ports/77080: Update port: lang/python23 Security update PSF-2005-001
Marcus Grando
marcus at corp.grupos.com.br
Thu Feb 3 22:30:22 UTC 2005
>Number: 77080
>Category: ports
>Synopsis: Update port: lang/python23 Security update PSF-2005-001
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Thu Feb 03 22:30:22 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Marcus Grando
>Release: FreeBSD 4.11-STABLE i386
>Organization:
Grupos Internet S/A
>Environment:
System: FreeBSD corp.grupos.com.br 4.11-STABLE FreeBSD 4.11-STABLE #40: Fri Jan 28 13:42:33 BRST 2005 root at corp.grupos.com.br:/usr/obj/usr/src/sys/CORP i386
>Description:
Update port: lang/python23 Security update PSF-2005-001
+ Add patch from python.org
Please see:
http://www.python.org/security/PSF-2005-001/
Please update vuxml
>How-To-Repeat:
>Fix:
--- python23.patch begins here ---
diff -ruN python23.old/Makefile python23/Makefile
--- python23.old/Makefile Sun Jan 30 01:06:43 2005
+++ python23/Makefile Thu Feb 3 20:06:02 2005
@@ -7,7 +7,7 @@
PORTNAME= python
PORTVERSION= 2.3.4
-PORTREVISION?= 3
+PORTREVISION?= 4
CATEGORIES= lang python ipv6
MASTER_SITES= ${PYTHON_MASTER_SITES}
MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR}
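Review bot: the description asks for a vuxml update, but this diff touches only `Makefile` and `files/patch-Lib::SimpleXMLRPCServer.py`, so the bump to `PORTREVISION?= 4` rebuilds the port without marking older installed packages as affected. Suggest attaching the vuxml entry to the PR, or stating the affected range (everything below 2.3.4_4, going by the `PORTVERSION` and `PORTREVISION` lines here), so both land in the same commit.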
diff -ruN python23.old/files/patch-Lib::SimpleXMLRPCServer.py python23/files/patch-Lib::SimpleXMLRPCServer.py
--- python23.old/files/patch-Lib::SimpleXMLRPCServer.py Wed Dec 31 21:00:00 1969
+++ python23/files/patch-Lib::SimpleXMLRPCServer.py Thu Feb 3 20:05:08 2005
@@ -0,0 +1,80 @@
+--- Lib/SimpleXMLRPCServer.py.orig Sun Jun 29 01:19:37 2003
++++ Lib/SimpleXMLRPCServer.py Thu Feb 3 20:04:33 2005
+@@ -107,14 +107,22 @@
+ import types
+ import os
+
+-def resolve_dotted_attribute(obj, attr):
++def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
+ """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
+
+ Resolves a dotted attribute name to an object. Raises
+ an AttributeError if any attribute in the chain starts with a '_'.
++
++ If the optional allow_dotted_names argument is false, dots are not
++ supported and this function operates similar to getattr(obj, attr).
+ """
+
+- for i in attr.split('.'):
++ if allow_dotted_names:
++ attrs = attr.split('.')
++ else:
++ attrs = [attr]
++
++ for i in attrs:
+ if i.startswith('_'):
+ raise AttributeError(
+ 'attempt to access private attribute "%s"' % i
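Review bot: in the new signature `def resolve_dotted_attribute(obj, attr, allow_dotted_names=True)` the helper defaults to the permissive behaviour, while `register_instance` further down defaults to `False`, so any caller that omits the argument still gets dotted traversal. Consider defaulting to `False` here as well, or say in the docstring that the `True` default is kept only for compatibility. The loop also still rejects only segments that start with `_`; that check is unchanged and is the sole filter once dots are allowed.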
+@@ -156,7 +164,7 @@
+ self.funcs = {}
+ self.instance = None
+
+- def register_instance(self, instance):
++ def register_instance(self, instance, allow_dotted_names=False):
+ """Registers an instance to respond to XML-RPC requests.
+
+ Only one instance can be installed at a time.
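Review bot: the new default `allow_dotted_names=False` on `register_instance` silently changes behaviour for existing servers. The dispatch hunks below wrap the lookup in `except AttributeError: pass`, so a dotted method name that used to resolve will now fail lookup with nothing pointing at the new default as the cause. The secure default is the right call, but it deserves a line in the commit message or a pkg-message saying that dotted names now need an explicit opt-in.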
+@@ -174,9 +182,23 @@
+
+ If a registered function matches a XML-RPC request, then it
+ will be called instead of the registered instance.
++
++ If the optional allow_dotted_names argument is true and the
++ instance does not have a _dispatch method, method names
++ containing dots are supported and resolved, as long as none of
++ the name segments start with an '_'.
++
++ *** SECURITY WARNING: ***
++
++ Enabling the allow_dotted_names options allows intruders
++ to access your module's global variables and may allow
++ intruders to execute arbitrary code on your machine. Only
++ use this option on a secure, closed network.
++
+ """
+
+ self.instance = instance
++ self.allow_dotted_names = allow_dotted_names
+
+ def register_function(self, function, name = None):
+ """Registers a function to respond to XML-RPC requests.
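Review bot: `self.allow_dotted_names` is assigned only here in `register_instance`; the initialisation lines shown as context in the previous hunk set `self.funcs` and `self.instance` but not this attribute. Initialise it to `False` next to `self.instance = None`, otherwise code that sets `self.instance` without going through `register_instance` raises AttributeError on `self.allow_dotted_names` inside the `try`, and the `except AttributeError: pass` in the dispatch hunks would hide it. Minor: "Enabling the allow_dotted_names options" in the warning should read "option".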
+@@ -295,7 +317,8 @@
+ try:
+ method = resolve_dotted_attribute(
+ self.instance,
+- method_name
++ method_name,
++ self.allow_dotted_names
+ )
+ except AttributeError:
+ pass
+@@ -374,7 +397,8 @@
+ try:
+ func = resolve_dotted_attribute(
+ self.instance,
+- method
++ method,
++ self.allow_dotted_names
+ )
+ except AttributeError:
+ pass
--- python23.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: