[arch-commits] Commit in python/repos (8 files)

Stéphane Gaudreault stephane at nymeria.archlinux.org
Thu May 23 16:40:15 EDT 2013


    Date: Thursday, May 23, 2013 @ 22:40:14
  Author: stephane
Revision: 186286

db-move: moved python from [testing] to [extra] (i686, x86_64)

Added:
  python/repos/extra-i686/PKGBUILD
    (from rev 186284, python/repos/testing-i686/PKGBUILD)
  python/repos/extra-i686/python-3.3.2-CVE-2013-2099.patch
    (from rev 186284, python/repos/testing-i686/python-3.3.2-CVE-2013-2099.patch)
  python/repos/extra-x86_64/PKGBUILD
    (from rev 186284, python/repos/testing-x86_64/PKGBUILD)
  python/repos/extra-x86_64/python-3.3.2-CVE-2013-2099.patch
    (from rev 186284, python/repos/testing-x86_64/python-3.3.2-CVE-2013-2099.patch)
Deleted:
  python/repos/extra-i686/PKGBUILD
  python/repos/extra-x86_64/PKGBUILD
  python/repos/testing-i686/
  python/repos/testing-x86_64/

-----------------------------------------------+
 /PKGBUILD                                     |  156 ++++++++++++++++++++++++
 extra-i686/PKGBUILD                           |   75 -----------
 extra-i686/python-3.3.2-CVE-2013-2099.patch   |   50 +++++++
 extra-x86_64/PKGBUILD                         |   75 -----------
 extra-x86_64/python-3.3.2-CVE-2013-2099.patch |   50 +++++++
 5 files changed, 256 insertions(+), 150 deletions(-)

Deleted: extra-i686/PKGBUILD
===================================================================
--- extra-i686/PKGBUILD	2013-05-23 20:40:13 UTC (rev 186285)
+++ extra-i686/PKGBUILD	2013-05-23 20:40:14 UTC (rev 186286)
@@ -1,75 +0,0 @@
-# $Id$
-# Maintainer: Stéphane Gaudreault <stephane at archlinux.org>
-# Contributor: Allan McRae <allan at archlinux.org>
-# Contributor: Jason Chu <jason at archlinux.org>
-
-pkgname=python
-pkgver=3.3.1
-pkgrel=1
-_pybasever=3.3
-pkgdesc="Next generation of the python high-level scripting language"
-arch=('i686' 'x86_64')
-license=('custom')
-url="http://www.python.org/"
-depends=('expat' 'bzip2' 'gdbm' 'openssl' 'libffi' 'zlib')
-makedepends=('tk>=8.6.0' 'sqlite' 'valgrind' 'bluez')
-optdepends=('tk: for tkinter' 'sqlite')
-provides=('python3')
-replaces=('python3')
-options=('!makeflags')
-source=(http://www.python.org/ftp/python/${pkgver%rc*}/Python-${pkgver}.tar.xz)
-sha1sums=('393d7302c48bc911cd7faa7fa9b5fbcb9919bddc')
-
-build() {
-  cd "${srcdir}/Python-${pkgver}"
-
-  # FS#23997
-  sed -i -e "s|^#.* /usr/local/bin/python|#!/usr/bin/python|" Lib/cgi.py
-
-  # Ensure that we are using the system copy of various libraries (expat, zlib and libffi),
-  # rather than copies shipped in the tarball
-  rm -r Modules/expat
-  rm -r Modules/zlib
-  rm -r Modules/_ctypes/{darwin,libffi}*
-
-  ./configure --prefix=/usr \
-              --enable-shared \
-              --with-threads \
-              --with-computed-gotos \
-              --enable-ipv6 \
-              --with-valgrind \
-              --with-system-expat \
-              --with-dbmliborder=gdbm:ndbm \
-              --with-system-ffi
-
-  make
-}
-
-check() {
-  cd "${srcdir}/Python-${pkgver}"
-  LD_LIBRARY_PATH="${srcdir}/Python-${pkgver}":${LD_LIBRARY_PATH} \
-     "${srcdir}/Python-${pkgver}/python" -m test.regrtest -x test_distutils test_site \
-     test_urllib test_uuid test_pydoc test_logging
-}
-
-package() {
-  cd "${srcdir}/Python-${pkgver}"
-  make DESTDIR="${pkgdir}" install maninstall
-
-  # Why are these not done by default...
-  ln -sf python3               "${pkgdir}/usr/bin/python"
-  ln -sf python3-config        "${pkgdir}/usr/bin/python-config"
-  ln -sf idle3                 "${pkgdir}/usr/bin/idle"
-  ln -sf pydoc3                "${pkgdir}/usr/bin/pydoc"
-  ln -sf python${_pybasever}.1 "${pkgdir}/usr/share/man/man1/python3.1"
-
-  # Fix FS#22552
-  ln -sf ../../libpython${_pybasever}m.so \
-    "${pkgdir}/usr/lib/python${_pybasever}/config-${_pybasever}m/libpython${_pybasever}m.so"
-
-  # Clean-up reference to build directory
-  sed -i "s|$srcdir/Python-${pkgver}:||" "$pkgdir/usr/lib/python${_pybasever}/config-${_pybasever}m/Makefile"
-
-  # License
-  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
-}

