diff --git a/SOURCES/python-jinja2-fix-CVE-2014-1402.patch b/SOURCES/python-jinja2-fix-CVE-2014-1402.patch
new file mode 100644
index 0000000..c77bacc
--- /dev/null
+++ b/SOURCES/python-jinja2-fix-CVE-2014-1402.patch
@@ -0,0 +1,64 @@
+--- jinja2/bccache.py.orig 2011-07-12 14:02:32.000000000 +0200
++++ jinja2/bccache.py 2014-05-30 13:15:12.850410773 +0200
+@@ -20,6 +20,9 @@
+ import tempfile
+ import cPickle as pickle
+ import fnmatch
++import os
++import errno
++import stat
+ try:
+ from hashlib import sha1
+ except ImportError:
+@@ -194,7 +197,9 @@
+ two arguments: The directory where the cache items are stored and a
+ pattern string that is used to build the filename.
+
+- If no directory is specified the system temporary items folder is used.
++ If no directory is specified a default cache directory is selected. On
++ Windows the user's temp directory is used, on UNIX systems a directory
++ is created for the user in the system temp directory.
+
+ The pattern can be used to have multiple separate caches operate on the
+ same directory. The default pattern is ``'__jinja2_%s.cache'``. ``%s``
+@@ -207,10 +212,39 @@
+
+ def __init__(self, directory=None, pattern='__jinja2_%s.cache'):
+ if directory is None:
+- directory = tempfile.gettempdir()
++ directory = self._get_default_cache_dir()
+ self.directory = directory
+ self.pattern = pattern
+
++ def _get_default_cache_dir(self):
++ tmpdir = tempfile.gettempdir()
++
++ # On windows the temporary directory is used specific unless
++ # explicitly forced otherwise. We can just use that.
++ if os.name == 'nt':
++ return tmpdir
++ if not hasattr(os, 'getuid'):
++ raise RuntimeError('Cannot determine safe temp directory. 
You '
++ 'need to explicitly provide one.')
++
++ dirname = '_jinja2-cache-%d' % os.getuid()
++ actual_dir = os.path.join(tmpdir, dirname)
++ try:
++ os.mkdir(actual_dir, stat.S_IRWXU) # 0o700
++ except OSError as e:
++ if e.errno != errno.EEXIST:
++ raise
++
++ actual_dir_stat = os.lstat(actual_dir)
++ if actual_dir_stat.st_uid != os.getuid() \
++ or not stat.S_ISDIR(actual_dir_stat.st_mode) \
++ or stat.S_IMODE(actual_dir_stat.st_mode) != stat.S_IRWXU:
++ raise RuntimeError('Temporary directory \'%s\' has an incorrect '
++ 'owner, permissions, or type.' % actual_dir)
++
++
++ return actual_dir
++
+ def _get_cache_filename(self, bucket):
+ return path.join(self.directory, self.pattern % bucket.key)
+
diff --git a/SPECS/python-jinja2.spec b/SPECS/python-jinja2.spec
index b584a37..1dafc03 100644
--- a/SPECS/python-jinja2.spec
+++ b/SPECS/python-jinja2.spec
@@ -7,12 +7,17 @@ Name: %{?scl_prefix}python-jinja2
 Version: 2.6
-Release: 10%{?dist}
+Release: 11%{?dist}
 Summary: General purpose template engine
 Group: Development/Languages
 License: BSD
 URL: http://jinja.pocoo.org/
 Source0: http://pypi.python.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz
+# This patch consists of two upstream patches merged and rebased for 2.2.1
+# (the first upstream patch introduced CVE-2014-0012 and the second fixed it)
+# https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7
+# https://github.com/mitsuhiko/jinja2/pull/296/files
+Patch0: %{pkg_name}-fix-CVE-2014-1402.patch
 BuildRoot: %{_tmppath}/%{pkg_name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch: noarch
 BuildRequires: %{?scl_prefix}python-devel
@@ -41,6 +46,8 @@ environments.
 # cleanup
 find . -name '*.pyo' -o -name '*.pyc' -delete
+%patch0 -p0
+
 # fix EOL
 sed -i 's|\r$||g' LICENSE
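Review bot: The comment above `if os.name == 'nt':` reads `# On windows the temporary directory is used specific unless` / `# explicitly forced otherwise. We can just use that.`, where "used specific" looks like a typo for "user-specific"; suggest `# On Windows the temporary directory is already user-specific unless` / `# explicitly forced otherwise, so it can be used as-is.`. `_get_default_cache_dir` also has no docstring; a short one should state that on POSIX it creates or reuses a per-uid directory with mode 0700 under the system temp directory and raises RuntimeError when `os.lstat` shows that path is not a real directory owned by the calling uid with exactly mode 0700, since replacing the shared world-writable cache location is the whole purpose of the change. The second RuntimeError message could name the remedy as well, e.g. `'owner, permissions, or type. Remove it or pass an explicit directory.' % actual_dir`. Finally, the two blank lines before `return actual_dir` are one more than PEP 8 wants inside a method, and `os.getuid()` is evaluated twice where one local would do.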
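Review bot: The new comment above `Patch0:` says the two upstream patches were "merged and rebased for 2.2.1", but this spec builds `Version: 2.6`, so the version named in the comment does not match the package it patches; if 2.2.1 is the release the rebase was first done against for another branch, say so explicitly, otherwise change it to `# This patch consists of two upstream patches merged and rebased for 2.6`. The `%patch0 -p0` in the next hunk matches the bare `jinja2/bccache.py` paths in the patch header, so the strip level itself looks consistent with the added patch file.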
@@ -92,6 +99,10 @@ make test
 %exclude %{python_sitelib}/jinja2/_debugsupport.c
 %changelog
+* Fri May 30 2014 Bohuslav Kabrda - 2.6-11
+- Fix CVE-2014-1402
+Resolves: rhbz#1102891
+
 * Thu Oct 24 2013 Robert Kuska - 2.6-10
 - Rebuild with doc subpackage