[Python-modules-commits] r27455 - in packages/pyxdg/trunk/debian (3 files)

asb at users.alioth.debian.org asb at users.alioth.debian.org
Mon Jan 27 18:04:36 UTC 2014


    Date: Monday, January 27, 2014 @ 18:04:35
  Author: asb
Revision: 27455

Backport upstream patch that fixes the insecure use
of /tmp in xdg.BaseDirectory.get_runtime_dir(strict=False)
(Closes: #736247). Fixes CVE-2014-1624.

Added:
  packages/pyxdg/trunk/debian/patches/fix-insecure-use-of-tmp.patch
Modified:
  packages/pyxdg/trunk/debian/changelog
  packages/pyxdg/trunk/debian/patches/series

Modified: packages/pyxdg/trunk/debian/changelog
===================================================================
--- packages/pyxdg/trunk/debian/changelog	2014-01-27 17:48:15 UTC (rev 27454)
+++ packages/pyxdg/trunk/debian/changelog	2014-01-27 18:04:35 UTC (rev 27455)
@@ -1,3 +1,11 @@
+pyxdg (0.25-4) UNRELEASED; urgency=high
+
+  * Backport upstream patch that fixes the insecure use
+    of /tmp in xdg.BaseDirectory.get_runtime_dir(strict=False)
+    (Closes: #736247). Fixes CVE-2014-1624.
+
+ -- Andrew Starr-Bochicchio <asb at debian.org>  Mon, 27 Jan 2014 12:58:29 -0500
+
 pyxdg (0.25-3) unstable; urgency=low
 
   [ Jakub Wilk ]

Added: packages/pyxdg/trunk/debian/patches/fix-insecure-use-of-tmp.patch
===================================================================
--- packages/pyxdg/trunk/debian/patches/fix-insecure-use-of-tmp.patch	                        (rev 0)
+++ packages/pyxdg/trunk/debian/patches/fix-insecure-use-of-tmp.patch	2014-01-27 18:04:35 UTC (rev 27455)
@@ -0,0 +1,67 @@
+From bd999c1c3fe7ee5f30ede2cf704cf03e400347b4 Mon Sep 17 00:00:00 2001
+From: Thomas Kluyver <takowl at gmail.com>
+Date: Thu, 23 Jan 2014 15:09:51 -0800
+Subject: [PATCH] Improve security of get_runtime_dir(strict=False)
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=73878
+Debian-Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736247
+Origin: upstream, https://github.com/takluyver/pyxdg/commit/bd999c1c3fe7ee5f30ede2cf704cf03e400347b4
+
+Fixes fd.o bug #73878.
+---
+ xdg/BaseDirectory.py | 31 +++++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/xdg/BaseDirectory.py b/xdg/BaseDirectory.py
+index cececa3..a7c31b1 100644
+--- a/xdg/BaseDirectory.py
++++ b/xdg/BaseDirectory.py
+@@ -25,7 +25,7 @@
+ Note: see the rox.Options module for a higher-level API for managing options.
+ """
+ 
+-import os
++import os, stat
+ 
+ _home = os.path.expanduser('~')
+ xdg_data_home = os.environ.get('XDG_DATA_HOME') or \
+@@ -131,15 +131,30 @@ def get_runtime_dir(strict=True):
+         
+         import getpass
+         fallback = '/tmp/pyxdg-runtime-dir-fallback-' + getpass.getuser()
++        create = False
++
+         try:
+-            os.mkdir(fallback, 0o700)
++            # This must be a real directory, not a symlink, so attackers can't
++            # point it elsewhere. So we use lstat to check it.
++            st = os.lstat(fallback)
+         except OSError as e:
+             import errno
+-            if e.errno == errno.EEXIST:
+-                # Already exists - set 700 permissions again.
+-                import stat
+-                os.chmod(fallback, stat.S_IRUSR|stat.S_IWUSR|stat.S_IXUSR)
+-            else: # pragma: no cover
++            if e.errno == errno.ENOENT:
++                create = True
++            else:
+                 raise
+-        
++        else:
++            # The fallback must be a directory
++            if not stat.S_ISDIR(st.st_mode):
++                os.unlink(fallback)
++                create = True
++            # Must be owned by the user and not accessible by anyone else
++            elif (st.st_uid != os.getuid()) \
++              or (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)):
++                os.rmdir(fallback)
++                create = True
++
++        if create:
++            os.mkdir(fallback, 0o700)
++
+         return fallback
+-- 
+1.8.5.1
+
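Review bot: The combined `elif` that tests `st.st_uid != os.getuid()` together with `st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)` calls `os.rmdir(fallback)` for the user's own directory as well, and rmdir raises OSError(ENOTEMPTY) when that directory already holds files; the surrounding try/except only wraps the lstat, so this propagates to the caller, whereas the removed code handled the same case with a chmod. The two conditions should be split: a foreign-owned entry is removed (in a sticky /tmp the rmdir will typically raise EPERM, which is a reasonable fail-closed outcome), while an owned directory with group/other bits set is tightened in place with `os.chmod(fallback, stat.S_IRWXU)`. The remaining lstat-to-mkdir window appears fail-closed, since mkdir does not follow a symlink that appears at the path and raises EEXIST instead; a one-line comment above `if create:` stating that intent would help future readers. get_runtime_dir starts before this hunk, so the strict=True path and the head of the function are not visible here.
```python
        else:
            # … unchanged: not-a-directory branch (unlink, create = True) …
            # Owned by someone else: remove it; in a sticky /tmp this raises
            # EPERM, which is the fail-closed outcome we want.
            elif st.st_uid != os.getuid():
                os.rmdir(fallback)
                create = True
            # Our own directory with lax bits: tighten in place rather than
            # rmdir, which raises ENOTEMPTY once the directory holds files.
            elif st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                os.chmod(fallback, stat.S_IRWXU)
        # … unchanged: if create: os.mkdir(fallback, 0o700); return fallback …
```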

Modified: packages/pyxdg/trunk/debian/patches/series
===================================================================
--- packages/pyxdg/trunk/debian/patches/series	2014-01-27 17:48:15 UTC (rev 27454)
+++ packages/pyxdg/trunk/debian/patches/series	2014-01-27 18:04:35 UTC (rev 27455)
@@ -2,3 +2,4 @@
 set-default-menu.patch
 gettext-support.patch
 prefer-first-glob-for-finding-mimetype.patch
+fix-insecure-use-of-tmp.patch



