diff options
| author | Marius Bakke <mbakke@fastmail.com> | 2018-10-06 18:50:47 +0200 |
|---|---|---|
| committer | Marius Bakke <mbakke@fastmail.com> | 2018-10-17 20:34:37 +0200 |
| commit | a55ebe2e3a7b438b4eec06c594440d3a0fb06a25 (patch) | |
| tree | 2b368479f5d45d8a862648d8c474dadedd28873d /gnu/packages/patches/python2-CVE-2018-1060.patch | |
| parent | 90aeaee861845142843a0f988fa4ff016c723cdb (diff) | |
| download | guix-a55ebe2e3a7b438b4eec06c594440d3a0fb06a25.tar.gz | |
gnu: python2: Add upstream security fixes.
This addresses CVE-2018-{1060,1061,14647,1000802}.
* gnu/packages/patches/python2-CVE-2018-1000802.patch,
gnu/packages/patches/python2-CVE-2018-1060.patch,
gnu/packages/patches/python2-CVE-2018-1061.patch,
gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/python.scm (python-2/fixed): New variable.
(python-2.7)[replacement]: New field.
(python2-minimal): Use PACKAGE/INHERIT.
Diffstat (limited to 'gnu/packages/patches/python2-CVE-2018-1060.patch')
| -rw-r--r-- | gnu/packages/patches/python2-CVE-2018-1060.patch | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/gnu/packages/patches/python2-CVE-2018-1060.patch b/gnu/packages/patches/python2-CVE-2018-1060.patch new file mode 100644 index 0000000000..5eb7ccfbc9 --- /dev/null +++ b/gnu/packages/patches/python2-CVE-2018-1060.patch @@ -0,0 +1,20 @@ +Fix CVE-2018-1060: +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060 + +Taken from upstream commit (sans test and NEWS): +https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b39744dc62a2 + +diff --git a/Lib/poplib.py b/Lib/poplib.py +index b91e5f72d2ca..a238510b38fc 100644 +--- a/Lib/poplib.py ++++ b/Lib/poplib.py +@@ -274,7 +274,7 @@ def rpop(self, user): + return self._shortcmd('RPOP %s' % user) + + +- timestamp = re.compile(r'\+OK.*(<[^>]+>)') ++ timestamp = re.compile(br'\+OK.[^<]*(<.*>)') + + def apop(self, user, secret): + """Authorisation + |