authortron <tron@pkgsrc.org>2010-11-23 08:24:04 +0000
committertron <tron@pkgsrc.org>2010-11-23 08:24:04 +0000
commite5730179d4a188d7673a0dbc1434209184f9bab7 (patch)
tree886e30e287f5d7151d87463d8e1d0b882c326401 /lang
parent2a1c1d47276bbc62a3b3b878717562a94ce62231 (diff)
Add fix for CVE-2010-3492 and update the fix for CVE-2010-3493. Both
fixes taken from the Python 2.7 branch in the Python SVN repository.
Diffstat (limited to 'lang')
-rw-r--r--lang/python26/Makefile4
-rw-r--r--lang/python26/distinfo6
-rw-r--r--lang/python26/patches/patch-aw39
-rw-r--r--lang/python26/patches/patch-ba104
-rw-r--r--lang/python26/patches/patch-bb28
-rw-r--r--lang/python26/patches/patch-bc86
6 files changed, 224 insertions, 43 deletions
diff --git a/lang/python26/Makefile b/lang/python26/Makefile
index f013e4c4a90..3847083b46d 100644
--- a/lang/python26/Makefile
+++ b/lang/python26/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.30 2010/11/17 18:44:06 tez Exp $
+# $NetBSD: Makefile,v 1.31 2010/11/23 08:24:04 tron Exp $
.include "dist.mk"
PKGNAME= python26-${PY_DISTVERSION}
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= lang python
MAINTAINER= pkgsrc-users@NetBSD.org
diff --git a/lang/python26/distinfo b/lang/python26/distinfo
index 953202905e6..91569760727 100644
--- a/lang/python26/distinfo
+++ b/lang/python26/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.28 2010/11/17 18:44:06 tez Exp $
+$NetBSD: distinfo,v 1.29 2010/11/23 08:24:04 tron Exp $
SHA1 (Python-2.6.6.tar.bz2) = a1daf2c2c7cffe0939c015260447572fe75c7e50
RMD160 (Python-2.6.6.tar.bz2) = 2d63f4f0ad3c124a8e62215ca94bd0231350e912
@@ -16,4 +16,6 @@ SHA1 (patch-ao) = 8c6a156b0f0c2a6d319658477fff348e6a0c3603
SHA1 (patch-ap) = d23a869a449ab9dc166cfa149913b20c9acad9cb
SHA1 (patch-au) = 38030fc45afc2a8f53a41f26b649e731642b9148
SHA1 (patch-av) = d6bf0419015656a8d2f13d3132873e453c8a6b6e
-SHA1 (patch-aw) = e74bae33eb95c821b5147f5c89c3ee7cb061db95
+SHA1 (patch-ba) = 97dcf72d7380a2d257220669845c52a698165fcf
+SHA1 (patch-bb) = 6cdd94dd1e69630159194c7c153b6c4e46c81456
+SHA1 (patch-bc) = 09aaa254a54109026bb262a949b4006235df7858
diff --git a/lang/python26/patches/patch-aw b/lang/python26/patches/patch-aw
deleted file mode 100644
index c3b5f7203ab..00000000000
--- a/lang/python26/patches/patch-aw
+++ /dev/null
@@ -1,39 +0,0 @@
-$NetBSD: patch-aw,v 1.1 2010/11/17 18:44:07 tez Exp $
-
-Fix for SA41968 (CVE-2010-3493) from the 2.7 branch repo
-http://svn.python.org/view/python/branches/release27-maint/Lib/smtpd.py?r1=86084&r2=82503&view=patch
-
---- Lib/smtpd2.6.py.orig 2010-06-30 12:41:25.000000000 -0500
-+++ Lib/smtpd2.6.py 2010-11-17 12:19:14.825489100 -0600
-@@ -121,7 +121,15 @@
- self.__rcpttos = []
- self.__data = ''
- self.__fqdn = socket.getfqdn()
-- self.__peer = conn.getpeername()
-+ try:
-+ self.__peer = conn.getpeername()
-+ except socket.error, err:
-+ # a race condition may occur if the other end is closing
-+ # before we can get the peername
-+ self.close()
-+ if err[0] != errno.ENOTCONN:
-+ raise
-+ return
- print >> DEBUGSTREAM, 'Peer:', repr(self.__peer)
- self.push('220 %s %s' % (self.__fqdn, __version__))
- self.set_terminator('\r\n')
-@@ -291,9 +299,11 @@
- localaddr, remoteaddr)
-
- def handle_accept(self):
-- conn, addr = self.accept()
-- print >> DEBUGSTREAM, 'Incoming connection from %s' % repr(addr)
-- channel = SMTPChannel(self, conn, addr)
-+ pair = self.accept()
-+ if pair is not None:
-+ conn, addr = pair
-+ print >> DEBUGSTREAM, 'Incoming connection from %s' % repr(addr)
-+ channel = SMTPChannel(self, conn, addr)
-
- # API for "doing something useful with the message"
- def process_message(self, peer, mailfrom, rcpttos, data):
diff --git a/lang/python26/patches/patch-ba b/lang/python26/patches/patch-ba
new file mode 100644
index 00000000000..4c9af031344
--- /dev/null
+++ b/lang/python26/patches/patch-ba
@@ -0,0 +1,104 @@
+$NetBSD: patch-ba,v 1.1 2010/11/23 08:24:04 tron Exp $
+
+Fix for CVE-2010-3492, taken from the Python SVN repository:
+
+http://svn.python.org/view?view=rev&revision=86084
+
+--- Doc/library/asyncore.rst.orig 2010-05-19 15:14:45.000000000 +0100
++++ Doc/library/asyncore.rst 2010-11-22 18:11:58.000000000 +0000
+@@ -211,10 +211,13 @@
+ .. method:: accept()
+
+ Accept a connection. The socket must be bound to an address and listening
+- for connections. The return value is a pair ``(conn, address)`` where
+- *conn* is a *new* socket object usable to send and receive data on the
+- connection, and *address* is the address bound to the socket on the other
+- end of the connection.
++ for connections. The return value can be either ``None`` or a pair
++ ``(conn, address)`` where *conn* is a *new* socket object usable to send
++ and receive data on the connection, and *address* is the address bound to
++ the socket on the other end of the connection.
++ When ``None`` is returned it means the connection didn't take place, in
++ which case the server should just ignore this event and keep listening
++ for further incoming connections.
+
+
+ .. method:: close()
+@@ -224,6 +227,12 @@
+ flushed). Sockets are automatically closed when they are
+ garbage-collected.
+
++.. class:: dispatcher_with_send()
++
++ A :class:`dispatcher` subclass which adds simple buffered output capability,
++ useful for simple clients. For more sophisticated usage use
++ :class:`asynchat.async_chat`.
++
+ .. class:: file_dispatcher()
+
+ A file_dispatcher takes a file descriptor or file object along with an
+@@ -240,7 +249,7 @@
+ socket for use by the :class:`file_dispatcher` class. Availability: UNIX.
+
+
+-.. _asyncore-example:
++.. _asyncore-example-1:
+
+ asyncore Example basic HTTP client
+ ----------------------------------
+@@ -250,7 +259,7 @@
+
+ import asyncore, socket
+
+- class http_client(asyncore.dispatcher):
++ class HTTPClient(asyncore.dispatcher):
+
+ def __init__(self, host, path):
+ asyncore.dispatcher.__init__(self)
+@@ -274,6 +283,45 @@
+ sent = self.send(self.buffer)
+ self.buffer = self.buffer[sent:]
+
+- c = http_client('www.python.org', '/')
+
++ client = HTTPClient('www.python.org', '/')
+ asyncore.loop()
++
++.. _asyncore-example-2:
++
++asyncore Example basic echo server
++----------------------------------
++
++Here is abasic echo server that uses the :class:`dispatcher` class to accept
++connections and dispatches the incoming connections to a handler::
++
++ import asyncore
++ import socket
++
++ class EchoHandler(asyncore.dispatcher_with_send):
++
++ def handle_read(self):
++ data = self.recv(8192)
++ self.send(data)
++
++ class EchoServer(asyncore.dispatcher):
++
++ def __init__(self, host, port):
++ asyncore.dispatcher.__init__(self)
++ self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
++ self.set_reuse_addr()
++ self.bind((host, port))
++ self.listen(5)
++
++ def handle_accept(self):
++ pair = self.accept()
++ if pair is None:
++ pass
++ else:
++ sock, addr = pair
++ print 'Incoming connection from %s' % repr(addr)
++ handler = EchoHandler(sock)
++
++ server = EchoServer('localhost', 8080)
++ asyncore.loop()
++
diff --git a/lang/python26/patches/patch-bb b/lang/python26/patches/patch-bb
new file mode 100644
index 00000000000..7cde546eff2
--- /dev/null
+++ b/lang/python26/patches/patch-bb
@@ -0,0 +1,28 @@
+$NetBSD: patch-bb,v 1.1 2010/11/23 08:24:04 tron Exp $
+
+Fix for CVE-2010-3492, taken from the Python SVN repository:
+
+http://svn.python.org/view?view=rev&revision=86084
+
+--- Lib/asyncore.py.orig 2010-08-13 02:30:39.000000000 +0100
++++ Lib/asyncore.py 2010-11-22 18:13:52.000000000 +0000
+@@ -348,12 +348,15 @@
+ # XXX can return either an address pair or None
+ try:
+ conn, addr = self.socket.accept()
+- return conn, addr
+- except socket.error, why:
+- if why.args[0] == EWOULDBLOCK:
+- pass
++ except TypeError:
++ return None
++ except socket.error as why:
++ if why.args[0] in (EWOULDBLOCK, ECONNABORTED):
++ return None
+ else:
+ raise
++ else:
++ return conn, addr
+
+ def send(self, data):
+ try:
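Review bot: The new `except TypeError: return None` branch in accept() has no comment, so the patch does not say which failure it is meant to absorb, and it will also hide any unrelated TypeError raised inside `self.socket.accept()`. I would add a comment along the lines of `# accept() did not yield a (conn, addr) pair; report "no connection" to the caller` and replace the stale `# XXX can return either an address pair or None` line with a plain statement of that contract. Because accept() now returns None for ECONNABORTED as well as EWOULDBLOCK, every `handle_accept` that unpacks the result directly needs a `None` check. The hunk does not show whether `ECONNABORTED` is already imported from errno in asyncore.py, which is worth confirming. The body of accept() starts above the embedded hunk.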
diff --git a/lang/python26/patches/patch-bc b/lang/python26/patches/patch-bc
new file mode 100644
index 00000000000..346ea056b15
--- /dev/null
+++ b/lang/python26/patches/patch-bc
@@ -0,0 +1,86 @@
+$NetBSD: patch-bc,v 1.1 2010/11/23 08:24:04 tron Exp $
+
+Fix for CVE-2010-3492 and CVE-2010-3493, taken from the Python SVN repository:
+
+http://svn.python.org/view?view=rev&revision=86084
+
+--- Lib/smtpd2.6.py.orig 2010-11-22 18:18:59.000000000 +0000
++++ Lib/smtpd2.6.py 2010-11-22 18:19:03.000000000 +0000
+@@ -35,7 +35,6 @@
+ and if remoteport is not given, then 25 is used.
+ """
+
+-
+ # Overview:
+ #
+ # This file implements the minimal SMTP protocol as defined in RFC 821. It
+@@ -96,7 +95,6 @@
+ COMMASPACE = ', '
+
+
+-
+ def usage(code, msg=''):
+ print >> sys.stderr, __doc__ % globals()
+ if msg:
+@@ -104,7 +102,6 @@
+ sys.exit(code)
+
+
+-
+ class SMTPChannel(asynchat.async_chat):
+ COMMAND = 0
+ DATA = 1
+@@ -276,7 +273,6 @@
+ self.push('354 End data with <CR><LF>.<CR><LF>')
+
+
+-
+ class SMTPServer(asyncore.dispatcher):
+ def __init__(self, localaddr, remoteaddr):
+ self._localaddr = localaddr
+@@ -331,7 +327,6 @@
+ raise NotImplementedError
+
+
+-
+ class DebuggingServer(SMTPServer):
+ # Do something with the gathered message
+ def process_message(self, peer, mailfrom, rcpttos, data):
+@@ -347,7 +342,6 @@
+ print '------------ END MESSAGE ------------'
+
+
+-
+ class PureProxy(SMTPServer):
+ def process_message(self, peer, mailfrom, rcpttos, data):
+ lines = data.split('\n')
+@@ -388,7 +382,6 @@
+ return refused
+
+
+-
+ class MailmanProxy(PureProxy):
+ def process_message(self, peer, mailfrom, rcpttos, data):
+ from cStringIO import StringIO
+@@ -467,13 +460,11 @@
+ msg.Enqueue(mlist, torequest=1)
+
+
+-
+ class Options:
+ setuid = 1
+ classname = 'PureProxy'
+
+
+-
+ def parseargs():
+ global DEBUGSTREAM
+ try:
+@@ -530,7 +521,6 @@
+ return options
+
+
+-
+ if __name__ == '__main__':
+ options = parseargs()
+ # Become nobody
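Review bot: The embedded hunks in patch-bc only delete blank lines, yet its header says it fixes CVE-2010-3492 and CVE-2010-3493, and this same commit deletes patch-aw, which carried the actual smtpd changes (the `getpeername()` try/except for ENOTCONN and the `if pair is not None:` check in `handle_accept`). Nothing in the 86 lines shown touches `SMTPChannel.__init__` or `SMTPServer.handle_accept`, so after this commit smtpd appears to lose the CVE-2010-3493 fix. Meanwhile patch-bb makes asyncore's accept() return None in more cases, which an unguarded `conn, addr = self.accept()` would turn into a TypeError. The `.orig` and new timestamps are four seconds apart, which suggests the diff may have been taken against an already-patched copy. The patch should be regenerated against the pristine Lib/smtpd.py so that those two hunks are included, and the patch-bc checksum in distinfo updated to match.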