Copied: python/repos/extra-i686/PKGBUILD (from rev 186284, python/repos/testing-i686/PKGBUILD)
===================================================================
--- extra-i686/PKGBUILD	                        (rev 0)
+++ extra-i686/PKGBUILD	2013-05-23 20:40:14 UTC (rev 186286)
@@ -0,0 +1,78 @@
+# $Id$
+# Maintainer: Stéphane Gaudreault <stephane at archlinux.org>
+# Contributor: Allan McRae <allan at archlinux.org>
+# Contributor: Jason Chu <jason at archlinux.org>
+
+pkgname=python
+pkgver=3.3.2
+pkgrel=1
+_pybasever=3.3
+pkgdesc="Next generation of the python high-level scripting language"
+arch=('i686' 'x86_64')
+license=('custom')
+url="http://www.python.org/"
+depends=('expat' 'bzip2' 'gdbm' 'openssl' 'libffi' 'zlib')
+makedepends=('tk>=8.6.0' 'sqlite' 'valgrind' 'bluez')
+optdepends=('tk: for tkinter' 'sqlite')
+provides=('python3')
+replaces=('python3')
+options=('!makeflags')
+source=(http://www.python.org/ftp/python/${pkgver%rc*}/Python-${pkgver}.tar.xz
+        python-3.3.2-CVE-2013-2099.patch)
+sha1sums=('87009d0c156c6e1354dfec5c98c328cae93950ad'
+          'b7a386b2e2f0811b344898500860ec31ba81ed4d')
+
+build() {
+  cd "${srcdir}/Python-${pkgver}"
+
+  # FS#23997
+  sed -i -e "s|^#.* /usr/local/bin/python|#!/usr/bin/python|" Lib/cgi.py
+
+  # Ensure that we are using the system copy of various libraries (expat, zlib and libffi),
+  # rather than copies shipped in the tarball
+  rm -r Modules/expat
+  rm -r Modules/zlib
+  rm -r Modules/_ctypes/{darwin,libffi}*
+
+  patch -Np1 -i ../python-3.3.2-CVE-2013-2099.patch
+
+  ./configure --prefix=/usr \
+              --enable-shared \
+              --with-threads \
+              --with-computed-gotos \
+              --enable-ipv6 \
+              --with-valgrind \
+              --with-system-expat \
+              --with-dbmliborder=gdbm:ndbm \
+              --with-system-ffi
+
+  make
+}
+
+check() {
+  cd "${srcdir}/Python-${pkgver}"
+  LD_LIBRARY_PATH="${srcdir}/Python-${pkgver}":${LD_LIBRARY_PATH} \
+     "${srcdir}/Python-${pkgver}/python" -m test.regrtest -x test_posixpath test_logging
+}
+
+package() {
+  cd "${srcdir}/Python-${pkgver}"
+  make DESTDIR="${pkgdir}" install maninstall
+
+  # Why are these not done by default...
+  ln -sf python3               "${pkgdir}/usr/bin/python"
+  ln -sf python3-config        "${pkgdir}/usr/bin/python-config"
+  ln -sf idle3                 "${pkgdir}/usr/bin/idle"
+  ln -sf pydoc3                "${pkgdir}/usr/bin/pydoc"
+  ln -sf python${_pybasever}.1 "${pkgdir}/usr/share/man/man1/python3.1"
+
+  # Fix FS#22552
+  ln -sf ../../libpython${_pybasever}m.so \
+    "${pkgdir}/usr/lib/python${_pybasever}/config-${_pybasever}m/libpython${_pybasever}m.so"
+
+  # Clean-up reference to build directory
+  sed -i "s|$srcdir/Python-${pkgver}:||" "$pkgdir/usr/lib/python${_pybasever}/config-${_pybasever}m/Makefile"
+
+  # License
+  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
+}

