Date:      Thu,  3 Feb 2005 20:21:21 -0200 (BRST)
From:      Marcus Grando <marcus@corp.grupos.com.br>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        perky@FreeBSD.org
Subject:    ports/77080: Update port: lang/python23 Security update PSF-2005-001
Message-ID:  <20050203222121.1060E20A25@corp.grupos.com.br>
Resent-Message-ID: <200502032230.j13MUMca036433@freefall.freebsd.org>


>Number:         77080
>Category:       ports
>Synopsis:       Update port: lang/python23 Security update PSF-2005-001
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 03 22:30:22 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Marcus Grando
>Release:        FreeBSD 4.11-STABLE i386
>Organization:
Grupos Internet S/A
>Environment:
System: FreeBSD corp.grupos.com.br 4.11-STABLE FreeBSD 4.11-STABLE #40: Fri Jan 28 13:42:33 BRST 2005 root@corp.grupos.com.br:/usr/obj/usr/src/sys/CORP i386


	
>Description:
Update port: lang/python23 Security update PSF-2005-001

+ Add patch from python.org

Please see:
http://www.python.org/security/PSF-2005-001/

Please update vuxml

	
>How-To-Repeat:
	
>Fix:

	

--- python23.patch begins here ---
diff -ruN python23.old/Makefile python23/Makefile
--- python23.old/Makefile	Sun Jan 30 01:06:43 2005
+++ python23/Makefile	Thu Feb  3 20:06:02 2005
@@ -7,7 +7,7 @@
 
 PORTNAME=	python
 PORTVERSION=	2.3.4
-PORTREVISION?=	3
+PORTREVISION?=	4
 CATEGORIES=	lang python ipv6
 MASTER_SITES=	${PYTHON_MASTER_SITES}
 MASTER_SITE_SUBDIR=	${PYTHON_MASTER_SITE_SUBDIR}
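Review bot: no VuXML entry accompanies the PORTREVISION bump in this hunk; the patch touches only Makefile and files/patch-Lib::SimpleXMLRPCServer.py, although the description asks for one. With PORTVERSION 2.3.4 and PORTREVISION going from 3 to 4, the entry should mark versions below 2.3.4_4 as affected.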
diff -ruN python23.old/files/patch-Lib::SimpleXMLRPCServer.py python23/files/patch-Lib::SimpleXMLRPCServer.py
--- python23.old/files/patch-Lib::SimpleXMLRPCServer.py	Wed Dec 31 21:00:00 1969
+++ python23/files/patch-Lib::SimpleXMLRPCServer.py	Thu Feb  3 20:05:08 2005
@@ -0,0 +1,80 @@
+--- Lib/SimpleXMLRPCServer.py.orig	Sun Jun 29 01:19:37 2003
++++ Lib/SimpleXMLRPCServer.py	Thu Feb  3 20:04:33 2005
+@@ -107,14 +107,22 @@
+ import types
+ import os
+ 
+-def resolve_dotted_attribute(obj, attr):
++def resolve_dotted_attribute(obj, attr, allow_dotted_names=True):
+     """resolve_dotted_attribute(a, 'b.c.d') => a.b.c.d
+ 
+     Resolves a dotted attribute name to an object.  Raises
+     an AttributeError if any attribute in the chain starts with a '_'.
++
++    If the optional allow_dotted_names argument is false, dots are not
++    supported and this function operates similar to getattr(obj, attr).
+     """
+ 
+-    for i in attr.split('.'):
++    if allow_dotted_names:
++        attrs = attr.split('.')
++    else:
++        attrs = [attr]
++
++    for i in attrs:
+         if i.startswith('_'):
+             raise AttributeError(
+                 'attempt to access private attribute "%s"' % i
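Review bot: the new parameter on resolve_dotted_attribute defaults to allow_dotted_names=True, the opposite of the False default that register_instance gets further down, so any caller that omits the third argument still gets the old dotted traversal. Consider defaulting it to False here as well, or making it a required argument, so the safe behaviour does not depend on every call site passing the flag.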
+@@ -156,7 +164,7 @@
+         self.funcs = {}
+         self.instance = None
+ 
+-    def register_instance(self, instance):
++    def register_instance(self, instance, allow_dotted_names=False):
+         """Registers an instance to respond to XML-RPC requests.
+ 
+         Only one instance can be installed at a time.
+@@ -174,9 +182,23 @@
+ 
+         If a registered function matches a XML-RPC request, then it
+         will be called instead of the registered instance.
++
++        If the optional allow_dotted_names argument is true and the
++        instance does not have a _dispatch method, method names
++        containing dots are supported and resolved, as long as none of
++        the name segments start with an '_'.
++
++            *** SECURITY WARNING: ***
++
++            Enabling the allow_dotted_names options allows intruders
++            to access your module's global variables and may allow
++            intruders to execute arbitrary code on your machine.  Only
++            use this option on a secure, closed network.
++
+         """
+ 
+         self.instance = instance
++        self.allow_dotted_names = allow_dotted_names
+ 
+     def register_function(self, function, name = None):
+         """Registers a function to respond to XML-RPC requests.
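Review bot: the register_instance docstring documents the new flag but not the behaviour change. With the default now False, existing servers that call register_instance(obj) and rely on dotted method names stop resolving them until they pass allow_dotted_names=True. That is worth stating in the docstring, and for the port in UPDATING or a pkg-message. Minor: "the allow_dotted_names options" should read "option".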
+@@ -295,7 +317,8 @@
+                 try:
+                     method = resolve_dotted_attribute(
+                                 self.instance,
+-                                method_name
++                                method_name,
++                                self.allow_dotted_names
+                                 )
+                 except AttributeError:
+                     pass
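Review bot: self.allow_dotted_names is evaluated inside the try whose "except AttributeError: pass" follows, and the patch assigns that attribute only in register_instance; the __init__ context in the hunk at -156 shows self.funcs and self.instance being set, with no matching default added. If self.instance is ever set without going through register_instance, the missing attribute is swallowed here and the method just looks unregistered. Adding "self.allow_dotted_names = False" next to "self.instance = None" avoids that; the same applies to the second call site in the next hunk.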
+@@ -374,7 +397,8 @@
+                     try:
+                         func = resolve_dotted_attribute(
+                             self.instance,
+-                            method
++                            method,
++                            self.allow_dotted_names
+                             )
+                     except AttributeError:
+                         pass
--- python23.patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:


