diff options
author | tron <tron@pkgsrc.org> | 2010-11-23 08:24:04 +0000 |
---|---|---|
committer | tron <tron@pkgsrc.org> | 2010-11-23 08:24:04 +0000 |
commit | e5730179d4a188d7673a0dbc1434209184f9bab7 (patch) | |
tree | 886e30e287f5d7151d87463d8e1d0b882c326401 /lang/python26 | |
parent | 2a1c1d47276bbc62a3b3b878717562a94ce62231 (diff) | |
download | pkgsrc-e5730179d4a188d7673a0dbc1434209184f9bab7.tar.gz |
Add fix for CVE-2010-3492 and update the fix for CVE-2010-3493. Both
fixes taken from the Python 2.7 branch in the Python SVN repository.
Diffstat (limited to 'lang/python26')
-rw-r--r-- | lang/python26/Makefile | 4 | ||||
-rw-r--r-- | lang/python26/distinfo | 6 | ||||
-rw-r--r-- | lang/python26/patches/patch-aw | 39 | ||||
-rw-r--r-- | lang/python26/patches/patch-ba | 104 | ||||
-rw-r--r-- | lang/python26/patches/patch-bb | 28 | ||||
-rw-r--r-- | lang/python26/patches/patch-bc | 86 |
6 files changed, 224 insertions, 43 deletions
diff --git a/lang/python26/Makefile b/lang/python26/Makefile index f013e4c4a90..3847083b46d 100644 --- a/lang/python26/Makefile +++ b/lang/python26/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.30 2010/11/17 18:44:06 tez Exp $ +# $NetBSD: Makefile,v 1.31 2010/11/23 08:24:04 tron Exp $ .include "dist.mk" PKGNAME= python26-${PY_DISTVERSION} -PKGREVISION= 3 +PKGREVISION= 4 CATEGORIES= lang python MAINTAINER= pkgsrc-users@NetBSD.org diff --git a/lang/python26/distinfo b/lang/python26/distinfo index 953202905e6..91569760727 100644 --- a/lang/python26/distinfo +++ b/lang/python26/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.28 2010/11/17 18:44:06 tez Exp $ +$NetBSD: distinfo,v 1.29 2010/11/23 08:24:04 tron Exp $ SHA1 (Python-2.6.6.tar.bz2) = a1daf2c2c7cffe0939c015260447572fe75c7e50 RMD160 (Python-2.6.6.tar.bz2) = 2d63f4f0ad3c124a8e62215ca94bd0231350e912 @@ -16,4 +16,6 @@ SHA1 (patch-ao) = 8c6a156b0f0c2a6d319658477fff348e6a0c3603 SHA1 (patch-ap) = d23a869a449ab9dc166cfa149913b20c9acad9cb SHA1 (patch-au) = 38030fc45afc2a8f53a41f26b649e731642b9148 SHA1 (patch-av) = d6bf0419015656a8d2f13d3132873e453c8a6b6e -SHA1 (patch-aw) = e74bae33eb95c821b5147f5c89c3ee7cb061db95 +SHA1 (patch-ba) = 97dcf72d7380a2d257220669845c52a698165fcf +SHA1 (patch-bb) = 6cdd94dd1e69630159194c7c153b6c4e46c81456 +SHA1 (patch-bc) = 09aaa254a54109026bb262a949b4006235df7858 diff --git a/lang/python26/patches/patch-aw b/lang/python26/patches/patch-aw deleted file mode 100644 index c3b5f7203ab..00000000000 --- a/lang/python26/patches/patch-aw +++ /dev/null @@ -1,39 +0,0 @@ -$NetBSD: patch-aw,v 1.1 2010/11/17 18:44:07 tez Exp $ - -Fix for SA41968 (CVE-2010-3493) from the 2.7 branch repo -http://svn.python.org/view/python/branches/release27-maint/Lib/smtpd.py?r1=86084&r2=82503&view=patch - ---- Lib/smtpd2.6.py.orig 2010-06-30 12:41:25.000000000 -0500 -+++ Lib/smtpd2.6.py 2010-11-17 12:19:14.825489100 -0600 -@@ -121,7 +121,15 @@ - self.__rcpttos = [] - self.__data = '' - self.__fqdn = socket.getfqdn() -- self.__peer = conn.getpeername() -+ try: -+ self.__peer = conn.getpeername() -+ except socket.error, err: -+ # a race condition may occur if the other end is closing -+ # before we can get the peername -+ self.close() -+ if err[0] != errno.ENOTCONN: -+ raise -+ return - print >> DEBUGSTREAM, 'Peer:', repr(self.__peer) - self.push('220 %s %s' % (self.