Copied: python/repos/extra-i686/python-3.3.2-CVE-2013-2099.patch (from rev 186284, python/repos/testing-i686/python-3.3.2-CVE-2013-2099.patch)
===================================================================
--- extra-i686/python-3.3.2-CVE-2013-2099.patch	                        (rev 0)
+++ extra-i686/python-3.3.2-CVE-2013-2099.patch	2013-05-23 20:40:14 UTC (rev 186286)
@@ -0,0 +1,50 @@
+
+# HG changeset patch
+# User Antoine Pitrou <solipsis at pitrou.net>
+# Date 1368892602 -7200
+# Node ID c627638753e2d25a98950585b259104a025937a9
+# Parent  9682241dc8fcb4b1aef083bd30860efa070c3d6d
+Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
+
+diff --git a/Lib/ssl.py b/Lib/ssl.py
+--- a/Lib/ssl.py
++++ b/Lib/ssl.py
+@@ -129,9 +129,16 @@ class CertificateError(ValueError):
+     pass
+ 
+ 
+-def _dnsname_to_pat(dn):
++def _dnsname_to_pat(dn, max_wildcards=1):
+     pats = []
+     for frag in dn.split(r'.'):
++        if frag.count('*') > max_wildcards:
++            # Issue #17980: avoid denials of service by refusing more
++            # than one wildcard per fragment.  A survery of established
++            # policy among SSL implementations showed it to be a
++            # reasonable choice.
++            raise CertificateError(
++                "too many wildcards in certificate DNS name: " + repr(dn))
+         if frag == '*':
+             # When '*' is a fragment by itself, it matches a non-empty dotless
+             # fragment.
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -349,6 +349,17 @@ class BasicSocketTests(unittest.TestCase
+         self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
+         self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
+ 
++        # Issue #17980: avoid denials of service by refusing more than one
++        # wildcard per fragment.
++        cert = {'subject': ((('commonName', 'a*b.com'),),)}
++        ok(cert, 'axxb.com')
++        cert = {'subject': ((('commonName', 'a*b.co*'),),)}
++        ok(cert, 'axxb.com')
++        cert = {'subject': ((('commonName', 'a*b*.com'),),)}
++        with self.assertRaises(ssl.CertificateError) as cm:
++            ssl.match_hostname(cert, 'axxbxxc.com')
++        self.assertIn("too many wildcards", str(cm.exception))
++
+     def test_server_side(self):
+         # server_hostname doesn't work for server sockets
+         ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

