Tue Nov 23 08:24:05 2010 UTC ()
Add fix for CVE-2010-3492 and update the fix for CVE-2010-3493. Both
fixes taken from the Python 2.7 branch in the Python SVN repository.
(tron)
diff -r1.30 -r1.31 pkgsrc/lang/python26/Makefile
diff -r1.28 -r1.29 pkgsrc/lang/python26/distinfo
diff -r1.1 -r0 pkgsrc/lang/python26/patches/patch-aw
diff -r0 -r1.1 pkgsrc/lang/python26/patches/patch-ba
diff -r0 -r1.1 pkgsrc/lang/python26/patches/patch-bb
diff -r0 -r1.1 pkgsrc/lang/python26/patches/patch-bc
--- pkgsrc/lang/python26/Attic/Makefile 2010/11/17 18:44:06 1.30
+++ pkgsrc/lang/python26/Attic/Makefile 2010/11/23 08:24:04 1.31
| @@ -1,19 +1,19 @@ | | | @@ -1,19 +1,19 @@ |
1 | # $NetBSD: Makefile,v 1.30 2010/11/17 18:44:06 tez Exp $ | | 1 | # $NetBSD: Makefile,v 1.31 2010/11/23 08:24:04 tron Exp $ |
2 | | | 2 | |
3 | .include "dist.mk" | | 3 | .include "dist.mk" |
4 | | | 4 | |
5 | PKGNAME= python26-${PY_DISTVERSION} | | 5 | PKGNAME= python26-${PY_DISTVERSION} |
6 | PKGREVISION= 3 | | 6 | PKGREVISION= 4 |
7 | CATEGORIES= lang python | | 7 | CATEGORIES= lang python |
8 | | | 8 | |
9 | MAINTAINER= pkgsrc-users@NetBSD.org | | 9 | MAINTAINER= pkgsrc-users@NetBSD.org |
10 | HOMEPAGE= http://www.python.org/ | | 10 | HOMEPAGE= http://www.python.org/ |
11 | COMMENT= Interpreted, interactive, object-oriented programming language | | 11 | COMMENT= Interpreted, interactive, object-oriented programming language |
12 | LICENSE= python-software-foundation | | 12 | LICENSE= python-software-foundation |
13 | | | 13 | |
14 | PKG_DESTDIR_SUPPORT= user-destdir | | 14 | PKG_DESTDIR_SUPPORT= user-destdir |
15 | | | 15 | |
16 | CONFLICTS+= python-[0-9]* | | 16 | CONFLICTS+= python-[0-9]* |
17 | | | 17 | |
18 | GNU_CONFIGURE= yes | | 18 | GNU_CONFIGURE= yes |
19 | CONFIGURE_ARGS+= --with-threads | | 19 | CONFIGURE_ARGS+= --with-threads |
--- pkgsrc/lang/python26/Attic/distinfo 2010/11/17 18:44:06 1.28
+++ pkgsrc/lang/python26/Attic/distinfo 2010/11/23 08:24:04 1.29
| @@ -1,19 +1,21 @@ | | | @@ -1,19 +1,21 @@ |
1 | $NetBSD: distinfo,v 1.28 2010/11/17 18:44:06 tez Exp $ | | 1 | $NetBSD: distinfo,v 1.29 2010/11/23 08:24:04 tron Exp $ |
2 | | | 2 | |
3 | SHA1 (Python-2.6.6.tar.bz2) = a1daf2c2c7cffe0939c015260447572fe75c7e50 | | 3 | SHA1 (Python-2.6.6.tar.bz2) = a1daf2c2c7cffe0939c015260447572fe75c7e50 |
4 | RMD160 (Python-2.6.6.tar.bz2) = 2d63f4f0ad3c124a8e62215ca94bd0231350e912 | | 4 | RMD160 (Python-2.6.6.tar.bz2) = 2d63f4f0ad3c124a8e62215ca94bd0231350e912 |
5 | Size (Python-2.6.6.tar.bz2) = 11080872 bytes | | 5 | Size (Python-2.6.6.tar.bz2) = 11080872 bytes |
6 | SHA1 (patch-aa) = 0528fc5da76d5f1d19586ea3dda1acd09a4b0113 | | 6 | SHA1 (patch-aa) = 0528fc5da76d5f1d19586ea3dda1acd09a4b0113 |
7 | SHA1 (patch-ab) = b47aa9d18a7c1a99ac8cc8b29c64867443f303e5 | | 7 | SHA1 (patch-ab) = b47aa9d18a7c1a99ac8cc8b29c64867443f303e5 |
8 | SHA1 (patch-ac) = 57c88d47f82630e67bcd27ab61bf4362035da2f2 | | 8 | SHA1 (patch-ac) = 57c88d47f82630e67bcd27ab61bf4362035da2f2 |
9 | SHA1 (patch-ad) = a997e39d16a8f0023125362b180d19ee97ab519b | | 9 | SHA1 (patch-ad) = a997e39d16a8f0023125362b180d19ee97ab519b |
