Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15:Update
python.11982
CVE-2018-1000802-shutil_use_subprocess_no_spawn...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch of Package python.11982
From add531a1e55b0a739b0f42582f1c9747e5649ace Mon Sep 17 00:00:00 2001 From: Benjamin Peterson <benjamin@python.org> Date: Tue, 28 Aug 2018 22:12:56 -0700 Subject: [PATCH] closes bpo-34540: Convert shutil._call_external_zip to use subprocess rather than distutils.spawn. --- Lib/shutil.py | 16 ++++++++++------ .../2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | 3 +++ 2 files changed, 13 insertions(+), 6 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst --- a/Lib/shutil.py +++ b/Lib/shutil.py @@ -396,17 +396,21 @@ def _make_tarball(base_name, base_dir, c return archive_name -def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False): +def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger): # XXX see if we want to keep an external call here if verbose: zipoptions = "-r" else: zipoptions = "-rq" - from distutils.errors import DistutilsExecError - from distutils.spawn import spawn + cmd = ["zip", zipoptions, zip_filename, base_dir] + if logger is not None: + logger.info(' '.join(cmd)) + if dry_run: + return + import subprocess try: - spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run) - except DistutilsExecError: + subprocess.check_call(cmd) + except subprocess.CalledProcessError: # XXX really should distinguish between "couldn't find # external 'zip' command" and "zip failed". raise ExecError, \ @@ -440,7 +444,7 @@ def _make_zipfile(base_name, base_dir, v zipfile = None if zipfile is None: - _call_external_zip(base_dir, zip_filename, verbose, dry_run) + _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger) else: if logger is not None: logger.info("creating '%s' and adding '%s' to it", --- /dev/null +++ b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst @@ -0,0 +1,3 @@ +When ``shutil.make_archive`` falls back to the external ``zip`` problem, it +uses :mod:`subprocess` to invoke it rather than :mod:`distutils.spawn`. This +closes a possible shell injection vector.
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor