From ec549f64c923643d4b13dd7d364e080840ae3e29 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 16 Apr 2011 13:48:38 +0000 Subject: Sat Apr 16 13:48:38 UTC 2011 --- extra/fvwm-devel/PKGBUILD | 16 ++--- extra/fvwm/PKGBUILD | 37 ++++++---- extra/python/CVE-2011-1521.patch | 134 ++++++++++++++++++++++++++++++++++++ extra/python/PKGBUILD | 23 ++++--- extra/python2/CVE-2011-1521.patch | 98 ++++++++++++++++++++++++++ extra/python2/PKGBUILD | 22 +++--- extra/python2/python-2.7-db51.patch | 42 +++++++++++ 7 files changed, 334 insertions(+), 38 deletions(-) create mode 100644 extra/python/CVE-2011-1521.patch create mode 100644 extra/python2/CVE-2011-1521.patch create mode 100644 extra/python2/python-2.7-db51.patch (limited to 'extra') diff --git a/extra/fvwm-devel/PKGBUILD b/extra/fvwm-devel/PKGBUILD index f5fd92bc6..66d4180dd 100644 --- a/extra/fvwm-devel/PKGBUILD +++ b/extra/fvwm-devel/PKGBUILD @@ -1,9 +1,8 @@ -# $Id: PKGBUILD 87047 2010-08-10 02:32:22Z eric $ -# Maintainer: Eric Belanger -# Contributor: Tobias Kieslich +# $Id: PKGBUILD 119857 2011-04-16 04:00:46Z eric $ +# Maintainer: Eric Bélanger pkgname=fvwm-devel -pkgver=2.5.31 +pkgver=2.7.0 pkgrel=1 pkgdesc="A multiple large virtual desktop window manager originally derived from twm" arch=('i686' 'x86_64') @@ -13,10 +12,11 @@ depends=('imlib' 'fribidi' 'perl' 'libstroke' 'libxpm' 'readline' 'librsvg') makedepends=('pkg-config') conflicts=('fvwm') provides=("fvwm=${pkgver}") -changelog=ChangeLog source=(ftp://ftp.fvwm.org/pub/fvwm/version-2/fvwm-${pkgver}.tar.bz2 fvwm-devel.desktop) -md5sums=('bc0a64cee2b76a91b1b3f1aa716f564d' '3f5bcb246e035ff29aa5bf54487a3db4') -sha1sums=('0a59ac1c17f37dbfb1e042f4df3f86a5eb2d719c' '17db773870637b410ceb4f68743dbd517bc5c599') +md5sums=('c7dbb0c067f570e478005edb95dcccc3' + '3f5bcb246e035ff29aa5bf54487a3db4') +sha1sums=('bc8f84902b0926df171d059eff75780a25c8a97a' + '17db773870637b410ceb4f68743dbd517bc5c599') build() { cd "${srcdir}/fvwm-${pkgver}" 
@@ -31,6 +31,6 @@ package() {
 install -d "${pkgdir}/etc/fvwm"
 install -D -m644 sample.fvwmrc/* "${pkgdir}/etc/fvwm"
 rm -f "${pkgdir}"/etc/fvwm/Makefile*
- install -D -m644 ../fvwm-devel.desktop "${pkgdir}/etc/X11/sessions/fvwm-devel.desktop"
+ install -D -m644 ../fvwm-devel.desktop "${pkgdir}/usr/share/xsessions/fvwm-devel.desktop"
 install -D -m644 COPYING "${pkgdir}/usr/share/licenses/${pkgname}/COPYING"
 }
diff --git a/extra/fvwm/PKGBUILD b/extra/fvwm/PKGBUILD
index e32a5e22d..3dbdd37b3 100644
--- a/extra/fvwm/PKGBUILD
+++ b/extra/fvwm/PKGBUILD
@@ -1,25 +1,34 @@ -# $Id: PKGBUILD 42788 2009-06-18 20:20:03Z eric $ -# Maintainer: Eric Belanger -# Contributor: judd +# $Id: PKGBUILD 119852 2011-04-16 03:57:41Z eric $ +# Maintainer: Eric Bélanger pkgname=fvwm -pkgver=2.4.20 -pkgrel=4 +pkgver=2.6.0 +pkgrel=1 pkgdesc="A multiple large virtual desktop window manager originally derived from twm" arch=('i686' 'x86_64') url="http://www.fvwm.org" license=('GPL' 'custom') -depends=('readline>=6.0.00' 'libxpm' 'libxinerama' 'gtk' 'imlib' 'libstroke') +depends=('imlib' 'fribidi' 'perl' 'libstroke' 'libxpm' 'readline' 'librsvg') conflicts=('fvwm-devel') -source=(ftp://ftp.fvwm.org/pub/fvwm/version-2/${pkgname}-${pkgver}.tar.gz fvwm2.desktop) -md5sums=('3ac10558411c896f3afba285697cf42c' 'e52a6ef25a936dcf3ad0e58f2e9ed0ea') -sha1sums=('2130a16590462cbbf15f255a46abe8b8a6cb4401' 'e0924164329e7eb14e0d6137d8ff18cf6230191c') +source=(ftp://ftp.fvwm.org/pub/fvwm/version-2/${pkgname}-${pkgver}.tar.bz2 fvwm2.desktop) +md5sums=('e4b4b065b2185be9071a9a55ac49b39a' + 'e52a6ef25a936dcf3ad0e58f2e9ed0ea') +sha1sums=('7c6ed1075c3faa1cd13c2ebc31f720d971564f5e' + 'e0924164329e7eb14e0d6137d8ff18cf6230191c') build() { cd "${srcdir}/${pkgname}-${pkgver}" - ./configure --prefix=/usr --libexecdir=/usr/lib --with-stroke || return 1 - make || return 1 - make DESTDIR="${pkgdir}" install || return 1 - install -D -m644 ../fvwm2.desktop "${pkgdir}/etc/X11/sessions/fvwm2.desktop" || return 1 - install -D -m644 COPYING "${pkgdir}/usr/share/licenses/${pkgname}/COPYING" || return 1 + ./configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/lib --with-stroke-library + make +} + +package() { + cd "${srcdir}/${pkgname}-${pkgver}" + make DESTDIR="${pkgdir}" install + + install -d "${pkgdir}/etc/fvwm" + install -D -m644 sample.fvwmrc/* "${pkgdir}/etc/fvwm" + rm -f "${pkgdir}"/etc/fvwm/Makefile* + install -D -m644 ../fvwm2.desktop "${pkgdir}/usr/share/xsessions/fvwm2.desktop" + install -D -m644 COPYING "${pkgdir}/usr/share/licenses/${pkgname}/COPYING" } 
diff --git a/extra/python/CVE-2011-1521.patch b/extra/python/CVE-2011-1521.patch
new file mode 100644
index 000000000..91f4946c4
--- /dev/null
+++ b/extra/python/CVE-2011-1521.patch
@@ -0,0 +1,134 @@ +diff -Naur Python-3.2.ori/Doc/library/urllib.request.rst Python-3.2/Doc/library/urllib.request.rst +--- Python-3.2.ori/Doc/library/urllib.request.rst 2011-02-11 03:25:47.000000000 -0800 ++++ Python-3.2/Doc/library/urllib.request.rst 2011-04-15 03:49:02.778745379 -0700 +@@ -650,6 +650,10 @@ + is the case, :exc:`HTTPError` is raised. See :rfc:`2616` for details of the + precise meanings of the various redirection codes. + ++ An :class:`HTTPError` exception raised as a security consideration if the ++ HTTPRedirectHandler is presented with a redirected url which is not an HTTP, ++ HTTPS or FTP url. ++ + + .. method:: HTTPRedirectHandler.redirect_request(req, fp, code, msg, hdrs, newurl) + +diff -Naur Python-3.2.ori/Lib/test/test_urllib2.py Python-3.2/Lib/test/test_urllib2.py +--- Python-3.2.ori/Lib/test/test_urllib2.py 2011-02-11 03:25:47.000000000 -0800 ++++ Python-3.2/Lib/test/test_urllib2.py 2011-04-15 03:50:29.705417290 -0700 +@@ -8,6 +8,7 @@ + + import urllib.request + from urllib.request import Request, OpenerDirector ++import urllib.error + + # XXX + # Request +@@ -1029,6 +1030,29 @@ + self.assertEqual(count, + urllib.request.HTTPRedirectHandler.max_redirections) + ++ ++ def test_invalid_redirect(self): ++ from_url = "http://example.com/a.html" ++ valid_schemes = ['http','https','ftp'] ++ invalid_schemes = ['file','imap','ldap'] ++ schemeless_url = "example.com/b.html" ++ h = urllib.request.HTTPRedirectHandler() ++ o = h.parent = MockOpener() ++ req = Request(from_url) ++ req.timeout = socket._GLOBAL_DEFAULT_TIMEOUT ++ ++ for scheme in invalid_schemes: ++ invalid_url = scheme + '://' + schemeless_url ++ self.assertRaises(urllib.error.HTTPError, h.http_error_302, ++ req, MockFile(), 302, "Security Loophole", ++ MockHeaders({"location": invalid_url})) ++ ++ for scheme in valid_schemes: ++ valid_url = scheme + '://' + schemeless_url ++ h.http_error_302(req, MockFile(), 302, "That's fine", ++ MockHeaders({"location": valid_url})) ++ 
self.assertEqual(o.req.get_full_url(), valid_url) ++ + def test_cookie_redirect(self): + # cookies shouldn't leak into redirected requests + from http.cookiejar import CookieJar +diff -Naur Python-3.2.ori/Lib/test/test_urllib.py Python-3.2/Lib/test/test_urllib.py +--- Python-3.2.ori/Lib/test/test_urllib.py 2010-12-17 09:35:56.000000000 -0800 ++++ Python-3.2/Lib/test/test_urllib.py 2011-04-15 03:49:02.778745379 -0700 +@@ -2,6 +2,7 @@ + + import urllib.parse + import urllib.request ++import urllib.error + import http.client + import email.message + import io +@@ -198,6 +199,21 @@ + finally: + self.unfakehttp() + ++ def test_invalid_redirect(self): ++ # urlopen() should raise IOError for many error codes. ++ self.fakehttp(b'''HTTP/1.1 302 Found ++Date: Wed, 02 Jan 2008 03:03:54 GMT ++Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e ++Location: file://guidocomputer.athome.com:/python/license ++Connection: close ++Content-Type: text/html; charset=iso-8859-1 ++''') ++ try: ++ self.assertRaises(urllib.error.HTTPError, urlopen, ++ "http://python.org/") ++ finally: ++ self.unfakehttp() ++ + def test_empty_socket(self): + # urlopen() raises IOError if the underlying socket does not send any + # data. (#1680230) +diff -Naur Python-3.2.ori/Lib/urllib/request.py Python-3.2/Lib/urllib/request.py +--- Python-3.2.ori/Lib/urllib/request.py 2011-02-11 03:25:47.000000000 -0800 ++++ Python-3.2/Lib/urllib/request.py 2011-04-15 03:49:02.778745379 -0700 +@@ -545,6 +545,17 @@ + + # fix a possible malformed URL + urlparts = urlparse(newurl) ++ ++ # For security reasons we don't allow redirection to anything other ++ # than http, https or ftp. 
++ ++ if not urlparts.scheme in ('http', 'https', 'ftp'): ++ raise HTTPError(newurl, code, ++ msg + ++ " - Redirection to url '%s' is not allowed" % ++ newurl, ++ headers, fp) ++ + if not urlparts.path: + urlparts = list(urlparts) + urlparts[2] = "/" +@@ -1897,8 +1908,24 @@ + return + void = fp.read() + fp.close() ++ + # In case the server sent a relative URL, join with original: + newurl = urljoin(self.type + ":" + url, newurl) ++ ++ urlparts = urlparse(newurl) ++ ++ # For security reasons, we don't allow redirection to anything other ++ # than http, https and ftp. ++ ++ # We are using newer HTTPError with older redirect_internal method ++ # This older method will get deprecated in 3.3 ++ ++ if not urlparts.scheme in ('http', 'https', 'ftp'): ++ raise HTTPError(newurl, errcode, ++ errmsg + ++ " Redirection to url '%s' is not allowed." % newurl, ++ headers, fp) ++ + return self.open(newurl) + + def http_error_301(self, url, fp, errcode, errmsg, headers, data=None): diff --git a/extra/python/PKGBUILD b/extra/python/PKGBUILD index b8d376acc..fc8fce46d 100644 --- a/extra/python/PKGBUILD +++ b/extra/python/PKGBUILD @@ -1,11 +1,11 @@ -# $Id: PKGBUILD 110651 2011-02-21 01:21:12Z stephane $ +# $Id: PKGBUILD 119805 2011-04-15 11:51:39Z stephane $ # Maintainer: Stéphane Gaudreault # Maintainer: Allan McRae # Contributer: Jason Chu pkgname=python pkgver=3.2 -pkgrel=1 +pkgrel=2 _pybasever=3.2 pkgdesc="Next generation of the python high-level scripting language" arch=('i686' 'x86_64') @@ -17,9 +17,10 @@ optdepends=('tk: for tkinter') provides=('python3') replaces=('python3') options=('!makeflags') -source=(http://www.python.org/ftp/python/${_pybasever}/Python-${pkgver}.tar.xz) -sha1sums=('55a3a9d39f31563370d0c494373bb6d38e4d1a00') - +source=(http://www.python.org/ftp/python/${_pybasever}/Python-${pkgver}.tar.xz + CVE-2011-1521.patch) +sha1sums=('55a3a9d39f31563370d0c494373bb6d38e4d1a00' + '561161ce5ae3a91254352c09a33e3e4434444e14') build() { cd "${srcdir}/Python-${pkgver}" 
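Review bot: The scheme allow-list `('http', 'https', 'ftp')` is written out twice in the request.py hunks, once in HTTPRedirectHandler.http_error_302 and once in URLopener.redirect_internal, each as `if not urlparts.scheme in (...)`; hoist it to a single module constant and use the idiomatic negation, `_REDIRECT_SCHEMES = ('http', 'https', 'ftp')` and `if urlparts.scheme not in _REDIRECT_SCHEMES:`, so the two checks cannot drift apart. The list deliberately still admits ftp, so an HTTP response can still bounce a client to an FTP host; that is upstream's choice, but the .rst hunk should say so and is also missing its verb ("An HTTPError exception is raised ..."). The comment above test_urllib.py's new test, `# urlopen() should raise IOError for many error codes.`, was copied from the neighbouring test and does not describe this one; replace it with `# A redirect to a non-http/https/ftp URL must be refused (CVE-2011-1521).` Both patched functions start and end outside the lines shown in these hunks.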
@@ -29,6 +30,10 @@ build() { rm -r Modules/zlib rm -r Modules/_ctypes/{darwin,libffi}* + # urllib Security Vulnerability + # http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html + patch -Np1 -i ../CVE-2011-1521.patch + ./configure --prefix=/usr \ --enable-shared \ --with-threads \ @@ -40,10 +45,12 @@ build() { --with-system-ffi make +} - # Run the upstream test suite -# LD_LIBRARY_PATH="${srcdir}/Python-${pkgver}":${LD_LIBRARY_PATH} \ -# "${srcdir}/Python-${pkgver}/python" -m test.regrtest -x test_distutils +check() { + cd "${srcdir}/Python-${pkgver}" + LD_LIBRARY_PATH="${srcdir}/Python-${pkgver}":${LD_LIBRARY_PATH} \ + "${srcdir}/Python-${pkgver}/python" -m test.regrtest -x test_distutils test_site } package() { diff --git a/extra/python2/CVE-2011-1521.patch b/extra/python2/CVE-2011-1521.patch new file mode 100644 index 000000000..d68ec3323 --- /dev/null +++ b/extra/python2/CVE-2011-1521.patch 
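Review bot: In the new check() the expansion `LD_LIBRARY_PATH="${srcdir}/Python-${pkgver}":${LD_LIBRARY_PATH}` yields a trailing colon whenever LD_LIBRARY_PATH is unset in the build environment, and glibc's loader treats an empty search-path element as the current directory, so the freshly built interpreter would also pick up shared objects from wherever the test run happens to be. Append the inherited value only when it exists: `LD_LIBRARY_PATH="${srcdir}/Python-${pkgver}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}" \`. The same construction appeared in the commented-out lines being removed, so this is carried over rather than introduced, but it now executes on every build.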
@@ -0,0 +1,98 @@ +diff -Naur Python-2.7.1.ori/Lib/test/test_urllib2.py Python-2.7.1/Lib/test/test_urllib2.py +--- Python-2.7.1.ori/Lib/test/test_urllib2.py 2010-11-21 21:04:33.000000000 -0800 ++++ Python-2.7.1/Lib/test/test_urllib2.py 2011-04-15 05:02:13.278853672 -0700 +@@ -969,6 +969,27 @@ + self.assertEqual(count, + urllib2.HTTPRedirectHandler.max_redirections) + ++ def test_invalid_redirect(self): ++ from_url = "http://example.com/a.html" ++ valid_schemes = ['http', 'https', 'ftp'] ++ invalid_schemes = ['file', 'imap', 'ldap'] ++ schemeless_url = "example.com/b.html" ++ h = urllib2.HTTPRedirectHandler() ++ o = h.parent = MockOpener() ++ req = Request(from_url) ++ ++ for scheme in invalid_schemes: ++ invalid_url = scheme + '://' + schemeless_url ++ self.assertRaises(urllib2.HTTPError, h.http_error_302, ++ req, MockFile(), 302, "Security Loophole", ++ MockHeaders({"location": invalid_url})) ++ ++ for scheme in valid_schemes: ++ valid_url = scheme + '://' + schemeless_url ++ h.http_error_302(req, MockFile(), 302, "That's fine", ++ MockHeaders({"location": valid_url})) ++ self.assertEqual(o.req.get_full_url(), valid_url) ++ + def test_cookie_redirect(self): + # cookies shouldn't leak into redirected requests + from cookielib import CookieJar +diff -Naur Python-2.7.1.ori/Lib/test/test_urllib.py Python-2.7.1/Lib/test/test_urllib.py +--- Python-2.7.1.ori/Lib/test/test_urllib.py 2010-11-21 05:34:58.000000000 -0800 ++++ Python-2.7.1/Lib/test/test_urllib.py 2011-04-15 05:02:13.278853672 -0700 +@@ -161,6 +161,20 @@ + finally: + self.unfakehttp() + ++ def test_invalid_redirect(self): ++ # urlopen() should raise IOError for many error codes. 
++ self.fakehttp("""HTTP/1.1 302 Found ++Date: Wed, 02 Jan 2008 03:03:54 GMT ++Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e ++Location: file:README ++Connection: close ++Content-Type: text/html; charset=iso-8859-1 ++""") ++ try: ++ self.assertRaises(IOError, urllib.urlopen, "http://python.org/") ++ finally: ++ self.unfakehttp() ++ + def test_empty_socket(self): + # urlopen() raises IOError if the underlying socket does not send any + # data. (#1680230) +diff -Naur Python-2.7.1.ori/Lib/urllib2.py Python-2.7.1/Lib/urllib2.py +--- Python-2.7.1.ori/Lib/urllib2.py 2010-11-20 03:24:08.000000000 -0800 ++++ Python-2.7.1/Lib/urllib2.py 2011-04-15 05:02:13.278853672 -0700 +@@ -579,6 +579,17 @@ + + newurl = urlparse.urljoin(req.get_full_url(), newurl) + ++ # For security reasons we do not allow redirects to protocols ++ # other than HTTP, HTTPS or FTP. ++ newurl_lower = newurl.lower() ++ if not (newurl_lower.startswith('http://') or ++ newurl_lower.startswith('https://') or ++ newurl_lower.startswith('ftp://')): ++ raise HTTPError(newurl, code, ++ msg + " - Redirection to url '%s' is not allowed" % ++ newurl, ++ headers, fp) ++ + # XXX Probably want to forget about the state of the current + # request, although that might interact poorly with other + # handlers that also use handler-specific request attributes +diff -Naur Python-2.7.1.ori/Lib/urllib.py Python-2.7.1/Lib/urllib.py +--- Python-2.7.1.ori/Lib/urllib.py 2010-11-21 21:04:33.000000000 -0800 ++++ Python-2.7.1/Lib/urllib.py 2011-04-15 05:02:13.278853672 -0700 +@@ -644,6 +644,18 @@ + fp.close() + # In case the server sent a relative URL, join with original: + newurl = basejoin(self.type + ":" + url, newurl) ++ ++ # For security reasons we do not allow redirects to protocols ++ # other than HTTP, HTTPS or FTP. 
++ newurl_lower = newurl.lower() ++ if not (newurl_lower.startswith('http://') or ++ newurl_lower.startswith('https://') or ++ newurl_lower.startswith('ftp://')): ++ raise IOError('redirect error', errcode, ++ errmsg + " - Redirection to url '%s' is not allowed" % ++ newurl, ++ headers) ++ + return self.open(newurl) + + def http_error_301(self, url, fp, errcode, errmsg, headers, data=None): diff --git a/extra/python2/PKGBUILD b/extra/python2/PKGBUILD index 2dadb1ec3..af34f960a 100644 --- a/extra/python2/PKGBUILD +++ b/extra/python2/PKGBUILD @@ -1,11 +1,11 @@ -# $Id: PKGBUILD 119684 2011-04-13 16:35:24Z stephane $ +# $Id: PKGBUILD 119810 2011-04-15 12:17:53Z stephane $ # Maintainer: Allan McRae # Contributer: Stéphane Gaudreault # Contributer: Jason Chu pkgname=python2 pkgver=2.7.1 -pkgrel=8 +pkgrel=9 _pybasever=2.7 pkgdesc="A high-level scripting language" arch=('i686' 'x86_64') @@ -17,16 +17,22 @@ optdepends=('tk: for IDLE') conflicts=('python<3') options=('!makeflags') source=(http://www.python.org/ftp/python/${pkgver}/Python-${pkgver}.tar.bz2 - python-2.7-db51.diff - python-2.7.1-fix-decimal-in-turkish-locale.patch) -md5sums=('aa27bc25725137ba155910bd8e5ddc4f' - 'd9b8161568ce17a305c1b71e61ccd4b5' - '5032449f1ff2abfe18d14cc674165b23') + CVE-2011-1521.patch + python-2.7.1-fix-decimal-in-turkish-locale.patch + python-2.7-db51.patch) +sha1sums=('fbe1894322ff91b80726e269c97454f4129fc2a3' + '31cdc76092d0f598289aaeb18e492874c981904d' + 'baf470682ae7d2b55caaa173696d08d3f468a569' + '9667a2a2f8594902b352793e649f78696a77bd13') build() { cd "${srcdir}/Python-${pkgver}" - patch -Np1 -i ../python-2.7-db51.diff + patch -Np1 -i ../python-2.7-db51.patch + + # Fix urllib Security Vulnerability + # http://blog.python.org/2011/04/urllib-security-vulnerability-fixed.html + patch -Np1 -i ../CVE-2011-1521.patch # Fix "import decimal" in the Turkish locale # cf : https://bugzilla.redhat.com/show_bug.cgi?id=694928 
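Review bot: In test_urllib2.py's test_invalid_redirect the Request is handed to h.http_error_302 without `req.timeout` being set, whereas the Python 3 counterpart in this same commit sets `req.timeout = socket._GLOBAL_DEFAULT_TIMEOUT` first; 2.7's http_error_302 forwards `timeout=req.timeout` to the opener, so the valid-scheme loop is likely to fail with AttributeError instead of exercising the allowed path — run the test to confirm and, if so, add that line after `req = Request(from_url)`. In urllib2.py and urllib.py the three chained `startswith` calls collapse to one `newurl_lower.startswith(('http://', 'https://', 'ftp://'))`, and naming that tuple once would keep the two hand-copied allow-lists in step. The comment `# urlopen() should raise IOError for many error codes.` above test_urllib.py's new test describes the adjacent test, not this one; replace it with `# A 302 to a non-http/https/ftp URL must be refused (CVE-2011-1521).` The patched redirect functions start and end outside the lines shown.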
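Review bot: build() now applies CVE-2011-1521.patch, which ships regression tests in test_urllib.py and test_urllib2.py, but these hunks show no check() that would run them, unlike the python PKGBUILD touched in this same commit; if the rest of the file has none, the backported tests never execute and a broken backport would ship silently. Add a check() mirroring extra/python/PKGBUILD (cd into the source tree and run `"${srcdir}/Python-${pkgver}/python" -m test.regrtest` with LD_LIBRARY_PATH pointing at the build tree, excluding whatever suites are known to fail in the chroot). Switching the file from md5sums to sha1sums is a welcome change and needs no further action.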
diff --git a/extra/python2/python-2.7-db51.patch b/extra/python2/python-2.7-db51.patch new file mode 100644 index 000000000..2da95c375 --- /dev/null +++ b/extra/python2/python-2.7-db51.patch @@ -0,0 +1,42 @@ +diff -Naur Python-2.7-orig//Modules/_bsddb.c Python-2.7/Modules/_bsddb.c +--- Python-2.7-orig//Modules/_bsddb.c 2010-05-10 00:46:46.000000000 +1000 ++++ Python-2.7/Modules/_bsddb.c 2010-10-20 13:19:26.436669911 +1000 +@@ -9765,8 +9765,11 @@ + + ADD_INT(d, DB_REP_PERMANENT); + +-#if (DBVER >= 44) ++#if (DBVER >= 44) && (DBVER <= 48) + ADD_INT(d, DB_REP_CONF_NOAUTOINIT); ++#endif ++ ++#if (DBVER >= 44) + ADD_INT(d, DB_REP_CONF_DELAYCLIENT); + ADD_INT(d, DB_REP_CONF_BULK); + ADD_INT(d, DB_REP_CONF_NOWAIT); +diff -Naur Python-2.7-orig//setup.py Python-2.7/setup.py +--- Python-2.7-orig//setup.py 2010-06-27 22:36:16.000000000 +1000 ++++ Python-2.7/setup.py 2010-10-20 13:10:48.256670026 +1000 +@@ -765,7 +765,7 @@ + # a release. Most open source OSes come with one or more + # versions of BerkeleyDB already installed. + +- max_db_ver = (4, 8) ++ max_db_ver = (5, 1) + min_db_ver = (4, 1) + db_setup_debug = False # verbose debug prints from this script? + +@@ -787,8 +787,12 @@ + return True + + def gen_db_minor_ver_nums(major): +- if major == 4: ++ if major == 5: + for x in range(max_db_ver[1]+1): ++ if allow_db_ver((5, x)): ++ yield x ++ if major == 4: ++ for x in range(9): + if allow_db_ver((4, x)): + yield x + elif major == 3: -- cgit v1.2.3-54-g00ecf
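Review bot: In the setup.py hunk the new `if major == 4:` sits directly after `if major == 5:` as a second independent `if` inside a chain that still ends with `elif major == 3:`; it works only because the conditions are mutually exclusive, and it reads as a bug — make it `elif major == 4:`. That branch also hard-codes `range(9)` where the old code derived the 4.x ceiling from `max_db_ver`, so a comment such as `# Berkeley DB 4.x ended at 4.8; max_db_ver now bounds the 5.x series` would explain the constant. In the _bsddb.c hunk, confining DB_REP_CONF_NOAUTOINIT to `DBVER <= 48` presumably reflects its removal in 5.x; a one-line comment beside the `#if` would spare the next reader the archaeology. gen_db_minor_ver_nums continues past the end of the hunk.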