File CVE-2018-1000802-shutil_use_subprocess_no_spawn... of Package python-base

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch of Package python-base (Revision 2f56c5e03c0cd8c55ab22b211a5e0392)

Currently displaying revision 2f56c5e03c0cd8c55ab22b211a5e0392 , Show latest

From add531a1e55b0a739b0f42582f1c9747e5649ace Mon Sep 17 00:00:00 2001
From: Benjamin Peterson <benjamin@python.org>
Date: Tue, 28 Aug 2018 22:12:56 -0700
Subject: [PATCH] closes bpo-34540: Convert shutil._call_external_zip to use
 subprocess rather than distutils.spawn.

---
 Lib/shutil.py                                    | 16 ++++++++++------
 .../2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst     |  3 +++
 2 files changed, 13 insertions(+), 6 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst

--- a/Lib/shutil.py
+++ b/Lib/shutil.py
@@ -396,17 +396,21 @@ def _make_tarball(base_name, base_dir, c
 
     return archive_name
 
-def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False):
+def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger):
     # XXX see if we want to keep an external call here
     if verbose:
         zipoptions = "-r"
     else:
         zipoptions = "-rq"
-    from distutils.errors import DistutilsExecError
-    from distutils.spawn import spawn
+    cmd = ["zip", zipoptions, zip_filename, base_dir]
+    if logger is not None:
+        logger.info(' '.join(cmd))
+    if dry_run:
+        return
+    import subprocess
     try:
-        spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run)
-    except DistutilsExecError:
+        subprocess.check_call(cmd)
+    except subprocess.CalledProcessError:
         # XXX really should distinguish between "couldn't find
         # external 'zip' command" and "zip failed".
         raise ExecError, \
@@ -440,7 +444,7 @@ def _make_zipfile(base_name, base_dir, v
         zipfile = None
 
     if zipfile is None:
-        _call_external_zip(base_dir, zip_filename, verbose, dry_run)
+        _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger)
     else:
         if logger is not None:
             logger.info("creating '%s' and adding '%s' to it",
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst
@@ -0,0 +1,3 @@
+When ``shutil.make_archive`` falls back to the external ``zip`` problem, it
+uses :mod:`subprocess` to invoke it rather than :mod:`distutils.spawn`. This
+closes a possible shell injection vector.

Places

File CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch of Package python-base (Revision 2f56c5e03c0cd8c55ab22b211a5e0392)

Places