authordrochner <drochner@pkgsrc.org>2011-03-28 16:00:06 +0000
committerdrochner <drochner@pkgsrc.org>2011-03-28 16:00:06 +0000
commit89649c26a70cf788be10bb7803523d286b61224b (patch)
tree80b79a15340010793a3fb18455bb870d15c9fae0
parent0f2ea06e1a2092cf4453b384c7a75cfa967eb9eb (diff)
downloadpkgsrc-89649c26a70cf788be10bb7803523d286b61224b.tar.gz
fix a security issue, using patches from upstream:
stricter redirect handling in urllib, to prevent redirects to e.g. "file://" URLs (CVE-2011-1521); bump PKGREV
-rw-r--r--lang/python26/Makefile4
-rw-r--r--lang/python26/distinfo4
-rw-r--r--lang/python26/patches/patch-ca29
-rw-r--r--lang/python26/patches/patch-cb21
-rw-r--r--lang/python27/Makefile3
-rw-r--r--lang/python27/distinfo4
-rw-r--r--lang/python27/patches/patch-ca29
-rw-r--r--lang/python27/patches/patch-cb21
8 files changed, 110 insertions, 5 deletions
diff --git a/lang/python26/Makefile b/lang/python26/Makefile
index 327823b1267..7c34a54a47f 100644
--- a/lang/python26/Makefile
+++ b/lang/python26/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.34 2011/02/28 22:35:53 tron Exp $
+# $NetBSD: Makefile,v 1.35 2011/03/28 16:00:06 drochner Exp $
.include "dist.mk"
PKGNAME= python26-${PY_DISTVERSION}
-PKGREVISION= 6
+PKGREVISION= 7
CATEGORIES= lang python
MAINTAINER= pkgsrc-users@NetBSD.org
diff --git a/lang/python26/distinfo b/lang/python26/distinfo
index d569112c756..050d5964c74 100644
--- a/lang/python26/distinfo
+++ b/lang/python26/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.32 2011/02/28 22:35:53 tron Exp $
+$NetBSD: distinfo,v 1.33 2011/03/28 16:00:06 drochner Exp $
SHA1 (Python-2.6.6.tar.bz2) = a1daf2c2c7cffe0939c015260447572fe75c7e50
RMD160 (Python-2.6.6.tar.bz2) = 2d63f4f0ad3c124a8e62215ca94bd0231350e912
@@ -20,3 +20,5 @@ SHA1 (patch-av) = d6bf0419015656a8d2f13d3132873e453c8a6b6e
SHA1 (patch-ba) = 97dcf72d7380a2d257220669845c52a698165fcf
SHA1 (patch-bb) = 6cdd94dd1e69630159194c7c153b6c4e46c81456
SHA1 (patch-bc) = 09aaa254a54109026bb262a949b4006235df7858
+SHA1 (patch-ca) = aa0ad5a9dff1cd7c1c456aa6371733727ac1425b
+SHA1 (patch-cb) = f8fa30bb9aae0ef02c187d1d6db176bac731381e
diff --git a/lang/python26/patches/patch-ca b/lang/python26/patches/patch-ca
new file mode 100644
index 00000000000..457474d629a
--- /dev/null
+++ b/lang/python26/patches/patch-ca
@@ -0,0 +1,29 @@
+$NetBSD: patch-ca,v 1.1 2011/03/28 16:00:07 drochner Exp $
+
+Issue #11662 (CVE-2011-1521)
+
+--- Lib/urllib.py.orig 2007-03-14 08:27:57.000000000 +0000
++++ Lib/urllib.py
+@@ -638,10 +638,20 @@ class FancyURLopener(URLopener):
+ newurl = headers['uri']
+ else:
+ return
+- void = fp.read()
+- fp.close()
++
+ # In case the server sent a relative URL, join with original:
+ newurl = basejoin(self.type + ":" + url, newurl)
++
++ # For security reasons we do not allow redirects to protocols
++ # other than HTTP, HTTPS or FTP.
++ newurl_lower = newurl.lower()
++ if not (newurl_lower.startswith('http://') or
++ newurl_lower.startswith('https://') or
++ newurl_lower.startswith('ftp://')):
++ return
++
++ void = fp.read()
++ fp.close()
+ return self.open(newurl)
+
+ def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):
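Review bot: The scheme check added at `if not (newurl_lower.startswith('http://') or ...` exits with a bare `return`, so a refused redirect is indistinguishable from a response that carried no Location header: FancyURLopener falls back to its default error handling and hands the caller the 3xx response object with no indication that a redirect was blocked. Raising instead, e.g. `raise IOError('redirect error', errcode, errmsg + " - Redirection to url '%s' is not allowed" % newurl, headers)`, makes the refusal visible to callers and to logs, which is what an operator needs in order to notice a server trying to bounce clients to a non-network scheme; the identical python27 hunk in patch-ca has the same point. Moving `void = fp.read()` / `fp.close()` below the check is correct either way, because the early-return path must leave fp open for the fallback response. redirect_internal's signature lies outside the hunk, so the names errcode, errmsg and headers are inferred from the sibling `http_error_301(self, url, fp, errcode, errmsg, headers, data=None)` shown as context and from the stdlib definition, not from visible lines of the method itself.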
diff --git a/lang/python26/patches/patch-cb b/lang/python26/patches/patch-cb
new file mode 100644
index 00000000000..1af34378a99
--- /dev/null
+++ b/lang/python26/patches/patch-cb
@@ -0,0 +1,21 @@
+$NetBSD: patch-cb,v 1.1 2011/03/28 16:00:07 drochner Exp $
+
+Issue #11662 (CVE-2011-1521)
+
+--- Lib/urllib2.py.orig 2011-03-28 15:17:02.000000000 +0000
++++ Lib/urllib2.py
+@@ -578,6 +578,14 @@ class HTTPRedirectHandler(BaseHandler):
+
+ newurl = urlparse.urljoin(req.get_full_url(), newurl)
+
++ # For security reasons we do not allow redirects to protocols
++ # other than HTTP, HTTPS or FTP.
++ newurl_lower = newurl.lower()
++ if not (newurl_lower.startswith('http://') or
++ newurl_lower.startswith('https://') or
++ newurl_lower.startswith('ftp://')):
++ return
++
+ # XXX Probably want to forget about the state of the current
+ # request, although that might interact poorly with other
+ # handlers that also use handler-specific request attributes
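Review bot: The new guard ends in a bare `return`, so when the redirect target has a disallowed scheme HTTPRedirectHandler simply declines the response and the opener falls through to its default error handling, which surfaces a plain 3xx HTTPError that does not say why the redirect was not followed. Raising explicitly, e.g. `raise HTTPError(newurl, code, msg + " - Redirection to url '%s' is not allowed" % newurl, headers, fp)`, tells callers and logs that the redirect was refused for security reasons rather than looking like an ordinary server error; the identical python27 hunk in patch-cb has the same point. The enclosing http_error_302 starts and ends outside the hunk, so the names code, msg and fp are taken from the stdlib signature `http_error_302(self, req, fp, code, msg, headers)` rather than from visible lines.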
diff --git a/lang/python27/Makefile b/lang/python27/Makefile
index 501afbb517f..8850863e1d6 100644
--- a/lang/python27/Makefile
+++ b/lang/python27/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.1.1.1 2011/02/22 08:51:58 obache Exp $
+# $NetBSD: Makefile,v 1.2 2011/03/28 16:00:07 drochner Exp $
.include "dist.mk"
PKGNAME= python27-${PY_DISTVERSION}
+PKGREVISION= 1
CATEGORIES= lang python
MAINTAINER= pkgsrc-users@NetBSD.org
diff --git a/lang/python27/distinfo b/lang/python27/distinfo
index 389bd9588bb..61781de4f68 100644
--- a/lang/python27/distinfo
+++ b/lang/python27/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.2 2011/02/22 10:50:37 adam Exp $
+$NetBSD: distinfo,v 1.3 2011/03/28 16:00:07 drochner Exp $
SHA1 (Python-2.7.1.tar.bz2) = fbe1894322ff91b80726e269c97454f4129fc2a3
RMD160 (Python-2.7.1.tar.bz2) = 3ce59305f6cd3fb320a53771d0ea01ec0687005f
@@ -16,3 +16,5 @@ SHA1 (patch-au) = 700dc128833af755f3ea08c4db79c127453b12e6
SHA1 (patch-av) = a14eaf4d5db6fc3b79ed896fbfcc34ca98051af2
SHA1 (patch-aw) = 15652e241f371a22c7300f46771825ea74514fa0
SHA1 (patch-ax) = b3a69107d3abbc8476ce79fb05aa8c9f293896a2
+SHA1 (patch-ca) = aa0ad5a9dff1cd7c1c456aa6371733727ac1425b
+SHA1 (patch-cb) = f8fa30bb9aae0ef02c187d1d6db176bac731381e
diff --git a/lang/python27/patches/patch-ca b/lang/python27/patches/patch-ca
new file mode 100644
index 00000000000..457474d629a
--- /dev/null
+++ b/lang/python27/patches/patch-ca
@@ -0,0 +1,29 @@
+$NetBSD: patch-ca,v 1.1 2011/03/28 16:00:07 drochner Exp $
+
+Issue #11662 (CVE-2011-1521)
+
+--- Lib/urllib.py.orig 2007-03-14 08:27:57.000000000 +0000
++++ Lib/urllib.py
+@@ -638,10 +638,20 @@ class FancyURLopener(URLopener):
+ newurl = headers['uri']
+ else:
+ return
+- void = fp.read()
+- fp.close()
++
+ # In case the server sent a relative URL, join with original:
+ newurl = basejoin(self.type + ":" + url, newurl)
++
++ # For security reasons we do not allow redirects to protocols
++ # other than HTTP, HTTPS or FTP.
++ newurl_lower = newurl.lower()
++ if not (newurl_lower.startswith('http://') or
++ newurl_lower.startswith('https://') or
++ newurl_lower.startswith('ftp://')):
++ return
++
++ void = fp.read()
++ fp.close()
+ return self.open(newurl)
+
+ def http_error_301(self, url, fp, errcode, errmsg, headers, data=None):
diff --git a/lang/python27/patches/patch-cb b/lang/python27/patches/patch-cb
new file mode 100644
index 00000000000..1af34378a99
--- /dev/null
+++ b/lang/python27/patches/patch-cb
@@ -0,0 +1,21 @@
+$NetBSD: patch-cb,v 1.1 2011/03/28 16:00:07 drochner Exp $
+
+Issue #11662 (CVE-2011-1521)
+
+--- Lib/urllib2.py.orig 2011-03-28 15:17:02.000000000 +0000
++++ Lib/urllib2.py
+@@ -578,6 +578,14 @@ class HTTPRedirectHandler(BaseHandler):
+
+ newurl = urlparse.urljoin(req.get_full_url(), newurl)
+
++ # For security reasons we do not allow redirects to protocols
++ # other than HTTP, HTTPS or FTP.
++ newurl_lower = newurl.lower()
++ if not (newurl_lower.startswith('http://') or
++ newurl_lower.startswith('https://') or
++ newurl_lower.startswith('ftp://')):
++ return
++
+ # XXX Probably want to forget about the state of the current
+ # request, although that might interact poorly with other
+ # handlers that also use handler-specific request attributes