gnu: python2: Add upstream security fixes.

This addresses CVE-2018-{1060,1061,14647,1000802}.

* gnu/packages/patches/python2-CVE-2018-1000802.patch,
gnu/packages/patches/python2-CVE-2018-1060.patch,
gnu/packages/patches/python2-CVE-2018-1061.patch,
gnu/packages/patches/python2-CVE-2018-14647.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/python.scm (python-2/fixed): New variable.
(python-2.7)[replacement]: New field.
(python2-minimal): Use PACKAGE/INHERIT.

1 files changed, 20 insertions, 0 deletions

diff --git a/gnu/packages/patches/python2-CVE-2018-1061.patch b/gnu/packages/patches/python2-CVE-2018-1061.patch
new file mode 100644
index 0000000000..6caab24b4d
--- /dev/null
+++ b/gnu/packages/patches/python2-CVE-2018-1061.patch
@@ -0,0 +1,20 @@
+Fix CVE-2018-1061:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061
+
+Taken from upstream commit (sans test and NEWS):
+https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b39744dc62a2
+
+diff --git a/Lib/difflib.py b/Lib/difflib.py
+index 1c6fbdbedcb7..788a92df3f89 100644
+--- a/Lib/difflib.py
++++ b/Lib/difflib.py
+@@ -1103,7 +1103,7 @@ def _qformat(self, aline, bline, atags, btags):
+ 
+ import re
+ 
+-def IS_LINE_JUNK(line, pat=re.compile(r"\s*#?\s*$").match):
++def IS_LINE_JUNK(line, pat=re.compile(r"\s*(?:#\s*)?$").match):
+     r"""
+     Return 1 for ignorable line: iff `line` is blank or contains a single '#'.
+