extra/python to 3.3.2-1

2025-02-16 23:57:11 +00:00 · 2013-05-23 21:52:06 +00:00 · 2013-05-23 21:52:06 +00:00 · 5f806797cf
commit 5f806797cf
parent 46e4cb1163
2 changed files with 64 additions and 10 deletions
--- a/extra/python/PKGBUILD
+++ b/extra/python/PKGBUILD
@ -8,7 +8,7 @@
 #  - removed --with-valgrind from configure line

 pkgname=python
-pkgver=3.3.1
+pkgver=3.3.2
 pkgrel=1
 _pybasever=3.3
 pkgdesc="Next generation of the python high-level scripting language"
@ -21,8 +21,10 @@ optdepends=('tk: for tkinter' 'sqlite')
 provides=('python3')
 replaces=('python3')
 options=('!makeflags')
-source=(http://www.python.org/ftp/python/${pkgver%rc*}/Python-${pkgver}.tar.xz)
-sha1sums=('393d7302c48bc911cd7faa7fa9b5fbcb9919bddc')
+source=(http://www.python.org/ftp/python/${pkgver%rc*}/Python-${pkgver}.tar.xz
+        python-3.3.2-CVE-2013-2099.patch)
+sha1sums=('87009d0c156c6e1354dfec5c98c328cae93950ad'
+          'b7a386b2e2f0811b344898500860ec31ba81ed4d')

 build() {
  cd "${srcdir}/Python-${pkgver}"
@ -36,6 +38,8 @@ build() {
  rm -r Modules/zlib
  rm -r Modules/_ctypes/{darwin,libffi}*

+  patch -Np1 -i ../python-3.3.2-CVE-2013-2099.patch
+
  ./configure --prefix=/usr \
              --enable-shared \
              --with-threads \
@ -51,8 +55,7 @@ build() {
 check() {
  cd "${srcdir}/Python-${pkgver}"
  LD_LIBRARY_PATH="${srcdir}/Python-${pkgver}":${LD_LIBRARY_PATH} \
-     "${srcdir}/Python-${pkgver}/python" -m test.regrtest -x test_distutils test_site \
-     test_urllib test_uuid test_pydoc test_logging
+     "${srcdir}/Python-${pkgver}/python" -m test.regrtest -x test_posixpath test_logging
 }

 package() {
@ -60,11 +63,12 @@ package() {
  make DESTDIR="${pkgdir}" install maninstall

  # Why are these not done by default...
-  ln -sf python3               "${pkgdir}/usr/bin/python"
-  ln -sf python3-config        "${pkgdir}/usr/bin/python-config"
-  ln -sf idle3                 "${pkgdir}/usr/bin/idle"
-  ln -sf pydoc3                "${pkgdir}/usr/bin/pydoc"
-  ln -sf python${_pybasever}.1 "${pkgdir}/usr/share/man/man1/python3.1"
+  ln -sf python3               "${pkgdir}"/usr/bin/python
+  ln -sf python3-config        "${pkgdir}"/usr/bin/python-config
+  ln -sf idle3                 "${pkgdir}"/usr/bin/idle
+  ln -sf pydoc3                "${pkgdir}"/usr/bin/pydoc
+  ln -sf python${_pybasever}.1 "${pkgdir}"/usr/share/man/man1/python3.1
+  ln -sf python${_pybasever}.1 "${pkgdir}"/usr/share/man/man1/python.1

  # Fix FS#22552
  ln -sf ../../libpython${_pybasever}m.so \
--- a/extra/python/python-3.3.2-CVE-2013-2099.patch
+++ b/extra/python/python-3.3.2-CVE-2013-2099.patch
@ -0,0 +1,50 @@
+
+# HG changeset patch
+# User Antoine Pitrou <solipsis@pitrou.net>
+# Date 1368892602 -7200
+# Node ID c627638753e2d25a98950585b259104a025937a9
+# Parent  9682241dc8fcb4b1aef083bd30860efa070c3d6d
+Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).
+
+diff --git a/Lib/ssl.py b/Lib/ssl.py
+--- a/Lib/ssl.py
+++ b/Lib/ssl.py
+@@ -129,9 +129,16 @@ class CertificateError(ValueError):
+     pass
+ 
+ 
+-def _dnsname_to_pat(dn):
+def _dnsname_to_pat(dn, max_wildcards=1):
+     pats = []
+     for frag in dn.split(r'.'):
+        if frag.count('*') > max_wildcards:
+            # Issue #17980: avoid denials of service by refusing more
+            # than one wildcard per fragment.  A survery of established
+            # policy among SSL implementations showed it to be a
+            # reasonable choice.
+            raise CertificateError(
+                "too many wildcards in certificate DNS name: " + repr(dn))
+         if frag == '*':
+             # When '*' is a fragment by itself, it matches a non-empty dotless
+             # fragment.
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
+@@ -349,6 +349,17 @@ class BasicSocketTests(unittest.TestCase
+         self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
+         self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
+ 
+        # Issue #17980: avoid denials of service by refusing more than one
+        # wildcard per fragment.
+        cert = {'subject': ((('commonName', 'a*b.com'),),)}
+        ok(cert, 'axxb.com')
+        cert = {'subject': ((('commonName', 'a*b.co*'),),)}
+        ok(cert, 'axxb.com')
+        cert = {'subject': ((('commonName', 'a*b*.com'),),)}
+        with self.assertRaises(ssl.CertificateError) as cm:
+            ssl.match_hostname(cert, 'axxbxxc.com')
+        self.assertIn("too many wildcards", str(cm.exception))
+
+     def test_server_side(self):
+         # server_hostname doesn't work for server sockets
+         ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)