Hello community,

here is the log from the commit of package python-nltk for openSUSE:Factory 
checked in at 2024-07-26 16:16:05
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-nltk (Old)
 and      /work/SRC/openSUSE:Factory/.python-nltk.new.1882 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-nltk"

Fri Jul 26 16:16:05 2024 rev:17 rq:1189727 version:3.8.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-nltk/python-nltk.changes  2024-07-04 
16:25:22.072097966 +0200
+++ /work/SRC/openSUSE:Factory/.python-nltk.new.1882/python-nltk.changes        
2024-07-26 16:16:30.880155750 +0200
@@ -1,0 +2,8 @@
+Fri Jul 26 07:14:33 UTC 2024 - Daniel Garcia <daniel.gar...@suse.com>
+
+- Add CVE-2024-39705.patch upstream patch to fix unsafe pickle usage.
+  (CVE-2024-39705, gh#nltk/nltk#3266, bsc#1227174).
+- Drop CVE-2024-39705-disable-download.patch as it's not needed
+  anymore.
+
+-------------------------------------------------------------------

Old:
----
  CVE-2024-39705-disable-download.patch

New:
----
  CVE-2024-39705.patch


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-nltk.spec ++++++
--- /var/tmp/diff_new_pack.G8VrHs/_old  2024-07-26 16:16:35.236331053 +0200
+++ /var/tmp/diff_new_pack.G8VrHs/_new  2024-07-26 16:16:35.252331697 +0200
@@ -63,9 +63,8 @@
 Patch0:         skip-networked-test.patch
 # PATCH-FIX-UPSTREAM nltk-pr3207-py312.patch gh#nltk/nltk#3207
 Patch1:         nltk-pr3207-py312.patch
-# PATCH-FIX-UPSTREAM CVE-2024-39705-disable-download.patch bsc#1227174 
mc...@suse.com
-# this patch makes things totally awesome
-Patch2:         CVE-2024-39705-disable-download.patch
+# PATCH-FIX-UPSTREAM CVE-2024-39705.patch bsc#1227174 gh#nltk/nltk#3290
+Patch2:         CVE-2024-39705.patch
 BuildRequires:  %{python_module base >= 3.7}
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}

++++++ CVE-2024-39705-disable-download.patch -> CVE-2024-39705.patch ++++++
--- 
/work/SRC/openSUSE:Factory/python-nltk/CVE-2024-39705-disable-download.patch    
    2024-07-04 16:25:21.136063781 +0200
+++ /work/SRC/openSUSE:Factory/.python-nltk.new.1882/CVE-2024-39705.patch       
2024-07-26 16:16:30.856154784 +0200
@@ -1,104 +1,38 @@
+From a12d0a6a8cdba58d5e4e5f92ac62bb80fc26c624 Mon Sep 17 00:00:00 2001
+From: Eric Kafe <kafe.e...@gmail.com>
+Date: Tue, 23 Jul 2024 09:09:09 +0200
+Subject: [PATCH] Prevent data.load from unpickling classes or functions
+
 ---
- nltk/app/chartparser_app.py    |   13 +++++++++++++
- nltk/corpus/reader/util.py     |    2 ++
- nltk/data.py                   |    2 ++
- nltk/parse/transitionparser.py |    2 ++
- nltk/tbl/demo.py               |    4 +++-
- 5 files changed, 22 insertions(+), 1 deletion(-)
+ nltk/data.py | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
 
---- a/nltk/app/chartparser_app.py
-+++ b/nltk/app/chartparser_app.py
-@@ -800,6 +800,10 @@ class ChartComparer:
-             showerror("Error Saving Chart", f"Unable to open file: 
{filename!r}\n{e}")
- 
-     def load_chart_dialog(self, *args):
-+        showerror("Security Error",
-+                  "Due to gh#nltk/nltk#3266, deserializing from " +
-+                  "a pickle is forbidden.")
-+        return
-         filename = askopenfilename(
-             filetypes=self.CHART_FILE_TYPES, defaultextension=".pickle"
-         )
-@@ -811,6 +815,8 @@ class ChartComparer:
-             showerror("Error Loading Chart", f"Unable to open file: 
{filename!r}\n{e}")
- 
-     def load_chart(self, filename):
-+        raise RuntimeError("Due to gh#nltk/nltk#3266, deserializing from " +
-+                           "a pickle is forbidden.")
-         with open(filename, "rb") as infile:
-             chart = pickle.load(infile)
-         name = os.path.basename(filename)
-@@ -2268,6 +2274,10 @@ class ChartParserApp:
-         if not filename:
-             return
-         try:
-+            showerror("Security Error",
-+                      "Due to gh#nltk/nltk#3266, deserializing from " +
-+                      "a pickle is forbidden.")
-+            return
-             with open(filename, "rb") as infile:
-                 chart = pickle.load(infile)
-             self._chart = chart
-@@ -2306,6 +2316,9 @@ class ChartParserApp:
-             return
-         try:
-             if filename.endswith(".pickle"):
-+                showerror("Due to gh#nltk/nltk#3266, deserializing from " +
-+                          "a pickle is forbidden.")
-+                return
-                 with open(filename, "rb") as infile:
-                     grammar = pickle.load(infile)
-             else:
---- a/nltk/corpus/reader/util.py
-+++ b/nltk/corpus/reader/util.py
-@@ -521,6 +521,8 @@ class PickleCorpusView(StreamBackedCorpu
- 
-     def read_block(self, stream):
-         result = []
-+        raise RuntimeError("Due to gh#nltk/nltk#3266, deserializing from " +
-+                           "a pickle is forbidden.")
-         for i in range(self.BLOCK_SIZE):
-             try:
-                 result.append(pickle.load(stream))
+diff --git a/nltk/data.py b/nltk/data.py
+index cc9229b0a2..fb242721c5 100644
 --- a/nltk/data.py
 +++ b/nltk/data.py
-@@ -752,6 +752,8 @@ def load(
+@@ -658,6 +658,15 @@ def retrieve(resource_url, filename=None, verbose=True):
+ }
+ 
+ 
++def restricted_pickle_load(string):
++    """
++    Prevents any class or function from loading.
++    """
++    from nltk.app.wordnet_app import RestrictedUnpickler
++
++    return RestrictedUnpickler(BytesIO(string)).load()
++
++
+ def load(
+     resource_url,
+     format="auto",
+@@ -751,7 +760,7 @@ def load(
      if format == "raw":
          resource_val = opened_resource.read()
      elif format == "pickle":
-+        raise RuntimeError("Due to gh#nltk/nltk#3266, deserializing from " +
-+                           "a pickle is forbidden.")
-         resource_val = pickle.load(opened_resource)
+-        resource_val = pickle.load(opened_resource)
++        resource_val = restricted_pickle_load(opened_resource.read())
      elif format == "json":
          import json
---- a/nltk/parse/transitionparser.py
-+++ b/nltk/parse/transitionparser.py
-@@ -553,6 +553,8 @@ class TransitionParser(ParserI):
-         """
-         result = []
-         # First load the model
-+        raise RuntimeError("Due to gh#nltk/nltk#3266, deserializing from " +
-+                           "a pickle is forbidden.")
-         model = pickle.load(open(modelFile, "rb"))
-         operation = Transition(self._algorithm)
  
---- a/nltk/tbl/demo.py
-+++ b/nltk/tbl/demo.py
-@@ -253,6 +253,8 @@ def postag(
-                 )
-             )
-         with open(cache_baseline_tagger) as print_rules:
-+            raise RuntimeError("Due to gh#nltk/nltk#3266, deserializing from 
" +
-+                               "a pickle is forbidden.")
-             baseline_tagger = pickle.load(print_rules)
-             print(f"Reloaded pickled tagger from {cache_baseline_tagger}")
-     else:
-@@ -327,7 +329,7 @@ def postag(
-         with open(serialize_output) as print_rules:
-             brill_tagger_reloaded = pickle.load(print_rules)
-         print(f"Reloaded pickled tagger from {serialize_output}")
--        taggedtest_reloaded = brill_tagger.tag_sents(testing_data)
-+        taggedtest_reloaded = brill_tagger_reloaded.tag_sents(testing_data)
-         if taggedtest == taggedtest_reloaded:
-             print("Reloaded tagger tried on test set, results identical")
-         else:
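Review bot: The replacement patch restricts unpickling only in the `format == "pickle"` branch of `nltk.data.load` (the `restricted_pickle_load` wrapper added before `load`), while the removed lines show the previous patch also guarded the `pickle.load` calls in nltk/app/chartparser_app.py, nltk/corpus/reader/util.py, nltk/parse/transitionparser.py and nltk/tbl/demo.py, which the new patch does not touch; the changelog's "not needed anymore" therefore holds only if those call sites are out of scope for the fix, which this hunk alone cannot confirm and which deserves a line in the spec or changes entry. The new helper's docstring ("Prevents any class or function from loading.") does not say what is actually enforced or how; I would replace it with `"""Unpickle *string* via nltk.app.wordnet_app.RestrictedUnpickler, which is expected to refuse class and function globals (behaviour defined there, not in this module)."""`. The function-scope import pulls an app module into the core data module, and the call relies on `BytesIO` already being in scope in nltk/data.py, neither of which is visible in this hunk — worth confirming against the patched file. The enclosing `load` definition continues outside the hunk.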
