Hello community, here is the log from the commit of package python3 for openSUSE:Factory checked in at 2014-04-09 13:01:07 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python3 (Old) and /work/SRC/openSUSE:Factory/.python3.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python3" Changes: -------- --- /work/SRC/openSUSE:Factory/python3/python3-base.changes 2014-03-31 20:42:59.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.python3.new/python3-base.changes 2014-04-09 13:01:10.000000000 +0200 @@ -1,0 +2,8 @@ +Fri Apr 4 16:21:40 UTC 2014 - jmate...@suse.com + +- CVE-2014-2667-mkdir.patch: race condition with reseting umask + in os.makedirs + (CVE-2014-2667, bnc#869222) +- updated multilib patch to include ~/.local/lib64 (bnc#637176) + +------------------------------------------------------------------- python3.changes: same change New: ---- CVE-2014-2667-mkdir.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python3-base.spec ++++++ --- /var/tmp/diff_new_pack.A5ClVq/_old 2014-04-09 13:01:12.000000000 +0200 +++ /var/tmp/diff_new_pack.A5ClVq/_new 2014-04-09 13:01:12.000000000 +0200 @@ -85,6 +85,8 @@ Patch14: python-3.4.0rc2-sqlite-3.8.4-tests.patch # Raise timeout value for test_subprocess Patch15: subprocess-raise-timeout.patch +# CVE-2014-2667 - race condition with umask in os.makedirs +Patch16: CVE-2014-2667-mkdir.patch ### COMMON-PATCH-END ### BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -216,6 +218,7 @@ %patch13 -p0 %patch14 -p1 %patch15 -p1 +%patch16 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac ++++++ python3-doc.spec ++++++ --- /var/tmp/diff_new_pack.A5ClVq/_old 2014-04-09 13:01:12.000000000 +0200 +++ /var/tmp/diff_new_pack.A5ClVq/_new 2014-04-09 13:01:12.000000000 +0200 @@ -70,6 +70,10 @@ Patch13: libffi-ppc64le.diff # Fix tests for sqlite 3.8.4 Patch14: python-3.4.0rc2-sqlite-3.8.4-tests.patch +# Raise timeout value for test_subprocess +Patch15: subprocess-raise-timeout.patch +# CVE-2014-2667 - race condition with umask in os.makedirs +Patch16: CVE-2014-2667-mkdir.patch ### COMMON-PATCH-END ### ### COMMON-DEF-BEGIN ### @@ -139,6 +143,8 @@ %patch12 -p1 %patch13 -p0 %patch14 -p1 +%patch15 -p1 +%patch16 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac ++++++ python3.spec ++++++ --- /var/tmp/diff_new_pack.A5ClVq/_old 2014-04-09 13:01:12.000000000 +0200 +++ /var/tmp/diff_new_pack.A5ClVq/_new 2014-04-09 13:01:12.000000000 +0200 @@ -82,6 +82,10 @@ Patch13: libffi-ppc64le.diff # Fix tests for sqlite 3.8.4 Patch14: python-3.4.0rc2-sqlite-3.8.4-tests.patch +# Raise timeout value for test_subprocess +Patch15: subprocess-raise-timeout.patch +# CVE-2014-2667 - race condition with umask in os.makedirs +Patch16: CVE-2014-2667-mkdir.patch ### COMMON-PATCH-END ### BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -184,6 +188,8 @@ %patch12 -p1 %patch13 -p0 %patch14 -p1 +%patch15 -p1 +%patch16 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac ++++++ CVE-2014-2667-mkdir.patch ++++++ # HG changeset patch # User Benjamin Peterson <benja...