__fqdn, __version__)) - self.set_terminator('\r\n') -@@ -291,9 +299,11 @@ - localaddr, remoteaddr) - - def handle_accept(self): -- conn, addr = self.accept() -- print >> DEBUGSTREAM, 'Incoming connection from %s' % repr(addr) -- channel = SMTPChannel(self, conn, addr) -+ pair = self.accept() -+ if pair is not None: -+ conn, addr = pair -+ print >> DEBUGSTREAM, 'Incoming connection from %s' % repr(addr) -+ channel = SMTPChannel(self, conn, addr) - - # API for "doing something useful with the message" - def process_message(self, peer, mailfrom, rcpttos, data): diff --git a/lang/python26/patches/patch-ba b/lang/python26/patches/patch-ba new file mode 100644 index 00000000000..4c9af031344 --- /dev/null +++ b/lang/python26/patches/patch-ba @@ -0,0 +1,104 @@ +$NetBSD: patch-ba,v 1.1 2010/11/23 08:24:04 tron Exp $ + +Fix for CVE-2010-3492, taken from the Python SVN repository: + +http://svn.python.org/view?view=rev&revision=86084 + +--- Doc/library/asyncore.rst.orig 2010-05-19 15:14:45.000000000 +0100 ++++ Doc/library/asyncore.rst 2010-11-22 18:11:58.000000000 +0000 +@@ -211,10 +211,13 @@ + .. method:: accept() + + Accept a connection. The socket must be bound to an address and listening +- for connections. The return value is a pair ``(conn, address)`` where +- *conn* is a *new* socket object usable to send and receive data on the +- connection, and *address* is the address bound to the socket on the other +- end of the connection. ++ for connections. The return value can be either ``None`` or a pair ++ ``(conn, address)`` where *conn* is a *new* socket object usable to send ++ and receive data on the connection, and *address* is the address bound to ++ the socket on the other end of the connection. ++ When ``None`` is returned it means the connection didn't take place, in ++ which case the server should just ignore this event and keep listening ++ for further incoming connections. + + + .. method:: close() +@@ -224,6 +227,12 @@ + flushed). Sockets are automatically closed when they are + garbage-collected. + ++.. class:: dispatcher_with_send() ++ ++ A :class:`dispatcher` subclass which adds simple buffered output capability, ++ useful for simple clients. For more sophisticated usage use ++ :class:`asynchat.async_chat`. ++ + .. class:: file_dispatcher() + + A file_dispatcher takes a file descriptor or file object along with an +@@ -240,7 +249,7 @@ + socket for use by the :class:`file_dispatcher` class. Availability: UNIX. + + +-.. _asyncore-example: ++.. _asyncore-example-1: + + asyncore Example basic HTTP client + ---------------------------------- +@@ -250,7 +259,7 @@ + + import asyncore, socket + +- class http_client(asyncore.dispatcher): ++ class HTTPClient(asyncore.dispatcher): + + def __init__(self, host, path): + asyncore.dispatcher.__init__(self) +@@ -274,6 +283,45 @@ + sent = self.send(self.buffer) + self.buffer = self.buffer[sent:] + +- c = http_client('www.python.org', '/') + ++ client = HTTPClient('www.python.org', '/') + asyncore.loop() ++ ++.. _asyncore-example-2: ++ ++asyncore Example basic echo server ++---------------------------------- ++ ++Here is abasic echo server that uses the :class:`dispatcher` class to accept ++connections and dispatches the incoming connections to a handler:: ++ ++ import asyncore ++ import socket ++ ++ class EchoHandler(asyncore.dispatcher_with_send): ++ ++ def handle_read(self): ++ data = self.recv(8192) ++ self.send(data) ++ ++ class EchoServer(asyncore.dispatcher): ++ ++ def __init__(self, host, port): ++ asyncore.dispatcher.