#28 F28: Security fix for CVE-2018-1000802 (#1631662)
Merged 5 years ago by churchyard. Opened 5 years ago by churchyard.
rpms/ churchyard/python2 f28-309  into  f28

@@ -0,0 +1,61 @@ 

+ From add531a1e55b0a739b0f42582f1c9747e5649ace Mon Sep 17 00:00:00 2001

+ From: Benjamin Peterson <benjamin@python.org>

+ Date: Tue, 28 Aug 2018 22:12:56 -0700

+ Subject: [PATCH] closes bpo-34540: Convert shutil._call_external_zip to use

+  subprocess rather than distutils.spawn.

+ 

+ ---

+  Lib/shutil.py                                    | 16 ++++++++++------

+  .../2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst     |  3 +++

+  2 files changed, 13 insertions(+), 6 deletions(-)

+  create mode 100644 Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst

+ 

+ diff --git a/Lib/shutil.py b/Lib/shutil.py

+ index 3462f7c5e91c..0ab1a06f5260 100644

+ --- a/Lib/shutil.py

+ +++ b/Lib/shutil.py

+ @@ -413,17 +413,21 @@ def _set_uid_gid(tarinfo):

+  

+      return archive_name

+  

+ -def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False):

+ +def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger):

+      # XXX see if we want to keep an external call here

+      if verbose:

+          zipoptions = "-r"

+      else:

+          zipoptions = "-rq"

+ -    from distutils.errors import DistutilsExecError

+ -    from distutils.spawn import spawn

+ +    cmd = ["zip", zipoptions, zip_filename, base_dir]

+ +    if logger is not None:

+ +        logger.info(' '.join(cmd))

+ +    if dry_run:

+ +        return

+ +    import subprocess

+      try:

+ -        spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run)

+ -    except DistutilsExecError:

+ +        subprocess.check_call(cmd)

+ +    except subprocess.CalledProcessError:

+          # XXX really should distinguish between "couldn't find

+          # external 'zip' command" and "zip failed".

+          raise ExecError, \

+ @@ -458,7 +462,7 @@ def _make_zipfile(base_name, base_dir, verbose=0, dry_run=0, logger=None):

+          zipfile = None

+  

+      if zipfile is None:

+ -        _call_external_zip(base_dir, zip_filename, verbose, dry_run)

+ +        _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger)

+      else:

+          if logger is not None:

+              logger.info("creating '%s' and adding '%s' to it",

+ diff --git a/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst

+ new file mode 100644

+ index 000000000000..4f686962a87b

+ --- /dev/null

+ +++ b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst

+ @@ -0,0 +1,3 @@

+ +When ``shutil.make_archive`` falls back to the external ``zip`` problem, it

+ +uses :mod:`subprocess` to invoke it rather than :mod:`distutils.spawn`. This

+ +closes a possible shell injection vector.

file modified
+16 -1
@@ -70,6 +70,10 @@ 

  # available in /usr/bin when Python is built. Also, the bytecompilation fails

  # on files that test invalid syntax.

  %undefine __brp_python_bytecompile

+ # The above is broken now

+ # https://bugzilla.redhat.com/show_bug.cgi?id=1597664

+ # This is an older non-standard way to disable the brp script, as a workaround

+ %undefine py_auto_byte_compile

  

  # We need to get a newer configure generated out of configure.in for the following

  # patches:
@@ -108,7 +112,7 @@ 

  Name: %{python}

  # Remember to also rebase python2-docs when changing this:

  Version: 2.7.15

- Release: 2%{?dist}

+ Release: 3%{?dist}

  License: Python

  Group: Development/Languages

  Requires: %{python}-libs%{?_isa} = %{version}-%{release}
@@ -734,6 +738,13 @@ 

  # (we handle it it in Setup.dist, see Patch0)

  Patch289: 00289-disable-nis-detection.patch

  

+ # 00309 #

+ # CVE-2018-1000802

+ # shutil._call_external_zip to use subprocess instead of distutils.spawn

+ # rhbz#1631662

+ # Fixed upstream https://bugs.python.org/issue34540

+ Patch309: 00309-shutil-spawn-subprocess.patch

+ 

  # (New patches go here ^^^)

  #

  # When adding new patches to "python2" and "python3" in Fedora, EL, etc.,
@@ -1049,6 +1060,7 @@ 

  %endif

  %patch288 -p1

  %patch289 -p1

+ %patch309 -p1

  

  

  %if 0%{?_module_build}
@@ -1952,6 +1964,9 @@ 

  # ======================================================

  

  %changelog

+ * Fri Sep 21 2018 Miro Hrončok <mhroncok@redhat.com> - 2.7.15-3

+ - Security fix for CVE-2018-1000802 (#1631662)

+ 

  * Tue May 15 2018 Charalampos Stratakis <cstratak@redhat.com> - 2.7.15-2

  - Fix loading of the gdb python plugin (rhbz#1578001)