Deleted: extra-x86_64/PKGBUILD
===================================================================
--- extra-x86_64/PKGBUILD	2013-05-23 20:40:13 UTC (rev 186285)
+++ extra-x86_64/PKGBUILD	2013-05-23 20:40:14 UTC (rev 186286)
@@ -1,75 +0,0 @@
-# $Id$
-# Maintainer: Stéphane Gaudreault <stephane at archlinux.org>
-# Contributor: Allan McRae <allan at archlinux.org>
-# Contributor: Jason Chu <jason at archlinux.org>
-
-pkgname=python
-pkgver=3.3.1
-pkgrel=1
-_pybasever=3.3
-pkgdesc="Next generation of the python high-level scripting language"
-arch=('i686' 'x86_64')
-license=('custom')
-url="http://www.python.org/"
-depends=('expat' 'bzip2' 'gdbm' 'openssl' 'libffi' 'zlib')
-makedepends=('tk>=8.6.0' 'sqlite' 'valgrind' 'bluez')
-optdepends=('tk: for tkinter' 'sqlite')
-provides=('python3')
-replaces=('python3')
-options=('!makeflags')
-source=(http://www.python.org/ftp/python/${pkgver%rc*}/Python-${pkgver}.tar.xz)
-sha1sums=('393d7302c48bc911cd7faa7fa9b5fbcb9919bddc')
-
-build() {
-  cd "${srcdir}/Python-${pkgver}"
-
-  # FS#23997
-  sed -i -e "s|^#.* /usr/local/bin/python|#!/usr/bin/python|" Lib/cgi.py
-
-  # Ensure that we are using the system copy of various libraries (expat, zlib and libffi),
-  # rather than copies shipped in the tarball
-  rm -r Modules/expat
-  rm -r Modules/zlib
-  rm -r Modules/_ctypes/{darwin,libffi}*
-
-  ./configure --prefix=/usr \
-              --enable-shared \
-              --with-threads \
-              --with-computed-gotos \
-              --enable-ipv6 \
-              --with-valgrind \
-              --with-system-expat \
-              --with-dbmliborder=gdbm:ndbm \
-              --with-system-ffi
-
-  make
-}
-
-check() {
-  cd "${srcdir}/Python-${pkgver}"
-  LD_LIBRARY_PATH="${srcdir}/Python-${pkgver}":${LD_LIBRARY_PATH} \
-     "${srcdir}/Python-${pkgver}/python" -m test.regrtest -x test_distutils test_site \
-     test_urllib test_uuid test_pydoc test_logging
-}
-
-package() {
-  cd "${srcdir}/Python-${pkgver}"
-  make DESTDIR="${pkgdir}" install maninstall
-
-  # Why are these not done by default...
-  ln -sf python3               "${pkgdir}/usr/bin/python"
-  ln -sf python3-config        "${pkgdir}/usr/bin/python-config"
-  ln -sf idle3                 "${pkgdir}/usr/bin/idle"
-  ln -sf pydoc3                "${pkgdir}/usr/bin/pydoc"
-  ln -sf python${_pybasever}.1 "${pkgdir}/usr/share/man/man1/python3.1"
-
-  # Fix FS#22552
-  ln -sf ../../libpython${_pybasever}m.so \
-    "${pkgdir}/usr/lib/python${_pybasever}/config-${_pybasever}m/libpython${_pybasever}m.so"
-
-  # Clean-up reference to build directory
-  sed -i "s|$srcdir/Python-${pkgver}:||" "$pkgdir/usr/lib/python${_pybasever}/config-${_pybasever}m/Makefile"
-
-  # License
-  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
-}

Copied: python/repos/extra-x86_64/PKGBUILD (from rev 186284, python/repos/testing-x86_64/PKGBUILD)
===================================================================
--- extra-x86_64/PKGBUILD	                        (rev 0)
+++ extra-x86_64/PKGBUILD	2013-05-23 20:40:14 UTC (rev 186286)
@@ -0,0 +1,78 @@
+# $Id$
+# Maintainer: Stéphane Gaudreault <stephane at archlinux.org>
+# Contributor: Allan McRae <allan at archlinux.org>
+# Contributor: Jason Chu <jason at archlinux.org>
+
+pkgname=python
+pkgver=3.3.2
+pkgrel=1
+_pybasever=3.3
+pkgdesc="Next generation of the python high-level scripting language"
+arch=('i686' 'x86_64')
+license=('custom')
+url="http://www.python.org/"
+depends=('expat' 'bzip2' 'gdbm' 'openssl' 'libffi' 'zlib')
+makedepends=('tk>=8.6.0' 'sqlite' 'valgrind' 'bluez')
+optdepends=('tk: for tkinter' 'sqlite')
+provides=('python3')
+replaces=('python3')
+options=('!makeflags')
+source=(http://www.python.org/ftp/python/${pkgver%rc*}/Python-${pkgver}.tar.xz
+        python-3.3.2-CVE-2013-2099.patch)
+sha1sums=('87009d0c156c6e1354dfec5c98c328cae93950ad'
+          'b7a386b2e2f0811b344898500860ec31ba81ed4d')
+
+build() {
+  cd "${srcdir}/Python-${pkgver}"
+
+  # FS#23997
+  sed -i -e "s|^#.* /usr/local/bin/python|#!/usr/bin/python|" Lib/cgi.py
+
+  # Ensure that we are using the system copy of various libraries (expat, zlib and libffi),
+  # rather than copies shipped in the tarball
+  rm -r Modules/expat
+  rm -r Modules/zlib
+  rm -r Modules/_ctypes/{darwin,libffi}*
+
+  patch -Np1 -i ../python-3.3.2-CVE-2013-2099.patch
+
+  ./configure --prefix=/usr \
+              --enable-shared \
+              --with-threads \
+              --with-computed-gotos \
+              --enable-ipv6 \
+              --with-valgrind \
+              --with-system-expat \
+              --with-dbmliborder=gdbm:ndbm \
+              --with-system-ffi
+
+  make
+}
+
+check() {
+  cd "${srcdir}/Python-${pkgver}"
+  LD_LIBRARY_PATH="${srcdir}/Python-${pkgver}":${LD_LIBRARY_PATH} \
+     "${srcdir}/Python-${pkgver}/python" -m test.regrtest -x test_posixpath test_logging
+}
+
+package() {
+  cd "${srcdir}/Python-${pkgver}"
+  make DESTDIR="${pkgdir}" install maninstall
+
+  # Why are these not done by default...
+  ln -sf python3               "${pkgdir}/usr/bin/python"
+  ln -sf python3-config        "${pkgdir}/usr/bin/python-config"
+  ln -sf idle3                 "${pkgdir}/usr/bin/idle"
+  ln -sf pydoc3                "${pkgdir}/usr/bin/pydoc"
+  ln -sf python${_pybasever}.1 "${pkgdir}/usr/share/man/man1/python3.1"
+
+  # Fix FS#22552
+  ln -sf ../../libpython${_pybasever}m.so \
+    "${pkgdir}/usr/lib/python${_pybasever}/config-${_pybasever}m/libpython${_pybasever}m.so"
+
+  # Clean-up reference to build directory
+  sed -i "s|$srcdir/Python-${pkgver}:||" "$pkgdir/usr/lib/python${_pybasever}/config-${_pybasever}m/Makefile"
+
+  # License
+  install -Dm644 LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
+}

