[Git][security-tracker-team/security-tracker][master] 9 commits: CVE-2018-10925: removed duplicated package entry
Emilio Pozuelo Monfort
pochu at debian.org
Tue Nov 10 13:33:08 GMT 2020
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker
Commits:
bf85e8cb by Emilio Pozuelo Monfort at 2020-11-10T13:59:33+01:00
CVE-2018-10925: removed duplicated package entry
- - - - -
3940658f by Emilio Pozuelo Monfort at 2020-11-10T14:00:50+01:00
test_regexpcase.py: use assertEqual, assertEquals is deprecated
- - - - -
cb60c146 by Emilio Pozuelo Monfort at 2020-11-10T14:01:39+01:00
test_xpickle.py: encode data before writing
The tempfile is opened in binary mode.
- - - - -
44983150 by Emilio Pozuelo Monfort at 2020-11-10T14:02:20+01:00
sectracker_test/run.py: run tests under python3
- - - - -
faf9d74a by Emilio Pozuelo Monfort at 2020-11-10T14:03:17+01:00
sectracker/repo.py: don't look for sha1 fields
Release files no longer contain them.
- - - - -
d85a44be by Emilio Pozuelo Monfort at 2020-11-10T14:04:53+01:00
sectracker/repo.py: fix calls to urllib under python3
- - - - -
e58e4d12 by Emilio Pozuelo Monfort at 2020-11-10T14:05:32+01:00
sectracker/repo.py: compare data to a bytes object
Otherwise we'll run into an endless loop under Python 3.
- - - - -
ebc05644 by Emilio Pozuelo Monfort at 2020-11-10T14:11:50+01:00
sectracker: remove future imports
- - - - -
74a19934 by Emilio Pozuelo Monfort at 2020-11-10T14:30:23+01:00
Remove checks for apt_pkg.version_compare
The rename happened too long ago, and VersionCompare is long gone.
We assume it exists in security_db anyway.
- - - - -
9 changed files:
- data/CVE/list
- lib/python/debian_support.py
- lib/python/sectracker/analyzers.py
- lib/python/sectracker/repo.py
- lib/python/sectracker/xpickle.py
- lib/python/sectracker_test/run.py
- lib/python/sectracker_test/test_analyzers.py
- lib/python/sectracker_test/test_regexpcase.py
- lib/python/sectracker_test/test_xpickle.py
Changes:
=====================================
data/CVE/list
=====================================
@@ -150625,7 +150625,6 @@ CVE-2018-10925 (It was discovered that PostgreSQL versions before 10.5, 9.6.10,
- postgresql-10 10.5-1
- postgresql-9.6 <removed>
- postgresql-9.5 <removed>
- - postgresql-9.5 <not-affected> (Only affects PostgreSQL 9.5 onwards)
- postgresql-9.4 <not-affected> (Only affects PostgreSQL 9.5 onwards)
- postgresql-9.1 <not-affected> (Only affects PostgreSQL 9.5 onwards)
NOTE: Fixed in 9.5.14, 9.6.10, 10.5
=====================================
lib/python/debian_support.py
=====================================
@@ -113,10 +113,7 @@ class Version:
return 'Version(%r)' % self.__asString
def __cmp__(self, other):
- try:
- return apt_pkg.version_compare(self.__forCompare, other.__forCompare)
- except AttributeError:
- return apt_pkg.VersionCompare(self.__forCompare, other.__forCompare)
+ return apt_pkg.version_compare(self.__forCompare, other.__forCompare)
def __lt__(self, other):
return self.__cmp__(other) < 0
@@ -139,11 +136,8 @@ def version_compare(a, b):
~bpo and ~volatile suffixes are ignored."""
a = _version_normalize_regexp.sub("", a)
b = _version_normalize_regexp.sub("", b)
- try:
- vc = apt_pkg.version_compare
- except AttributeError:
- vc = apt_pkg.VersionCompare
- return vc(a, b)
+
+ return apt_pkg.version_compare(a, b)
class PackageFile:
"""A Debian package file.
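Review bot: `__cmp__` is not a comparison hook under Python 3, so once the fallback is removed it survives only as the helper that `__lt__` (and presumably the other rich comparisons) delegate to; a comment prevents a later reader from taking it for dead code, e.g. `# Plain helper, not a Python 3 special method: the rich comparisons below delegate to it.` Both `__cmp__` and `version_compare` now call `apt_pkg.version_compare` unconditionally; that function needs the apt system initialised (analyzers.py runs `_apt_pkg.init()` before its first use), and no such call is visible in these hunks, so confirm this module initialises apt_pkg somewhere or the call will fail at runtime. The `Version` class continues past the first hunk and `PackageFile` starts at the end of the second.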
=====================================
lib/python/sectracker/analyzers.py
=====================================
@@ -20,12 +20,8 @@ import re as _re
from collections import namedtuple as _namedtuple
-# vercmp is the Debian version comparison algorithm
+# _apt_pkg.version_compare is the Debian version comparison algorithm
_apt_pkg.init()
-try:
- vercmp = _apt_pkg.version_compare
-except AttributeError:
- vercmp = _apt_pkg.VersionCompare
def mergelists(listfiles, diag):
"""Merge the (already parsed) list files in listfiles.
@@ -208,7 +204,7 @@ def fixedversions(bugdb, copysrc, versions, diag):
other_versions = set()
for rel, ver in getversions(pname):
if unstable_fixed is not None \
- and vercmp(ver, unstable_fixed) >= 0:
+ and _apt_pkg.version_compare(ver, unstable_fixed) >= 0:
# This version is already covered by the
# unstable fix.
continue
@@ -220,7 +216,7 @@ def fixedversions(bugdb, copysrc, versions, diag):
# Annotations like <not-affected>.
other_versions.add(ver)
continue
- if vercmp(ver, refver) >= 0:
+ if _apt_pkg.version_compare(ver, refver) >= 0:
other_versions.add(ver)
result.append(Vulnerability(bug.header.name, pname,
unstable_fixed, other_versions))
@@ -240,7 +236,7 @@ def bestversion(config, codename, pkg, requested_members=None):
if pkg in comp:
curpkg = comp[pkg]
curver = curpkg.version
- if bestver is None or vercmp(curver, bestver) > 0:
+ if bestver is None or _apt_pkg.version_compare(curver, bestver) > 0:
bestver = curver
bestpkg = curpkg
return bestpkg
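Review bot: Dropping the module-level `vercmp` binding removes a name without a leading underscore that other modules or tests may import from `sectracker.analyzers`, and the three call sites in `fixedversions` and `bestversion` become noticeably longer as a result. Keeping one alias next to the updated comment, `vercmp = _apt_pkg.version_compare`, preserves that interface and lets the call sites stay as they were. If nothing outside this module references `vercmp`, the removal is fine and only the comment change is needed. `mergelists`, `fixedversions` and `bestversion` all extend outside their hunks.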
=====================================
lib/python/sectracker/repo.py
=====================================
@@ -15,8 +15,6 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-from __future__ import with_statement
-
import bz2 as _bz2
import hashlib as _hashlib
import gzip as _gzip
@@ -63,7 +61,6 @@ def _parserelease(path, f):
_splitfield(data, "components")
_splitfield(data, "architectures")
_splithashes(path, data, "md5sum")
- _splithashes(path, data, "sha1")
_splithashes(path, data, "sha256")
return data
@@ -81,7 +78,7 @@ def _unbzip2hash(src, dst):
def _downloadbz2(url, target, expecteddigest):
try:
- bz2src = _urllib.urlopen(url)
+ bz2src = _urllib.request.urlopen(url)
try:
dgst = _xpickle.replacefile(
target, lambda fname, f: _unbzip2hash(bz2src, f))
@@ -96,7 +93,7 @@ def _downloadbz2(url, target, expecteddigest):
def _downloadgz(url, target, expecteddigest):
with _tempfile.NamedTemporaryFile() as t:
try:
- (filename, headers) = _urllib.urlretrieve(url, t.name)
+ (filename, headers) = _urllib.request.urlretrieve(url, t.name)
except IOError:
return False
gfile = _gzip.GzipFile(t.name)
@@ -105,7 +102,7 @@ def _downloadgz(url, target, expecteddigest):
digest = _hashlib.sha256()
while True:
data = gfile.read(8192)
- if data == "":
+ if data == b'':
break
f.write(data)
digest.update(data)
@@ -182,7 +179,7 @@ class RepoCollection(object):
self._markused(relname)
try:
def download(fname, f):
- _urllib.urlretrieve(url + 'Release', fname)
+ _urllib.request.urlretrieve(url + 'Release', fname)
_xpickle.replacefile(relname, download)
return True
except IOError:
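Review bot: `_urllib.request.urlopen` in `_downloadbz2` (and `_urllib.request.urlretrieve` in `_downloadgz` and `RepoCollection`) only resolves if the `urllib.request` submodule has already been imported; a bare `import urllib as _urllib` does not load it, and the urllib import line is not in the visible hunk, so this may be working only because another module imported the submodule first. Importing it explicitly, `import urllib.request as _urllib_request`, and calling `_urllib_request.urlopen(url)` / `_urllib_request.urlretrieve(...)` removes that dependence on import order. In `_downloadgz`, `if data == b'':` can be written as `if not data:`, the usual end-of-stream test, which also avoids any further str/bytes mismatch. `_parserelease` still splits the `md5sum` fields after dropping `sha1`; the download verification uses `_hashlib.sha256()`, so if the md5 data is consumed anywhere else it should not be treated as an integrity check. Each function touched here continues outside its hunk.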
=====================================
lib/python/sectracker/xpickle.py
=====================================
@@ -15,8 +15,6 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-from __future__ import with_statement
-
import errno as _errno
import os as _os
import pickle as _pickle
=====================================
lib/python/sectracker_test/run.py
=====================================
@@ -14,7 +14,6 @@
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-from __future__ import print_function
if __name__ != "__main__":
raise Exception("run must be executed directly")
@@ -47,7 +46,7 @@ for name in files:
continue
fullpath = "%s/%s" % (ourpath, name)
print("* Running", name)
- p = subprocess.Popen(("python", "--", fullpath), env=env)
+ p = subprocess.Popen(("python3", "--", fullpath), env=env)
ret = p.wait()
if ret != 0:
print("Test exited with status", ret)
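Review bot: Hard-coding `"python3"` in `subprocess.Popen` runs the test files under whichever `python3` is first on PATH, which may differ from the interpreter executing run.py (a virtualenv or a specific minor version) and silently exercise a different environment. Using the running interpreter, `p = subprocess.Popen((sys.executable, "--", fullpath), env=env)`, keeps the child on the same Python; this needs `sys` imported, which is not visible in the hunk. The `for name in files:` loop starts before the hunk.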
=====================================
lib/python/sectracker_test/test_analyzers.py
=====================================
@@ -14,7 +14,6 @@
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-from __future__ import print_function
import os
=====================================
lib/python/sectracker_test/test_regexpcase.py
=====================================
@@ -38,7 +38,7 @@ class TestRegexpCase(unittest.TestCase):
self.assertEqual(3, rc["three"])
self.assertEqual(5, rc["five"])
self.assertEqual(None, rc["seven"])
- self.assertEquals((None, None), rc.match("seven"))
+ self.assertEqual((None, None), rc.match("seven"))
self.assertRaises(TypeError, rc.__call__, ())
def testcallstrings(self):
=====================================
lib/python/sectracker_test/test_xpickle.py
=====================================
@@ -15,21 +15,19 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-from __future__ import with_statement
-
import tempfile
import sectracker.xpickle as x
with tempfile.NamedTemporaryFile() as t:
try:
data = "foo bar baz\n"
- t.write(data)
+ t.write(data.encode())
t.flush()
l = x._wraploader("foo", lambda p, f: f.read())
assert l(t.name) == data
assert l(t.name) == data
- t.write(data)
+ t.write(data.encode())
t.flush()
assert l(t.name) == (data + data)
finally:
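Review bot: The writes now encode `data` to bytes, but the assertions still compare the loader's result with the `str` value `data`; that only holds if `_wraploader` opens the file in text mode, which this hunk cannot show. If it opens in binary mode, `f.read()` returns bytes and `assert l(t.name) == data` fails, in which case the expected values should be `data.encode()` and `(data + data).encode()`. Confirm the mode `_wraploader` uses before relying on the current assertions. The `with tempfile.NamedTemporaryFile()` block continues past the `finally:` at the end of the hunk.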