -79,6 +74,7 @@ fi
 
 %prep
 %setup -q
+%patch0 -p 2 -b .CVE-2015-1815
 
 %build
 %configure
@@ -108,9 +104,10 @@ Requires: policycoreutils-python
 BuildRequires: intltool gettext python
 BuildRequires: python-devel
 Requires: python-slip-dbus systemd-python >= 206-1
-
-Requires(post):   /sbin/service
-Requires(preun):  /sbin/service
+Requires: pygobject2
+Requires: dbus
+Requires: dbus-python
+Requires: polkit
 
 %description server
 Provides tools to help diagnose SELinux problems. When AVC messages
@@ -125,9 +122,8 @@ to user preference. The same tools can be run on existing log files.
 %systemd_postun_with_restart auditd.service
 
 %triggerun server -- %{name}-server < 2.1.1
-/sbin/service %{name} stop >/dev/null 2>&1 || :
-chkconfig --del %{name}  || :
-
+/usr/bin/systemctl --no-reload disable %{name} >/dev/null 2>&1 || :
+/usr/bin/systemctl stop %{name} >/dev/null 2>&1 || :
 %clean 
 rm -rf %{buildroot}
 
@@ -136,7 +132,7 @@ rm -rf %{buildroot}
 %{_bindir}/sealert
 %{_sbindir}/sedispatch
 %{_sbindir}/setroubleshootd
-%{python_sitelib}/setroubleshoot*.egg-info
+%{python_sitearch}/setroubleshoot*.egg-info
 %dir %attr(0755,root,root) %{pkgconfigdir}
 %dir %attr(0755,root,root) %{pkgpythondir}
 %{pkgpythondir}/Plugin.py*
@@ -176,6 +172,36 @@ rm -rf %{buildroot}
 %{_datadir}/dbus-1/system-services/org.fedoraproject.SetroubleshootFixit.service
 
 %changelog
+* Thu Mar 26 2015 Petr Lautrbach <plautrba@redhat.com> 3.2.17-2
+- Fix get_rpm_nvr_*_temporary functions - CVE-2015-1815 (#1203352)
+
+* Mon Jan 20 2014 Dan Walsh <dwalsh@redhat.com> - 3.2.17-1
+- Fix unicode settings
+
+* Tue Jan 7 2014 Dan Walsh <dwalsh@redhat.com> - 3.2.16-2
+- Remove requires for notify-python and yum
+
+* Thu Jan 2 2014 Dan Walsh <dwalsh@redhat.com> - 3.2.16-1
+- Don't error out on no policy installed
+- Update translations.
+
+* Thu Jan 2 2014 Dan Walsh <dwalsh@redhat.com> - 3.2.15-2
+- Eliminate requirement on service script.
+
+* Tue Dec 3 2013 Dan Walsh <dwalsh@redhat.com> - 3.2.15-1
+- Update Lanquages
+- Use setup.py in Makefile for setroubleshoot dir
+
+* Wed Nov 20 2013 Dan Walsh <dwalsh@redhat.com> - 3.2.14-2
+- Add requires for libreport-python
+
+* Mon Sep 16 2013 Dan Walsh <dwalsh@redhat.com> - 3.2.14-1
+- Remove "the the" typo from code.
+- Update Translations
+
+* Tue Sep 10 2013 Dan Walsh <dwalsh@redhat.com> - 3.2.13-2
+- Move some of the Requires block down to -server package
+
 * Thu Aug 1 2013 Dan Walsh <dwalsh@redhat.com> - 3.2.13-1
 - Fix typo again in audit_data.py
 - Make setroubleshoot less noicy in logs

sources

@@ -1 +1 @@
-79ba5172701f0d0c838da4e5755a3c6f  setroubleshoot-3.2.13.tar.gz
+672edbf58ec7de8132fc92e9e494b055  setroubleshoot-3.2.17.tar.gz