Copied: python/repos/extra-x86_64/python-3.3.2-CVE-2013-2099.patch (from rev 186284, python/repos/testing-x86_64/python-3.3.2-CVE-2013-2099.patch)
===================================================================
--- extra-x86_64/python-3.3.2-CVE-2013-2099.patch	                        (rev 0)
+++ extra-x86_64/python-3.3.2-CVE-2013-2099.patch	2013-05-23 20:40:14 UTC (rev 186286)
@@ -0,0 +1,50 @@
+
+# HG changeset patch
+# User Antoine Pitrou <solipsis at pitrou.net>
+# Date 1368892602 -7200
+# Node ID c627638753e2d25a98950585b259104a025937a9
+# Parent  9682241dc8fcb4b1aef083bd30860efa070c3d6d
+Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
+
+diff --git a/Lib/ssl.py b/Lib/ssl.py
+--- a/Lib/ssl.py
++++ b/Lib/ssl.py
+@@ -129,9 +129,16 @@ class CertificateError(ValueError):
+     pass
+ 
+ 
+-def _dnsname_to_pat(dn):
++def _dnsname_to_pat(dn, max_wildcards=1):
+     pats = []
+     for frag in dn.split(r'.'):
++        if frag.count('*') > max_wildcards:
++            # Issue #17980: avoid denials of service by refusing more
++            # than one wildcard per fragment.  A survery of established
++            # policy among SSL implementations showed it to be a
++            # reasonable choice.
++            raise CertificateError(
++                "too many wildcards in certificate DNS name: " + repr(dn))
+         if frag == '*':
+             # When '*' is a fragment by itself, it matches a non-empty dotless
+             # fragment.
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -349,6 +349,17 @@ class BasicSocketTests(unittest.TestCase
+         self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
+         self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
+ 
++        # Issue #17980: avoid denials of service by refusing more than one
++        # wildcard per fragment.
++        cert = {'subject': ((('commonName', 'a*b.com'),),)}
++        ok(cert, 'axxb.com')
++        cert = {'subject': ((('commonName', 'a*b.co*'),),)}
++        ok(cert, 'axxb.com')
++        cert = {'subject': ((('commonName', 'a*b*.com'),),)}
++        with self.assertRaises(ssl.CertificateError) as cm:
++            ssl.match_hostname(cert, 'axxbxxc.com')
++        self.assertIn("too many wildcards", str(cm.exception))
++
+     def test_server_side(self):
+         # server_hostname doesn't work for server sockets
+         ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)



More information about the arch-commits mailing list