* [PATCH 0/2] Misc Fixes
From: nitin.a.kamble @ 2011-07-21 9:29 UTC
To: openembedded-core
From: Nitin A Kamble <nitin.a.kamble@intel.com>
The following changes since commit 35f20c5aacc9b23affe0380e8451ccc41cbc1799:
eglibc: Tighten LICENSE Fields (2011-07-19 17:34:21 +0100)
are available in the git repository at:
git://git.pokylinux.org/poky-contrib nitin/misc
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=nitin/misc
Nitin A Kamble (2):
python: fix security vulnerability
glib-2.0: fix a compilation issue due to dtrace
meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb | 1 -
meta/recipes-core/glib-2.0/glib.inc | 2 +-
meta/recipes-devtools/python/python.inc | 2 +-
.../python/python/security_issue_2254_fix.patch | 184 ++++++++++++++++++++
meta/recipes-devtools/python/python_2.6.6.bb | 3 +-
5 files changed, 188 insertions(+), 4 deletions(-)
create mode 100644 meta/recipes-devtools/python/python/security_issue_2254_fix.patch
--
1.7.6
* [PATCH 1/2] python: fix security vulnerability
From: nitin.a.kamble @ 2011-07-21 9:29 UTC
To: openembedded-core
From: Nitin A Kamble <nitin.a.kamble@intel.com>
This fixes bug: [Yocto #1254]
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1015
Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are
now collapsed within the url properly before looking in cgi_directories.
Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
---
meta/recipes-devtools/python/python.inc | 2 +-
.../python/python/security_issue_2254_fix.patch | 184 ++++++++++++++++++++
meta/recipes-devtools/python/python_2.6.6.bb | 3 +-
3 files changed, 187 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-devtools/python/python/security_issue_2254_fix.patch
diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
index 25a458e..a6cc917 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.python.org"
LICENSE = "PSF"
SECTION = "devel/python"
# bump this on every change in contrib/python/generate-manifest-2.6.py
-INC_PR = "nk2"
+INC_PR = "r2"
DEFAULT_PREFERENCE = "-26"
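Review bot: the INC_PR change from "nk2" to "r2" is unrelated to the CGIHTTPServer fix and is not mentioned in the commit message; split it into its own commit with a one-line explanation (the comment above says INC_PR tracks generate-manifest changes, and "nk2" reads like a private tag rather than an oe-core revision string). Whichever commit it lands in, confirm that the package managers in use order "r2" after "nk2", so existing images see this as an upgrade rather than a downgrade.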
diff --git a/meta/recipes-devtools/python/python/security_issue_2254_fix.patch b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
new file mode 100644
index 0000000..0d2274a
--- /dev/null
+++ b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
@@ -0,0 +1,184 @@
+UpstreamStatus: Backport
+http://svn.python.org/view?view=revision&revision=71303
+
+Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are
+ now collapsed within the url properly before looking in cgi_directories.
+Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com>
+2011/07/19
+
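Review bot: the tag should be "Upstream-Status: Backport", the hyphenated spelling the other oe-core patches use, and the header should carry the CVE id (CVE-2011-1015), which at present appears only in the commit message; the patch file is what anyone auditing meta/recipes-devtools/python will grep. It would also help to record the first upstream release that contains svn r71303, so the patch can be dropped with confidence when the recipe moves to that version.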
+Index: Python-2.6.6/Lib/CGIHTTPServer.py
+===================================================================
+--- Python-2.6.6.orig/Lib/CGIHTTPServer.py
++++ Python-2.6.6/Lib/CGIHTTPServer.py
+@@ -70,27 +70,20 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
+ return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)
+
+ def is_cgi(self):
+- """Test whether self.path corresponds to a CGI script,
+- and return a boolean.
++ """Test whether self.path corresponds to a CGI script.
+
+- This function sets self.cgi_info to a tuple (dir, rest)
+- when it returns True, where dir is the directory part before
+- the CGI script name. Note that rest begins with a
+- slash if it is not empty.
+-
+- The default implementation tests whether the path
+- begins with one of the strings in the list
+- self.cgi_directories (and the next character is a '/'
+- or the end of the string).
++ Returns True and updates the cgi_info attribute to the tuple
++ (dir, rest) if self.path requires running a CGI script.
++ Returns False otherwise.
++
++ The default implementation tests whether the normalized url
++ path begins with one of the strings in self.cgi_directories
++ (and the next character is a '/' or the end of the string).
+ """
+-
+- path = self.path
+-
+- for x in self.cgi_directories:
+- i = len(x)
+- if path[:i] == x and (not path[i:] or path[i] == '/'):
+- self.cgi_info = path[:i], path[i+1:]
+- return True
++ splitpath = _url_collapse_path_split(self.path)
++ if splitpath[0] in self.cgi_directories:
++ self.cgi_info = splitpath
++ return True
+ return False
+
+ cgi_directories = ['/cgi-bin', '/htbin']
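Review bot: "if splitpath[0] in self.cgi_directories" requires the collapsed directory part to equal a cgi_directories entry exactly, while the removed code accepted any path that begins with one ("path[:i] == x" with "path[i] == '/'"). A request for /cgi-bin/sub/file1.py now collapses to ('/cgi-bin/sub', 'file1.py'), is_cgi returns False, and send_head() falls through to SimpleHTTPRequestHandler.send_head(), which serves the script as a file; that is the same disclosure this patch is fixing, for scripts one directory down. The rewritten docstring still says the path "begins with one of the strings in self.cgi_directories", so it no longer describes the code. Either test the head with "head == x or head.startswith(x + '/')", or state in the docstring and in NEWS that subdirectories of a CGI directory are no longer supported. Separately, _url_collapse_path_split raises IndexError for a path with too many '..' and nothing here catches it, so such a request escapes send_head() as an unhandled exception instead of a 400/404; catching it here and returning False (or sending an error) keeps the handler well-behaved.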
+@@ -299,6 +292,46 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
+ self.log_message("CGI script exited OK")
+
+
++# TODO(gregory.p.smith): Move this into an appropriate library.
++def _url_collapse_path_split(path):
++ """
++ Given a URL path, remove extra '/'s and '.' path elements and collapse
++ any '..' references.
++
++ Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
++
++ Returns: A tuple of (head, tail) where tail is everything after the final /
++ and head is everything before it. Head will always start with a '/' and,
++ if it contains anything else, never have a trailing '/'.
++
++ Raises: IndexError if too many '..' occur within the path.
++ """
++ # Similar to os.path.split(os.path.normpath(path)) but specific to URL
++ # path semantics rather than local operating system semantics.
++ path_parts = []
++ for part in path.split('/'):
++ if part == '.':
++ path_parts.append('')
++ else:
++ path_parts.append(part)
++ # Filter out blank non trailing parts before consuming the '..'.
++ path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
++ if path_parts:
++ tail_part = path_parts.pop()
++ else:
++ tail_part = ''
++ head_parts = []
++ for part in path_parts:
++ if part == '..':
++ head_parts.pop()
++ else:
++ head_parts.append(part)
++ if tail_part and tail_part == '..':
++ head_parts.pop()
++ tail_part = ''
++ return ('/' + '/'.join(head_parts), tail_part)
++
++
+ nobody = None
+
+ def nobody_uid():
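Review bot: the function is handed self.path unchanged, so the query string and fragment take part in the collapse and percent-encoding does not. With '/cgi-bin/file1.py?x=/../..' the split is ['', 'cgi-bin', 'file1.py?x=', '..', '..']: the first '..' pops 'file1.py?x=', the trailing '..' pops 'cgi-bin', the result is ('/', ''), is_cgi returns False and the request goes to the static-file path, where translate_path() discards everything after '?' and serves /cgi-bin/file1.py as a file. The reverse mismatch exists for '%2e%2e' and '%2f', which this function leaves alone but translate_path() unquotes. Strip '?' and '#' before collapsing (and decide whether to unquote, consistently with translate_path()), and add these inputs to the test vectors.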
+Index: Python-2.6.6/Lib/test/test_httpservers.py
+===================================================================
+--- Python-2.6.6.orig/Lib/test/test_httpservers.py
++++ Python-2.6.6/Lib/test/test_httpservers.py
+@@ -7,6 +7,7 @@ Josip Dzolonga, and Michael Otteneder fo
+ from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+ from SimpleHTTPServer import SimpleHTTPRequestHandler
+ from CGIHTTPServer import CGIHTTPRequestHandler
++import CGIHTTPServer
+
+ import os
+ import sys
+@@ -324,6 +325,45 @@ class CGIHTTPServerTestCase(BaseTestCase
+ finally:
+ BaseTestCase.tearDown(self)
+
++ def test_url_collapse_path_split(self):
++ test_vectors = {
++ '': ('/', ''),
++ '..': IndexError,
++ '/.//..': IndexError,
++ '/': ('/', ''),
++ '//': ('/', ''),
++ '/\\': ('/', '\\'),
++ '/.//': ('/', ''),
++ 'cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
++ '/cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
++ 'a': ('/', 'a'),
++ '/a': ('/', 'a'),
++ '//a': ('/', 'a'),
++ './a': ('/', 'a'),
++ './C:/': ('/C:', ''),
++ '/a/b': ('/a', 'b'),
++ '/a/b/': ('/a/b', ''),
++ '/a/b/c/..': ('/a/b', ''),
++ '/a/b/c/../d': ('/a/b', 'd'),
++ '/a/b/c/../d/e/../f': ('/a/b/d', 'f'),
++ '/a/b/c/../d/e/../../f': ('/a/b', 'f'),
++ '/a/b/c/../d/e/.././././..//f': ('/a/b', 'f'),
++ '../a/b/c/../d/e/.././././..//f': IndexError,
++ '/a/b/c/../d/e/../../../f': ('/a', 'f'),
++ '/a/b/c/../d/e/../../../../f': ('/', 'f'),
++ '/a/b/c/../d/e/../../../../../f': IndexError,
++ '/a/b/c/../d/e/../../../../f/..': ('/', ''),
++ }
++ for path, expected in test_vectors.iteritems():
++ if isinstance(expected, type) and issubclass(expected, Exception):
++ self.assertRaises(expected,
++ CGIHTTPServer._url_collapse_path_split, path)
++ else:
++ actual = CGIHTTPServer._url_collapse_path_split(path)
++ self.assertEquals(expected, actual,
++ msg='path = %r\nGot: %r\nWanted: %r' % (
++ path, actual, expected))
++
+ def test_headers_and_content(self):
+ res = self.request('/cgi-bin/file1.py')
+ self.assertEquals(('Hello World\n', 'text/html', 200), \
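Review bot: none of the vectors pins down the two inputs that decide how is_cgi behaves in practice: a script in a subdirectory of a CGI directory ('/cgi-bin/sub/file1.py', which yields ('/cgi-bin/sub', 'file1.py') and is therefore not CGI under the new check) and a query string carrying '..' ('/cgi-bin/file1.py?x=/../..', which collapses to ('/', '')). Add both, with whatever result is intended, so that behaviour is a recorded decision rather than an accident. Also worth a line: the IndexError contract comes from a bare list pop; raising a ValueError with a message would distinguish "too many '..'" from a genuine bug in the function.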
+@@ -348,6 +388,12 @@ class CGIHTTPServerTestCase(BaseTestCase
+ self.assertEquals(('Hello World\n', 'text/html', 200), \
+ (res.read(), res.getheader('Content-type'), res.status))
+
++ def test_no_leading_slash(self):
++ # http://bugs.python.org/issue2254
++ res = self.request('cgi-bin/file1.py')
++ self.assertEquals(('Hello World\n', 'text/html', 200),
++ (res.read(), res.getheader('Content-type'), res.status))
++
+
+ def test_main(verbose=None):
+ cwd = os.getcwd()
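Review bot: test_no_leading_slash covers the report in issue 2254 but only one of the spellings that defeated the old prefix check; '/./cgi-bin/file1.py' and '//cgi-bin/file1.py' were just as effective and should each get a request here. A negative assertion, that the body of each response is not the contents of cgi-bin/file1.py on disk, states the security property directly instead of relying on 'Hello World\n' happening to differ from the source.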
+Index: Python-2.6.6/Misc/NEWS
+===================================================================
+--- Python-2.6.6.orig/Misc/NEWS
++++ Python-2.6.6/Misc/NEWS
+@@ -137,6 +137,9 @@ C-API
+ Library
+ -------
+
++- Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are
++ now collapsed within the url properly before looking in cgi_directories.
++
+ - Issue #8447: Make distutils.sysconfig follow symlinks in the path to
+ the interpreter executable. This fixes a failure of test_httpservers
+ on OS X.
diff --git a/meta/recipes-devtools/python/python_2.6.6.bb b/meta/recipes-devtools/python/python_2.6.6.bb
index 800ba04..d5e7d22 100644
--- a/meta/recipes-devtools/python/python_2.6.6.bb
+++ b/meta/recipes-devtools/python/python_2.6.6.bb
@@ -1,7 +1,7 @@
require python.inc
DEPENDS = "python-native db gdbm openssl readline sqlite3 zlib"
DEPENDS_sharprom = "python-native db readline zlib gdbm openssl"
-PR = "${INC_PR}.8"
+PR = "${INC_PR}.9"
LIC_FILES_CHKSUM = "file://LICENSE;md5=38fdd546420fab09ac6bd3d8a1c83eb6"
DISTRO_SRC_URI ?= "file://sitecustomize.py"
@@ -18,6 +18,7 @@ SRC_URI = "\
file://99-ignore-optimization-flag.patch \
${DISTRO_SRC_URI} \
file://multilib.patch \
+ file://security_issue_2254_fix.patch \
"
SRC_URI[md5sum] = "cf4e6881bb84a7ce6089e4a307f71f14"
--
1.7.6
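As an added example that is not part of the patch above or of CPython, the following Python 3 script models the is_cgi() decision before and after the fix and lists which request spellings the old prefix check let through to static-file serving, which is the information disclosure the commit message refers to. The 'run'/'serve'/'reject' outcomes, the collapse function and the request paths are assumptions made for this example; the normalized check deliberately goes beyond the backported patch by also accepting scripts in subdirectories of a CGI directory, as the is_cgi docstring promises.

```python
"""Added example, not code from the oe-core patch or from CPython.

Models the is_cgi() decision of CGIHTTPServer before and after the
issue #2254 fix (CVE-2011-1015) and the consequence of getting it wrong:
a request that is really for a CGI script but is not recognised as one
falls through to static-file serving and the client receives the script's
source.  Assumptions: the 'run'/'serve'/'reject' outcomes stand in for
run_cgi(), SimpleHTTPRequestHandler.send_head() and an error response;
the request paths are constructed for this example.
"""

CGI_DIRECTORIES = ['/cgi-bin', '/htbin']


def is_cgi_prefix_match(path, cgi_directories=CGI_DIRECTORIES):
    """Pre-fix logic: compare the raw request path against each CGI prefix.

    Any spelling that does not start with exactly '/cgi-bin' or '/htbin'
    ('cgi-bin/x.py', '/./cgi-bin/x.py', '//cgi-bin/x.py') is not CGI.
    """
    for prefix in cgi_directories:
        n = len(prefix)
        if path[:n] == prefix and (not path[n:] or path[n] == '/'):
            return True
    return False


def collapse_url_path(path):
    """Collapse a URL path with URL (not OS) semantics.

    Drops empty and '.' segments, resolves '..', always returns a path
    beginning with '/', and raises ValueError when '..' would climb above
    the root instead of silently clamping there.
    """
    segments = []
    for segment in path.split('/'):
        if segment in ('', '.'):
            continue
        if segment == '..':
            if not segments:
                raise ValueError('path escapes the document root: %r' % path)
            segments.pop()
        else:
            segments.append(segment)
    return '/' + '/'.join(segments)


def is_cgi_normalized(path, cgi_directories=CGI_DIRECTORIES):
    """Post-fix logic: decide on the collapsed path.

    Unlike the exact-directory match in the backported patch, this also
    accepts scripts in subdirectories of a CGI directory (an assumption
    made here, matching the is_cgi docstring rather than its code).
    """
    collapsed = collapse_url_path(path)  # ValueError propagates to the caller
    for prefix in cgi_directories:
        if collapsed == prefix or collapsed.startswith(prefix + '/'):
            return True
    return False


def action_before_fix(path):
    """What the pre-fix server does: run the script or serve it as a file."""
    return 'run' if is_cgi_prefix_match(path) else 'serve'


def action_after_fix(path):
    """What a collapsing server does; a root escape is rejected outright."""
    try:
        return 'run' if is_cgi_normalized(path) else 'serve'
    except ValueError:
        return 'reject'


# Request-line paths an attacker or a browser might send (constructed).
REQUEST_PATHS = [
    '/cgi-bin/file1.py',        # the normal spelling
    'cgi-bin/file1.py',         # no leading slash: the CVE-2011-1015 case
    '/./cgi-bin/file1.py',      # '.' segment ahead of the prefix
    '//cgi-bin/file1.py',       # doubled slash ahead of the prefix
    '/cgi-bin/sub/file1.py',    # script in a subdirectory of /cgi-bin
    '/index.html',              # ordinary static content
    '/../cgi-bin/file1.py',     # climbs above the root
]


def compare(paths=REQUEST_PATHS):
    """Map each request path to (action before the fix, action after it).

    Every ('serve', 'run') pair is a path on which the old server handed
    the CGI script's source to the client.
    """
    return {p: (action_before_fix(p), action_after_fix(p)) for p in paths}


def leaked_paths(paths=REQUEST_PATHS):
    """Request paths for which the pre-fix server disclosed script source."""
    return [p for p, (before, after) in compare(paths).items()
            if before == 'serve' and after == 'run']


if __name__ == '__main__':
    for p, (before, after) in compare().items():
        print('%-24s before: %-6s after: %s' % (p, before, after))
```

Run it directly to print the table; every row marked "before: serve  after: run" is a request the unpatched server answered with the script's source.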
* [PATCH 2/2] glib-2.0: fix a compilation issue due to dtrace
From: nitin.a.kamble @ 2011-07-21 9:29 UTC
To: openembedded-core
From: Nitin A Kamble <nitin.a.kamble@intel.com>
Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
---
meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb | 1 -
meta/recipes-core/glib-2.0/glib.inc | 2 +-
2 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
index a2e609f..7d095c1 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
@@ -19,4 +19,3 @@ SRC_URI[md5sum] = "789e7520f71c6a4bf08bc683ec764d24"
SRC_URI[sha256sum] = "222f3055d6c413417b50901008c654865e5a311c73f0ae918b0a9978d1f9466f"
BBCLASSEXTEND = "native"
-
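Review bot: this hunk only removes a trailing blank line from glib-2.0_2.28.8.bb; it is whitespace churn unrelated to the dtrace fix and should be dropped from the patch. The commit message, which currently says nothing, should describe the build failure: which host, which error, and why disabling dtrace is the right fix rather than a missing dependency.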
diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc
index e25db3d..9768284 100644
--- a/meta/recipes-core/glib-2.0/glib.inc
+++ b/meta/recipes-core/glib-2.0/glib.inc
@@ -25,7 +25,7 @@ inherit autotools pkgconfig gettext
S = "${WORKDIR}/glib-${PV}"
-EXTRA_OECONF = "--disable-debug --enable-included-printf=no"
+EXTRA_OECONF = "--disable-debug --enable-included-printf=no --enable-dtrace=no"
EXTRA_OECONF_virtclass-native = ""
EXTRA_OECONF_linuxstdbase = "--enable-included-printf=no"
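Review bot: --enable-dtrace=no is added only to the target EXTRA_OECONF; EXTRA_OECONF_virtclass-native = "" on the next line replaces the whole string for glib-2.0-native, and EXTRA_OECONF_linuxstdbase likewise omits it, so those builds still autodetect dtrace from the build host. If the failure is the host's dtrace being picked up, the native build is the one most likely to hit it and is left unfixed; an EXTRA_OECONF_append, which bitbake applies after the override is resolved, would cover all three. Changing configure options changes the produced packages, so a PR bump is warranted; --disable-dtrace is the conventional spelling and is equivalent to --enable-dtrace=no.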
--
1.7.6
* Re: [PATCH 2/2] glib-2.0: fix a compilation issue due to dtrace
From: Koen Kooi @ 2011-07-21 15:57 UTC
To: Patches and discussions about the oe-core layer
On 21 Jul 2011, at 11:29, nitin.a.kamble@intel.com wrote:
> From: Nitin A Kamble <nitin.a.kamble@intel.com>
>
> Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
> ---
> meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb | 1 -
> meta/recipes-core/glib-2.0/glib.inc | 2 +-
> 2 files changed, 1 insertions(+), 2 deletions(-)
>
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
> index a2e609f..7d095c1 100644
> --- a/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
> +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
> @@ -19,4 +19,3 @@ SRC_URI[md5sum] = "789e7520f71c6a4bf08bc683ec764d24"
> SRC_URI[sha256sum] = "222f3055d6c413417b50901008c654865e5a311c73f0ae918b0a9978d1f9466f"
>
> BBCLASSEXTEND = "native"
> -
Missing PR bump
> diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc
> index e25db3d..9768284 100644
> --- a/meta/recipes-core/glib-2.0/glib.inc
> +++ b/meta/recipes-core/glib-2.0/glib.inc
> @@ -25,7 +25,7 @@ inherit autotools pkgconfig gettext
>
> S = "${WORKDIR}/glib-${PV}"
>
> -EXTRA_OECONF = "--disable-debug --enable-included-printf=no"
> +EXTRA_OECONF = "--disable-debug --enable-included-printf=no --enable-dtrace=no"
> EXTRA_OECONF_virtclass-native = ""
> EXTRA_OECONF_linuxstdbase = "--enable-included-printf=no"
>
> --
> 1.7.6
>
>
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core
* Re: [PATCH 2/2] glib-2.0: fix a compilation issue due to dtrace
From: Phil Blundell @ 2011-07-21 16:00 UTC
To: Patches and discussions about the oe-core layer
On Thu, 2011-07-21 at 02:29 -0700, nitin.a.kamble@intel.com wrote:
> From: Nitin A Kamble <nitin.a.kamble@intel.com>
>
> Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
Could you add some text to the commit message explaining what the
compilation issue was and under what circumstances it occurred? It
might also be good to know why bumping PR isn't necessary.
Also:
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
> index a2e609f..7d095c1 100644
> --- a/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
> +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
> @@ -19,4 +19,3 @@ SRC_URI[md5sum] = "789e7520f71c6a4bf08bc683ec764d24"
> SRC_URI[sha256sum] = "222f3055d6c413417b50901008c654865e5a311c73f0ae918b0a9978d1f9466f"
>
> BBCLASSEXTEND = "native"
> -
... I guess this part of the patch can be omitted.
p.
* Re: [PATCH 2/2] glib-2.0: fix a compilation issue due to dtrace
From: Kamble, Nitin A @ 2011-07-21 16:38 UTC
To: Patches and discussions about the oe-core layer
> -----Original Message-----
> From: openembedded-core-bounces@lists.openembedded.org
> [mailto:openembedded-core-bounces@lists.openembedded.org] On Behalf Of
> Phil Blundell
> Sent: Thursday, July 21, 2011 9:00 AM
> To: Patches and discussions about the oe-core layer
> Subject: Re: [OE-core] [PATCH 2/2] glib-2.0: fix a compilation issue
> due to dtrace
>
> On Thu, 2011-07-21 at 02:29 -0700, nitin.a.kamble@intel.com wrote:
> > From: Nitin A Kamble <nitin.a.kamble@intel.com>
> >
> > Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
>
> Could you add some text to the commit message explaining what the
> compilation issue was and under what circumstances it occurred? It
> might also be good to know why bumping PR isn't necessary.
>
Phil,
I felt the PR bump was not necessary, as it was fixing the compilation issue. I will add more information to the commit and resend it.
> Also:
>
> > diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
> b/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
> > index a2e609f..7d095c1 100644
> > --- a/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
> > +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.28.8.bb
> > @@ -19,4 +19,3 @@ SRC_URI[md5sum] =
> "789e7520f71c6a4bf08bc683ec764d24"
> > SRC_URI[sha256sum] =
> "222f3055d6c413417b50901008c654865e5a311c73f0ae918b0a9978d1f9466f"
> >
> > BBCLASSEXTEND = "native"
> > -
>
> ... I guess this part of the patch can be omitted.
Noted down.
Thanks,
Nitin
>
> p.
* Re: [PATCH 1/2] python: fix security vulnerability
From: Khem Raj @ 2011-07-21 18:55 UTC
On Thu, Jul 21, 2011 at 2:29 AM, <nitin.a.kamble@intel.com> wrote:
> From: Nitin A Kamble <nitin.a.kamble@intel.com>
>
> This Fixes bug: [Yocto #1254]
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1015
>
> Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are
> now collapsed within the url properly before looking in cgi_directories.
>
> Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
> ---
> meta/recipes-devtools/python/python.inc | 2 +-
> .../python/python/security_issue_2254_fix.patch | 184 ++++++++++++++++++++
> meta/recipes-devtools/python/python_2.6.6.bb | 3 +-
> 3 files changed, 187 insertions(+), 2 deletions(-)
> create mode 100644 meta/recipes-devtools/python/python/security_issue_2254_fix.patch
>
> diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
> index 25a458e..a6cc917 100644
> --- a/meta/recipes-devtools/python/python.inc
> +++ b/meta/recipes-devtools/python/python.inc
> @@ -3,7 +3,7 @@ HOMEPAGE = "http://www.python.org"
> LICENSE = "PSF"
> SECTION = "devel/python"
> # bump this on every change in contrib/python/generate-manifest-2.6.py
> -INC_PR = "nk2"
> +INC_PR = "r2"
>
> DEFAULT_PREFERENCE = "-26"
>
> diff --git a/meta/recipes-devtools/python/python/security_issue_2254_fix.patch b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
> new file mode 100644
> index 0000000..0d2274a
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python/security_issue_2254_fix.patch
> @@ -0,0 +1,184 @@
> +UpstreamStatus: Backport
This should be Upstream-Status, I guess, to match other patches. That said, there are a few more anomalies:
meta/recipes-devtools/dosfstools/dosfstools/dosfstools-2.10-kernel-2.6.patch: "Upstream Status"
meta/recipes-devtools/btrfs-tools/btrfs-tools/fix_use_of_gcc.patch: UpstreamStatus: Pending
meta/recipes-devtools/elfutils/elfutils/fix_for_gcc-4.7.patch: UpstreamStatus: pending
> +http://svn.python.org/view?view=revision&revision=71303
> +
> +Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are
> + now collapsed within the url properly before looking in cgi_directories.
> +Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com>
> +2011/07/19
> +
> +Index: Python-2.6.6/Lib/CGIHTTPServer.py
> +===================================================================
> +--- Python-2.6.6.orig/Lib/CGIHTTPServer.py
> ++++ Python-2.6.6/Lib/CGIHTTPServer.py
> +@@ -70,27 +70,20 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
> + return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)
> +
> + def is_cgi(self):
> +- """Test whether self.path corresponds to a CGI script,
> +- and return a boolean.
> ++ """Test whether self.path corresponds to a CGI script.
> +
> +- This function sets self.cgi_info to a tuple (dir, rest)
> +- when it returns True, where dir is the directory part before
> +- the CGI script name. Note that rest begins with a
> +- slash if it is not empty.
> +-
> +- The default implementation tests whether the path
> +- begins with one of the strings in the list
> +- self.cgi_directories (and the next character is a '/'
> +- or the end of the string).
> ++ Returns True and updates the cgi_info attribute to the tuple
> ++ (dir, rest) if self.path requires running a CGI script.
> ++ Returns False otherwise.
> ++
> ++ The default implementation tests whether the normalized url
> ++ path begins with one of the strings in self.cgi_directories
> ++ (and the next character is a '/' or the end of the string).
> + """
> +-
> +- path = self.path
> +-
> +- for x in self.cgi_directories:
> +- i = len(x)
> +- if path[:i] == x and (not path[i:] or path[i] == '/'):
> +- self.cgi_info = path[:i], path[i+1:]
> +- return True
> ++ splitpath = _url_collapse_path_split(self.path)
> ++ if splitpath[0] in self.cgi_directories:
> ++ self.cgi_info = splitpath
> ++ return True
> + return False
> +
> + cgi_directories = ['/cgi-bin', '/htbin']
> +@@ -299,6 +292,46 @@ class CGIHTTPRequestHandler(SimpleHTTPSe
> + self.log_message("CGI script exited OK")
> +
> +
> ++# TODO(gregory.p.smith): Move this into an appropriate library.
> ++def _url_collapse_path_split(path):
> ++ """
> ++ Given a URL path, remove extra '/'s and '.' path elements and collapse
> ++ any '..' references.
> ++
> ++ Implements something akin to RFC-2396 5.2 step 6 to parse relative paths.
> ++
> ++ Returns: A tuple of (head, tail) where tail is everything after the final /
> ++ and head is everything before it. Head will always start with a '/' and,
> ++ if it contains anything else, never have a trailing '/'.
> ++
> ++ Raises: IndexError if too many '..' occur within the path.
> ++ """
> ++ # Similar to os.path.split(os.path.normpath(path)) but specific to URL
> ++ # path semantics rather than local operating system semantics.
> ++ path_parts = []
> ++ for part in path.split('/'):
> ++ if part == '.':
> ++ path_parts.append('')
> ++ else:
> ++ path_parts.append(part)
> ++ # Filter out blank non trailing parts before consuming the '..'.
> ++ path_parts = [part for part in path_parts[:-1] if part] + path_parts[-1:]
> ++ if path_parts:
> ++ tail_part = path_parts.pop()
> ++ else:
> ++ tail_part = ''
> ++ head_parts = []
> ++ for part in path_parts:
> ++ if part == '..':
> ++ head_parts.pop()
> ++ else:
> ++ head_parts.append(part)
> ++ if tail_part and tail_part == '..':
> ++ head_parts.pop()
> ++ tail_part = ''
> ++ return ('/' + '/'.join(head_parts), tail_part)
> ++
> ++
> + nobody = None
> +
> + def nobody_uid():
> +Index: Python-2.6.6/Lib/test/test_httpservers.py
> +===================================================================
> +--- Python-2.6.6.orig/Lib/test/test_httpservers.py
> ++++ Python-2.6.6/Lib/test/test_httpservers.py
> +@@ -7,6 +7,7 @@ Josip Dzolonga, and Michael Otteneder fo
> + from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
> + from SimpleHTTPServer import SimpleHTTPRequestHandler
> + from CGIHTTPServer import CGIHTTPRequestHandler
> ++import CGIHTTPServer
> +
> + import os
> + import sys
> +@@ -324,6 +325,45 @@ class CGIHTTPServerTestCase(BaseTestCase
> + finally:
> + BaseTestCase.tearDown(self)
> +
> ++ def test_url_collapse_path_split(self):
> ++ test_vectors = {
> ++ '': ('/', ''),
> ++ '..': IndexError,
> ++ '/.//..': IndexError,
> ++ '/': ('/', ''),
> ++ '//': ('/', ''),
> ++ '/\\': ('/', '\\'),
> ++ '/.//': ('/', ''),
> ++ 'cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
> ++ '/cgi-bin/file1.py': ('/cgi-bin', 'file1.py'),
> ++ 'a': ('/', 'a'),
> ++ '/a': ('/', 'a'),
> ++ '//a': ('/', 'a'),
> ++ './a': ('/', 'a'),
> ++ './C:/': ('/C:', ''),
> ++ '/a/b': ('/a', 'b'),
> ++ '/a/b/': ('/a/b', ''),
> ++ '/a/b/c/..': ('/a/b', ''),
> ++ '/a/b/c/../d': ('/a/b', 'd'),
> ++ '/a/b/c/../d/e/../f': ('/a/b/d', 'f'),
> ++ '/a/b/c/../d/e/../../f': ('/a/b', 'f'),
> ++ '/a/b/c/../d/e/.././././..//f': ('/a/b', 'f'),
> ++ '../a/b/c/../d/e/.././././..//f': IndexError,
> ++ '/a/b/c/../d/e/../../../f': ('/a', 'f'),
> ++ '/a/b/c/../d/e/../../../../f': ('/', 'f'),
> ++ '/a/b/c/../d/e/../../../../../f': IndexError,
> ++ '/a/b/c/../d/e/../../../../f/..': ('/', ''),
> ++ }
> ++ for path, expected in test_vectors.iteritems():
> ++ if isinstance(expected, type) and issubclass(expected, Exception):
> ++ self.assertRaises(expected,
> ++ CGIHTTPServer._url_collapse_path_split, path)
> ++ else:
> ++ actual = CGIHTTPServer._url_collapse_path_split(path)
> ++ self.assertEquals(expected, actual,
> ++ msg='path = %r\nGot: %r\nWanted: %r' % (
> ++ path, actual, expected))
> ++
> + def test_headers_and_content(self):
> + res = self.request('/cgi-bin/file1.py')
> + self.assertEquals(('Hello World\n', 'text/html', 200), \
> +@@ -348,6 +388,12 @@ class CGIHTTPServerTestCase(BaseTestCase
> + self.assertEquals(('Hello World\n', 'text/html', 200), \
> + (res.read(), res.getheader('Content-type'), res.status))
> +
> ++ def test_no_leading_slash(self):
> ++ # http://bugs.python.org/issue2254
> ++ res = self.request('cgi-bin/file1.py')
> ++ self.assertEquals(('Hello World\n', 'text/html', 200),
> ++ (res.read(), res.getheader('Content-type'), res.status))
> ++
> +
> + def test_main(verbose=None):
> + cwd = os.getcwd()
> +Index: Python-2.6.6/Misc/NEWS
> +===================================================================
> +--- Python-2.6.6.orig/Misc/NEWS
> ++++ Python-2.6.6/Misc/NEWS
> +@@ -137,6 +137,9 @@ C-API
> + Library
> + -------
> +
> ++- Issue #2254: Fix CGIHTTPServer information disclosure. Relative paths are
> ++ now collapsed within the url properly before looking in cgi_directories.
> ++
> + - Issue #8447: Make distutils.sysconfig follow symlinks in the path to
> + the interpreter executable. This fixes a failure of test_httpservers
> + on OS X.
> diff --git a/meta/recipes-devtools/python/python_2.6.6.bb b/meta/recipes-devtools/python/python_2.6.6.bb
> index 800ba04..d5e7d22 100644
> --- a/meta/recipes-devtools/python/python_2.6.6.bb
> +++ b/meta/recipes-devtools/python/python_2.6.6.bb
> @@ -1,7 +1,7 @@
> require python.inc
> DEPENDS = "python-native db gdbm openssl readline sqlite3 zlib"
> DEPENDS_sharprom = "python-native db readline zlib gdbm openssl"
> -PR = "${INC_PR}.8"
> +PR = "${INC_PR}.9"
> LIC_FILES_CHKSUM = "file://LICENSE;md5=38fdd546420fab09ac6bd3d8a1c83eb6"
>
> DISTRO_SRC_URI ?= "file://sitecustomize.py"
> @@ -18,6 +18,7 @@ SRC_URI = "\
> file://99-ignore-optimization-flag.patch \
> ${DISTRO_SRC_URI} \
> file://multilib.patch \
> + file://security_issue_2254_fix.patch \
> "
>
> SRC_URI[md5sum] = "cf4e6881bb84a7ce6089e4a307f71f14"
> --
> 1.7.6
* Re: [PATCH 1/2] python: fix security vulnerability
From: Kamble, Nitin A @ 2011-07-22 3:32 UTC
To: Patches and discussions about the oe-core layer
> devtools/python/python/security_issue_2254_fix.patch
> > @@ -0,0 +1,184 @@
> > +UpstreamStatus: Backport
>
> This should be Upstream-Status, I guess, to match other patches. That said, there are a few more anomalies:
> meta/recipes-devtools/dosfstools/dosfstools/dosfstools-2.10-kernel-2.6.patch: "Upstream Status"
> meta/recipes-devtools/btrfs-tools/btrfs-tools/fix_use_of_gcc.patch: UpstreamStatus: Pending
> meta/recipes-devtools/elfutils/elfutils/fix_for_gcc-4.7.patch: UpstreamStatus: pending
>
Thanks Khem for catching these. I am sending fixes for these.
Nitin