author | drochner <drochner@pkgsrc.org> | 2011-03-28 16:00:06 +0000 |
---|---|---|
committer | drochner <drochner@pkgsrc.org> | 2011-03-28 16:00:06 +0000 |
commit | 89649c26a70cf788be10bb7803523d286b61224b (patch) | |
tree | 80b79a15340010793a3fb18455bb870d15c9fae0 | |
parent | 0f2ea06e1a2092cf4453b384c7a75cfa967eb9eb (diff) | |
fix a security issue, using patches from upstream:
stricter redirect handling in urllib, to prevent redirects to e.g.
"file://" URLs (CVE-2011-1521)
bump PKGREV
-rw-r--r-- | lang/python26/Makefile | 4 | ||||
-rw-r--r-- | lang/python26/distinfo | 4 | ||||
-rw-r--r-- | lang/python26/patches/patch-ca | 29 | ||||
-rw-r--r-- | lang/python26/patches/patch-cb | 21 | ||||
-rw-r--r-- | lang/python27/Makefile | 3 | ||||
-rw-r--r-- | lang/python27/distinfo | 4 | ||||
-rw-r--r-- | lang/python27/patches/patch-ca | 29 | ||||
-rw-r--r-- | lang/python27/patches/patch-cb | 21 |
8 files changed, 110 insertions, 5 deletions
diff --git a/lang/python26/Makefile b/lang/python26/Makefile
index 327823b1267..7c34a54a47f 100644
--- a/lang/python26/Makefile
+++ b/lang/python26/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.34 2011/02/28 22:35:53 tron Exp $
+# $NetBSD: Makefile,v 1.35 2011/03/28 16:00:06 drochner Exp $
 .include "dist.mk"
 PKGNAME= python26-${PY_DISTVERSION}
-PKGREVISION= 6
+PKGREVISION= 7
 CATEGORIES= lang python
 MAINTAINER= pkgsrc-users@NetBSD.org
diff --git a/lang/python26/distinfo b/lang/python26/distinfo
index d569112c756..050d5964c74 100644
--- a/lang/python26/distinfo
+++ b/lang/python26/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.32 2011/02/28 22:35:53 tron Exp $
+$NetBSD: distinfo,v 1.33 2011/03/28 16:00:06 drochner Exp $
 SHA1 (Python-2.6.6.tar.bz2) = a1daf2c2c7cffe0939c015260447572fe75c7e50
 RMD160 (Python-2.6.6.tar.bz2) = 2d63f4f0ad3c124a8e62215ca94bd0231350e912
@@ -20,3 +20,5 @@ SHA1 (patch-av) = d6bf0419015656a8d2f13d3132873e453c8a6b6e
 SHA1 (patch-ba) = 97dcf72d7380a2d257220669845c52a698165fcf
 SHA1 (patch-bb) = 6cdd94dd1e69630159194c7c153b6c4e46c81456
 SHA1 (patch-bc) = 09aaa254a54109026bb262a949b4006235df7858
+SHA1 (patch-ca) = aa0ad5a9dff1cd7c1c456aa6371733727ac1425b
+SHA1 (patch-cb) = f8fa30bb9aae0ef02c187d1d6db176bac731381e
diff --git a/lang/python26/patches/patch-ca b/lang/python26/patches/patch-ca
new file mode 100644
index 00000000000..457474d629a
--- /dev/null
+++ b/lang/python26/patches/patch-ca
@@ -0,0 +1,29 @@
+$NetBSD: patch-ca,v 1.1 2011/03/28 16:00:07 drochner Exp $
+
+Issue #11662 (CVE-2011-1521)
+
+--- Lib/urllib.py.orig 2007-03-14 08:27:57.000000000 +0000
++++ Lib/urllib.py
+@@ -638,10 +638,20 @@ class FancyURLopener(URLopener):
+ newurl = headers['uri']
+ else:
+ return
+- void = fp.read()
+- fp.close()
++
+ # In case the server sent a relative URL, join with original:
+ newurl = basejoin(self.type + ":" + url, newurl)
++
++ # For security reasons we do not allow redirects to protocols
++ # other than HTTP, HTTPS or FTP.
++ newurl_lower = newurl.lower()
++ if not (newurl_lower.startswith('http://') or
++ newurl_lower.startswith('https://') or
++ newurl_lower.startswith('ftp://')):
++ return
++
++ void = fp.read()
++ fp.close()
+ return self.open(newurl)
+
+ def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):
diff --git a/lang/python26/patches/patch-cb b/lang/python26/patches/patch-cb
new file mode 100644
index 00000000000..1af34378a99
--- /dev/null
+++ b/lang/python26/patches/patch-cb
@@ -0,0 +1,21 @@
+$NetBSD: patch-cb,v 1.1 2011/03/28 16:00:07 drochner Exp $
+
+Issue #11662 (CVE-2011-1521)
+
+--- Lib/urllib2.py.orig 2011-03-28 15:17:02.000000000 +0000
++++ Lib/urllib2.py
+@@ -578,6 +578,14 @@ class HTTPRedirectHandler(BaseHandler):
+
+ newurl = urlparse.urljoin(req.get_full_url(), newurl)
+
++ # For security reasons we do not allow redirects to protocols
++ # other than HTTP, HTTPS or FTP.
++ newurl_lower = newurl.lower()
++ if not (newurl_lower.startswith('http://') or
++ newurl_lower.startswith('https://') or
++ newurl_lower.startswith('ftp://')):
++ return
++
+ # XXX Probably want to forget about the state of the current
+ # request, although that might interact poorly with other
+ # handlers that also use handler-specific request attributes
diff --git a/lang/python27/Makefile b/lang/python27/Makefile
index 501afbb517f..8850863e1d6 100644
--- a/lang/python27/Makefile
+++ b/lang/python27/Makefile
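Review bot: The bare `++ return` that patch-ca adds after the scheme check refuses the redirect without telling the caller; in stock urllib, URLopener.http_error falls back to FancyURLopener.http_error_default when the 3xx-specific handler returns None, and that default hands back the still-open `fp` as the response, so a blocked redirect most likely surfaces as an apparently successful fetch of the 302 body that the caller cannot tell apart from a real page. Raising makes the refusal explicit and keeps the unread response from being returned, e.g. `raise IOError('redirect error', errcode, errmsg + " - Redirection to url '%s' is not allowed" % newurl, headers)`, using the parameter names the sibling `http_error_301` signature at the end of the hunk shows. patch-cb has the same silent `return` in urllib2's HTTPRedirectHandler, where declining the 3xx leaves it to the default error handler; raising an HTTPError there that names the rejected URL would give callers a diagnosable failure instead of a generic one. The python27 copies of patch-ca and patch-cb later in this commit carry identical code. In both patches the enclosing http_error_302 begins outside the hunk, and in patch-cb it ends outside it as well.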
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.1.1.1 2011/02/22 08:51:58 obache Exp $
+# $NetBSD: Makefile,v 1.2 2011/03/28 16:00:07 drochner Exp $
 .include "dist.mk"
 PKGNAME= python27-${PY_DISTVERSION}
+PKGREVISION= 1
 CATEGORIES= lang python
 MAINTAINER= pkgsrc-users@NetBSD.org
diff --git a/lang/python27/distinfo b/lang/python27/distinfo
index 389bd9588bb..61781de4f68 100644
--- a/lang/python27/distinfo
+++ b/lang/python27/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.2 2011/02/22 10:50:37 adam Exp $
+$NetBSD: distinfo,v 1.3 2011/03/28 16:00:07 drochner Exp $
 SHA1 (Python-2.7.1.tar.bz2) = fbe1894322ff91b80726e269c97454f4129fc2a3
 RMD160 (Python-2.7.1.tar.bz2) = 3ce59305f6cd3fb320a53771d0ea01ec0687005f
@@ -16,3 +16,5 @@ SHA1 (patch-au) = 700dc128833af755f3ea08c4db79c127453b12e6
 SHA1 (patch-av) = a14eaf4d5db6fc3b79ed896fbfcc34ca98051af2
 SHA1 (patch-aw) = 15652e241f371a22c7300f46771825ea74514fa0
 SHA1 (patch-ax) = b3a69107d3abbc8476ce79fb05aa8c9f293896a2
+SHA1 (patch-ca) = aa0ad5a9dff1cd7c1c456aa6371733727ac1425b
+SHA1 (patch-cb) = f8fa30bb9aae0ef02c187d1d6db176bac731381e
diff --git a/lang/python27/patches/patch-ca b/lang/python27/patches/patch-ca
new file mode 100644
index 00000000000..457474d629a
--- /dev/null
+++ b/lang/python27/patches/patch-ca
@@ -0,0 +1,29 @@
+$NetBSD: patch-ca,v 1.1 2011/03/28 16:00:07 drochner Exp $
+
+Issue #11662 (CVE-2011-1521)
+
+--- Lib/urllib.py.orig 2007-03-14 08:27:57.000000000 +0000
++++ Lib/urllib.py
+@@ -638,10 +638,20 @@ class FancyURLopener(URLopener):
+ newurl = headers['uri']
+ else:
+ return
+- void = fp.read()
+- fp.close()
++
+ # In case the server sent a relative URL, join with original:
+ newurl = basejoin(self.type + ":" + url, newurl)
++
++ # For security reasons we do not allow redirects to protocols
++ # other than HTTP, HTTPS or FTP.
++ newurl_lower = newurl.lower()
++ if not (newurl_lower.startswith('http://') or
++ newurl_lower.startswith('https://') or
++ newurl_lower.startswith('ftp://')):
++ return
++
++ void = fp.read()
++ fp.close()
+ return self.open(newurl)
+
+ def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):
diff --git a/lang/python27/patches/patch-cb b/lang/python27/patches/patch-cb
new file mode 100644
index 00000000000..1af34378a99
--- /dev/null
+++ b/lang/python27/patches/patch-cb
@@ -0,0 +1,21 @@
+$NetBSD: patch-cb,v 1.1 2011/03/28 16:00:07 drochner Exp $
+
+Issue #11662 (CVE-2011-1521)
+
+--- Lib/urllib2.py.orig 2011-03-28 15:17:02.000000000 +0000
++++ Lib/urllib2.py
+@@ -578,6 +578,14 @@ class HTTPRedirectHandler(BaseHandler):
+
+ newurl = urlparse.urljoin(req.get_full_url(), newurl)
+
++ # For security reasons we do not allow redirects to protocols
++ # other than HTTP, HTTPS or FTP.
++ newurl_lower = newurl.lower()
++ if not (newurl_lower.startswith('http://') or
++ newurl_lower.startswith('https://') or
++ newurl_lower.startswith('ftp://')):
++ return
++
+ # XXX Probably want to forget about the state of the current
+ # request, although that might interact poorly with other
+ # handlers that also use handler-specific request attributes |