author | Alex Legler <a3li@gentoo.org> | 2009-08-17 10:17:42 +0000 |
---|---|---|
committer | Alex Legler <a3li@gentoo.org> | 2009-08-17 10:17:42 +0000 |
commit | 177cc98104fad9692ac78f5a1ad97e05592cba17 (patch) | |
tree | 37d2e270259d89282fc2783a5782affb9fa3ba62 /net-zope/zodb | |
parent | Fix USE=postgres handling, add USE=sqlite support, use latest autotools, and ... (diff) | |
Non-maintainer commit: Version bump for security bug 278824.
(Portage version: 2.2_rc33/cvs/Linux x86_64)
Diffstat (limited to 'net-zope/zodb')
-rw-r--r-- | net-zope/zodb/ChangeLog | 10 | ||||
-rw-r--r-- | net-zope/zodb/files/zodb-3.3.1-CVE-2009-0668+0669.patch | 117 | ||||
-rw-r--r-- | net-zope/zodb/files/zodb-3.6.0-CVE-2009-0668+0669.patch | 117 | ||||
-rw-r--r-- | net-zope/zodb/zodb-3.3.1-r1.ebuild | 32 | ||||
-rw-r--r-- | net-zope/zodb/zodb-3.6.0-r1.ebuild | 26 |
5 files changed, 301 insertions, 1 deletions
diff --git a/net-zope/zodb/ChangeLog b/net-zope/zodb/ChangeLog index 077f13281f6b..c99f08ab03ed 100644 --- a/net-zope/zodb/ChangeLog +++ b/net-zope/zodb/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for net-zope/zodb # Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-zope/zodb/ChangeLog,v 1.28 2009/06/01 09:15:43 ssuominen Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-zope/zodb/ChangeLog,v 1.29 2009/08/17 10:17:42 a3li Exp $ + +*zodb-3.6.0-r1 (17 Aug 2009) +*zodb-3.3.1-r1 (17 Aug 2009) + + 17 Aug 2009; Alex Legler <a3li@gentoo.org> +zodb-3.3.1-r1.ebuild, + +files/zodb-3.3.1-CVE-2009-0668+0669.patch, +zodb-3.6.0-r1.ebuild, + +files/zodb-3.6.0-CVE-2009-0668+0669.patch: + Non-mainatiner commit: Version bump for security bug 278824. 01 Jun 2009; Samuli Suominen <ssuominen@gentoo.org> zodb-3.3.1.ebuild, zodb-3.6.0.ebuild: diff --git a/net-zope/zodb/files/zodb-3.3.1-CVE-2009-0668+0669.patch b/net-zope/zodb/files/zodb-3.3.1-CVE-2009-0668+0669.patch new file mode 100644 index 000000000000..d9cff752cd1f --- /dev/null +++ b/net-zope/zodb/files/zodb-3.3.1-CVE-2009-0668+0669.patch 
@@ -0,0 +1,117 @@
+=== StorageServer.py
+==================================================================
+Index: ZODB3-3.3.1/Dependencies/ZEO-ZODB3-3.3.1/ZEO/StorageServer.py
+===================================================================
+--- ZODB3-3.3.1.orig/Dependencies/ZEO-ZODB3-3.3.1/ZEO/StorageServer.py
++++ ZODB3-3.3.1/Dependencies/ZEO-ZODB3-3.3.1/ZEO/StorageServer.py
+@@ -98,7 +98,7 @@ class ZEOStorage:
+ for func in self.extensions:
+ self._extensions[func.func_name] = None
+
+- def finish_auth(self, authenticated):
++ def _finish_auth(self, authenticated):
+ if not self.auth_realm:
+ return 1
+ self.authenticated = authenticated
+@@ -350,6 +350,7 @@ class ZEOStorage:
+
+ def new_oids(self, n=100):
+ """Return a sequence of n new oids, where n defaults to 100"""
++ n = min(n, 100)
+ if self.read_only:
+ raise ReadOnlyError()
+ if n <= 0:
+Index: ZODB3-3.3.1/Dependencies/ZEO-ZODB3-3.3.1/ZEO/auth/auth_digest.py
+===================================================================
+--- ZODB3-3.3.1.orig/Dependencies/ZEO-ZODB3-3.3.1/ZEO/auth/auth_digest.py
++++ ZODB3-3.3.1/Dependencies/ZEO-ZODB3-3.3.1/ZEO/auth/auth_digest.py
+@@ -121,7 +121,7 @@ class StorageClass(ZEOStorage):
+ check = hexdigest("%s:%s" % (h_up, challenge))
+ if check == response:
+ self.connection.setSessionKey(session_key(h_up, self._key_nonce))
+- return self.finish_auth(check == response)
++ return self._finish_auth(check == response)
+
+ extensions = [auth_get_challenge, auth_response]
+
+Index: ZODB3-3.3.1/Dependencies/ZEO-ZODB3-3.3.1/ZEO/tests/auth_plaintext.py
+===================================================================
+--- ZODB3-3.3.1.orig/Dependencies/ZEO-ZODB3-3.3.1/ZEO/tests/auth_plaintext.py
++++ ZODB3-3.3.1/Dependencies/ZEO-ZODB3-3.3.1/ZEO/tests/auth_plaintext.py
+@@ -41,7 +41,7 @@ class StorageClass(ZEOStorage):
+ self.connection.setSessionKey(session_key(username,
+ self.database.realm,
+ password))
+- return self.finish_auth(dbpw == password_dig)
++ return self._finish_auth(dbpw == password_dig)
+
+ class PlaintextClient(Client):
+ extensions = ["auth"]
+Index: ZODB3-3.3.1/Dependencies/ZEO-ZODB3-3.3.1/ZEO/zrpc/connection.py
+===================================================================
+--- ZODB3-3.3.1.orig/Dependencies/ZEO-ZODB3-3.3.1/ZEO/zrpc/connection.py
++++ ZODB3-3.3.1/Dependencies/ZEO-ZODB3-3.3.1/ZEO/zrpc/connection.py
+@@ -22,7 +22,7 @@ import logging
+ import ThreadedAsync
+ from ZEO.zrpc import smac
+ from ZEO.zrpc.error import ZRPCError, DisconnectedError
+-from ZEO.zrpc.marshal import Marshaller
++from ZEO.zrpc.marshal import Marshaller, ServerMarshaller
+ from ZEO.zrpc.trigger import trigger
+ from ZEO.zrpc.log import short_repr, log
+ from ZODB.loglevels import BLATHER, TRACE
+@@ -716,6 +716,7 @@ class ManagedServerConnection(Connection
+ def __init__(self, sock, addr, obj, mgr):
+ self.mgr = mgr
+ self.__super_init(sock, addr, obj, 'S')
++ self.marshal = ServerMarshaller()
+ self.obj.notifyConnected(self)
+
+ def handshake(self):
+Index: ZODB3-3.3.1/Dependencies/ZEO-ZODB3-3.3.1/ZEO/zrpc/marshal.py
+===================================================================
+--- ZODB3-3.3.1.orig/Dependencies/ZEO-ZODB3-3.3.1/ZEO/zrpc/marshal.py
++++ ZODB3-3.3.1/Dependencies/ZEO-ZODB3-3.3.1/ZEO/zrpc/marshal.py
+@@ -53,6 +53,20 @@ class Marshaller:
+ level=logging.ERROR)
+ raise
+
++class ServerMarshaller(Marshaller):
++
++ def decode(self, msg):
++ """Decodes msg and returns its parts"""
++ unpickler = cPickle.Unpickler(StringIO(msg))
++ unpickler.find_global = server_find_global
++
++ try:
++ return unpickler.load() # msgid, flags, name, args
++ except:
++ log("can't decode message: %s" % short_repr(msg),
++ level=logging.ERROR)
++ raise
++
+ _globals = globals()
+ _silly = ('__doc__',)
+
+@@ -77,3 +91,21 @@ def find_global(module, name):
+ return r
+
+ raise ZRPCError("Unsafe global: %s.%s" % (module, name))
++
++def server_find_global(module, name):
++ """Helper for message unpickler"""
++ try:
++ m = __import__(module, _globals, _globals, _silly)
++ except ImportError, msg:
++ raise ZRPCError("import error %s: %s" % (module, msg))
++
++ try:
++ r = getattr(m, name)
++ except AttributeError:
++ raise ZRPCError("module %s has no global %s" % (module, name))
++
++ safe = getattr(r, '__no_side_effects__', 0)
++ if safe:
++ return r
++
++ raise ZRPCError("Unsafe global: %s.%s" % (module, name))
diff --git a/net-zope/zodb/files/zodb-3.6.0-CVE-2009-0668+0669.patch b/net-zope/zodb/files/zodb-3.6.0-CVE-2009-0668+0669.patch
new file mode 100644
index 000000000000..e39248603d00
--- /dev/null
+++ b/net-zope/zodb/files/zodb-3.6.0-CVE-2009-0668+0669.patch
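Review bot: `server_find_global` calls `__import__(module, _globals, _globals, _silly)` on a module name taken from the incoming message before the `__no_side_effects__` test runs, so the accept/reject decision is only made after the import, and any module-level code it triggers, has already happened. Because this resolver is installed on `ManagedServerConnection`, where the peer is presumably not yet trusted, it would be more robust to reject the name before importing, for example by checking `module` against a fixed set of permitted module names and raising `ZRPCError("Unsafe global: ...")` otherwise. The docstring `"""Helper for message unpickler"""` also does not say how this differs from `find_global`; something like `"""Resolve a pickle global on the server; only objects flagged __no_side_effects__ are accepted."""` would record why a second resolver exists. The zodb-3.6.0 patch file added later in this commit carries the same code, so the point applies there as well.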
@@ -0,0 +1,117 @@
+=== StorageServer.py
+==================================================================
+Index: ZODB3-3.6.0/Dependencies/ZEO-ZODB3-3.6.0/ZEO/StorageServer.py
+===================================================================
+--- ZODB3-3.6.0.orig/Dependencies/ZEO-ZODB3-3.6.0/ZEO/StorageServer.py
++++ ZODB3-3.6.0/Dependencies/ZEO-ZODB3-3.6.0/ZEO/StorageServer.py
+@@ -98,7 +98,7 @@ class ZEOStorage:
+ for func in self.extensions:
+ self._extensions[func.func_name] = None
+
+- def finish_auth(self, authenticated):
++ def _finish_auth(self, authenticated):
+ if not self.auth_realm:
+ return 1
+ self.authenticated = authenticated
+@@ -350,6 +350,7 @@ class ZEOStorage:
+
+ def new_oids(self, n=100):
+ """Return a sequence of n new oids, where n defaults to 100"""
++ n = min(n, 100)
+ if self.read_only:
+ raise ReadOnlyError()
+ if n <= 0:
+Index: ZODB3-3.6.0/Dependencies/ZEO-ZODB3-3.6.0/ZEO/auth/auth_digest.py
+===================================================================
+--- ZODB3-3.6.0.orig/Dependencies/ZEO-ZODB3-3.6.0/ZEO/auth/auth_digest.py
++++ ZODB3-3.6.0/Dependencies/ZEO-ZODB3-3.6.0/ZEO/auth/auth_digest.py
+@@ -121,7 +121,7 @@ class StorageClass(ZEOStorage):
+ check = hexdigest("%s:%s" % (h_up, challenge))
+ if check == response:
+ self.connection.setSessionKey(session_key(h_up, self._key_nonce))
+- return self.finish_auth(check == response)
++ return self._finish_auth(check == response)
+
+ extensions = [auth_get_challenge, auth_response]
+
+Index: ZODB3-3.6.0/Dependencies/ZEO-ZODB3-3.6.0/ZEO/tests/auth_plaintext.py
+===================================================================
+--- ZODB3-3.6.0.orig/Dependencies/ZEO-ZODB3-3.6.0/ZEO/tests/auth_plaintext.py
++++ ZODB3-3.6.0/Dependencies/ZEO-ZODB3-3.6.0/ZEO/tests/auth_plaintext.py
+@@ -41,7 +41,7 @@ class StorageClass(ZEOStorage):
+ self.connection.setSessionKey(session_key(username,
+ self.database.realm,
+ password))
+- return self.finish_auth(dbpw == password_dig)
++ return self._finish_auth(dbpw == password_dig)
+
+ class PlaintextClient(Client):
+ extensions = ["auth"]
+Index: ZODB3-3.6.0/Dependencies/ZEO-ZODB3-3.6.0/ZEO/zrpc/connection.py
+===================================================================
+--- ZODB3-3.6.0.orig/Dependencies/ZEO-ZODB3-3.6.0/ZEO/zrpc/connection.py
++++ ZODB3-3.6.0/Dependencies/ZEO-ZODB3-3.6.0/ZEO/zrpc/connection.py
+@@ -22,7 +22,7 @@ import logging
+ import ThreadedAsync
+ from ZEO.zrpc import smac
+ from ZEO.zrpc.error import ZRPCError, DisconnectedError
+-from ZEO.zrpc.marshal import Marshaller
++from ZEO.zrpc.marshal import Marshaller, ServerMarshaller
+ from ZEO.zrpc.trigger import trigger
+ from ZEO.zrpc.log import short_repr, log
+ from ZODB.loglevels import BLATHER, TRACE
+@@ -716,6 +716,7 @@ class ManagedServerConnection(Connection
+ def __init__(self, sock, addr, obj, mgr):
+ self.mgr = mgr
+ self.__super_init(sock, addr, obj, 'S')
++ self.marshal = ServerMarshaller()
+ self.obj.notifyConnected(self)
+
+ def handshake(self):
+Index: ZODB3-3.6.0/Dependencies/ZEO-ZODB3-3.6.0/ZEO/zrpc/marshal.py
+===================================================================
+--- ZODB3-3.6.0.orig/Dependencies/ZEO-ZODB3-3.6.0/ZEO/zrpc/marshal.py
++++ ZODB3-3.6.0/Dependencies/ZEO-ZODB3-3.6.0/ZEO/zrpc/marshal.py
+@@ -53,6 +53,20 @@ class Marshaller:
+ level=logging.ERROR)
+ raise
+
++class ServerMarshaller(Marshaller):
++
++ def decode(self, msg):
++ """Decodes msg and returns its parts"""
++ unpickler = cPickle.Unpickler(StringIO(msg))
++ unpickler.find_global = server_find_global
++
++ try:
++ return unpickler.load() # msgid, flags, name, args
++ except:
++ log("can't decode message: %s" % short_repr(msg),
++ level=logging.ERROR)
++ raise
++
+ _globals = globals()
+ _silly = ('__doc__',)
+
+@@ -77,3 +91,21 @@ def find_global(module, name):
+ return r
+
+ raise ZRPCError("Unsafe global: %s.%s" % (module, name))
++
++def server_find_global(module, name):
++ """Helper for message unpickler"""
++ try:
++ m = __import__(module, _globals, _globals, _silly)
++ except ImportError, msg:
++ raise ZRPCError("import error %s: %s" % (module, msg))
++
++ try:
++ r = getattr(m, name)
++ except AttributeError:
++ raise ZRPCError("module %s has no global %s" % (module, name))
++
++ safe = getattr(r, '__no_side_effects__', 0)
++ if safe:
++ return r
++
++ raise ZRPCError("Unsafe global: %s.%s" % (module, name))
diff --git a/net-zope/zodb/zodb-3.3.1-r1.ebuild b/net-zope/zodb/zodb-3.3.1-r1.ebuild
new file mode 100644
index 000000000000..a666014239a2
--- /dev/null
+++ b/net-zope/zodb/zodb-3.3.1-r1.ebuild
@@ -0,0 +1,32 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-zope/zodb/zodb-3.3.1-r1.ebuild,v 1.1 2009/08/17 10:17:42 a3li Exp $
+EAPI=2
+
+inherit distutils
+
+MY_P=ZODB
+DESCRIPTION="Zope Object DataBase"
+HOMEPAGE="http://zope.org/Products/ZODB3.3"
+SRC_URI="http://zope.org/Products/${MY_P}3.3/${MY_P}%20${PV}/${MY_P}3-${PV}.tgz"
+
+LICENSE="ZPL"
+SLOT="3.3"
+KEYWORDS="~amd64 ~x86"
+IUSE=""
+
+RDEPEND=">=dev-lang/python-2.4"
+DEPEND="${RDEPEND}
+ !net-zope/zopeinterface"
+
+S=${WORKDIR}/${MY_P}3-${PV}
+
+src_prepare() {
+ epatch "${FILESDIR}"/${PF}_umaskbug.patch \
+ "${FILESDIR}"/${P}-CVE-2009-0668+0669.patch
+}
+
+src_install() {
+ distutils_src_install
+ dohtml -a html -r Doc ExtensionClass
+}
diff --git a/net-zope/zodb/zodb-3.6.0-r1.ebuild b/net-zope/zodb/zodb-3.6.0-r1.ebuild
new file mode 100644
index 000000000000..46754427eacf
--- /dev/null
+++ b/net-zope/zodb/zodb-3.6.0-r1.ebuild
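Review bot: In `src_prepare` of zodb-3.3.1-r1.ebuild, `${PF}_umaskbug.patch` now expands to `zodb-3.3.1-r1_umaskbug.patch`, because `PF` includes the revision suffix, and the diffstat for this commit adds no file of that name. If the existing file under `files/` is named after the unrevised version (not visible here), `epatch` will fail and the security fix will not build. Using `${P}`, as the CVE patch line right below it already does, keeps the name stable across revision bumps: `epatch "${FILESDIR}"/${P}_umaskbug.patch \`.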
@@ -0,0 +1,26 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-zope/zodb/zodb-3.6.0-r1.ebuild,v 1.1 2009/08/17 10:17:42 a3li Exp $
+EAPI=2
+
+inherit distutils
+
+MY_P="ZODB"
+DESCRIPTION="Zope Object DataBase"
+HOMEPAGE="http://zope.org/Products/ZODB3.6"
+SRC_URI="http://zope.org/Products/${MY_P}3.6/${MY_P}%20${PV}/${MY_P}3-${PV}.tgz"
+
+LICENSE="ZPL"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~x86"
+IUSE=""
+
+RDEPEND=">=dev-lang/python-2.4"
+DEPEND="${RDEPEND}
+ !net-zope/zopeinterface"
+
+S=${WORKDIR}/${MY_P}3-${PV}
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}-CVE-2009-0668+0669.patch
+} |