10 | SHA1 (patch-ae) = a6d578b5f12eb42fbbcc11791576d2686a4807d9 | | 10 | SHA1 (patch-ae) = a6d578b5f12eb42fbbcc11791576d2686a4807d9 |
11 | SHA1 (patch-ah) = 501d220b41e578402f3400fe88e582aa2408a147 | | 11 | SHA1 (patch-ah) = 501d220b41e578402f3400fe88e582aa2408a147 |
12 | SHA1 (patch-al) = e5bf2a7f50534a18bb18f7111b3c5d097b528778 | | 12 | SHA1 (patch-al) = e5bf2a7f50534a18bb18f7111b3c5d097b528778 |
13 | SHA1 (patch-am) = 60c108d05a16c531ee6cf99e5c7ad9a5f27c5f01 | | 13 | SHA1 (patch-am) = 60c108d05a16c531ee6cf99e5c7ad9a5f27c5f01 |
14 | SHA1 (patch-an) = 17b4e17b3b562c29a050e9bb20447084ce82b8ab | | 14 | SHA1 (patch-an) = 17b4e17b3b562c29a050e9bb20447084ce82b8ab |
15 | SHA1 (patch-ao) = 8c6a156b0f0c2a6d319658477fff348e6a0c3603 | | 15 | SHA1 (patch-ao) = 8c6a156b0f0c2a6d319658477fff348e6a0c3603 |
16 | SHA1 (patch-ap) = d23a869a449ab9dc166cfa149913b20c9acad9cb | | 16 | SHA1 (patch-ap) = d23a869a449ab9dc166cfa149913b20c9acad9cb |
17 | SHA1 (patch-au) = 38030fc45afc2a8f53a41f26b649e731642b9148 | | 17 | SHA1 (patch-au) = 38030fc45afc2a8f53a41f26b649e731642b9148 |
18 | SHA1 (patch-av) = d6bf0419015656a8d2f13d3132873e453c8a6b6e | | 18 | SHA1 (patch-av) = d6bf0419015656a8d2f13d3132873e453c8a6b6e |
19 | SHA1 (patch-aw) = e74bae33eb95c821b5147f5c89c3ee7cb061db95 | | 19 | SHA1 (patch-ba) = 97dcf72d7380a2d257220669845c52a698165fcf |
| | | 20 | SHA1 (patch-bb) = 6cdd94dd1e69630159194c7c153b6c4e46c81456 |
| | | 21 | SHA1 (patch-bc) = 09aaa254a54109026bb262a949b4006235df7858 |
$NetBSD: patch-ba,v 1.1 2010/11/23 08:24:04 tron Exp $
Fix for CVE-2010-3492, taken from the Python SVN repository:
http://svn.python.org/view?view=rev&revision=86084
--- Doc/library/asyncore.rst.orig 2010-05-19 15:14:45.000000000 +0100
+++ Doc/library/asyncore.rst 2010-11-22 18:11:58.000000000 +0000
@@ -211,10 +211,13 @@
.. method:: accept()
Accept a connection. The socket must be bound to an address and listening
- for connections. The return value is a pair ``(conn, address)`` where
- *conn* is a *new* socket object usable to send and receive data on the
- connection, and *address* is the address bound to the socket on the other
- end of the connection.
+ for connections. The return value can be either ``None`` or a pair
+ ``(conn, address)`` where *conn* is a *new* socket object usable to send
+ and receive data on the connection, and *address* is the address bound to
+ the socket on the other end of the connection.
+ When ``None`` is returned it means the connection didn't take place, in
+ which case the server should just ignore this event and keep listening
+ for further incoming connections.
.. method:: close()
@@ -224,6 +227,12 @@
flushed). Sockets are automatically closed when they are
garbage-collected.
+.. class:: dispatcher_with_send()
+
+ A :class:`dispatcher` subclass which adds simple buffered output capability,
+ useful for simple clients. For more sophisticated usage use
+ :class:`asynchat.async_chat`.
+
.. class:: file_dispatcher()
A file_dispatcher takes a file descriptor or file object along with an
@@ -240,7 +249,7 @@
socket for use by the :class:`file_dispatcher` class. Availability: UNIX.
