diff options
| author | Marius Bakke <mbakke@fastmail.com> | 2018-10-06 18:50:47 +0200 |
|---|---|---|
| committer | Marius Bakke <mbakke@fastmail.com> | 2018-10-17 20:34:37 +0200 |
| commit | a55ebe2e3a7b438b4eec06c594440d3a0fb06a25 (patch) | |
| tree | 2b368479f5d45d8a862648d8c474dadedd28873d /gnu/packages/patches/python2-CVE-2018-1000802.patch | |
| parent | 90aeaee861845142843a0f988fa4ff016c723cdb (diff) | |
| download | guix-a55ebe2e3a7b438b4eec06c594440d3a0fb06a25.tar.gz | |
gnu: python2: Add upstream security fixes.
This addresses CVE-2018-{1060,1061,14647,1000802}.
* gnu/packages/patches/python2-CVE-2018-1000802.patch,
gnu/packages/patches/python2-CVE-2018-1060.patch,
gnu/packages/patches/python2-CVE-2018-1061.patch,
gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/python.scm (python-2/fixed): New variable.
(python-2.7)[replacement]: New field.
(python2-minimal): Use PACKAGE/INHERIT.
Diffstat (limited to 'gnu/packages/patches/python2-CVE-2018-1000802.patch')
| -rw-r--r-- | gnu/packages/patches/python2-CVE-2018-1000802.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/gnu/packages/patches/python2-CVE-2018-1000802.patch b/gnu/packages/patches/python2-CVE-2018-1000802.patch new file mode 100644 index 0000000000..0d5bc77c84 --- /dev/null +++ b/gnu/packages/patches/python2-CVE-2018-1000802.patch @@ -0,0 +1,47 @@ +Fix CVE-2018-1000802: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802 + +Taken from upstream commit (sans NEWS): +https://github.com/python/cpython/commit/d8b103b8b3ef9644805341216963a64098642435 + +diff --git a/Lib/shutil.py b/Lib/shutil.py +index 3462f7c5e9..0ab1a06f52 100644 +--- a/Lib/shutil.py ++++ b/Lib/shutil.py +@@ -413,17 +413,21 @@ def _make_tarball(base_name, base_dir, compress="gzip", verbose=0, dry_run=0, + + return archive_name + +-def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False): ++def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger): + # XXX see if we want to keep an external call here + if verbose: + zipoptions = "-r" + else: + zipoptions = "-rq" +- from distutils.errors import DistutilsExecError +- from distutils.spawn import spawn ++ cmd = ["zip", zipoptions, zip_filename, base_dir] ++ if logger is not None: ++ logger.info(' '.join(cmd)) ++ if dry_run: ++ return ++ import subprocess + try: +- spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run) +- except DistutilsExecError: ++ subprocess.check_call(cmd) ++ except subprocess.CalledProcessError: + # XXX really should distinguish between "couldn't find + # external 'zip' command" and "zip failed". + raise ExecError, \ +@@ -458,7 +462,7 @@ def _make_zipfile(base_name, base_dir, verbose=0, dry_run=0, logger=None): + zipfile = None + + if zipfile is None: +- _call_external_zip(base_dir, zip_filename, verbose, dry_run) ++ _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger) + else: + if logger is not None: + logger.info("creating '%s' and adding '%s' to it", |