diff options
Diffstat (limited to 'extra/python')
| -rw-r--r-- | extra/python/PKGBUILD | 15 | ||||
| -rw-r--r-- | extra/python/python-3.3.2-CVE-2013-2099.patch | 50 |
2 files changed, 59 insertions, 6 deletions
diff --git a/extra/python/PKGBUILD b/extra/python/PKGBUILD index 0d2f87b48..d295893d5 100644 --- a/extra/python/PKGBUILD +++ b/extra/python/PKGBUILD @@ -1,10 +1,10 @@ -# $Id: PKGBUILD 182150 2013-04-08 10:27:25Z stephane $ +# $Id: PKGBUILD 186286 2013-05-23 20:40:14Z stephane $ # Maintainer: Stéphane Gaudreault <stephane@archlinux.org> # Contributor: Allan McRae <allan@archlinux.org> # Contributor: Jason Chu <jason@archlinux.org> pkgname=python -pkgver=3.3.1 +pkgver=3.3.2 pkgrel=1 _pybasever=3.3 pkgdesc="Next generation of the python high-level scripting language" @@ -17,8 +17,10 @@ optdepends=('tk: for tkinter' 'sqlite') provides=('python3') replaces=('python3') options=('!makeflags') -source=(http://www.python.org/ftp/python/${pkgver%rc*}/Python-${pkgver}.tar.xz) -sha1sums=('393d7302c48bc911cd7faa7fa9b5fbcb9919bddc') +source=(http://www.python.org/ftp/python/${pkgver%rc*}/Python-${pkgver}.tar.xz + python-3.3.2-CVE-2013-2099.patch) +sha1sums=('87009d0c156c6e1354dfec5c98c328cae93950ad' + 'b7a386b2e2f0811b344898500860ec31ba81ed4d') build() { cd "${srcdir}/Python-${pkgver}" @@ -32,6 +34,8 @@ build() { rm -r Modules/zlib rm -r Modules/_ctypes/{darwin,libffi}* + patch -Np1 -i ../python-3.3.2-CVE-2013-2099.patch + ./configure --prefix=/usr \ --enable-shared \ --with-threads \ @@ -48,8 +52,7 @@ build() { check() { cd "${srcdir}/Python-${pkgver}" LD_LIBRARY_PATH="${srcdir}/Python-${pkgver}":${LD_LIBRARY_PATH} \ - "${srcdir}/Python-${pkgver}/python" -m test.regrtest -x test_distutils test_site \ - test_urllib test_uuid test_pydoc test_logging + "${srcdir}/Python-${pkgver}/python" -m test.regrtest -x test_posixpath test_logging } package() { diff --git a/extra/python/python-3.3.2-CVE-2013-2099.patch b/extra/python/python-3.3.2-CVE-2013-2099.patch new file mode 100644 index 000000000..8162d8e54 --- /dev/null +++ b/extra/python/python-3.3.2-CVE-2013-2099.patch @@ -0,0 +1,50 @@ + +# HG changeset patch +# User Antoine Pitrou <solipsis@pitrou.net> +# Date 1368892602 -7200 +# Node ID c627638753e2d25a98950585b259104a025937a9 +# Parent 9682241dc8fcb4b1aef083bd30860efa070c3d6d +Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099). + +diff --git a/Lib/ssl.py b/Lib/ssl.py +--- a/Lib/ssl.py ++++ b/Lib/ssl.py +@@ -129,9 +129,16 @@ class CertificateError(ValueError): + pass + + +-def _dnsname_to_pat(dn): ++def _dnsname_to_pat(dn, max_wildcards=1): + pats = [] + for frag in dn.split(r'.'): ++ if frag.count('*') > max_wildcards: ++ # Issue #17980: avoid denials of service by refusing more ++ # than one wildcard per fragment. A survery of established ++ # policy among SSL implementations showed it to be a ++ # reasonable choice. ++ raise CertificateError( ++ "too many wildcards in certificate DNS name: " + repr(dn)) + if frag == '*': + # When '*' is a fragment by itself, it matches a non-empty dotless + # fragment. +diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py +--- a/Lib/test/test_ssl.py ++++ b/Lib/test/test_ssl.py +@@ -349,6 +349,17 @@ class BasicSocketTests(unittest.TestCase + self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com') + self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com') + ++ # Issue #17980: avoid denials of service by refusing more than one ++ # wildcard per fragment. ++ cert = {'subject': ((('commonName', 'a*b.com'),),)} ++ ok(cert, 'axxb.com') ++ cert = {'subject': ((('commonName', 'a*b.co*'),),)} ++ ok(cert, 'axxb.com') ++ cert = {'subject': ((('commonName', 'a*b*.com'),),)} ++ with self.assertRaises(ssl.CertificateError) as cm: ++ ssl.match_hostname(cert, 'axxbxxc.com') ++ self.assertIn("too many wildcards", str(cm.exception)) ++ + def test_server_side(self): + # server_hostname doesn't work for server sockets + ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) |