18299226 problem in PYTHON-MOD/LOGILAB-COMMON s11-update
authorApril Chin <april.chin@oracle.com>
Mon, 24 Mar 2014 11:33:41 -0700
branchs11-update
changeset 3002 baadf45ecbdd
parent 3000 44bcab9cfdee
child 3004 856505663cc3
18299226 problem in PYTHON-MOD/LOGILAB-COMMON
components/logilab-common/logilab-common-26.p5m
components/logilab-common/logilab-common-27.p5m
components/logilab-common/patches/01-CVE-2014-1838.patch
components/logilab-common/patches/02-CVE-2014-1839.patch
--- a/components/logilab-common/logilab-common-26.p5m	Tue Jan 07 04:04:31 2014 -0800
+++ b/components/logilab-common/logilab-common-26.p5m	Mon Mar 24 11:33:41 2014 -0700
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
 #
 
 <transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
@@ -37,17 +37,6 @@
     value=LSARC/2009/298
 set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
 
-dir path=usr
-dir path=usr/bin
-dir path=usr/lib
-dir path=usr/lib/python2.6
-dir path=usr/lib/python2.6/vendor-packages
-dir path=usr/lib/python2.6/vendor-packages/logilab
-dir path=usr/lib/python2.6/vendor-packages/logilab/common
-dir path=usr/lib/python2.6/vendor-packages/logilab/common/ureports
-dir \
-    path=usr/lib/python2.6/vendor-packages/logilab_common-$(COMPONENT_VERSION)-py2.6.egg-info
-
 file path=usr/bin/pytest-2.6
 file path=usr/lib/python2.6/vendor-packages/logilab/__init__.py
 file path=usr/lib/python2.6/vendor-packages/logilab/common/__init__.py
@@ -74,7 +63,6 @@
 file path=usr/lib/python2.6/vendor-packages/logilab/common/modutils.py
 file path=usr/lib/python2.6/vendor-packages/logilab/common/optik_ext.py
 file path=usr/lib/python2.6/vendor-packages/logilab/common/optparser.py
-file path=usr/lib/python2.6/vendor-packages/logilab/common/pdf_ext.py
 file path=usr/lib/python2.6/vendor-packages/logilab/common/proc.py
 file path=usr/lib/python2.6/vendor-packages/logilab/common/pyro_ext.py
 file path=usr/lib/python2.6/vendor-packages/logilab/common/pytest.py
--- a/components/logilab-common/logilab-common-27.p5m	Tue Jan 07 04:04:31 2014 -0800
+++ b/components/logilab-common/logilab-common-27.p5m	Mon Mar 24 11:33:41 2014 -0700
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
 #
 
 <transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
@@ -37,16 +37,6 @@
     value=LSARC/2009/298
 set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
 
-dir path=usr
-dir path=usr/bin
-dir path=usr/lib
-dir path=usr/lib/python2.7
-dir path=usr/lib/python2.7/vendor-packages
-dir path=usr/lib/python2.7/vendor-packages/logilab
-dir path=usr/lib/python2.7/vendor-packages/logilab/common
-dir path=usr/lib/python2.7/vendor-packages/logilab/common/ureports
-dir path=usr/lib/python2.7/vendor-packages/logilab_common-$(COMPONENT_VERSION)-py2.7.egg-info
-
 file \
     path=usr/lib/python2.7/vendor-packages/logilab_common-$(COMPONENT_VERSION)-py2.7-nspkg.pth
 file \
@@ -85,7 +75,6 @@
 file path=usr/lib/python2.7/vendor-packages/logilab/common/modutils.py
 file path=usr/lib/python2.7/vendor-packages/logilab/common/optik_ext.py
 file path=usr/lib/python2.7/vendor-packages/logilab/common/optparser.py
-file path=usr/lib/python2.7/vendor-packages/logilab/common/pdf_ext.py
 file path=usr/lib/python2.7/vendor-packages/logilab/common/proc.py
 file path=usr/lib/python2.7/vendor-packages/logilab/common/pyro_ext.py
 file path=usr/lib/python2.7/vendor-packages/logilab/common/pytest.py
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/logilab-common/patches/01-CVE-2014-1838.patch	Mon Mar 24 11:33:41 2014 -0700
@@ -0,0 +1,145 @@
+Patch from upstream, not yet available in latest stable release--
+http://www.logilab.org/revision/207574
+--to fix CVE-2014-1838.
+
+diff -rupN logilab-common-0.58.2-orig/ChangeLog logilab-common-0.58.2/ChangeLog
+--- logilab-common-0.58.2-orig/ChangeLog	2012-07-30 06:06:59.000000000 -0700
++++ logilab-common-0.58.2/ChangeLog	2014-03-14 10:34:00.085719000 -0700
[email protected]@ -1,6 +1,10 @@
+ ChangeLog for logilab.common
+ ============================
+ 
++2014-02-03
++   * pdf_ext: removed, it had no known users (CVE-2014-1838)
++
++
+ 2012-07-30  --  0.58.2
+     * modutils: fixes (closes #100757 and #100935)
+ 
+diff -rupN logilab-common-0.58.2-orig/pdf_ext.py logilab-common-0.58.2/pdf_ext.py
+--- logilab-common-0.58.2-orig/pdf_ext.py	2012-07-30 06:06:59.000000000 -0700
++++ logilab-common-0.58.2/pdf_ext.py	1969-12-31 16:00:00.000000000 -0800
[email protected]@ -1,111 +0,0 @@
+-# copyright 2003-2011 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
+-# contact http://www.logilab.fr/ -- mailto:[email protected]
+-#
+-# This file is part of logilab-common.
+-#
+-# logilab-common is free software: you can redistribute it and/or modify it under
+-# the terms of the GNU Lesser General Public License as published by the Free
+-# Software Foundation, either version 2.1 of the License, or (at your option) any
+-# later version.
+-#
+-# logilab-common is distributed in the hope that it will be useful, but WITHOUT
+-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+-# FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more
+-# details.
+-#
+-# You should have received a copy of the GNU Lesser General Public License along
+-# with logilab-common.  If not, see <http://www.gnu.org/licenses/>.
+-"""Manipulate pdf and fdf files (pdftk recommended).
+-
+-Notes regarding pdftk, pdf forms and fdf files (form definition file)
+-fields names can be extracted with:
+-
+-    pdftk orig.pdf generate_fdf output truc.fdf
+-
+-to merge fdf and pdf:
+-
+-    pdftk orig.pdf fill_form test.fdf output result.pdf [flatten]
+-
+-without flatten, one could further edit the resulting form.
+-with flatten, everything is turned into text.
+-
+-
+-
+-
+-"""
+-__docformat__ = "restructuredtext en"
+-# XXX seems very unix specific
+-# TODO: check availability of pdftk at import
+-
+-
+-import os
+-
+-HEAD="""%FDF-1.2
+-%\xE2\xE3\xCF\xD3
+-1 0 obj
+-<<
+-/FDF
+-<<
+-/Fields [
+-"""
+-
+-TAIL="""]
+->>
+->>
+-endobj
+-trailer
+-
+-<<
+-/Root 1 0 R
+->>
+-%%EOF
+-"""
+-
+-def output_field( f ):
+-    return "\xfe\xff" + "".join( [ "\x00"+c for c in f ] )
+-
+-def extract_keys(lines):
+-    keys = []
+-    for line in lines:
+-        if line.startswith('/V'):
+-            pass #print 'value',line
+-        elif line.startswith('/T'):
+-            key = line[7:-2]
+-            key = ''.join(key.split('\x00'))
+-            keys.append( key )
+-    return keys
+-
+-def write_field(out, key, value):
+-    out.write("<<\n")
+-    if value:
+-        out.write("/V (%s)\n" %value)
+-    else:
+-        out.write("/V /\n")
+-    out.write("/T (%s)\n" % output_field(key) )
+-    out.write(">> \n")
+-
+-def write_fields(out, fields):
+-    out.write(HEAD)
+-    for (key, value, comment) in fields:
+-        write_field(out, key, value)
+-        write_field(out, key+"a", value) # pour copie-carbone sur autres pages
+-    out.write(TAIL)
+-
+-def extract_keys_from_pdf(filename):
+-    # what about using 'pdftk filename dump_data_fields' and parsing the output ?
+-    os.system('pdftk %s generate_fdf output /tmp/toto.fdf' % filename)
+-    lines = file('/tmp/toto.fdf').readlines()
+-    return extract_keys(lines)
+-
+-
+-def fill_pdf(infile, outfile, fields):
+-    write_fields(file('/tmp/toto.fdf', 'w'), fields)
+-    os.system('pdftk %s fill_form /tmp/toto.fdf output %s flatten' % (infile, outfile))
+-
+-def testfill_pdf(infile, outfile):
+-    keys = extract_keys_from_pdf(infile)
+-    fields = []
+-    for key in keys:
+-        fields.append( (key, key, '') )
+-    fill_pdf(infile, outfile, fields)
+-
+diff -rupN logilab-common-0.58.2-orig/README logilab-common-0.58.2/README
+--- logilab-common-0.58.2-orig/README	2012-07-30 06:06:59.000000000 -0700
++++ logilab-common-0.58.2/README	2014-03-14 10:26:18.058139000 -0700
[email protected]@ -123,8 +123,6 @@ Modules extending some external modules
+ 
+ * `hg`, some Mercurial_ utility functions.
+ 
+-* `pdf_ext`, pdf and fdf file manipulations, with pdftk.
+-
+ * `pyro_ext`, some Pyro_ utility functions.
+ 
+ * `sphinx_ext`, Sphinx_ plugin defining a `autodocstring` directive.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/logilab-common/patches/02-CVE-2014-1839.patch	Mon Mar 24 11:33:41 2014 -0700
@@ -0,0 +1,60 @@
+Patch from upstream, not yet available in latest stable release--
+http://www.logilab.org/revision/210454
+--to fix CVE-2014-1839.
+
+diff -rupN logilab-common-0.58.2-orig/ChangeLog logilab-common-0.58.2/ChangeLog
+--- logilab-common-0.58.2-orig/ChangeLog	2014-03-14 10:39:51.021176000 -0700
++++ logilab-common-0.58.2/ChangeLog	2014-03-14 10:43:43.925212000 -0700
[email protected]@ -4,6 +4,9 @@ ChangeLog for logilab.common
+ 2014-02-03
+    * pdf_ext: removed, it had no known users (CVE-2014-1838)
+ 
++   * shellutils: fix tempfile issue in Execute, and deprecate it
++     (CVE-2014-1839)
++
+ 
+ 2012-07-30  --  0.58.2
+     * modutils: fixes (closes #100757 and #100935)
+diff -rupN logilab-common-0.58.2-orig/shellutils.py logilab-common-0.58.2/shellutils.py
+--- logilab-common-0.58.2-orig/shellutils.py	2012-07-30 06:06:59.000000000 -0700
++++ logilab-common-0.58.2/shellutils.py	2014-03-14 10:46:41.707010000 -0700
[email protected]@ -31,11 +31,13 @@ import fnmatch
+ import errno
+ import string
+ import random
++import subprocess
+ from os.path import exists, isdir, islink, basename, join
+ 
+ from logilab.common import STD_BLACKLIST, _handle_blacklist
+ from logilab.common.compat import raw_input
+ from logilab.common.compat import str_to_bytes
++from logilab.common.deprecation import deprecated
+ 
+ try:
+     from logilab.common.proc import ProcInfo, NoSuchProcess
[email protected]@ -224,20 +226,17 @@ def unzip(archive, destdir):
+             outfile.write(zfobj.read(name))
+             outfile.close()
+ 
[email protected]('Use subprocess.Popen instead')
+ class Execute:
+     """This is a deadlock safe version of popen2 (no stdin), that returns
+     an object with errorlevel, out and err.
+     """
+ 
+     def __init__(self, command):
+-        outfile = tempfile.mktemp()
+-        errfile = tempfile.mktemp()
+-        self.status = os.system("( %s ) >%s 2>%s" %
+-                                (command, outfile, errfile)) >> 8
+-        self.out = open(outfile, "r").read()
+-        self.err = open(errfile, "r").read()
+-        os.remove(outfile)
+-        os.remove(errfile)
++        cmd = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
++        self.out, self.err = cmd.communicate()
++        self.status = os.WEXITSTATUS(cmd.returncode)
++
+ 
+ def acquire_lock(lock_file, max_try=10, delay=10, max_delay=3600):
+     """Acquire a lock represented by a file on the file system
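Review bot: `self.status = os.WEXITSTATUS(cmd.returncode)` in the new `Execute.__init__` decodes a value that `Popen` has already decoded: `returncode` is the exit code itself (or `-N` when the child died from signal N), not the raw wait status that `os.system` returned, so `os.WEXITSTATUS(1)` evaluates to 0 and a command that fails with exit code 1 is reported as success. The removed line's `>> 8` performed that decoding on the `os.system` result; the equivalent on the new side is simply `self.status = cmd.returncode`. Because the CVE fix otherwise keeps the interface, any caller that checks `status == 0` would silently misjudge failures with the patched version, which undercuts the point of keeping the class alive behind a deprecation. A negative `returncode` on signal death is a case the old `>> 8` form never produced; if exact compatibility matters, map it to 0 with a comment, otherwise document it in the class docstring. The command still runs with `shell=True`, which is inherent to `Execute`'s string interface and is presumably why the deprecation points callers to `subprocess.Popen` directly; `os` is imported outside this hunk.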