From 3b0753062e7abc99473e945d3787eb410b77b8da Mon Sep 17 00:00:00 2001
From: Randy Barlow
Date: Wed, 3 Feb 2016 22:44:24 -0500
Subject: [PATCH] Update to 3.2.1 (#1304137). Additionally:
- Remove use of needless defattr macros (#1303426).
- Remove lots of if statements as this spec file will only be used on Rawhide.
- Remove dependency on python-backports-ssl_match_hostname as it is not needed in Fedora.
- Rework the patch for CVE-2013-7440 and CVE-2013-2099 so that it exclusively uses code from Python.
---
...atch_hostname-from-the-Python-stdlib.patch | 154 ++++++++++++++++++
...se-ssl_match_hostname-from-backports.patch | 39 -----
python-pymongo.spec | 82 ++--------
3 files changed, 170 insertions(+), 105 deletions(-)
create mode 100644 0002-Use-ssl.match_hostname-from-the-Python-stdlib.patch
delete mode 100644 0002-Use-ssl_match_hostname-from-backports.patch
diff --git a/0002-Use-ssl.match_hostname-from-the-Python-stdlib.patch b/0002-Use-ssl.match_hostname-from-the-Python-stdlib.patch
new file mode 100644
index 0000000..d621f65
--- /dev/null
+++ b/0002-Use-ssl.match_hostname-from-the-Python-stdlib.patch
@@ -0,0 +1,154 @@ +From ceb275ef3c63d4324e05539242283de083bd08d6 Mon Sep 17 00:00:00 2001 +From: Randy Barlow +Date: Wed, 3 Feb 2016 22:10:28 -0500 +Subject: [PATCH] Use ssl.match_hostname from the Python stdlib. + +--- + pymongo/errors.py | 5 +-- + pymongo/pool.py | 6 +-- + pymongo/ssl_match_hostname.py | 100 ------------------------------------------ + 3 files changed, 2 insertions(+), 109 deletions(-) + delete mode 100644 pymongo/ssl_match_hostname.py + +diff --git a/pymongo/errors.py b/pymongo/errors.py +index fe7b71a..0ba6006 100644 +--- a/pymongo/errors.py ++++ b/pymongo/errors.py +@@ -16,10 +16,7 @@ + + from bson.errors import * + +-try: +- from ssl import CertificateError +-except ImportError: +- from pymongo.ssl_match_hostname import CertificateError ++from ssl import CertificateError + + + class PyMongoError(Exception): +diff --git a/pymongo/pool.py b/pymongo/pool.py +index 904c6b1..5fe663c 100644 +--- a/pymongo/pool.py ++++ b/pymongo/pool.py +@@ -44,11 +44,7 @@ from pymongo.server_type import SERVER_TYPE + # main thread, to avoid the deadlock. See PYTHON-607. 
+ u('foo').encode('idna') + +-try: +- from ssl import match_hostname, CertificateError +-except ImportError: +- # These don't require the ssl module +- from pymongo.ssl_match_hostname import match_hostname, CertificateError ++from ssl import match_hostname, CertificateError + + + def _raise_connection_failure(address, error): +diff --git a/pymongo/ssl_match_hostname.py b/pymongo/ssl_match_hostname.py +deleted file mode 100644 +index f74df15..0000000 +--- a/pymongo/ssl_match_hostname.py ++++ /dev/null +@@ -1,100 +0,0 @@ +-# Backport of the match_hostname logic introduced in python 3.2 +-# http://hg.python.org/releasing/3.3.5/file/993955b807b3/Lib/ssl.py +- +-import re +- +- +-class CertificateError(ValueError): +- pass +- +- +-def _dnsname_match(dn, hostname, max_wildcards=1): +- """Matching according to RFC 6125, section 6.4.3 +- +- http://tools.ietf.org/html/rfc6125#section-6.4.3 +- """ +- pats = [] +- if not dn: +- return False +- +- parts = dn.split(r'.') +- leftmost = parts[0] +- remainder = parts[1:] +- +- wildcards = leftmost.count('*') +- if wildcards > max_wildcards: +- # Issue #17980: avoid denials of service by refusing more +- # than one wildcard per fragment. A survey of established +- # policy among SSL implementations showed it to be a +- # reasonable choice. +- raise CertificateError( +- "too many wildcards in certificate DNS name: " + repr(dn)) +- +- # speed up common case w/o wildcards +- if not wildcards: +- return dn.lower() == hostname.lower() +- +- # RFC 6125, section 6.4.3, subitem 1. +- # The client SHOULD NOT attempt to match a presented identifier in which +- # the wildcard character comprises a label other than the left-most label. +- if leftmost == '*': +- # When '*' is a fragment by itself, it matches a non-empty dotless +- # fragment. +- pats.append('[^.]+') +- elif leftmost.startswith('xn--') or hostname.startswith('xn--'): +- # RFC 6125, section 6.4.3, subitem 3. 
+- # The client SHOULD NOT attempt to match a presented identifier +- # where the wildcard character is embedded within an A-label or +- # U-label of an internationalized domain name. +- pats.append(re.escape(leftmost)) +- else: +- # Otherwise, '*' matches any dotless string, e.g. www* +- pats.append(re.escape(leftmost).replace(r'\*', '[^.]*')) +- +- # add the remaining fragments, ignore any wildcards +- for frag in remainder: +- pats.append(re.escape(frag)) +- +- pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE) +- return pat.match(hostname) +- +- +-def match_hostname(cert, hostname): +- """Verify that *cert* (in decoded format as returned by +- SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125 +- rules are followed, but IP addresses are not accepted for *hostname*. +- +- CertificateError is raised on failure. On success, the function +- returns nothing. +- """ +- if not cert: +- raise ValueError("empty or no certificate") +- dnsnames = [] +- san = cert.get('subjectAltName', ()) +- for key, value in san: +- if key == 'DNS': +- if _dnsname_match(value, hostname): +- return +- dnsnames.append(value) +- if not dnsnames: +- # The subject is only checked when there is no dNSName entry +- # in subjectAltName +- for sub in cert.get('subject', ()): +- for key, value in sub: +- # XXX according to RFC 2818, the most specific Common Name +- # must be used. +- if key == 'commonName': +- if _dnsname_match(value, hostname): +- return +- dnsnames.append(value) +- if len(dnsnames) > 1: +- raise CertificateError("hostname %r " +- "doesn't match either of %s" +- % (hostname, ', '.join(map(repr, dnsnames)))) +- elif len(dnsnames) == 1: +- raise CertificateError("hostname %r " +- "doesn't match %r" +- % (hostname, dnsnames[0])) +- else: +- raise CertificateError("no appropriate commonName or " +- "subjectAltName fields were found") +-- +2.7.0 + 
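Review bot: The unconditional `from ssl import match_hostname, CertificateError` on the new side of pool.py (and the matching import in errors.py) makes `import pymongo` itself raise ImportError on any interpreter without the `ssl` module or without `ssl.match_hostname`, which as far as I know means Python 2 before 2.7.9, whereas the removed fallback, per its own comment, kept the driver importable without `ssl`. That trade-off is reasonable for a Rawhide-only build, but the patch header says nothing about it, so I would add to the description: `Assumes Python >= 2.7.9 / 3.2 (ssl.match_hostname in the stdlib); on older interpreters pymongo will fail to import rather than fall back.` It is also worth stating in the header that the deleted pymongo/ssl_match_hostname.py already carries the Issue #17980 `max_wildcards` guard and the `xn--` branch, so the point of the change is that future fixes are picked up from the python packages rather than from a vendored copy. Both edited modules continue outside the hunk.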
diff --git a/0002-Use-ssl_match_hostname-from-backports.patch b/0002-Use-ssl_match_hostname-from-backports.patch deleted file mode 100644 index a3ea38a..0000000 --- a/0002-Use-ssl_match_hostname-from-backports.patch +++ /dev/null @@ -1,39 +0,0 @@ -From d6d5496f555e1bdb3d5f4ca44a0141ce3bd80074 Mon Sep 17 00:00:00 2001 -From: Haikel Guemar -Date: Thu, 1 Oct 2015 11:45:17 +0200 -Subject: [PATCH 2/2] Use ssl_match_hostname from backports - ---- - pymongo/errors.py | 2 +- - pymongo/pool.py | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/pymongo/errors.py b/pymongo/errors.py -index bcd0df5..82bfd5f 100644 ---- a/pymongo/errors.py -+++ b/pymongo/errors.py -@@ -19,7 +19,7 @@ from bson.errors import * - try: - from ssl import CertificateError - except ImportError: -- from pymongo.ssl_match_hostname import CertificateError -+ from backports.ssl_match_hostname import CertificateError - - - class PyMongoError(Exception): -diff --git a/pymongo/pool.py b/pymongo/pool.py -index e557ab5..50593bd 100644 ---- a/pymongo/pool.py -+++ b/pymongo/pool.py -@@ -45,7 +45,7 @@ try: - from ssl import match_hostname, CertificateError - except ImportError: - # These don't require the ssl module -- from pymongo.ssl_match_hostname import match_hostname, CertificateError -+ from backports.ssl_match_hostname import match_hostname, CertificateError - - - def _raise_connection_failure(address, error): --- -2.5.0 - diff --git a/python-pymongo.spec b/python-pymongo.spec index eca9502..e4de379 100644 --- a/python-pymongo.spec +++ b/python-pymongo.spec 
@@ -1,13 +1,3 @@ -%if 0%{?fedora} -%global with_python3 1 -%endif - -%if 0%{?rhel} && 0%{?rhel} <= 6 -%{!?__python2: %global __python2 /usr/bin/python2} -%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")} -%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} -%endif - # Fix private-shared-object-provides error %{?filter_setup: %filter_provides_in %{python_sitearch}.*\.so$ 
@@ -15,33 +5,27 @@ } Name: python-pymongo -Version: 3.2 +Version: 3.2.1 Release: 1%{?dist} -Summary: Python driver for MongoDB -Group: Development/Languages +Summary: Python driver for MongoDB # All code is ASL 2.0 except bson/time64*.{c,h} which is MIT License: ASL 2.0 and MIT URL: http://api.mongodb.org/python Source0: https://github.com/mongodb/mongo-python-driver/archive/%{version}.tar.gz Patch01: 0001-Serverless-test-suite-workaround.patch -Patch02: 0002-Use-ssl_match_hostname-from-backports.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +# This patch removes the bundled ssl.match_hostname library as it was vulnerable to CVE-2013-7440 +# and CVE-2013-2099, and wasn't needed anyway since Fedora >= 22 has the needed module in the Python +# standard library. It also adjusts imports so that they exclusively use the code from Python. +Patch02: 0002-Use-ssl.match_hostname-from-the-Python-stdlib.patch -BuildRequires: python2-devel BuildRequires: python-nose -BuildRequires: python-setuptools -%if 0%{?rhel} && 0%{?rhel} <= 6 -BuildRequires: python-unittest2 -%endif -BuildRequires: python-backports-ssl_match_hostname - -%if 0%{?with_python3} BuildRequires: python-tools +BuildRequires: python2-devel +BuildRequires: python2-setuptools BuildRequires: python2-sphinx BuildRequires: python3-devel BuildRequires: python3-setuptools -%endif # if with_python3 # Mongodb must run on a little-endian CPU (see bug #630898) ExcludeArch: ppc ppc64 %{sparc} s390 s390x @@ -61,7 +45,6 @@ Documentation for python-pymongo. %package -n python2-bson Summary: Python bson library -Group: Development/Libraries %{?python_provide:%python_provide python2-bson} 
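Review bot: The new comment above Patch02 states that the bundled copy "was vulnerable to CVE-2013-7440 and CVE-2013-2099", but the file that patch deletes (shown earlier in this commit) already contains the `max_wildcards` guard citing Issue #17980 and the `xn--` wildcard branch, which as far as I can tell are the upstream fixes for exactly those two CVEs, so the claim looks stale for 3.2.1 and would mislead a later audit. I would reword it to `# Drop the bundled backport of ssl.match_hostname (taken from Python 3.3.5, so it already has the CVE-2013-2099/CVE-2013-7440 fixes) and import the stdlib one instead, so that future fixes come from the python2/python3 packages rather than a vendored copy.` If the vulnerable-copy claim refers to an older pymongo release, say which one, since this comment is the only place the reasoning is recorded.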
@@ -71,10 +54,8 @@ to be lightweight, traversable, and efficient. BSON, like JSON, supports the embedding of objects and arrays within other objects and arrays. -%if 0%{?with_python3} %package -n python3-bson Summary: Python bson library -Group: Development/Libraries %{?python_provide:%python_provide python3-bson} @@ -83,15 +64,12 @@ BSON is a binary-encoded serialization of JSON-like documents. BSON is designed to be lightweight, traversable, and efficient. BSON, like JSON, supports the embedding of objects and arrays within other objects and arrays. This package contains the python3 version of this module. -%endif # with_python3 %package -n python2-pymongo Summary: Python driver for MongoDB -Group: Development/Languages -Requires: python-backports-ssl_match_hostname -Requires: python2-bson = %{version}-%{release} +Requires: python2-bson = %{version}-%{release} Provides: pymongo = %{version}-%{release} Obsoletes: pymongo <= 2.1.1-4 %{?python_provide:%python_provide python2-pymongo} @@ -102,10 +80,8 @@ The Python driver for MongoDB. This package contains the python2 version of this module. -%if 0%{?with_python3} %package -n python3-pymongo Summary: Python driver for MongoDB -Group: Development/Languages Requires: python3-bson = %{version}-%{release} %{?python_provide:%python_provide python3-pymongo} @@ -113,12 +89,10 @@ Requires: python3-bson = %{version}-%{release} %description -n python3-pymongo The Python driver for MongoDB. This package contains the python3 version of this module. -%endif # with_python3 %package -n python2-pymongo-gridfs Summary: Python GridFS driver for MongoDB -Group: Development/Libraries Requires: %{name}%{?_isa} = %{version}-%{release} Provides: pymongo-gridfs = %{version}-%{release} Obsoletes: pymongo-gridfs <= 2.1.1-4 
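Review bot: Removing `Requires: python-backports-ssl_match_hostname` from python2-pymongo leaves certificate hostname verification relying on `ssl.match_hostname` from the python2 stdlib, and the auto-generated `python(abi) = 2.7` dependency cannot express the 2.7.9 floor at which that function appeared (to my knowledge), so a rebuild on an older python2 would install cleanly and then fail at `import pymongo` because the patched imports are unconditional. As the spec is declared Rawhide-only a hard version requirement is probably overkill, but the assumption should be recorded next to the remaining Requires line, e.g. `# hostname verification uses ssl.match_hostname from the stdlib: needs python2 >= 2.7.9 (Fedora >= 22)`. The %package -n python2-pymongo section continues outside the hunk.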
@@ -129,10 +103,8 @@ Obsoletes: pymongo-gridfs <= 2.1.1-4 GridFS is a storage specification for large objects in MongoDB. -%if 0%{?with_python3} %package -n python3-pymongo-gridfs Summary: Python GridFS driver for MongoDB -Group: Development/Libraries Requires: python3-pymongo%{?_isa} = %{version}-%{release} %{?python_provide:%python_provide python3-pymongo-gridfs} @@ -140,30 +112,23 @@ Requires: python3-pymongo%{?_isa} = %{version}-%{release} %description -n python3-pymongo-gridfs GridFS is a storage specification for large objects in MongoDB. This package contains the python3 version of this module. -%endif # with_python3 %prep %setup -q -n mongo-python-driver-%{version} %patch01 -p1 -b .test %patch02 -p1 -b .ssl -# remove bundled ssl.mast_hostname code -rm pymongo/ssl_match_hostname.py -%if 0%{?with_python3} rm -rf %{py3dir} cp -a . %{py3dir} -%endif # with_python3 %build CFLAGS="%{optflags}" %{__python2} setup.py build -%if 0%{?with_python3} pushd %{py3dir} CFLAGS="%{optflags}" %{__python3} setup.py build popd -%endif # with_python3 pushd doc make html @@ -177,18 +142,12 @@ rm -rf %{buildroot} chmod 755 %{buildroot}%{python2_sitearch}/bson/*.so chmod 755 %{buildroot}%{python2_sitearch}/pymongo/*.so -%if 0%{?with_python3} pushd %{py3dir} %{__python3} setup.py install --skip-build --root $RPM_BUILD_ROOT # Fix permissions chmod 755 %{buildroot}%{python3_sitearch}/bson/*.so chmod 755 %{buildroot}%{python3_sitearch}/pymongo/*.so popd -%endif # with_python3 - - -%clean -rm -rf %{buildroot} %files doc 
@@ -197,59 +156,44 @@ rm -rf %{buildroot} %files -n python2-bson -%defattr(-,root,root,-) %license LICENSE %doc README.rst %{python2_sitearch}/bson -%if 0%{?with_python3} %files -n python3-bson -%defattr(-,root,root,-) %license LICENSE %doc README.rst %{python3_sitearch}/bson -%endif # with_python3 %files -n python2-pymongo -%defattr(-,root,root,-) %license LICENSE %doc README.rst %{python2_sitearch}/pymongo %{python2_sitearch}/pymongo-%{version}-*.egg-info -%if 0%{?with_python3} %files -n python3-pymongo -%defattr(-,root,root,-) %license LICENSE %doc README.rst %{python3_sitearch}/pymongo %{python3_sitearch}/pymongo-%{version}-*.egg-info -%endif # with_python3 %files -n python2-pymongo-gridfs -%defattr(-,root,root,-) %license LICENSE %doc README.rst %{python2_sitearch}/gridfs -%if 0%{?with_python3} %files -n python3-pymongo-gridfs -%defattr(-,root,root,-) %license LICENSE %doc README.rst %{python3_sitearch}/gridfs -%endif # with_python3 %check -%if 0%{?rhel} && 0%{?rhel} <= 6 -# do not run test under EL6 -%else # Exclude tests that require an active MongoDB connection exclude='(^test_auth_from_uri$' exclude+='|^test_auto_auth_login$' @@ -331,10 +275,16 @@ exclude+=')' pushd test nosetests --exclude="$exclude" popd -%endif %changelog +* Wed Feb 03 2016 Randy Barlow - 3.2.1-1 +- Remove use of needless defattr macros (#1303426). +- Update to 3.2.1 (#1304137). +- Remove lots of if statements as this spec file will only be used on Rawhide. +- Remove dependency on python-backports-ssl_match_hostname as it is not needed in Fedora. +- Rework the patch for CVE-2013-7440 and CVE-2013-2099 so that it exclusively uses code from Python. + * Tue Jan 19 2016 Randy Barlow - 3.2-1 - Update to 3.2. - Rename the python- subpackages with a python2- prefix.