# HG changeset patch # User April Chin # Date 1395686021 25200 # Node ID baadf45ecbdd38af48d7400506358b88c9f55c96 # Parent 44bcab9cfdeecab360d276856e0ab484f224c81f 18299226 problem in PYTHON-MOD/LOGILAB-COMMON diff -r 44bcab9cfdee -r baadf45ecbdd components/logilab-common/logilab-common-26.p5m --- a/components/logilab-common/logilab-common-26.p5m Tue Jan 07 04:04:31 2014 -0800 +++ b/components/logilab-common/logilab-common-26.p5m Mon Mar 24 11:33:41 2014 -0700 @@ -18,7 +18,7 @@ # # CDDL HEADER END # -# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved. # default mangler.man.stability uncommitted> @@ -37,17 +37,6 @@ value=LSARC/2009/298 set name=org.opensolaris.consolidation value=$(CONSOLIDATION) -dir path=usr -dir path=usr/bin -dir path=usr/lib -dir path=usr/lib/python2.6 -dir path=usr/lib/python2.6/vendor-packages -dir path=usr/lib/python2.6/vendor-packages/logilab -dir path=usr/lib/python2.6/vendor-packages/logilab/common -dir path=usr/lib/python2.6/vendor-packages/logilab/common/ureports -dir \ - path=usr/lib/python2.6/vendor-packages/logilab_common-$(COMPONENT_VERSION)-py2.6.egg-info - file path=usr/bin/pytest-2.6 file path=usr/lib/python2.6/vendor-packages/logilab/__init__.py file path=usr/lib/python2.6/vendor-packages/logilab/common/__init__.py @@ -74,7 +63,6 @@ file path=usr/lib/python2.6/vendor-packages/logilab/common/modutils.py file path=usr/lib/python2.6/vendor-packages/logilab/common/optik_ext.py file path=usr/lib/python2.6/vendor-packages/logilab/common/optparser.py -file path=usr/lib/python2.6/vendor-packages/logilab/common/pdf_ext.py file path=usr/lib/python2.6/vendor-packages/logilab/common/proc.py file path=usr/lib/python2.6/vendor-packages/logilab/common/pyro_ext.py file path=usr/lib/python2.6/vendor-packages/logilab/common/pytest.py diff -r 44bcab9cfdee -r baadf45ecbdd components/logilab-common/logilab-common-27.p5m 
--- a/components/logilab-common/logilab-common-27.p5m Tue Jan 07 04:04:31 2014 -0800 +++ b/components/logilab-common/logilab-common-27.p5m Mon Mar 24 11:33:41 2014 -0700 @@ -18,7 +18,7 @@ # # CDDL HEADER END # -# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved. # default mangler.man.stability uncommitted> @@ -37,16 +37,6 @@ value=LSARC/2009/298 set name=org.opensolaris.consolidation value=$(CONSOLIDATION) -dir path=usr -dir path=usr/bin -dir path=usr/lib -dir path=usr/lib/python2.7 -dir path=usr/lib/python2.7/vendor-packages -dir path=usr/lib/python2.7/vendor-packages/logilab -dir path=usr/lib/python2.7/vendor-packages/logilab/common -dir path=usr/lib/python2.7/vendor-packages/logilab/common/ureports -dir path=usr/lib/python2.7/vendor-packages/logilab_common-$(COMPONENT_VERSION)-py2.7.egg-info - file \ path=usr/lib/python2.7/vendor-packages/logilab_common-$(COMPONENT_VERSION)-py2.7-nspkg.pth file \ @@ -85,7 +75,6 @@ file path=usr/lib/python2.7/vendor-packages/logilab/common/modutils.py file path=usr/lib/python2.7/vendor-packages/logilab/common/optik_ext.py file path=usr/lib/python2.7/vendor-packages/logilab/common/optparser.py -file path=usr/lib/python2.7/vendor-packages/logilab/common/pdf_ext.py file path=usr/lib/python2.7/vendor-packages/logilab/common/proc.py file path=usr/lib/python2.7/vendor-packages/logilab/common/pyro_ext.py file path=usr/lib/python2.7/vendor-packages/logilab/common/pytest.py diff -r 44bcab9cfdee -r baadf45ecbdd components/logilab-common/patches/01-CVE-2014-1838.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/logilab-common/patches/01-CVE-2014-1838.patch Mon Mar 24 11:33:41 2014 -0700 
@@ -0,0 +1,145 @@
+Patch from upstream, not yet available in latest stable release--
+http://www.logilab.org/revision/207574
+--to fix CVE-2014-1838.
+
+diff -rupN logilab-common-0.58.2-orig/ChangeLog logilab-common-0.58.2/ChangeLog
+--- logilab-common-0.58.2-orig/ChangeLog 2012-07-30 06:06:59.000000000 -0700
++++ logilab-common-0.58.2/ChangeLog 2014-03-14 10:34:00.085719000 -0700
+@@ -1,6 +1,10 @@
+ ChangeLog for logilab.common
+ ============================
+
++2014-02-03
++ * pdf_ext: removed, it had no known users (CVE-2014-1838)
++
++
+ 2012-07-30 -- 0.58.2
+ * modutils: fixes (closes #100757 and #100935)
+
+diff -rupN logilab-common-0.58.2-orig/pdf_ext.py logilab-common-0.58.2/pdf_ext.py
+--- logilab-common-0.58.2-orig/pdf_ext.py 2012-07-30 06:06:59.000000000 -0700
++++ logilab-common-0.58.2/pdf_ext.py 1969-12-31 16:00:00.000000000 -0800
+@@ -1,111 +0,0 @@
+-# copyright 2003-2011 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
+-# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
+-#
+-# This file is part of logilab-common.
+-#
+-# logilab-common is free software: you can redistribute it and/or modify it under
+-# the terms of the GNU Lesser General Public License as published by the Free
+-# Software Foundation, either version 2.1 of the License, or (at your option) any
+-# later version.
+-#
+-# logilab-common is distributed in the hope that it will be useful, but WITHOUT
+-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+-# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+-# details.
+-#
+-# You should have received a copy of the GNU Lesser General Public License along
+-# with logilab-common. If not, see .
+-"""Manipulate pdf and fdf files (pdftk recommended).
+-
+-Notes regarding pdftk, pdf forms and fdf files (form definition file)
+-fields names can be extracted with:
+-
+- pdftk orig.pdf generate_fdf output truc.fdf
+-
+-to merge fdf and pdf:
+-
+- pdftk orig.pdf fill_form test.fdf output result.pdf [flatten]
+-
+-without flatten, one could further edit the resulting form.
+-with flatten, everything is turned into text.
+-
+-
+-
+-
+-"""
+-__docformat__ = "restructuredtext en"
+-# XXX seems very unix specific
+-# TODO: check availability of pdftk at import
+-
+-
+-import os
+-
+-HEAD="""%FDF-1.2
+-%\xE2\xE3\xCF\xD3
+-1 0 obj
+-<<
+-/FDF
+-<<
+-/Fields [
+-"""
+-
+-TAIL="""]
+->>
+->>
+-endobj
+-trailer
+-
+-<<
+-/Root 1 0 R
+->>
+-%%EOF
+-"""
+-
+-def output_field( f ):
+- return "\xfe\xff" + "".join( [ "\x00"+c for c in f ] )
+-
+-def extract_keys(lines):
+- keys = []
+- for line in lines:
+- if line.startswith('/V'):
+- pass #print 'value',line
+- elif line.startswith('/T'):
+- key = line[7:-2]
+- key = ''.join(key.split('\x00'))
+- keys.append( key )
+- return keys
+-
+-def write_field(out, key, value):
+- out.write("<<\n")
+- if value:
+- out.write("/V (%s)\n" %value)
+- else:
+- out.write("/V /\n")
+- out.write("/T (%s)\n" % output_field(key) )
+- out.write(">> \n")
+-
+-def write_fields(out, fields):
+- out.write(HEAD)
+- for (key, value, comment) in fields:
+- write_field(out, key, value)
+- write_field(out, key+"a", value) # pour copie-carbone sur autres pages
+- out.write(TAIL)
+-
+-def extract_keys_from_pdf(filename):
+- # what about using 'pdftk filename dump_data_fields' and parsing the output ?
+- os.system('pdftk %s generate_fdf output /tmp/toto.fdf' % filename)
+- lines = file('/tmp/toto.fdf').readlines()
+- return extract_keys(lines)
+-
+-
+-def fill_pdf(infile, outfile, fields):
+- write_fields(file('/tmp/toto.fdf', 'w'), fields)
+- os.system('pdftk %s fill_form /tmp/toto.fdf output %s flatten' % (infile, outfile))
+-
+-def testfill_pdf(infile, outfile):
+- keys = extract_keys_from_pdf(infile)
+- fields = []
+- for key in keys:
+- fields.append( (key, key, '') )
+- fill_pdf(infile, outfile, fields)
+-
+diff -rupN logilab-common-0.58.2-orig/README logilab-common-0.58.2/README
+--- logilab-common-0.58.2-orig/README 2012-07-30 06:06:59.000000000 -0700
++++ logilab-common-0.58.2/README 2014-03-14 10:26:18.058139000 -0700
+@@ -123,8 +123,6 @@ Modules extending some external modules
+
+ * `hg`, some Mercurial_ utility functions.
+
+-* `pdf_ext`, pdf and fdf file manipulations, with pdftk.
+-
+ * `pyro_ext`, some Pyro_ utility functions.
+
+ * `sphinx_ext`, Sphinx_ plugin defining a `autodocstring` directive.
diff -r 44bcab9cfdee -r baadf45ecbdd components/logilab-common/patches/02-CVE-2014-1839.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/logilab-common/patches/02-CVE-2014-1839.patch Mon Mar 24 11:33:41 2014 -0700
@@ -0,0 +1,60 @@
+Patch from upstream, not yet available in latest stable release--
+http://www.logilab.org/revision/210454
+--to fix CVE-2014-1839.
+
+diff -rupN logilab-common-0.58.2-orig/ChangeLog logilab-common-0.58.2/ChangeLog
+--- logilab-common-0.58.2-orig/ChangeLog 2014-03-14 10:39:51.021176000 -0700
++++ logilab-common-0.58.2/ChangeLog 2014-03-14 10:43:43.925212000 -0700
+@@ -4,6 +4,9 @@ ChangeLog for logilab.common
+ 2014-02-03
+ * pdf_ext: removed, it had no known users (CVE-2014-1838)
+
++ * shellutils: fix tempfile issue in Execute, and deprecate it
++ (CVE-2014-1839)
++
+
+ 2012-07-30 -- 0.58.2
+ * modutils: fixes (closes #100757 and #100935)
+diff -rupN logilab-common-0.58.2-orig/shellutils.py logilab-common-0.58.2/shellutils.py
+--- logilab-common-0.58.2-orig/shellutils.py 2012-07-30 06:06:59.000000000 -0700
++++ logilab-common-0.58.2/shellutils.py 2014-03-14 10:46:41.707010000 -0700
+@@ -31,11 +31,13 @@ import fnmatch
+ import errno
+ import string
+ import random
++import subprocess
+ from os.path import exists, isdir, islink, basename, join
+
+ from logilab.common import STD_BLACKLIST, _handle_blacklist
+ from logilab.common.compat import raw_input
+ from logilab.common.compat import str_to_bytes
++from logilab.common.deprecation import deprecated
+
+ try:
+ from logilab.common.proc import ProcInfo, NoSuchProcess
+@@ -224,20 +226,17 @@ def unzip(archive, destdir):
+ outfile.write(zfobj.read(name))
+ outfile.close()
+
++@deprecated('Use subprocess.Popen instead')
+ class Execute:
+ """This is a deadlock safe version of popen2 (no stdin), that returns
+ an object with errorlevel, out and err.
+ """
+
+ def __init__(self, command):
+- outfile = tempfile.mktemp()
+- errfile = tempfile.mktemp()
+- self.status = os.system("( %s ) >%s 2>%s" %
+- (command, outfile, errfile)) >> 8
+- self.out = open(outfile, "r").read()
+- self.err = open(errfile, "r").read()
+- os.remove(outfile)
+- os.remove(errfile)
++ cmd = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
++ self.out, self.err = cmd.communicate()
++ self.status = os.WEXITSTATUS(cmd.returncode)
++
+
+ def acquire_lock(lock_file, max_try=10, delay=10, max_delay=3600):
+ """Acquire a lock represented by a file on the file system
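Review bot: `self.status = os.WEXITSTATUS(cmd.returncode)` in the new `Execute.__init__` decodes a value that is already decoded: `Popen.returncode` is the shell's exit code (or a negative signal number), not a raw wait status, so under the usual POSIX encoding any ordinary non-zero exit code comes out as 0 and a failing command is reported as success. The removed code needed `>> 8` only because `os.system` returns the raw wait status; with `subprocess` the line should read `self.status = cmd.returncode`. Separately, `shell=True` means `command` is still interpreted by the shell, so the patch closes the `tempfile.mktemp` race but not shell interpretation of the argument; a comment above the `Popen` call such as `# command is run through the shell; never build it from untrusted input` would make that contract explicit. `acquire_lock` continues outside the hunk.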