rpms/pyxdg
6
0
Fork 0
Code Issues Pull Requests Releases Activity

fix CVE-2014-1624

Browse Source
This commit is contained in:
Tom Callaway 2014-12-04 11:59:23 -05:00
parent ae1393f146
commit e4b99cbbb2
2 changed files with 55 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
pyxdg-0.25-CVE-2014-1624.patch Normal file
View File

@ -0,0 +1,48 @@
diff -up pyxdg-0.25/xdg/BaseDirectory.py.CVE-2014-1624 pyxdg-0.25/xdg/BaseDirectory.py
--- pyxdg-0.25/xdg/BaseDirectory.py.CVE-2014-1624 2014-12-04 11:49:53.681654931 -0500
+++ pyxdg-0.25/xdg/BaseDirectory.py 2014-12-04 11:52:45.831522703 -0500
@@ -25,7 +25,7 @@ Typical usage:
Note: see the rox.Options module for a higher-level API for managing options.
"""
-import os
+import os, stat
_home = os.path.expanduser('~')
xdg_data_home = os.environ.get('XDG_DATA_HOME') or \
@@ -131,15 +131,29 @@ def get_runtime_dir(strict=True):
import getpass
fallback = '/tmp/pyxdg-runtime-dir-fallback-' + getpass.getuser()
+ create = False
try:
- os.mkdir(fallback, 0o700)
+ # This must be a real directory, not a symlink, so attackers can't
+ # point it elsewhere. So we use lstat to check it.
+ st = os.lstat(fallback)
except OSError as e:
import errno
- if e.errno == errno.EEXIST:
- # Already exists - set 700 permissions again.
- import stat
- os.chmod(fallback, stat.S_IRUSR|stat.S_IWUSR|stat.S_IXUSR)
- else: # pragma: no cover
+ if e.errno == errno.ENOENT:
+ create = True
+ else:
raise
+ else:
+ # The fallback must be a directory
+ if not stat.S_ISDIR(st.st_mode):
+ os.unlink(fallback)
+ create = True
+ # Must be owned by the user and not accessible by anyone else
+ elif (st.st_uid != os.getuid()) \
+ or (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)):
+ os.rmdir(fallback)
+ create = True
+
+ if create:
+ os.mkdir(fallback, 0o700)
return fallback

8
pyxdg.spec
View File

@ -6,7 +6,7 @@
Name: pyxdg Name: pyxdg
Version: 0.25 Version: 0.25
Release: 4%{?dist} Release: 5%{?dist}
Summary: Python library to access freedesktop.org standards Summary: Python library to access freedesktop.org standards
Group: Development/Libraries Group: Development/Libraries
License: LGPLv2 License: LGPLv2
@ -14,6 +14,8 @@ URL: http://freedesktop.org/Software/pyxdg
Source0: http://people.freedesktop.org/~takluyver/%{name}-%{version}.tar.gz Source0: http://people.freedesktop.org/~takluyver/%{name}-%{version}.tar.gz
# https://bugs.freedesktop.org/show_bug.cgi?id=61817 # https://bugs.freedesktop.org/show_bug.cgi?id=61817
Patch0: pyxdg-0.25-find-first-mimetype-match.patch Patch0: pyxdg-0.25-find-first-mimetype-match.patch
# https://bugs.freedesktop.org/show_bug.cgi?id=73878
Patch1: pyxdg-0.25-CVE-2014-1624.patch
BuildArch: noarch BuildArch: noarch
# These are needed for the nose tests. # These are needed for the nose tests.
BuildRequires: python-nose, hicolor-icon-theme BuildRequires: python-nose, hicolor-icon-theme
@ -38,6 +40,7 @@ package contains a Python 3 version of PyXDG.
%prep %prep
%setup -q %setup -q
%patch0 -p1 -b .pngfix %patch0 -p1 -b .pngfix
%patch1 -p1 -b .CVE-2014-1624
%if 0%{?with_python3} %if 0%{?with_python3}
rm -rf %{py3dir} rm -rf %{py3dir}
@ -93,6 +96,9 @@ rm -rf $RPM_BUILD_ROOT
%endif #with_python3 %endif #with_python3
%changelog %changelog
* Thu Dec 4 2014 Tom Callaway <spot@fedoraproject.org> - 0.25-5
- fix CVE-2014-1624
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.25-4 * Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.25-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild