PR#1: Fix CVE-2021-40839 - rpms/python-rencode

rpms / python-rencode

#1 Fix CVE-2021-40839

Merged 2 years ago by sergiomb. Opened 2 years ago by sergiomb.

Unknown source rawhide into rawhide

Fix CVE-2021-40839

Sérgio M. Basto • 2 years ago

4045ac7

python-rencode.spec

file modified

+8 -2

		`@@ -2,7 +2,7 @@`

		`Name: python-rencode`
		`Version: 1.0.6`
		`- Release: 16%{?dist}`
		`+ Release: 17%{?dist}`
		`Summary: Web safe object pickling/unpickling`
		`License: GPLv3+ and BSD`
		`URL: https://github.com/aresch/rencode`
		`@@ -14,6 +14,7 @@`
		`# to be updated.`
		`# https://github.com/aresch/rencode/issues/22`
		`Source1: https://raw.githubusercontent.com/aresch/rencode/53d72ac53d9df007aad3a980f049a80d81836619/rencode/rencode.pyx`
		`+ Patch1: https://github.com/aresch/rencode/compare/v1.0.6...572ff74586d9b1daab904c6f7f7009ce0143bb75.diff`

		`BuildRequires: gcc`

		`@@ -43,12 +44,14 @@`


		`%prep`
		`- %autosetup -n rencode-%{version}`
hobbes1069 commented 2 years ago Could be updated to %autosetup -p1 -n rencode-%{version}
		`+ %setup -n rencode-%{version}`
		`cp -a %{SOURCE1} ./rencode`

		`# Make sure we rebuild the module`
		`rm -f ./rencode/rencode.c`

		`+ %patch1 -p1`
		`+`
		`%build`
		`%py3_build`

		`@@ -72,6 +75,9 @@`


		`%changelog`
		`+ * Tue Jan 25 2022 Sérgio Basto <sergio@serjux.com> - 1.0.6-17`
		`+ - Fix CVE-2021-40839`
		`+`
		`* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.6-16`
		`- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild`

v1.0.6...572ff74586d9b1daab904c6f7f7009ce0143bb75.diff

file added

+1395

The added file is too large to be shown here, see it at: v1.0.6...572ff74586d9b1daab904c6f7f7009ce0143bb75.diff

sergiomb commented 2 years ago

I'd like fix this CVE , the bugs have been open for quite some time .

If you want, I can commit and build it as proven packager

Thank you

hobbes1069 commented on line 22 of python-rencode.spec 2 years ago

Could be updated to %autosetup -p1 -n rencode-%{version}

hobbes1069 commented 2 years ago

The source diff seems largely superfluous, changing spacing and '' with "". What's the ACTUAL difference? I think a minimal patch for the real changes would be preferred.

churchyard commented 2 years ago

This is the entire diff between v1.0.6 tag and 572ff74586d9b1daab904c6f7f7009ce0143bb75a. Would it make more sense to package a git snapshot instead if backporting the actual fixer is problematic?

sergiomb commented 2 years ago

after testing , I think this PR is the best solution .
I can't use %autosetup because misses a file and do a snapshot requires change versions , upload sources etc .
In this way we just apply the latest 18 commits

hobbes1069 commented 2 years ago

after testing , I think this PR is the best solution .
I can't use %autosetup because misses a file and do a snapshot requires change versions , upload sources etc .
In this way we just apply the latest 18 commits

True, but the majority of the patch is for rencode.py, why not just check the patched version into git. Sure, you won't have the URL anymore but it just seems silly to download a separate source from a github url and then turn around and patch it.

Pull-Request has been merged by sergiomb

2 years ago