[Frugalware-darcs] frugalware-0.6: python-2.5-3terminus2-i686

voroskoi voroskoi at frugalware.org
Fri Sep 7 10:00:33 CEST 2007


Darcsweb-Url: http://darcs.frugalware.org/darcsweb/darcsweb.cgi?r=frugalware-0.6;a=darcs_commitdiff;h=20070907074127-dd049-f03e19d97b070533c4835512f0161cee45e83dc5.gz;

[python-2.5-3terminus2-i686
voroskoi <voroskoi at frugalware.org>**20070907074127
 secfix relbump, closes #2382
] {
hunk ./source/devel/python/FrugalBuild 7
-pkgrel=3terminus1
+pkgrel=3terminus2
hunk ./source/devel/python/FrugalBuild 20
-	CVE-2007-2052.diff)
-signatures=(http://www.python.org/download/releases/$pkgver/Python-$pkgver.tar.bz2.asc '' '' '' '')
+	CVE-2007-2052.diff insecure_pathnames.diff)
+signatures=(http://www.python.org/download/releases/$pkgver/Python-$pkgver.tar.bz2.asc '' '' '' '' '')
addfile ./source/devel/python/insecure_pathnames.diff
hunk ./source/devel/python/insecure_pathnames.diff 1
+From: http://bugs.python.org/file8339/insecure_pathnames.diff
+
+Index: Lib/tarfile.py
+===================================================================
+--- a/Lib/tarfile.py	(revision 57571)
++++ b/Lib/tarfile.py	(working copy)
+@@ -340,6 +340,9 @@
+ class ExtractError(TarError):
+     """General exception for extract errors."""
+     pass
++class SecurityError(ExtractError):
++    """Exception for insecure pathnames."""
++    pass
+ class ReadError(TarError):
+     """Exception for unreadble tar archives."""
+     pass
+@@ -2006,12 +2009,13 @@
+ 
+         self.members.append(tarinfo)
+ 
+-    def extractall(self, path=".", members=None):
++    def extractall(self, path=".", members=None, check_paths=True):
+         """Extract all members from the archive to the current working
+            directory and set owner, modification time and permissions on
+            directories afterwards. `path' specifies a different directory
+            to extract to. `members' is optional and must be a subset of the
+-           list returned by getmembers().
++           list returned by getmembers(). If `check_paths' is True insecure
++           pathnames are not extracted.
+         """
+         directories = []
+ 
+@@ -2019,6 +2023,20 @@
+             members = self
+ 
+         for tarinfo in members:
++            if check_paths:
++                try:
++                    self._check_path(tarinfo.name)
++                    if tarinfo.islnk():
++                        self._check_path(tarinfo.linkname)
++                    if tarinfo.issym():
++                        self._check_path(os.path.join(tarinfo.name, tarinfo.linkname))
++                except SecurityError, e:
++                    if self.errorlevel > 1:
++                        raise
++                    else:
++                        self._dbg(1, "tarfile: %s" % e)
++                        continue
++
+             if tarinfo.isdir():
+                 # Extract directory with a safe mode, so that
+                 # all files below can be extracted as well.
+@@ -2329,6 +2347,15 @@
+     #--------------------------------------------------------------------------
+     # Little helper methods:
+ 
++    def _check_path(self, path):
++        """Raise an SecurityError if `path' is an insecure pathname.
++        """
++        path = normpath(path)
++        if path.startswith("/"):
++            raise SecurityError("found insecure absolute path %r" % path)
++        if path.startswith("../"):
++            raise SecurityError("found insecure relative path %r" % path)
++
+     def _getmember(self, name, tarinfo=None):
+         """Find an archive member by name from bottom to top.
+            If tarinfo is given, it is used as the starting point.
}


More information about the Frugalware-darcs mailing list