From 6dfb7597b10ede49dbce5159555db3f7f8ef69a2 Mon Sep 17 00:00:00 2001 From: Toshio Kuratomi Date: Mon, 28 Oct 2013 12:11:47 -0700 Subject: [PATCH] Update to newer upstream release that has our patch to the unittests - Fix for http://bugs.python.org/issue17997#msg194950 which affects us since setuptools copies that code. Changed to use python-backports-ssl_match_hostname so that future issues can be fixed in that package. --- .gitignore | 1 + ...ror-so-the-code-throws-the-correct-e.patch | 24 ++++ python-setuptools.spec | 32 +++-- setuptools-ssl-match_hostname-wildcard.patch | 110 ++++++++++++++++++ sources | 2 +- 5 files changed, 161 insertions(+), 8 deletions(-) create mode 100644 0001-Import-socket.error-so-the-code-throws-the-correct-e.patch create mode 100644 setuptools-ssl-match_hostname-wildcard.patch diff --git a/.gitignore b/.gitignore index 1bfd522..1ed4d70 100644 --- a/.gitignore +++ b/.gitignore @@ -12,3 +12,4 @@ distribute-0.6.14.tar.gz /setuptools-0.9.5.tar.gz /setuptools-0.9.6.tar.gz /setuptools-1.1.6.tar.gz +/setuptools-1.1.7.tar.gz diff --git a/0001-Import-socket.error-so-the-code-throws-the-correct-e.patch b/0001-Import-socket.error-so-the-code-throws-the-correct-e.patch new file mode 100644 index 0000000..a59acd0 --- /dev/null +++ b/0001-Import-socket.error-so-the-code-throws-the-correct-e.patch 
@@ -0,0 +1,24 @@ +From 78a4d637f1db446d06f68929d76e76acd7121628 Mon Sep 17 00:00:00 2001 +From: Toshio Kuratomi +Date: Mon, 28 Oct 2013 10:54:34 -0700 +Subject: [PATCH] Import socket.error so the code throws the correct exception + +--- + setuptools/ssl_support.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/setuptools/ssl_support.py b/setuptools/ssl_support.py +index 2aec655..479b0d2 100644 +--- a/setuptools/ssl_support.py ++++ b/setuptools/ssl_support.py +@@ -44,6 +44,7 @@ is_available = ssl is not None and object not in (HTTPSHandler, HTTPSConnection) + try: + from socket import create_connection + except ImportError: ++ from socket import error + _GLOBAL_DEFAULT_TIMEOUT = getattr(socket, '_GLOBAL_DEFAULT_TIMEOUT', object()) + def create_connection(address, timeout=_GLOBAL_DEFAULT_TIMEOUT, + source_address=None): +-- +1.8.3.1 + diff --git a/python-setuptools.spec b/python-setuptools.spec index b2bb755..da0e68b 100644 --- a/python-setuptools.spec +++ b/python-setuptools.spec @@ -7,7 +7,7 @@ %global srcname setuptools Name: python-setuptools -Version: 1.1.6 +Version: 1.1.7 Release: 1%{?dist} Summary: Easily build and distribute Python packages 
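Review bot: The added `from socket import error` introduces a bare name inside the `except ImportError:` fallback, while the same block already refers to the module by name (`getattr(socket, '_GLOBAL_DEFAULT_TIMEOUT', object())`), so qualifying the use site as `socket.error` would fix the NameError without mixing two import styles in one block. The statement that actually raises `error` is outside this hunk, so its exact shape is inferred from the patch subject. Whichever form is kept, a short comment on the import would spare the next reader the same guesswork, e.g. `# bare 'error' is socket.error; only needed by the create_connection() fallback below`. The spec comment notes this path is only reached on pre-2.6 Pythons, which is consistent with the fallback being guarded by a failed `from socket import create_connection`.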
@@ -17,13 +17,19 @@ URL: http://pypi.python.org/pypi/%{srcname} Source0: http://pypi.python.org/packages/source/s/%{srcname}/%{srcname}-%{version}.tar.gz Source1: psfl.txt Source2: zpl.txt -# Submitted upstream -# https://bitbucket.org/tarek/distribute/issue/363/skip-test_sdist_with_utf8_encoded_filename -Patch0: distribute-skip-sdist_with_utf8_encoded_filename.patch +# https://github.com/jaraco/setuptools/pull/2 +# Fixes security issue: http://bugs.python.org/issue17997#msg194950 +Patch0: setuptools-ssl-match_hostname-wildcard.patch +# https://github.com/jaraco/setuptools/pull/3 +# Shouldn't actually affect us as it's compat for 2.5 or earlier +Patch1: 0001-Import-socket.error-so-the-code-throws-the-correct-e.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch +# Require this so that we use a system copy of the match_hostname() function +Requires: python-backports-ssl_match_hostname +BuildRequires: python-backports-ssl_match_hostname BuildRequires: python2-devel %if 0%{?with_python3} BuildRequires: python3-devel @@ -53,6 +59,10 @@ execute the software that requires pkg_resources.py. Summary: Easily build and distribute Python 3 packages Group: Applications/System +# Note: Do not need to Require python3-backports-ssl_match_hostname because it +# has been present since python3-3.2. We do not ship python3-3.0 or +# python3-3.1 anywhere + %description -n python3-setuptools Setuptools is a collection of enhancements to the Python 3 distutils that allow you to more easily build and distribute Python 3 packages, especially ones that @@ -67,6 +77,7 @@ execute the software that requires pkg_resources.py. %setup -q -n %{srcname}-%{version} %patch0 -p1 +%patch1 -p1 find -name '*.txt' -exec chmod -x \{\} \; find . -name '*.orig' -exec rm \{\} \; 
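Review bot: The new `Requires: python-backports-ssl_match_hostname` line is load-bearing for the security fix, but the comment above it only says "so that we use a system copy", which understates it: the accompanying `setuptools-ssl-match_hostname-wildcard.patch` catches `ImportError` from `backports.ssl_match_hostname` and silently falls back to the in-tree `_dnsname_match`/`match_hostname` copy, so if this dependency is ever dropped or the package is broken, setuptools quietly reverts to the bundled implementation with no build or runtime signal. I would make that explicit on the line, e.g. `# Load-bearing: the patched ssl_support.py silently falls back to its bundled match_hostname() if this import fails`. If the `%check` section (outside this hunk) runs the test suite, a one-line assertion that `setuptools.ssl_support.match_hostname is backports.ssl_match_hostname.match_hostname` would turn that silent fallback into a build failure.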
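Review bot: The note added to the python3-setuptools subpackage argues from the presence of `ssl.match_hostname` since Python 3.2, but presence is not the property the fix depends on: the RFC 6125 wildcard handling that this commit ports into the fallback was itself added to the stdlib copy in later 3.x point releases, and the patched `ssl_support.py` prefers `from ssl import match_hostname` whenever that import succeeds. On a python3 whose stdlib copy predates those fixes the subpackage would therefore ship the old behaviour despite this commit, unless the python3 build in the distribution is known to carry them. I would either add a versioned `Requires: python3 >= <first release with the fix>` or reword the comment to state which python3 release the assumption was checked against, e.g. `# python3's ssl.match_hostname() is used directly; verified that the shipped python3 already carries the issue17980/issue17997 wildcard fixes`.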
@@ -150,6 +161,13 @@ rm -rf %{buildroot} %endif # with_python3 %changelog +* Mon Oct 28 2013 Toshio Kuratomi - 1.1.7-1 +- Update to newer upstream release that has our patch to the unittests +- Fix for http://bugs.python.org/issue17997#msg194950 which affects us since + setuptools copies that code. Changed to use + python-backports-ssl_match_hostname so that future issues can be fixed in + that package. + * Sat Oct 26 2013 Toshio Kuratomi - 1.1.6-1 - Update to newer upstream release. Some minor incompatibilities listed but they should affect few, if any consumers. @@ -269,10 +287,10 @@ rm -rf %{buildroot} * Thu Feb 04 2010 Toshio Kuratomi - 0.6.10-3 - First build with python3 support enabled. -* Thu Jan 29 2010 Toshio Kuratomi - 0.6.10-2 +* Fri Jan 29 2010 Toshio Kuratomi - 0.6.10-2 - Really disable the python3 portion -* Thu Jan 29 2010 Toshio Kuratomi - 0.6.10-1 +* Fri Jan 29 2010 Toshio Kuratomi - 0.6.10-1 - Update the python3 portions but disable for now. - Update to 0.6.10 - Remove %%pre scriptlet as the file has a different name than the old @@ -283,7 +301,7 @@ rm -rf %{buildroot} - Don't need python3-tools since the library is now in the python3 package - Few other changes to cleanup style -* Thu Jan 22 2010 David Malcolm - 0.6.9-2 +* Fri Jan 22 2010 David Malcolm - 0.6.9-2 - add python3 subpackage * Mon Dec 14 2009 Toshio Kuratomi - 0.6.9-1 diff --git a/setuptools-ssl-match_hostname-wildcard.patch b/setuptools-ssl-match_hostname-wildcard.patch new file mode 100644 index 0000000..b20ed12 --- /dev/null +++ b/setuptools-ssl-match_hostname-wildcard.patch 
@@ -0,0 +1,110 @@ +diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py +--- b/setuptools/ssl_support.py ++++ b/setuptools/ssl_support.py +@@ -85,26 +85,75 @@ + try: + from ssl import CertificateError, match_hostname + except ImportError: ++ try: ++ from backports.ssl_match_hostname import CertificateError ++ from backports.ssl_match_hostname import match_hostname ++ except ImportError: ++ CertificateError = None ++ match_hostname = None ++ ++if not CertificateError: + class CertificateError(ValueError): + pass + +- def _dnsname_to_pat(dn): ++if not match_hostname: ++ def _dnsname_match(dn, hostname, max_wildcards=1): ++ """Matching according to RFC 6125, section 6.4.3 ++ ++ http://tools.ietf.org/html/rfc6125#section-6.4.3 ++ """ + pats = [] +- for frag in dn.split(r'.'): +- if frag == '*': +- # When '*' is a fragment by itself, it matches a non-empty dotless +- # fragment. +- pats.append('[^.]+') +- else: +- # Otherwise, '*' matches any dotless fragment. +- frag = re.escape(frag) +- pats.append(frag.replace(r'\*', '[^.]*')) +- return re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE) ++ if not dn: ++ return False ++ ++ # Ported from python3-syntax: ++ # leftmost, *remainder = dn.split(r'.') ++ parts = dn.split(r'.') ++ leftmost = parts[0] ++ remainder = parts[1:] ++ ++ wildcards = leftmost.count('*') ++ if wildcards > max_wildcards: ++ # Issue #17980: avoid denials of service by refusing more ++ # than one wildcard per fragment. A survey of established ++ # policy among SSL implementations showed it to be a ++ # reasonable choice. ++ raise CertificateError( ++ "too many wildcards in certificate DNS name: " + repr(dn)) ++ ++ # speed up common case w/o wildcards ++ if not wildcards: ++ return dn.lower() == hostname.lower() ++ ++ # RFC 6125, section 6.4.3, subitem 1. ++ # The client SHOULD NOT attempt to match a presented identifier in which ++ # the wildcard character comprises a label other than the left-most label. 
++ if leftmost == '*': ++ # When '*' is a fragment by itself, it matches a non-empty dotless ++ # fragment. ++ pats.append('[^.]+') ++ elif leftmost.startswith('xn--') or hostname.startswith('xn--'): ++ # RFC 6125, section 6.4.3, subitem 3. ++ # The client SHOULD NOT attempt to match a presented identifier ++ # where the wildcard character is embedded within an A-label or ++ # U-label of an internationalized domain name. ++ pats.append(re.escape(leftmost)) ++ else: ++ # Otherwise, '*' matches any dotless string, e.g. www* ++ pats.append(re.escape(leftmost).replace(r'\*', '[^.]*')) ++ ++ # add the remaining fragments, ignore any wildcards ++ for frag in remainder: ++ pats.append(re.escape(frag)) ++ ++ pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE) ++ return pat.match(hostname) ++ + + def match_hostname(cert, hostname): + """Verify that *cert* (in decoded format as returned by +- SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 rules +- are mostly followed, but IP addresses are not accepted for *hostname*. ++ SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125 ++ rules are followed, but IP addresses are not accepted for *hostname*. + + CertificateError is raised on failure. On success, the function + returns nothing. +@@ -115,7 +164,7 @@ + san = cert.get('subjectAltName', ()) + for key, value in san: + if key == 'DNS': +- if _dnsname_to_pat(value).match(hostname): ++ if _dnsname_match(value, hostname): + return + dnsnames.append(value) + if not dnsnames: +@@ -126,7 +175,7 @@ + # XXX according to RFC 2818, the most specific Common Name + # must be used. + if key == 'commonName': +- if _dnsname_to_pat(value).match(hostname): ++ if _dnsname_match(value, hostname): + return + dnsnames.append(value) + if len(dnsnames) > 1: diff --git a/sources b/sources index 5d5587d..904d419 100644 --- a/sources +++ b/sources 
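Review bot: The import precedence in the new block is stdlib first, then `backports.ssl_match_hostname`, then the bundled copy, so the backports package that the spec now requires "so that future issues can be fixed in that package" is only consulted when the stdlib has no `match_hostname` at all; on an interpreter whose `ssl.match_hostname` exists but predates the RFC 6125 fixes, the unpatched stdlib version silently wins and the backports fix never loads. If the backports package is the one guaranteed to track upstream fixes, swapping the first two tiers (`try: from backports.ssl_match_hostname import CertificateError, match_hostname` / `except ImportError: from ssl import CertificateError, match_hostname`) would make that guarantee effective; if stdlib-first is intentional, a comment stating why it is safe on the targeted Pythons would stop the next reader from drawing the opposite conclusion. The bundled `_dnsname_match` retained under `if not match_hostname:` is a third copy of the same security-sensitive code, which is the duplication the changelog set out to remove; I would mark it `# Last-resort fallback only: mirrors backports.ssl_match_hostname and must be kept in sync with it` so a future fix is not applied to one copy only. Minor: the sentinel tests should be `if CertificateError is None:` / `if match_hostname is None:` rather than truthiness on a class or function object.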
@@ -1 +1 @@
-ee82ea53def4480191061997409d2996 setuptools-1.1.6.tar.gz
+1f33594d25d574a1640ffb84667c6759 setuptools-1.1.7.tar.gz