fix CVE-2014-1624

pyxdg-0.25-CVE-2014-1624.patch

@@ -0,0 +1,48 @@
+diff -up pyxdg-0.25/xdg/BaseDirectory.py.CVE-2014-1624 pyxdg-0.25/xdg/BaseDirectory.py
+--- pyxdg-0.25/xdg/BaseDirectory.py.CVE-2014-1624	2014-12-04 11:49:53.681654931 -0500
++++ pyxdg-0.25/xdg/BaseDirectory.py	2014-12-04 11:52:45.831522703 -0500
+@@ -25,7 +25,7 @@ Typical usage:
+ Note: see the rox.Options module for a higher-level API for managing options.
+ """
+ 
+-import os
++import os, stat
+ 
+ _home = os.path.expanduser('~')
+ xdg_data_home = os.environ.get('XDG_DATA_HOME') or \
+@@ -131,15 +131,29 @@ def get_runtime_dir(strict=True):
+         
+         import getpass
+         fallback = '/tmp/pyxdg-runtime-dir-fallback-' + getpass.getuser()
++        create = False
+         try:
+-            os.mkdir(fallback, 0o700)
++            # This must be a real directory, not a symlink, so attackers can't
++            # point it elsewhere. So we use lstat to check it.
++            st = os.lstat(fallback)
+         except OSError as e:
+             import errno
+-            if e.errno == errno.EEXIST:
+-                # Already exists - set 700 permissions again.
+-                import stat
+-                os.chmod(fallback, stat.S_IRUSR|stat.S_IWUSR|stat.S_IXUSR)
+-            else: # pragma: no cover
++            if e.errno == errno.ENOENT:
++                create = True
++            else:
+                 raise
++        else:
++            # The fallback must be a directory
++            if not stat.S_ISDIR(st.st_mode):
++                os.unlink(fallback)
++                create = True
++            # Must be owned by the user and not accessible by anyone else
++            elif (st.st_uid != os.getuid()) \
++              or (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)):
++                os.rmdir(fallback)
++                create = True
++
++        if create:
++            os.mkdir(fallback, 0o700)
+         
+         return fallback

pyxdg.spec

@@ -6,7 +6,7 @@
 
 Name:           pyxdg
 Version:        0.25
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        Python library to access freedesktop.org standards
 Group:          Development/Libraries
 License:        LGPLv2
@@ -14,6 +14,8 @@ URL:            http://freedesktop.org/Software/pyxdg
 Source0:        http://people.freedesktop.org/~takluyver/%{name}-%{version}.tar.gz
 # https://bugs.freedesktop.org/show_bug.cgi?id=61817
 Patch0:		pyxdg-0.25-find-first-mimetype-match.patch
+# https://bugs.freedesktop.org/show_bug.cgi?id=73878
+Patch1:		pyxdg-0.25-CVE-2014-1624.patch
 BuildArch:      noarch
 # These are needed for the nose tests.
 BuildRequires:	python-nose, hicolor-icon-theme
@@ -38,6 +40,7 @@ package contains a Python 3 version of PyXDG.
 %prep
 %setup -q
 %patch0 -p1 -b .pngfix
+%patch1 -p1 -b .CVE-2014-1624
 
 %if 0%{?with_python3}
 rm -rf %{py3dir}
@@ -93,6 +96,9 @@ rm -rf $RPM_BUILD_ROOT
 %endif #with_python3
 
 %changelog
+* Thu Dec  4 2014 Tom Callaway <spot@fedoraproject.org> - 0.25-5
+- fix CVE-2014-1624
+
 * Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.25-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild