diff --git a/fish-upstream-CVE-2014-2914.patch b/fish-upstream-CVE-2014-2914.patch new file mode 100644 index 0000000..248bb38 --- /dev/null +++ b/fish-upstream-CVE-2014-2914.patch @@ -0,0 +1,47 @@ +From 10642a34f17ae45bd93be3ae6021ee920d3da0c2 Mon Sep 17 00:00:00 2001 +Message-Id: <10642a34f17ae45bd93be3ae6021ee920d3da0c2.1398707555.git.luto@amacapital.net> +In-Reply-To: <3c5d5b344ee945b99e4bb16a44af6f293601813d.1398707555.git.luto@amacapital.net> +References: <3c5d5b344ee945b99e4bb16a44af6f293601813d.1398707555.git.luto@amacapital.net> +From: Anders Bergh +Date: Tue, 4 Mar 2014 09:59:26 +0100 +Subject: [PATCH 2/4] fish_config: Listen on both IPv6 and IPv4. + +A subclass of TCPServer was created to deny any non-local connections and to +listen using an IPv6 socket. +--- + share/tools/web_config/webconfig.py | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/share/tools/web_config/webconfig.py b/share/tools/web_config/webconfig.py +index f735a02..1b9250b 100755 +--- a/share/tools/web_config/webconfig.py ++++ b/share/tools/web_config/webconfig.py +@@ -250,6 +250,16 @@ class FishVar: + if self.exported: flags.append('exported') + return [self.name, self.value, ', '.join(flags)] + ++class FishConfigTCPServer(SocketServer.TCPServer): ++ """TCPServer that only accepts connections from localhost (IPv4/IPv6).""" ++ WHITELIST = set(['::1', '::ffff:127.0.0.1', '127.0.0.1']) ++ ++ address_family = socket.AF_INET6 ++ ++ def verify_request(self, request, client_address): ++ return client_address[0] in FishConfigTCPServer.WHITELIST ++ ++ + class FishConfigHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler): + + def write_to_wfile(self, txt): +@@ -613,7 +623,7 @@ PORT = 8000 + while PORT <= 9000: + try: + Handler = FishConfigHTTPRequestHandler +- httpd = SocketServer.TCPServer(("", PORT), Handler) ++ httpd = FishConfigTCPServer(("::", PORT), Handler) + # Success + break + except socket.error: +-- +1.9.0 + diff --git a/fish.spec b/fish.spec index aaa6bec..30ca356 100644 --- a/fish.spec +++ b/fish.spec @@ -1,6 +1,6 @@ Name: fish Version: 2.1.0 -Release: 8%{?dist} +Release: 9%{?dist} Summary: A friendly interactive shell Group: System Environment/Shells @@ -10,8 +10,9 @@ Source0: http://fishshell.com/files/%{version}/fish-%{version}.ta Patch0: fish-remove-usr-local.patch Patch1: fish-add-link-cxxflags.patch Patch2: fish-use-usrbinpython.patch -Patch3: fish-upstream-CVE-2014-2905.patch -Patch4: fish-upstream-CVE-2014-2906.patch +Patch3: fish-upstream-CVE-2014-2914.patch +Patch4: fish-upstream-CVE-2014-2905.patch +Patch5: fish-upstream-CVE-2014-2906.patch BuildRequires: ncurses-devel gettext groff doxygen @@ -32,6 +33,7 @@ nothing to learn or configure. %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 # This is unused. If we fiddle with Python versions, its presence will # be confusing. @@ -84,6 +86,9 @@ fi %changelog +* Mon Apr 28 2014 Andy Lutomirski - 2.1.0-9 +- Fix CVE-2014-2914 + * Mon Apr 28 2014 Andy Lutomirski - 2.1.0-8 - Fix build failure