-.. _asyncore-example:
+.. _asyncore-example-1:
asyncore Example basic HTTP client
----------------------------------
@@ -250,7 +259,7 @@
import asyncore, socket
- class http_client(asyncore.dispatcher):
+ class HTTPClient(asyncore.dispatcher):
def __init__(self, host, path):
asyncore.dispatcher.__init__(self)
@@ -274,6 +283,45 @@
sent = self.send(self.buffer)
self.buffer = self.buffer[sent:]
- c = http_client('www.python.org', '/')
+ client = HTTPClient('www.python.org', '/')
asyncore.loop()
+
+.. _asyncore-example-2:
+
+asyncore Example basic echo server
+----------------------------------
+
+Here is abasic echo server that uses the :class:`dispatcher` class to accept
+connections and dispatches the incoming connections to a handler::
+
+ import asyncore
+ import socket
+
+ class EchoHandler(asyncore.dispatcher_with_send):
+
+ def handle_read(self):
+ data = self.recv(8192)
+ self.send(data)
+
+ class EchoServer(asyncore.dispatcher):
+
+ def __init__(self, host, port):
+ asyncore.dispatcher.__init__(self)
+ self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
+ self.set_reuse_addr()
+ self.bind((host, port))
+ self.listen(5)
+
+ def handle_accept(self):
+ pair = self.accept()
+ if pair is None:
+ pass
+ else:
+ sock, addr = pair
+ print 'Incoming connection from %s' % repr(addr)
+ handler = EchoHandler(sock)
+
+ server = EchoServer('localhost', 8080)
+ asyncore.loop()
+
$NetBSD: patch-bb,v 1.1 2010/11/23 08:24:04 tron Exp $
Fix for CVE-2010-3492, taken from the Python SVN repository:
http://svn.python.org/view?view=rev&revision=86084
--- Lib/asyncore.py.orig 2010-08-13 02:30:39.000000000 +0100
+++ Lib/asyncore.py 2010-11-22 18:13:52.000000000 +0000
@@ -348,12 +348,15 @@
# XXX can return either an address pair or None
try:
conn, addr = self.socket.accept()
- return conn, addr
- except socket.error, why:
- if why.args[0] == EWOULDBLOCK:
- pass
+ except TypeError:
+ return None
+ except socket.error as why:
+ if why.args[0] in (EWOULDBLOCK, ECONNABORTED):
+ return None
else:
raise
+ else:
+ return conn, addr
def send(self, data):
try:
$NetBSD: patch-bc,v 1.1 2010/11/23 08:24:04 tron Exp $
Fix for CVE-2010-3492 and CVE-2010-3493, taken from the Python SVN repository:
http://svn.python.org/view?view=rev&revision=86084
--- Lib/smtpd2.6.py.orig 2010-11-22 18:18:59.000000000 +0000
+++ Lib/smtpd2.6.py 2010-11-22 18:19:03.000000000 +0000
@@ -35,7 +35,6 @@
and if remoteport is not given, then 25 is used.
"""
-
# Overview:
#
# This file implements the minimal SMTP protocol as defined in RFC 821. It
@@ -96,7 +95,6 @@
COMMASPACE = ', '
-
def usage(code, msg=''):
print >> sys.stderr, __doc__ % globals()
if msg:
@@ -104,7 +102,6 @@
sys.exit(code)
-
class SMTPChannel(asynchat.async_chat):
COMMAND = 0
DATA = 1
@@ -276,7 +273,6 @@
self.push('354 End data with <CR><LF>.<CR><LF>')
-
class SMTPServer(asyncore.dispatcher):
def __init__(self, localaddr, remoteaddr):
self._localaddr = localaddr
@@ -331,7 +327,6 @@
raise NotImplementedError
-
class DebuggingServer(SMTPServer):
# Do something with the gathered message
def process_message(self, peer, mailfrom, rcpttos, data):
@@ -347,7 +342,6 @@
print '------------ END MESSAGE ------------'
-
class PureProxy(SMTPServer):
def process_message(self, peer, mailfrom, rcpttos, data):
lines = data.split('\n')
@@ -388,7 +382,6 @@
return refused
-
class MailmanProxy(PureProxy):
def process_message(self, peer, mailfrom, rcpttos, data):
from cStringIO import StringIO
@@ -467,13 +460,11 @@
msg.Enqueue(mlist, torequest=1)
-
class Options:
setuid = 1
classname = 'PureProxy'
-
def parseargs():
global DEBUGSTREAM
try:
@@ -530,7 +521,6 @@
return options
-
if __name__ == '__main__':
options = parseargs()
# Become nobody