diff --git a/.python-jinja2.metadata b/.python-jinja2.metadata
index e9dd467..7b5ebf1 100644
--- a/.python-jinja2.metadata
+++ b/.python-jinja2.metadata
@@ -1 +1 @@
-f122aeb324b2009bbcee341d0f001a047ac4bbe5 SOURCES/Jinja2-2.6.tar.gz
+1ce4c8bc722444ec3e77ef9db76faebbd17a40d8 SOURCES/Jinja2-2.7.2.tar.gz
diff --git a/SOURCES/python-jinja2-align-jinjaext-with-compatibility-cleanups.patch b/SOURCES/python-jinja2-align-jinjaext-with-compatibility-cleanups.patch
new file mode 100644
index 0000000..e95d938
--- /dev/null
+++ b/SOURCES/python-jinja2-align-jinjaext-with-compatibility-cleanups.patch
@@ -0,0 +1,25 @@
+From 99d0f3165ace0befd9eafd661be6e0c23d5f9ba5 Mon Sep 17 00:00:00 2001
+From: Gabi Davar
+Date: Fri, 16 Aug 2013 16:18:35 +0300
+Subject: [PATCH] align jinjaext with the rest of the computability cleanups
+
+---
+ docs/jinjaext.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/docs/jinjaext.py b/docs/jinjaext.py
+index 8395a55..3c217f8 100644
+--- a/docs/jinjaext.py
++++ b/docs/jinjaext.py
+@@ -23,7 +23,7 @@
+ from pygments.token import Keyword, Name, Comment, String, Error, \
+ Number, Operator, Generic
+ from jinja2 import Environment, FileSystemLoader
+-from jinja2.utils import next
++from jinja2._compat import next
+
+
+ def parse_rst(state, content_offset, doc):
+--
+1.8.1.6
+
diff --git a/SOURCES/python-jinja2-fix-CVE-2014-0012.patch b/SOURCES/python-jinja2-fix-CVE-2014-0012.patch
new file mode 100644
index 0000000..7ba16db
--- /dev/null
+++ b/SOURCES/python-jinja2-fix-CVE-2014-0012.patch
@@ -0,0 +1,27 @@
+diff --git a/jinja2/bccache.py b/jinja2/bccache.py
+index 09ff845..c31a905 100644
+--- a/jinja2/bccache.py
++++ b/jinja2/bccache.py
+@@ -16,6 +16,7 @@
+ """
+ from os import path, listdir
+ import os
++import stat
+ import sys
+ import errno
+ import marshal
+@@ -230,6 +231,14 @@ class FileSystemBytecodeCache(BytecodeCache):
+ if e.errno != errno.EEXIST:
+ raise
+
++ if os.lstat(actual_dir).st_uid != os.getuid():
++ raise RuntimeError('Someone else owns temp directory with your '
++ 'uid. You need to explicitly provide another.')
++
++ if stat.S_IMODE(os.lstat(actual_dir).st_mode) != 448:
++ raise RuntimeError('Bad permission flags on temp directory, '
++ 'shoud be 0700. You need to fix this.')
++
+ return actual_dir
+
+ def _get_cache_filename(self, bucket):
diff --git a/SPECS/python-jinja2.spec b/SPECS/python-jinja2.spec
index d842836..341de12 100644
--- a/SPECS/python-jinja2.spec
+++ b/SPECS/python-jinja2.spec
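Review bot: In the `@@ -230,6 +231,14 @@` hunk of jinja2/bccache.py the new ownership and mode tests call `os.lstat(actual_dir)` twice and never check that the entry is a directory, so the two tests are not guaranteed to describe the same object and a non-directory path is not rejected by them. Taking a single `os.lstat` result and testing `st_uid`, `stat.S_ISDIR` and `stat.S_IMODE` against it closes that gap. `stat.S_IRWXU` states the intent better than the literal `448`, and the second message carries the typo `shoud`. `os.getuid()` is POSIX-only, which is presumably acceptable for this package but deserves a short comment. The enclosing method starts above the hunk, so the directory creation these checks follow is not visible here.

```python
        # … unchanged: creation of actual_dir and the EEXIST handling …
        # One snapshot, so owner, type and mode all describe the same entry.
        dir_stat = os.lstat(actual_dir)
        if dir_stat.st_uid != os.getuid():
            raise RuntimeError('Someone else owns temp directory with your '
                               'uid. You need to explicitly provide another.')
        if not stat.S_ISDIR(dir_stat.st_mode):
            raise RuntimeError('Temp directory path is not a directory. '
                               'You need to explicitly provide another.')
        if stat.S_IMODE(dir_stat.st_mode) != stat.S_IRWXU:
            raise RuntimeError('Bad permission flags on temp directory, '
                               'should be 0700. You need to fix this.')

        return actual_dir
```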
@@ -8,28 +8,31 @@ # and python-sphinx: %global with_docs 1 -Name: python-jinja2 -Version: 2.6 -Release: 6%{?dist} -Summary: General purpose template engine -Group: Development/Languages -License: BSD -URL: http://jinja.pocoo.org/ -Source0: http://pypi.python.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -BuildArch: noarch -BuildRequires: python-devel -BuildRequires: python-setuptools -BuildRequires: python-markupsafe +Name: python-jinja2 +Version: 2.7.2 +Release: 2%{?dist} +Summary: General purpose template engine +Group: Development/Languages +License: BSD +URL: http://jinja.pocoo.org/ +Source0: http://pypi.python.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz +Patch1: %{name}-align-jinjaext-with-compatibility-cleanups.patch +# Patch for CVE-2014-0012, see https://bugzilla.redhat.com/show_bug.cgi?id=1051421 +# for discussion (not yet sent upstream) +Patch2: python-jinja2-fix-CVE-2014-0012.patch +BuildArch: noarch +BuildRequires: python-devel +BuildRequires: python-setuptools +BuildRequires: python-markupsafe %if 0%{?with_docs} -BuildRequires: python-sphinx +BuildRequires: python-sphinx %endif # with_docs -Requires: python-babel >= 0.8 -Requires: python-markupsafe +Requires: python-babel >= 0.8 +Requires: python-markupsafe %if 0%{?with_python3} -BuildRequires: python3-devel -BuildRequires: python3-setuptools -BuildRequires: python3-markupsafe +BuildRequires: python3-devel +BuildRequires: python3-setuptools +BuildRequires: python3-markupsafe %endif # with_python3 
@@ -47,11 +50,11 @@ environments. %if 0%{?with_python3} %package -n python3-jinja2 -Summary: General purpose template engine -Group: Development/Languages -Requires: python3-markupsafe +Summary: General purpose template engine +Group: Development/Languages +Requires: python3-markupsafe # babel isn't py3k ready yet, and is only a weak dependency -#Requires: python3-babel >= 0.8 +#Requires: python3-babel >= 0.8 %description -n python3-jinja2 @@ -69,6 +72,8 @@ environments. %prep %setup -q -n Jinja2-%{version} +%patch1 -p1 +%patch2 -p1 # cleanup find . -name '*.pyo' -o -name '*.pyc' -delete @@ -87,7 +92,7 @@ cp -a . %{py3dir} # for now, we build docs using Python 2.x and use that for both # packages. %if 0%{?with_docs} -make -C docs html +make -C docs html PYTHONPATH=$(pwd) %endif # with_docs %if 0%{?with_python3} @@ -98,9 +103,8 @@ popd %install -rm -rf %{buildroot} %{__python} setup.py install -O1 --skip-build \ - --root %{buildroot} + --root %{buildroot} # remove hidden file rm -rf docs/_build/html/.buildinfo @@ -108,15 +112,11 @@ rm -rf docs/_build/html/.buildinfo %if 0%{?with_python3} pushd %{py3dir} %{__python3} setup.py install -O1 --skip-build \ - --root %{buildroot} + --root %{buildroot} popd %endif # with_python3 -%clean -rm -rf %{buildroot} - - %check make test @@ -129,7 +129,6 @@ popd %files -%defattr(-,root,root,-) %doc AUTHORS CHANGES LICENSE %if 0%{?with_docs} %doc docs/_build/html @@ -142,7 +141,6 @@ popd %if 0%{?with_python3} %files -n python3-jinja2 -%defattr(-,root,root,-) %doc AUTHORS CHANGES LICENSE %if 0%{?with_docs} %doc docs/_build/html 
@@ -155,6 +153,24 @@ popd %changelog +* Tue Jan 28 2014 Bohuslav Kabrda - 2.7.2-2 +- Fix CVE-2014-0012. +Resolves: rhbz#1051427 + +* Wed Jan 15 2014 Bohuslav Kabrda - 2.7.2-1 +- Reverted flawed patch for #1051427 (this reintroduces #1052102). +- Spec cleanup (removed rhel < 7 specific stuff). +- Update to 2.7.2. +Resolves: rhbz#1052777 + +* Tue Jan 14 2014 Tomas Radej - 2.6-8 +- Using secure tmp dir +- Replaced tabs with spaces +Resolves: rhbz#1051427 + +* Fri Dec 27 2013 Daniel Mach - 2.6-7 +- Mass rebuild 2013-12-27 + * Thu Feb 14 2013 Fedora Release Engineering - 2.6-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild @@ -214,7 +230,7 @@ dependency with python-sphinx; disable docs for now * Tue Jul 13 2010 Thomas Moschny - 2.5-1 - Update to upstream version 2.5. -- Create python3 subpackage. +- Create python3 subpackage. - Minor specfile fixes. - Add examples directory. - Thanks to Gareth Armstrong for additional hints.