@python.org> # Date 1396394328 14400 # Node ID c24dd53ab4b9ebc13671051d524e25305266994f # Parent 1039d4ebc4bb8655060cf016f5681867d07b7e44# Parent 6370d44013f7e7e0892dd7f78b91d3a929e2d343 merge 3.3 (#21082) Index: Python-3.4.0/Doc/library/os.rst =================================================================== --- Python-3.4.0.orig/Doc/library/os.rst 2014-04-04 18:06:50.821300387 +0200 +++ Python-3.4.0/Doc/library/os.rst 2014-04-04 18:06:59.558350425 +0200 @@ -1619,11 +1619,8 @@ The default *mode* is ``0o777`` (octal). On some systems, *mode* is ignored. Where it is used, the current umask value is first masked out. - If *exist_ok* is ``False`` (the default), an :exc:`OSError` is raised if - the target directory already exists. If *exist_ok* is ``True`` an - :exc:`OSError` is still raised if the umask-masked *mode* is different from - the existing mode, on systems where the mode is used. :exc:`OSError` will - also be raised if the directory creation fails. + If *exist_ok* is ``False`` (the default), an :exc:`OSError` is raised if the + target directory already exists. .. note:: @@ -1635,6 +1632,13 @@ .. versionadded:: 3.2 The *exist_ok* parameter. + .. versionchanged:: 3.3.6 + + Before Python 3.3.6, if *exist_ok* was ``True`` and the directory existed, + :func:`makedirs` would still raise an error if *mode* did not match the + mode of the existing directory. Since this behavior was impossible to + implement safely, it was removed in Python 3.3.6. See :issue:`21082`. + .. function:: mkfifo(path, mode=0o666, *, dir_fd=None) Index: Python-3.4.0/Lib/os.py =================================================================== --- Python-3.4.0.orig/Lib/os.py 2014-04-04 18:06:50.821300387 +0200 +++ Python-3.4.0/Lib/os.py 2014-04-04 18:20:44.057141177 +0200 @@ -206,23 +206,16 @@ SEEK_CUR = 1 SEEK_END = 2 - -def _get_masked_mode(mode): - mask = umask(0) - umask(mask) - return mode & ~mask - # Super directory utilities. # (Inspired by Eric Raymond; the doc strings are mostly his) def makedirs(name, mode=0o777, exist_ok=False): """makedirs(path [, mode=0o777][, exist_ok=False]) - Super-mkdir; create a leaf directory and all intermediate ones. - Works like mkdir, except that any intermediate path segment (not - just the rightmost) will be created if it does not exist. If the - target directory with the same mode as we specified already exists, - raises an OSError if exist_ok is False, otherwise no exception is + Super-mkdir; create a leaf directory and all intermediate ones. Works like + mkdir, except that any intermediate path segment (not just the rightmost) + will be created if it does not exist. If the target directory already + exists, raise an OSError if exist_ok is False. Otherwise no exception is raised. This is recursive. """ @@ -243,20 +236,7 @@ try: mkdir(name, mode) except OSError as e: - dir_exists = path.isdir(name) - expected_mode = _get_masked_mode(mode) - if dir_exists: - # S_ISGID is automatically copied by the OS from parent to child - # directories on mkdir. Don't consider it being set to be a mode - # mismatch as mkdir does not unset it when not specified in mode. - actual_mode = st.S_IMODE(lstat(name).st_mode) & ~st.S_ISGID - else: - actual_mode = -1 - if not (e.errno == errno.EEXIST and exist_ok and dir_exists and - actual_mode == expected_mode): - if dir_exists and actual_mode != expected_mode: - e.strerror += ' (mode %o != expected mode %o)' % ( - actual_mode, expected_mode) + if not exist_ok or e.errno != errno.EEXIST or not path.isdir(name): raise def removedirs(name): Index: Python-3.4.0/Lib/test/test_os.py =================================================================== --- Python-3.4.0.orig/Lib/test/test_os.py 2014-04-04 18:06:50.822300392 +0200 +++ Python-3.4.0/Lib/test/test_os.py 2014-04-04 18:06:59.559350431 +0200 @@ -901,7 +901,7 @@ os.makedirs(path, mode) self.assertRaises(OSError, os.makedirs, path, mode) self.assertRaises(OSError, os.makedirs, path, mode, exist_ok=False) - self.assertRaises(OSError, os.makedirs, path, 