diff --git a/SOURCES/python-jinja2-fix-CVE-2014-1402.patch b/SOURCES/python-jinja2-fix-CVE-2014-1402.patch
new file mode 100644
index 0000000..c77bacc
--- /dev/null
+++ b/SOURCES/python-jinja2-fix-CVE-2014-1402.patch
@@ -0,0 +1,64 @@
+--- jinja2/bccache.py.orig 2011-07-12 14:02:32.000000000 +0200
++++ jinja2/bccache.py 2014-05-30 13:15:12.850410773 +0200
+@@ -20,6 +20,9 @@
+ import tempfile
+ import cPickle as pickle
+ import fnmatch
++import os
++import errno
++import stat
+ try:
+ from hashlib import sha1
+ except ImportError:
+@@ -194,7 +197,9 @@
+ two arguments: The directory where the cache items are stored and a
+ pattern string that is used to build the filename.
+
+- If no directory is specified the system temporary items folder is used.
++ If no directory is specified a default cache directory is selected. On
++ Windows the user's temp directory is used, on UNIX systems a directory
++ is created for the user in the system temp directory.
+
+ The pattern can be used to have multiple separate caches operate on the
+ same directory. The default pattern is ``'__jinja2_%s.cache'``. ``%s``
+@@ -207,10 +212,39 @@
+
+ def __init__(self, directory=None, pattern='__jinja2_%s.cache'):
+ if directory is None:
+- directory = tempfile.gettempdir()
++ directory = self._get_default_cache_dir()
+ self.directory = directory
+ self.pattern = pattern
+
++ def _get_default_cache_dir(self):
++ tmpdir = tempfile.gettempdir()
++
++ # On windows the temporary directory is used specific unless
++ # explicitly forced otherwise. We can just use that.
++ if os.name == 'nt':
++ return tmpdir
++ if not hasattr(os, 'getuid'):
++ raise RuntimeError('Cannot determine safe temp directory. 
You '
++ 'need to explicitly provide one.')
++
++ dirname = '_jinja2-cache-%d' % os.getuid()
++ actual_dir = os.path.join(tmpdir, dirname)
++ try:
++ os.mkdir(actual_dir, stat.S_IRWXU) # 0o700
++ except OSError as e:
++ if e.errno != errno.EEXIST:
++ raise
++
++ actual_dir_stat = os.lstat(actual_dir)
++ if actual_dir_stat.st_uid != os.getuid() \
++ or not stat.S_ISDIR(actual_dir_stat.st_mode) \
++ or stat.S_IMODE(actual_dir_stat.st_mode) != stat.S_IRWXU:
++ raise RuntimeError('Temporary directory \'%s\' has an incorrect '
++ 'owner, permissions, or type.' % actual_dir)
++
++
++ return actual_dir
++
+ def _get_cache_filename(self, bucket):
+ return path.join(self.directory, self.pattern % bucket.key)
+
diff --git a/SPECS/python-jinja2.spec b/SPECS/python-jinja2.spec
index 115da66..0163373 100644
--- a/SPECS/python-jinja2.spec
+++ b/SPECS/python-jinja2.spec
@@ -7,7 +7,7 @@ Name: %{?scl_prefix}python-jinja2
 Version: 2.6
-Release: 11%{?dist}
+Release: 12%{?dist}
 Summary: General purpose template engine
 Group: Development/Languages
 License: BSD
@@ -18,6 +18,11 @@ Patch0: jinja2-add-source-filesize-to-header.patch
 # https://github.com/mitsuhiko/jinja2/commit/21a2010bf2768bc658e09666c2135063ce004efc
 Patch1: jinja2-fix-unicode-error.patch
 Patch2: jinja2-fix-doc-build-for-python3.patch
+# This patch consists of two upstream patches merged and rebased for 2.2.1
+# (the first upstream patch introduced CVE-2014-0012 and the second fixed it)
+# https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7
+# https://github.com/mitsuhiko/jinja2/pull/296/files
+Patch3: %{pkg_name}-fix-CVE-2014-1402.patch
 BuildRoot: %{_tmppath}/%{pkg_name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch: noarch
 BuildRequires: %{?scl_prefix}python-devel
@@ -44,6 +49,7 @@ environments.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p0
+%patch3 -p0
 # cleanup
 find . -name '*.pyo' -o -name '*.pyc' -delete
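Review bot: `_get_default_cache_dir` checks owner, type and mode with a single `os.lstat` at construction time and never re-checks before later reads and writes under `self.directory`, so the guarantee rests on the temp directory being sticky (another local user then cannot rename or replace a 0700 directory they do not own); that assumption deserves a comment, especially since the method has no docstring and the "used specific unless explicitly forced otherwise" comment is garbled. Suggested docstring: return a per-user, mode-0700 cache directory under `tempfile.gettempdir()`, creating it if absent, and raise `RuntimeError` instead of falling back to the shared temp directory when the path exists but is not a directory owned by the current uid with mode exactly 0700, because the files under it are presumably deserialized later (cPickle is imported a few lines up) and must never come from a location other users can write to. That fail-closed choice also means a pre-existing foreign-owned `_jinja2-cache-<uid>` makes construction of the cache with the default directory fail outright, which is worth stating so operators know to pass `directory=` explicitly. Minor: `os.getuid()` is called twice; bind it once with `uid = os.getuid()` and reuse it in the dirname and the `st_uid` comparison. `_get_cache_filename` continues outside the hunk.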
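Review bot: The comment introducing Patch3 says the merged upstream patches were rebased for 2.2.1, yet this spec builds Version 2.6 (the `-7,7` hunk bumps only the Release); if the line was carried over from another branch, change it to `# This patch consists of two upstream patches merged and rebased for 2.6` so the next rebase targets the right tree. The `%patch3 -p0` application matches the bare `jinja2/bccache.py` paths in the embedded patch headers, so the strip level is consistent.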
@@ -94,13 +100,17 @@ rm -rf %{buildroot} %exclude %{python3_sitelib}/jinja2/_debugsupport.c %changelog +* Fri May 30 2014 Bohuslav Kabrda - 2.6-12 +- Fix CVE-2014-1402 +Resolves: rhbz#1102893 + * Mon Nov 18 2013 Robert Kuska - 2.6-11 - Build with docs * Thu May 09 2013 Bohuslav Kabrda - 2.6-10 - Remove the extraneous dependency on babel. -* Thu May 09 2013 Bohuslav Kabrda - 2.6-9 +* Tue May 07 2013 Bohuslav Kabrda - 2.6-9 - Rebuild to generate bytecode properly after fixing rhbz#956289 * Wed Jan 23 2013 Bohuslav Kabrda - 2.6-8