authorAlex Legler <a3li@gentoo.org>2009-08-17 10:17:42 +0000
committerAlex Legler <a3li@gentoo.org>2009-08-17 10:17:42 +0000
commit177cc98104fad9692ac78f5a1ad97e05592cba17 (patch)
tree37d2e270259d89282fc2783a5782affb9fa3ba62 /net-zope/zodb
parentFix USE=postgres handling, add USE=sqlite support, use latest autotools, and ... (diff)
Non-maintainer commit: Version bump for security bug 278824.
(Portage version: 2.2_rc33/cvs/Linux x86_64)
Diffstat (limited to 'net-zope/zodb')
-rw-r--r--net-zope/zodb/ChangeLog10
-rw-r--r--net-zope/zodb/files/zodb-3.3.1-CVE-2009-0668+0669.patch117
-rw-r--r--net-zope/zodb/files/zodb-3.6.0-CVE-2009-0668+0669.patch117
-rw-r--r--net-zope/zodb/zodb-3.3.1-r1.ebuild32
-rw-r--r--net-zope/zodb/zodb-3.6.0-r1.ebuild26
5 files changed, 301 insertions, 1 deletions
diff --git a/net-zope/zodb/ChangeLog b/net-zope/zodb/ChangeLog
index 077f13281f6b..c99f08ab03ed 100644
--- a/net-zope/zodb/ChangeLog
+++ b/net-zope/zodb/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for net-zope/zodb
# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-zope/zodb/ChangeLog,v 1.28 2009/06/01 09:15:43 ssuominen Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-zope/zodb/ChangeLog,v 1.29 2009/08/17 10:17:42 a3li Exp $
+
+*zodb-3.6.0-r1 (17 Aug 2009)
+*zodb-3.3.1-r1 (17 Aug 2009)
+
+ 17 Aug 2009; Alex Legler <a3li@gentoo.org> +zodb-3.3.1-r1.ebuild,
+ +files/zodb-3.3.1-CVE-2009-0668+0669.patch, +zodb-3.6.0-r1.ebuild,
+ +files/zodb-3.6.0-CVE-2009-0668+0669.patch:
+ Non-mainatiner commit: Version bump for security bug 278824.
01 Jun 2009; Samuli Suominen <ssuominen@gentoo.org> zodb-3.3.1.ebuild,
zodb-3.6.0.ebuild:
diff --git a/net-zope/zodb/files/zodb-3.3.1-CVE-2009-0668+0669.patch b/net-zope/zodb/files/zodb-3.3.1-CVE-2009-0668+0669.patch
new file mode 100644
index 000000000000..d9cff752cd1f
--- /dev/null
+++ b/net-zope/zodb/files/zodb-3.3.1-CVE-2009-0668+0669.patch
@@ -0,0 +1,117 @@
+=== StorageServer.py
+==================================================================
+Index: ZODB3-3.3.1/Dependencies/ZEO-ZODB3-3.3.1/ZEO/StorageServer.py
+===================================================================
+--- ZODB3-3.3.1.orig/Dependencies/ZEO-ZODB3-3.3.1/ZEO/StorageServer.py
++++ ZODB3-3.3.1/Dependencies/ZEO-ZODB3-3.3.1/ZEO/StorageServer.py
+@@ -98,7 +98,7 @@ class ZEOStorage:
+ for func in self.extensions:
+ self._extensions[func.func_name] = None
+
+- def finish_auth(self, authenticated):
++ def _finish_auth(self, authenticated):
+ if not self.auth_realm:
+ return 1
+ self.authenticated = authenticated
+@@ -350,6 +350,7 @@ class ZEOStorage:
+
+ def new_oids(self, n=100):
+ """Return a sequence of n new oids, where n defaults to 100"""
++ n = min(n, 100)
+ if self.read_only:
+ raise ReadOnlyError()
+ if n <= 0:
+Index: ZODB3-3.3.1/Dependencies/ZEO-ZODB3-3.3.1/ZEO/auth/auth_digest.py
+===================================================================
+--- ZODB3-3.3.1.orig/Dependencies/ZEO-ZODB3-3.3.1/ZEO/auth/auth_digest.py
++++ ZODB3-3.3.1/Dependencies/ZEO-ZODB3-3.3.1/ZEO/auth/auth_digest.py
+@@ -121,7 +121,7 @@ class StorageClass(ZEOStorage):
+ check = hexdigest("%s:%s" % (h_up, challenge))
+ if check == response:
+ self.connection.setSessionKey(session_key(h_up, self._key_nonce))
+- return self.finish_auth(check == response)
++ return self._finish_auth(check == response)
+
+ extensions = [auth_get_challenge, auth_response]
+
+Index: ZODB3-3.3.1/Dependencies/ZEO-ZODB3-3.3.1/ZEO/tests/auth_plaintext.py
+===================================================================
+--- ZODB3-3.3.1.orig/Dependencies/ZEO-ZODB3-3.3.1/ZEO/tests/auth_plaintext.py
++++ ZODB3-3.3.1/Dependencies/ZEO-ZODB3-3.3.1/ZEO/tests/auth_plaintext.py
+@@ -41,7 +41,7 @@ class StorageClass(ZEOStorage):
+ self.connection.setSessionKey(session_key(username,
+ self.database.realm,
+ password))
+- return self.finish_auth(dbpw == password_dig)
++ return self._finish_auth(dbpw == password_dig)
+
+ class PlaintextClient(Client):
+ extensions = ["auth"]
+Index: ZODB3-3.3.1/Dependencies/ZEO-ZODB3-3.3.1/ZEO/zrpc/connection.py
+===================================================================
+--- ZODB3-3.3.1.orig/Dependencies/ZEO-ZODB3-3.3.1/ZEO/zrpc/connection.py
++++ ZODB3-3.3.1/Dependencies/ZEO-ZODB3-3.3.1/ZEO/zrpc/connection.py
+@@ -22,7 +22,7 @@ import logging
+ import ThreadedAsync
+ from ZEO.zrpc import smac
+ from ZEO.zrpc.error import ZRPCError, DisconnectedError
+-from ZEO.zrpc.marshal import Marshaller
++from ZEO.zrpc.marshal import Marshaller, ServerMarshaller
+ from ZEO.zrpc.trigger import trigger
+ from ZEO.zrpc.log import short_repr, log
+ from ZODB.loglevels import BLATHER, TRACE
+@@ -716,6 +716,7 @@ class ManagedServerConnection(Connection
+ def __init__(self, sock, addr, obj, mgr):
+ self.mgr = mgr
+ self.__super_init(sock, addr, obj, 'S')
++ self.marshal = ServerMarshaller()
+ self.obj.notifyConnected(self)
+
+ def handshake(self):
+Index: ZODB3-3.3.1/Dependencies/ZEO-ZODB3-3.3.1/ZEO/zrpc/marshal.py
+===================================================================
+--- ZODB3-3.3.1.orig/Dependencies/ZEO-ZODB3-3.3.1/ZEO/zrpc/marshal.py
++++ ZODB3-3.3.1/Dependencies/ZEO-ZODB3-3.3.1/ZEO/zrpc/marshal.py
+@@ -53,6 +53,20 @@ class Marshaller:
+ level=logging.ERROR)
+ raise
+
++class ServerMarshaller(Marshaller):
++
++ def decode(self, msg):
++ """Decodes msg and returns its parts"""
++ unpickler = cPickle.Unpickler(StringIO(msg))
++ unpickler.find_global = server_find_global
++
++ try:
++ return unpickler.load() # msgid, flags, name, args
++ except:
++ log("can't decode message: %s" % short_repr(msg),
++ level=logging.ERROR)
++ raise
++
+ _globals = globals()
+ _silly = ('__doc__',)
+
+@@ -77,3 +91,21 @@ def find_global(module, name):
+ return r
+
+ raise ZRPCError("Unsafe global: %s.%s" % (module, name))
++
++def server_find_global(module, name):
++ """Helper for message unpickler"""
++ try:
++ m = __import__(module, _globals, _globals, _silly)
++ except ImportError, msg:
++ raise ZRPCError("import error %s: %s" % (module, msg))
++
++ try:
++ r = getattr(m, name)
++ except AttributeError:
++ raise ZRPCError("module %s has no global %s" % (module, name))
++
++ safe = getattr(r, '__no_side_effects__', 0)
++ if safe:
++ return r
++
++ raise ZRPCError("Unsafe global: %s.%s" % (module, name))
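Review bot: In `server_find_global` the `__import__(module, _globals, _globals, _silly)` call runs before the `__no_side_effects__` check, so a module name taken from a peer's pickle is imported, and its top-level code executed, even when the global is then rejected as unsafe. Consider deciding on the name before importing, for example by resolving only modules the server has already loaded (`m = sys.modules.get(module)` and raising `ZRPCError` when it is `None`; this assumes `sys` is available in marshal.py, which the hunk does not show) or by checking an explicit allow-list of (module, name) pairs first. The function is otherwise a near copy of `find_global`, whose body lies mostly outside the hunk, so the two will have to be kept in step by hand. The same code is added again in the 3.6.0 patch later in this commit.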
diff --git a/net-zope/zodb/files/zodb-3.6.0-CVE-2009-0668+0669.patch b/net-zope/zodb/files/zodb-3.6.0-CVE-2009-0668+0669.patch
new file mode 100644
index 000000000000..e39248603d00
--- /dev/null
+++ b/net-zope/zodb/files/zodb-3.6.0-CVE-2009-0668+0669.patch
@@ -0,0 +1,117 @@
+=== StorageServer.py
+==================================================================
+Index: ZODB3-3.6.0/Dependencies/ZEO-ZODB3-3.6.0/ZEO/StorageServer.py
+===================================================================
+--- ZODB3-3.6.0.orig/Dependencies/ZEO-ZODB3-3.6.0/ZEO/StorageServer.py
++++ ZODB3-3.6.0/Dependencies/ZEO-ZODB3-3.6.0/ZEO/StorageServer.py
+@@ -98,7 +98,7 @@ class ZEOStorage:
+ for func in self.extensions:
+ self._extensions[func.func_name] = None
+
+- def finish_auth(self, authenticated):
++ def _finish_auth(self, authenticated):
+ if not self.auth_realm:
+ return 1
+ self.authenticated = authenticated
+@@ -350,6 +350,7 @@ class ZEOStorage:
+
+ def new_oids(self, n=100):
+ """Return a sequence of n new oids, where n defaults to 100"""
++ n = min(n, 100)
+ if self.read_only:
+ raise ReadOnlyError()
+ if n <= 0:
+Index: ZODB3-3.6.0/Dependencies/ZEO-ZODB3-3.6.0/ZEO/auth/auth_digest.py
+===================================================================
+--- ZODB3-3.6.0.orig/Dependencies/ZEO-ZODB3-3.6.0/ZEO/auth/auth_digest.py
++++ ZODB3-3.6.0/Dependencies/ZEO-ZODB3-3.6.0/ZEO/auth/auth_digest.py
+@@ -121,7 +121,7 @@ class StorageClass(ZEOStorage):
+ check = hexdigest("%s:%s" % (h_up, challenge))
+ if check == response:
+ self.connection.setSessionKey(session_key(h_up, self._key_nonce))
+- return self.finish_auth(check == response)
++ return self._finish_auth(check == response)
+
+ extensions = [auth_get_challenge, auth_response]
+
+Index: ZODB3-3.6.0/Dependencies/ZEO-ZODB3-3.6.0/ZEO/tests/auth_plaintext.py
+===================================================================
+--- ZODB3-3.6.0.orig/Dependencies/ZEO-ZODB3-3.6.0/ZEO/tests/auth_plaintext.py
++++ ZODB3-3.6.0/Dependencies/ZEO-ZODB3-3.6.0/ZEO/tests/auth_plaintext.py
+@@ -41,7 +41,7 @@ class StorageClass(ZEOStorage):
+ self.connection.setSessionKey(session_key(username,
+ self.database.realm,
+ password))
+- return self.finish_auth(dbpw == password_dig)
++ return self._finish_auth(dbpw == password_dig)
+
+ class PlaintextClient(Client):
+ extensions = ["auth"]
+Index: ZODB3-3.6.0/Dependencies/ZEO-ZODB3-3.6.0/ZEO/zrpc/connection.py
+===================================================================
+--- ZODB3-3.6.0.orig/Dependencies/ZEO-ZODB3-3.6.0/ZEO/zrpc/connection.py
++++ ZODB3-3.6.0/Dependencies/ZEO-ZODB3-3.6.0/ZEO/zrpc/connection.py
+@@ -22,7 +22,7 @@ import logging
+ import ThreadedAsync
+ from ZEO.zrpc import smac
+ from ZEO.zrpc.error import ZRPCError, DisconnectedError
+-from ZEO.zrpc.marshal import Marshaller
++from ZEO.zrpc.marshal import Marshaller, ServerMarshaller
+ from ZEO.zrpc.trigger import trigger
+ from ZEO.zrpc.log import short_repr, log
+ from ZODB.loglevels import BLATHER, TRACE
+@@ -716,6 +716,7 @@ class ManagedServerConnection(Connection
+ def __init__(self, sock, addr, obj, mgr):
+ self.mgr = mgr
+ self.__super_init(sock, addr, obj, 'S')
++ self.marshal = ServerMarshaller()
+ self.obj.notifyConnected(self)
+
+ def handshake(self):
+Index: ZODB3-3.6.0/Dependencies/ZEO-ZODB3-3.6.0/ZEO/zrpc/marshal.py
+===================================================================
+--- ZODB3-3.6.0.orig/Dependencies/ZEO-ZODB3-3.6.0/ZEO/zrpc/marshal.py
++++ ZODB3-3.6.0/Dependencies/ZEO-ZODB3-3.6.0/ZEO/zrpc/marshal.py
+@@ -53,6 +53,20 @@ class Marshaller:
+ level=logging.ERROR)
+ raise
+
++class ServerMarshaller(Marshaller):
++
++ def decode(self, msg):
++ """Decodes msg and returns its parts"""
++ unpickler = cPickle.Unpickler(StringIO(msg))
++ unpickler.find_global = server_find_global
++
++ try:
++ return unpickler.load() # msgid, flags, name, args
++ except:
++ log("can't decode message: %s" % short_repr(msg),
++ level=logging.ERROR)
++ raise
++
+ _globals = globals()
+ _silly = ('__doc__',)
+
+@@ -77,3 +91,21 @@ def find_global(module, name):
+ return r
+
+ raise ZRPCError("Unsafe global: %s.%s" % (module, name))
++
++def server_find_global(module, name):
++ """Helper for message unpickler"""
++ try:
++ m = __import__(module, _globals, _globals, _silly)
++ except ImportError, msg:
++ raise ZRPCError("import error %s: %s" % (module, msg))
++
++ try:
++ r = getattr(m, name)
++ except AttributeError:
++ raise ZRPCError("module %s has no global %s" % (module, name))
++
++ safe = getattr(r, '__no_side_effects__', 0)
++ if safe:
++ return r
++
++ raise ZRPCError("Unsafe global: %s.%s" % (module, name))
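Review bot: Neither the `finish_auth` to `_finish_auth` rename nor the `n = min(n, 100)` clamp in `new_oids` carries a comment saying it is a security boundary, so a later cleanup could undo either one without noticing. I would add `# Leading underscore keeps this off the remotely callable surface; do not rename.` above `_finish_auth` (presumably the zrpc dispatcher refuses underscore-prefixed names; that code is not in this patch) and `# n is client-supplied: cap the batch so one request cannot demand unbounded work.` above the clamp. The clamp also repeats the literal 100 from the default argument, and a named module constant would keep the two from drifting apart. Both points apply equally to the identical 3.3.1 patch earlier in this commit.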
diff --git a/net-zope/zodb/zodb-3.3.1-r1.ebuild b/net-zope/zodb/zodb-3.3.1-r1.ebuild
new file mode 100644
index 000000000000..a666014239a2
--- /dev/null
+++ b/net-zope/zodb/zodb-3.3.1-r1.ebuild
@@ -0,0 +1,32 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-zope/zodb/zodb-3.3.1-r1.ebuild,v 1.1 2009/08/17 10:17:42 a3li Exp $
+EAPI=2
+
+inherit distutils
+
+MY_P=ZODB
+DESCRIPTION="Zope Object DataBase"
+HOMEPAGE="http://zope.org/Products/ZODB3.3"
+SRC_URI="http://zope.org/Products/${MY_P}3.3/${MY_P}%20${PV}/${MY_P}3-${PV}.tgz"
+
+LICENSE="ZPL"
+SLOT="3.3"
+KEYWORDS="~amd64 ~x86"
+IUSE=""
+
+RDEPEND=">=dev-lang/python-2.4"
+DEPEND="${RDEPEND}
+ !net-zope/zopeinterface"
+
+S=${WORKDIR}/${MY_P}3-${PV}
+
+src_prepare() {
+ epatch "${FILESDIR}"/${PF}_umaskbug.patch \
+ "${FILESDIR}"/${P}-CVE-2009-0668+0669.patch
+}
+
+src_install() {
+ distutils_src_install
+ dohtml -a html -r Doc ExtensionClass
+}
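Review bot: `${PF}_umaskbug.patch` in `src_prepare` includes the revision suffix, so for this -r1 ebuild it expands to `zodb-3.3.1-r1_umaskbug.patch`, and the diffstat adds no file of that name. If `files/` only holds the unrevisioned `zodb-3.3.1_umaskbug.patch` (not visible on this page), `epatch` will fail and the security bump will not build. Using `"${FILESDIR}"/${P}_umaskbug.patch` would match how the CVE patch on the next line is referenced and would keep working across later revision bumps.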
diff --git a/net-zope/zodb/zodb-3.6.0-r1.ebuild b/net-zope/zodb/zodb-3.6.0-r1.ebuild
new file mode 100644
index 000000000000..46754427eacf
--- /dev/null
+++ b/net-zope/zodb/zodb-3.6.0-r1.ebuild
@@ -0,0 +1,26 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-zope/zodb/zodb-3.6.0-r1.ebuild,v 1.1 2009/08/17 10:17:42 a3li Exp $
+EAPI=2
+
+inherit distutils
+
+MY_P="ZODB"
+DESCRIPTION="Zope Object DataBase"
+HOMEPAGE="http://zope.org/Products/ZODB3.6"
+SRC_URI="http://zope.org/Products/${MY_P}3.6/${MY_P}%20${PV}/${MY_P}3-${PV}.tgz"
+
+LICENSE="ZPL"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~x86"
+IUSE=""
+
+RDEPEND=">=dev-lang/python-2.4"
+DEPEND="${RDEPEND}
+ !net-zope/zopeinterface"
+
+S=${WORKDIR}/${MY_P}3-${PV}
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}-CVE-2009-0668+0669.patch
+}