--- a/components/logilab-common/logilab-common-26.p5m Thu Mar 13 11:32:25 2014 -0700
+++ b/components/logilab-common/logilab-common-26.p5m Sat Mar 15 00:26:21 2014 -0700
@@ -64,7 +64,6 @@
file path=usr/lib/python2.6/vendor-packages/logilab/common/modutils.py
file path=usr/lib/python2.6/vendor-packages/logilab/common/optik_ext.py
file path=usr/lib/python2.6/vendor-packages/logilab/common/optparser.py
-file path=usr/lib/python2.6/vendor-packages/logilab/common/pdf_ext.py
file path=usr/lib/python2.6/vendor-packages/logilab/common/proc.py
file path=usr/lib/python2.6/vendor-packages/logilab/common/pyro_ext.py
file path=usr/lib/python2.6/vendor-packages/logilab/common/pytest.py
--- a/components/logilab-common/logilab-common-27.p5m Thu Mar 13 11:32:25 2014 -0700
+++ b/components/logilab-common/logilab-common-27.p5m Sat Mar 15 00:26:21 2014 -0700
@@ -76,7 +76,6 @@
file path=usr/lib/python2.7/vendor-packages/logilab/common/modutils.py
file path=usr/lib/python2.7/vendor-packages/logilab/common/optik_ext.py
file path=usr/lib/python2.7/vendor-packages/logilab/common/optparser.py
-file path=usr/lib/python2.7/vendor-packages/logilab/common/pdf_ext.py
file path=usr/lib/python2.7/vendor-packages/logilab/common/proc.py
file path=usr/lib/python2.7/vendor-packages/logilab/common/pyro_ext.py
file path=usr/lib/python2.7/vendor-packages/logilab/common/pytest.py
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/logilab-common/patches/01-CVE-2014-1838.patch Sat Mar 15 00:26:21 2014 -0700
@@ -0,0 +1,145 @@
+Patch from upstream, not yet available in latest stable release--
+http://www.logilab.org/revision/207574
+--to fix CVE-2014-1838.
+
+diff -rupN logilab-common-0.58.2-orig/ChangeLog logilab-common-0.58.2/ChangeLog
+--- logilab-common-0.58.2-orig/ChangeLog 2012-07-30 06:06:59.000000000 -0700
++++ logilab-common-0.58.2/ChangeLog 2014-03-14 10:34:00.085719000 -0700
+@@ -1,6 +1,10 @@
+ ChangeLog for logilab.common
+ ============================
+
++2014-02-03
++ * pdf_ext: removed, it had no known users (CVE-2014-1838)
++
++
+ 2012-07-30 -- 0.58.2
+ * modutils: fixes (closes #100757 and #100935)
+
+diff -rupN logilab-common-0.58.2-orig/pdf_ext.py logilab-common-0.58.2/pdf_ext.py
+--- logilab-common-0.58.2-orig/pdf_ext.py 2012-07-30 06:06:59.000000000 -0700
++++ logilab-common-0.58.2/pdf_ext.py 1969-12-31 16:00:00.000000000 -0800
+@@ -1,111 +0,0 @@
+-# copyright 2003-2011 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
+-# contact http://www.logilab.fr/ -- mailto:[email protected]
+-#
+-# This file is part of logilab-common.
+-#
+-# logilab-common is free software: you can redistribute it and/or modify it under
+-# the terms of the GNU Lesser General Public License as published by the Free
+-# Software Foundation, either version 2.1 of the License, or (at your option) any
+-# later version.
+-#
+-# logilab-common is distributed in the hope that it will be useful, but WITHOUT
+-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+-# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+-# details.
+-#
+-# You should have received a copy of the GNU Lesser General Public License along
+-# with logilab-common. If not, see <http://www.gnu.org/licenses/>.
+-"""Manipulate pdf and fdf files (pdftk recommended).
+-
+-Notes regarding pdftk, pdf forms and fdf files (form definition file)
+-fields names can be extracted with:
+-
+- pdftk orig.pdf generate_fdf output truc.fdf
+-
+-to merge fdf and pdf:
+-
+- pdftk orig.pdf fill_form test.fdf output result.pdf [flatten]
+-
+-without flatten, one could further edit the resulting form.
+-with flatten, everything is turned into text.
+-
+-
+-
+-
+-"""
+-__docformat__ = "restructuredtext en"
+-# XXX seems very unix specific
+-# TODO: check availability of pdftk at import
+-
+-
+-import os
+-
+-HEAD="""%FDF-1.2
+-%\xE2\xE3\xCF\xD3
+-1 0 obj
+-<<
+-/FDF
+-<<
+-/Fields [
+-"""
+-
+-TAIL="""]
+->>
+->>
+-endobj
+-trailer
+-
+-<<
+-/Root 1 0 R
+->>
+-%%EOF
+-"""
+-
+-def output_field( f ):
+- return "\xfe\xff" + "".join( [ "\x00"+c for c in f ] )
+-
+-def extract_keys(lines):
+- keys = []
+- for line in lines:
+- if line.startswith('/V'):
+- pass #print 'value',line
+- elif line.startswith('/T'):
+- key = line[7:-2]
+- key = ''.join(key.split('\x00'))
+- keys.append( key )
+- return keys
+-
+-def write_field(out, key, value):
+- out.write("<<\n")
+- if value:
+- out.write("/V (%s)\n" %value)
+- else:
+- out.write("/V /\n")
+- out.write("/T (%s)\n" % output_field(key) )
+- out.write(">> \n")
+-
+-def write_fields(out, fields):
+- out.write(HEAD)
+- for (key, value, comment) in fields:
+- write_field(out, key, value)
+- write_field(out, key+"a", value) # pour copie-carbone sur autres pages
+- out.write(TAIL)
+-
+-def extract_keys_from_pdf(filename):
+- # what about using 'pdftk filename dump_data_fields' and parsing the output ?
+- os.system('pdftk %s generate_fdf output /tmp/toto.fdf' % filename)
+- lines = file('/tmp/toto.fdf').readlines()
+- return extract_keys(lines)
+-
+-
+-def fill_pdf(infile, outfile, fields):
+- write_fields(file('/tmp/toto.fdf', 'w'), fields)
+- os.system('pdftk %s fill_form /tmp/toto.fdf output %s flatten' % (infile, outfile))
+-
+-def testfill_pdf(infile, outfile):
+- keys = extract_keys_from_pdf(infile)
+- fields = []
+- for key in keys:
+- fields.append( (key, key, '') )
+- fill_pdf(infile, outfile, fields)
+-
+diff -rupN logilab-common-0.58.2-orig/README logilab-common-0.58.2/README
+--- logilab-common-0.58.2-orig/README 2012-07-30 06:06:59.000000000 -0700
++++ logilab-common-0.58.2/README 2014-03-14 10:26:18.058139000 -0700
+@@ -123,8 +123,6 @@ Modules extending some external modules
+
+ * `hg`, some Mercurial_ utility functions.
+
+-* `pdf_ext`, pdf and fdf file manipulations, with pdftk.
+-
+ * `pyro_ext`, some Pyro_ utility functions.
+
+ * `sphinx_ext`, Sphinx_ plugin defining a `autodocstring` directive.
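Review bot: The header of 01-CVE-2014-1838.patch names the CVE but not the defect, so a later maintainer cannot tell from the patch why the module is dropped rather than repaired. The deleted lines show the cause: `extract_keys_from_pdf` and `fill_pdf` both use the fixed path `/tmp/toto.fdf` and interpolate file names into `os.system()` strings. I would add a header line such as `pdf_ext wrote to the fixed path /tmp/toto.fdf and built os.system() commands from unquoted file names; upstream removed the module instead of fixing it.` Because the module disappears in a patch-level update, the component's release notes should also say that `logilab.common.pdf_ext` is no longer importable.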
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/logilab-common/patches/02-CVE-2014-1839.patch Sat Mar 15 00:26:21 2014 -0700
@@ -0,0 +1,60 @@
+Patch from upstream, not yet available in latest stable release--
+http://www.logilab.org/revision/210454
+--to fix CVE-2014-1839.
+
+diff -rupN logilab-common-0.58.2-orig/ChangeLog logilab-common-0.58.2/ChangeLog
+--- logilab-common-0.58.2-orig/ChangeLog 2014-03-14 10:39:51.021176000 -0700
++++ logilab-common-0.58.2/ChangeLog 2014-03-14 10:43:43.925212000 -0700
+@@ -4,6 +4,9 @@ ChangeLog for logilab.common
+ 2014-02-03
+ * pdf_ext: removed, it had no known users (CVE-2014-1838)
+
++ * shellutils: fix tempfile issue in Execute, and deprecate it
++ (CVE-2014-1839)
++
+
+ 2012-07-30 -- 0.58.2
+ * modutils: fixes (closes #100757 and #100935)
+diff -rupN logilab-common-0.58.2-orig/shellutils.py logilab-common-0.58.2/shellutils.py
+--- logilab-common-0.58.2-orig/shellutils.py 2012-07-30 06:06:59.000000000 -0700
++++ logilab-common-0.58.2/shellutils.py 2014-03-14 10:46:41.707010000 -0700
+@@ -31,11 +31,13 @@ import fnmatch
+ import errno
+ import string
+ import random
++import subprocess
+ from os.path import exists, isdir, islink, basename, join
+
+ from logilab.common import STD_BLACKLIST, _handle_blacklist
+ from logilab.common.compat import raw_input
+ from logilab.common.compat import str_to_bytes
++from logilab.common.deprecation import deprecated
+
+ try:
+ from logilab.common.proc import ProcInfo, NoSuchProcess
+@@ -224,20 +226,17 @@ def unzip(archive, destdir):
+ outfile.write(zfobj.read(name))
+ outfile.close()
+
++@deprecated('Use subprocess.Popen instead')
+ class Execute:
+ """This is a deadlock safe version of popen2 (no stdin), that returns
+ an object with errorlevel, out and err.
+ """
+
+ def __init__(self, command):
+- outfile = tempfile.mktemp()
+- errfile = tempfile.mktemp()
+- self.status = os.system("( %s ) >%s 2>%s" %
+- (command, outfile, errfile)) >> 8
+- self.out = open(outfile, "r").read()
+- self.err = open(errfile, "r").read()
+- os.remove(outfile)
+- os.remove(errfile)
++ cmd = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
++ self.out, self.err = cmd.communicate()
++ self.status = os.WEXITSTATUS(cmd.returncode)
++
+
+ def acquire_lock(lock_file, max_try=10, delay=10, max_delay=3600):
+ """Acquire a lock represented by a file on the file system
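Review bot: `self.status = os.WEXITSTATUS(cmd.returncode)` in the new `Execute.__init__` applies a wait-status macro to a value that is already decoded. `Popen.returncode` is the exit code itself (or a negative signal number), so with the usual `(status >> 8) & 0xff` definition every ordinary non-zero exit is reported as status 0, and callers that check `status` would treat failures as success; use `self.status = cmd.returncode`. Separately, the change removes the predictable `tempfile.mktemp()` names but still runs `command` with `shell=True`, so the docstring should state the contract, e.g. `command is passed to the shell unmodified; callers must not build it from untrusted data`. `@deprecated` is applied to a class here, and whether `logilab.common.deprecation.deprecated` supports classes is not visible in this hunk, so that is worth confirming.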