__init__(self) ++ self.create_socket(socket.AF_INET, socket.SOCK_STREAM) ++ self.set_reuse_addr() ++ self.bind((host, port)) ++ self.listen(5) ++ ++ def handle_accept(self): ++ pair = self.accept() ++ if pair is None: ++ pass ++ else: ++ sock, addr = pair ++ print 'Incoming connection from %s' % repr(addr) ++ handler = EchoHandler(sock) ++ ++ server = EchoServer('localhost', 8080) ++ asyncore.loop() ++ diff --git a/lang/python26/patches/patch-bb b/lang/python26/patches/patch-bb new file mode 100644 index 00000000000..7cde546eff2 --- /dev/null +++ b/lang/python26/patches/patch-bb @@ -0,0 +1,28 @@ +$NetBSD: patch-bb,v 1.1 2010/11/23 08:24:04 tron Exp $ + +Fix for CVE-2010-3492, taken from the Python SVN repository: + +http://svn.python.org/view?view=rev&revision=86084 + +--- Lib/asyncore.py.orig 2010-08-13 02:30:39.000000000 +0100 ++++ Lib/asyncore.py 2010-11-22 18:13:52.000000000 +0000 +@@ -348,12 +348,15 @@ + # XXX can return either an address pair or None + try: + conn, addr = self.socket.accept() +- return conn, addr +- except socket.error, why: +- if why.args[0] == EWOULDBLOCK: +- pass ++ except TypeError: ++ return None ++ except socket.error as why: ++ if why.args[0] in (EWOULDBLOCK, ECONNABORTED): ++ return None + else: + raise ++ else: ++ return conn, addr + + def send(self, data): + try: diff --git a/lang/python26/patches/patch-bc b/lang/python26/patches/patch-bc new file mode 100644 index 00000000000..346ea056b15 --- /dev/null +++ b/lang/python26/patches/patch-bc @@ -0,0 +1,86 @@ +$NetBSD: patch-bc,v 1.1 2010/11/23 08:24:04 tron Exp $ + +Fix for CVE-2010-3492 and CVE-2010-3493, taken from the Python SVN repository: + +http://svn.python.org/view?view=rev&revision=86084 + +--- Lib/smtpd2.6.py.orig 2010-11-22 18:18:59.000000000 +0000 ++++ Lib/smtpd2.6.py 2010-11-22 18:19:03.000000000 +0000 +@@ -35,7 +35,6 @@ + and if remoteport is not given, then 25 is used. + """ + +- + # Overview: + # + # This file implements the minimal SMTP protocol as defined in RFC 821. It +@@ -96,7 +95,6 @@ + COMMASPACE = ', ' + + +- + def usage(code, msg=''): + print >> sys.stderr, __doc__ % globals() + if msg: +@@ -104,7 +102,6 @@ + sys.exit(code) + + +- + class SMTPChannel(asynchat.async_chat): + COMMAND = 0 + DATA = 1 +@@ -276,7 +273,6 @@ + self.push('354 End data with <CR><LF>.<CR><LF>') + + +- + class SMTPServer(asyncore.dispatcher): + def __init__(self, localaddr, remoteaddr): + self._localaddr = localaddr +@@ -331,7 +327,6 @@ + raise NotImplementedError + + +- + class DebuggingServer(SMTPServer): + # Do something with the gathered message + def process_message(self, peer, mailfrom, rcpttos, data): +@@ -347,7 +342,6 @@ + print '------------ END MESSAGE ------------' + + +- + class PureProxy(SMTPServer): + def process_message(self, peer, mailfrom, rcpttos, data): + lines = data.split('\n') +@@ -388,7 +382,6 @@ + return refused + + +- + class MailmanProxy(PureProxy): + def process_message(self, peer, mailfrom, rcpttos, data): + from cStringIO import StringIO +@@ -467,13 +460,11 @@ + msg.Enqueue(mlist, torequest=1) + + +- + class Options: + setuid = 1 + classname = 'PureProxy' + + +- + def parseargs(): + global DEBUGSTREAM + try: +@@ -530,7 +521,6 @@ + return options + + +- + if __name__ == '__main__': + options = parseargs() + # Become nobody |