0o776, exist_ok=True) + os.makedirs(path, 0o776, exist_ok=True) os.makedirs(path, mode=mode, exist_ok=True) os.umask(old_mask) @@ -938,9 +938,8 @@ os.makedirs(path, mode, exist_ok=True) # remove the bit. os.chmod(path, stat.S_IMODE(os.lstat(path).st_mode) & ~S_ISGID) - with self.assertRaises(OSError): - # Should fail when the bit is not already set when demanded. - os.makedirs(path, mode | S_ISGID, exist_ok=True) + # May work even when the bit is not already set when demanded. + os.makedirs(path, mode | S_ISGID, exist_ok=True) finally: os.umask(old_mask) ++++++ Python-3.3.0b2-multilib.patch ++++++ --- /var/tmp/diff_new_pack.A5ClVq/_old 2014-04-09 13:01:12.000000000 +0200 +++ /var/tmp/diff_new_pack.A5ClVq/_new 2014-04-09 13:01:12.000000000 +0200 @@ -68,6 +68,66 @@ =================================================================== --- Python-3.4.0b3.orig/Lib/site.py 2014-01-27 05:13:49.000000000 +0100 +++ Python-3.4.0b3/Lib/site.py 2014-02-04 17:18:37.568144174 +0100 +@@ -244,28 +244,37 @@ + USER_BASE = get_config_var('userbase') + return USER_BASE + +-def getusersitepackages(): ++def getusersitepackages(lib_kind = 'purelib'): + """Returns the user-specific site-packages directory path. + + If the global variable ``USER_SITE`` is not initialized yet, this + function will also set it. + """ ++ ++ set_user_site = (lib_kind == 'purelib') ++ + global USER_SITE + user_base = getuserbase() # this will also set USER_BASE + +- if USER_SITE is not None: ++ if USER_SITE is not None and set_user_site: + return USER_SITE + + from sysconfig import get_path + ++ user_site = None ++ + if sys.platform == 'darwin': + from sysconfig import get_config_var + if get_config_var('PYTHONFRAMEWORK'): +- USER_SITE = get_path('purelib', 'osx_framework_user') +- return USER_SITE ++ user_site = get_path('purelib', 'osx_framework_user') ++ ++ if user_site is None: ++ user_site = get_path('purelib', '%s_user' % os.name) + +- USER_SITE = get_path('purelib', '%s_user' % os.name) +- return USER_SITE ++ if set_user_site: ++ USER_SITE = user_site ++ ++ return user_site + + def addusersitepackages(known_paths): + """Add a per user site-package to sys.path +@@ -275,10 +284,12 @@ + """ + # get the per user site-package path + # this call will also make sure USER_BASE and USER_SITE are set +- user_site = getusersitepackages() ++ for kind in ('purelib', 'platlib'): ++ user_site = getusersitepackages() ++ ++ if ENABLE_USER_SITE and os.path.isdir(user_site): ++ addsitedir(user_site, known_paths) + +- if ENABLE_USER_SITE and os.path.isdir(user_site): +- addsitedir(user_site, known_paths) + return known_paths + + def getsitepackages(prefixes=None): @@ -304,13 +304,19 @@ seen.add(prefix) @@ -295,20 +355,6 @@ 'include': '{installed_base}/include/python{py_version_short}{abiflags}', 'platinclude': -@@ -32,10 +32,10 @@ - 'data': '{base}', - }, - 'posix_home': { -- 'stdlib': '{installed_base}/lib/python', -- 'platstdlib': '{base}/lib/python', -+ 'stdlib': '{installed_base}/'+sys.lib+'/python', -+ 'platstdlib': '{base}/'+sys.lib+'/python', - 'purelib': '{base}/lib/python', -- 'platlib': '{base}/lib/python', -+ 'platlib': '{base}/'+sys.lib+'/python', - 'include': '{installed_base}/include/python', - 'platinclude': '{installed_base}/include/python', - 'scripts': '{base}/bin', @@ -61,10 +61,10 @@ 'data': '{userbase}', }, -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org