|
1 Patch from upstream, not yet available in latest stable release-- |
|
2 http://www.logilab.org/revision/210454 |
|
3 --to fix CVE-2014-1839. |
|
4 |
|
5 diff -rupN logilab-common-0.58.2-orig/ChangeLog logilab-common-0.58.2/ChangeLog |
|
6 --- logilab-common-0.58.2-orig/ChangeLog 2014-03-14 10:39:51.021176000 -0700 |
|
7 +++ logilab-common-0.58.2/ChangeLog 2014-03-14 10:43:43.925212000 -0700 |
|
8 @@ -4,6 +4,9 @@ ChangeLog for logilab.common |
|
9 2014-02-03 |
|
10 * pdf_ext: removed, it had no known users (CVE-2014-1838) |
|
11 |
|
12 + * shellutils: fix tempfile issue in Execute, and deprecate it |
|
13 + (CVE-2014-1839) |
|
14 + |
|
15 |
|
16 2012-07-30 -- 0.58.2 |
|
17 * modutils: fixes (closes #100757 and #100935) |
|
18 diff -rupN logilab-common-0.58.2-orig/shellutils.py logilab-common-0.58.2/shellutils.py |
|
19 --- logilab-common-0.58.2-orig/shellutils.py 2012-07-30 06:06:59.000000000 -0700 |
|
20 +++ logilab-common-0.58.2/shellutils.py 2014-03-14 10:46:41.707010000 -0700 |
|
21 @@ -31,11 +31,13 @@ import fnmatch |
|
22 import errno |
|
23 import string |
|
24 import random |
|
25 +import subprocess |
|
26 from os.path import exists, isdir, islink, basename, join |
|
27 |
|
28 from logilab.common import STD_BLACKLIST, _handle_blacklist |
|
29 from logilab.common.compat import raw_input |
|
30 from logilab.common.compat import str_to_bytes |
|
31 +from logilab.common.deprecation import deprecated |
|
32 |
|
33 try: |
|
34 from logilab.common.proc import ProcInfo, NoSuchProcess |
|
35 @@ -224,20 +226,17 @@ def unzip(archive, destdir): |
|
36 outfile.write(zfobj.read(name)) |
|
37 outfile.close() |
|
38 |
|
39 +@deprecated('Use subprocess.Popen instead') |
|
40 class Execute: |
|
41 """This is a deadlock safe version of popen2 (no stdin), that returns |
|
42 an object with errorlevel, out and err. |
|
43 """ |
|
44 |
|
45 def __init__(self, command): |
|
46 - outfile = tempfile.mktemp() |
|
47 - errfile = tempfile.mktemp() |
|
48 - self.status = os.system("( %s ) >%s 2>%s" % |
|
49 - (command, outfile, errfile)) >> 8 |
|
50 - self.out = open(outfile, "r").read() |
|
51 - self.err = open(errfile, "r").read() |
|
52 - os.remove(outfile) |
|
53 - os.remove(errfile) |
|
54 + cmd = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
|
55 + self.out, self.err = cmd.communicate() |
|
56 + self.status = os.WEXITSTATUS(cmd.returncode) |
|
57 + |
|
58 |
|
59 def acquire_lock(lock_file, max_try=10, delay=10, max_delay=3600): |
|
60 """Acquire a lock represented by a file on the file system |
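Review bot: The added `self.status = os.WEXITSTATUS(cmd.returncode)` in `Execute.__init__` decodes a value that is already decoded, because `Popen.returncode` is the exit code itself (or a negative signal number), not a wait status like the `os.system()` result the removed code shifted by 8. For ordinary exit codes the high byte is zero, so a failing command would be reported with `status == 0`, and callers that check `status` would treat failures as success. The line should be `self.status = cmd.returncode`. Separately, `communicate()` returns bytes on Python 3 where the removed code read the temp files as text, which may surprise callers if this module is used there. Since `command` still goes through a shell (`shell=True`), the class docstring should also say so, for example `command is passed to a shell; never build it from untrusted input`.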