[Python-modules-commits] r19138 - in packages/python-django-piston/trunk/debian (3 files)
svedrin-guest at users.alioth.debian.org
Tue Nov 1 18:42:09 UTC 2011
Date: Tuesday, November 1, 2011 @ 18:42:06
Author: svedrin-guest
Revision: 19138
Fix a security issue with the pickle loader (Closes: #646517).
Added:
packages/python-django-piston/trunk/debian/patches/03-fix-pickle-load.diff
Modified:
packages/python-django-piston/trunk/debian/changelog
packages/python-django-piston/trunk/debian/patches/series
Modified: packages/python-django-piston/trunk/debian/changelog
===================================================================
--- packages/python-django-piston/trunk/debian/changelog 2011-11-01 18:40:48 UTC (rev 19137)
+++ packages/python-django-piston/trunk/debian/changelog 2011-11-01 18:42:06 UTC (rev 19138)
@@ -5,8 +5,9 @@
whitespace in copyright.
* Fix a copy-paste error in copyright.
* Fix a security issue in the YAML emitter.
+ * Fix a security issue with the pickle loader (Closes: #646517).
- -- Michael Ziegler <diese-addy at funzt-halt.net> Tue, 01 Nov 2011 19:29:12 +0100
+ -- Michael Ziegler <diese-addy at funzt-halt.net> Tue, 01 Nov 2011 19:37:58 +0100
python-django-piston (0.2.2-1) unstable; urgency=low
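Review bot: The new changelog line says only "a security issue with the pickle loader"; since this is a security entry, it should say what was actually changed (the application/python-pickle request loader no longer resolves GLOBAL references, patch 03-fix-pickle-load.diff) so the entry is self-describing for anyone reading the changelog without the patch. The neighbouring context line calls the previous fix "a security issue in the YAML emitter" while the corresponding patch in series is named 02-fix-yaml-load.diff; if that fix was also on the loading side, the wording should be corrected in the same upload.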
Added: packages/python-django-piston/trunk/debian/patches/03-fix-pickle-load.diff
===================================================================
--- packages/python-django-piston/trunk/debian/patches/03-fix-pickle-load.diff (rev 0)
+++ packages/python-django-piston/trunk/debian/patches/03-fix-pickle-load.diff 2011-11-01 18:42:06 UTC (rev 19138)
@@ -0,0 +1,24 @@
+Description: Fix a security bug in the pickle loader.
+ See Bug Report #646517
+Forwarded: not-needed
+Author: Michael Ziegler <diese-addy at funzt-halt.net>
+
+Index: python-django-piston-0.2.2/piston/emitters.py
+===================================================================
+--- python-django-piston-0.2.2.orig/piston/emitters.py 2011-11-01 19:34:51.029580091 +0100
++++ python-django-piston-0.2.2/piston/emitters.py 2011-11-01 19:37:42.993577140 +0100
+@@ -395,7 +395,13 @@
+ return pickle.dumps(self.construct())
+
+ Emitter.register('pickle', PickleEmitter, 'application/python-pickle')
+-Mimer.register(pickle.loads, ('application/python-pickle',))
++
++# Safe unpickler. See Bug #646517
++def unpickle(inputfd):
++ unp = pickle.Unpickler(inputfd)
++ unp.find_global = None
++ return unp.load()
++Mimer.register(unpickle, ('application/python-pickle',))
+
+ class DjangoEmitter(Emitter):
+ """
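Review bot: Setting `unp.find_global = None` only disables class lookups in cPickle's Unpickler; the pure-Python `pickle.Unpickler` has no `find_global` attribute and resolves GLOBAL opcodes through its `find_class` method, so if `pickle` in emitters.py is the pure-Python module (the import is outside this hunk) the assignment is silently ignored and the loader is as exposed as before. A fix that works for both modules is to subclass Unpickler and override `find_class` to raise (e.g. `raise pickle.UnpicklingError("global lookups disabled")`), and to set `find_global` as well for cPickle; either way, add a test that feeds a pickle containing a GLOBAL opcode and asserts it is rejected. Second, the callable's contract changed: the old loader was `pickle.loads`, which takes a string, but `pickle.Unpickler(inputfd)` requires a file-like object with `read` and `readline`; if Mimer passes the raw request body as a string, as the previous use of `loads` suggests, every pickle request will now fail with a TypeError, so wrap the input in `StringIO` when it is a string. On the DEP-3 header, the bug reference belongs in a `Bug-Debian:` field rather than in the free-text Description, and `Forwarded: not-needed` looks wrong for a fix to upstream code that upstream would want.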
Modified: packages/python-django-piston/trunk/debian/patches/series
===================================================================
--- packages/python-django-piston/trunk/debian/patches/series 2011-11-01 18:40:48 UTC (rev 19137)
+++ packages/python-django-piston/trunk/debian/patches/series 2011-11-01 18:42:06 UTC (rev 19138)
@@ -1,2 +1,3 @@
01-fix-oauth-import.diff
02-fix-yaml-load.diff
+03-fix-pickle-load.diff