diff --git a/SOURCES/pyxdg-0.25-CVE-2014-1624.patch b/SOURCES/pyxdg-0.25-CVE-2014-1624.patch
new file mode 100644
index 0000000..614af5f
--- /dev/null
+++ b/SOURCES/pyxdg-0.25-CVE-2014-1624.patch
@@ -0,0 +1,48 @@
+diff -up pyxdg-0.25/xdg/BaseDirectory.py.CVE-2014-1624 pyxdg-0.25/xdg/BaseDirectory.py
+--- pyxdg-0.25/xdg/BaseDirectory.py.CVE-2014-1624 2014-12-04 11:49:53.681654931 -0500
++++ pyxdg-0.25/xdg/BaseDirectory.py 2014-12-04 11:52:45.831522703 -0500
+@@ -25,7 +25,7 @@ Typical usage:
+ Note: see the rox.Options module for a higher-level API for managing options.
+ """
+
+-import os
++import os, stat
+
+ _home = os.path.expanduser('~')
+ xdg_data_home = os.environ.get('XDG_DATA_HOME') or \
+@@ -131,15 +131,29 @@ def get_runtime_dir(strict=True):
+
+ import getpass
+ fallback = '/tmp/pyxdg-runtime-dir-fallback-' + getpass.getuser()
++ create = False
+ try:
+- os.mkdir(fallback, 0o700)
++ # This must be a real directory, not a symlink, so attackers can't
++ # point it elsewhere. So we use lstat to check it.
++ st = os.lstat(fallback)
+ except OSError as e:
+ import errno
+- if e.errno == errno.EEXIST:
+- # Already exists - set 700 permissions again.
+- import stat
+- os.chmod(fallback, stat.S_IRUSR|stat.S_IWUSR|stat.S_IXUSR)
+- else: # pragma: no cover
++ if e.errno == errno.ENOENT:
++ create = True
++ else:
+ raise
++ else:
++ # The fallback must be a directory
++ if not stat.S_ISDIR(st.st_mode):
++ os.unlink(fallback)
++ create = True
++ # Must be owned by the user and not accessible by anyone else
++ elif (st.st_uid != os.getuid()) \
++ or (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)):
++ os.rmdir(fallback)
++ create = True
++
++ if create:
++ os.mkdir(fallback, 0o700)
+
+ return fallback
diff --git a/SOURCES/pyxdg-0.25-find-first-mimetype-match.patch b/SOURCES/pyxdg-0.25-find-first-mimetype-match.patch
new file mode 100644
index 0000000..b46f5ec
--- /dev/null
+++ b/SOURCES/pyxdg-0.25-find-first-mimetype-match.patch
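Review bot: In the embedded patch's second hunk (`get_runtime_dir`), `os.unlink(fallback)` and `os.rmdir(fallback)` are called without handling failure, so a pre-existing path the caller cannot remove (owned by another user under a sticky `/tmp`, or a non-empty directory) makes the function raise a bare `OSError` instead of returning a path. That is the safe outcome, because the fallback is never used when it cannot be made private, but it is undocumented, and it replaces the old `chmod` repair of the user's own directory with a hard failure when that directory is non-empty. I would state the intent next to the removal calls, e.g. `# Deliberately unguarded: if the unsafe path cannot be removed, fail rather than use it.`, and mention the raised `OSError` in the function's docstring. The same applies to the final `os.mkdir(fallback, 0o700)`, which raises `EEXIST` if the path reappears between the `lstat` check and the create. The body of `get_runtime_dir` starts outside this hunk, so its docstring and the handling of `strict` are not visible here.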
@@ -0,0 +1,13 @@
+diff -up pyxdg-0.25/xdg/Mime.py.BAD pyxdg-0.25/xdg/Mime.py
+--- pyxdg-0.25/xdg/Mime.py.BAD 2013-03-05 10:19:10.750845664 -0500
++++ pyxdg-0.25/xdg/Mime.py 2013-03-05 10:19:14.771845520 -0500
+@@ -360,7 +360,8 @@ def _cache_database():
+ if pattern.startswith('*.'):
+ rest = pattern[2:]
+ if not ('*' in rest or '[' in rest or '?' in rest):
+- exts[rest] = mtype
++ if rest not in exts:
++ exts[rest] = mtype
+ continue
+ if '*' in pattern or '[' in pattern or '?' in pattern:
+ globs.append((pattern, mtype))
diff --git a/SPECS/pyxdg.spec b/SPECS/pyxdg.spec
new file mode 100644
index 0000000..fe9543a
--- /dev/null
+++ b/SPECS/pyxdg.spec
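Review bot: The new `if rest not in exts:` guard makes the first mimetype seen for an extension win, but nothing in the hunk says why, and the result depends on the order in which glob entries are iterated, which is outside this hunk. A one-line comment above the guard would record the intent, e.g. `# Keep the first mimetype registered for an extension (freedesktop bug 61817); later globs must not override it.` `_cache_database` starts and ends outside the hunk, so whether that iteration order is stable cannot be confirmed from here.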
@@ -0,0 +1,209 @@
+%global with_python3 1
+
+Name: pyxdg
+Version: 0.25
+Release: 6%{?dist}
+Summary: Python library to access freedesktop.org standards
+Group: Development/Libraries
+License: LGPLv2
+URL: http://freedesktop.org/Software/pyxdg
+Source0: http://people.freedesktop.org/~takluyver/%{name}-%{version}.tar.gz
+# https://bugs.freedesktop.org/show_bug.cgi?id=61817
+Patch0: pyxdg-0.25-find-first-mimetype-match.patch
+# https://bugs.freedesktop.org/show_bug.cgi?id=73878
+Patch1: pyxdg-0.25-CVE-2014-1624.patch
+BuildArch: noarch
+
+%description
+PyXDG is a python library to access freedesktop.org standards
+
+%package -n python2-pyxdg
+Summary: Python2 library to access freedesktop.org standards
+Group: Development/Libraries
+BuildRequires: python2-devel
+# These are needed for the nose tests.
+BuildRequires: python-nose, hicolor-icon-theme
+%{?python_provide:%python_provide python2-pyxdg}
+Provides: pyxdg = %{version}-%{release}
+Obsoletes: pyxdg < 0.25-10
+
+%description -n python2-pyxdg
+PyXDG is a python library to access freedesktop.org standards. This
+package contains a Python 2 version of PyXDG.
+
+%if 0%{?with_python3}
+%package -n python%{python3_pkgversion}-pyxdg
+Summary: Python3 library to access freedesktop.org standards
+Group: Development/Libraries
+BuildRequires: python%{python3_pkgversion}-devel
+# These are needed for the nose tests.
+BuildRequires: python%{python3_pkgversion}-nose
+%{?python_provide:%python_provide python%{python3_pkgversion}-pyxdg}
+
+%description -n python%{python3_pkgversion}-pyxdg
+PyXDG is a python library to access freedesktop.org standards. This
+package contains a Python 3 version of PyXDG.
+%endif # with_python3
+
+%prep
+%setup -q
+%patch0 -p1 -b .pngfix
+%patch1 -p1 -b .CVE-2014-1624
+
+%build
+%py2_build
+
+%if 0%{?with_python3}
+%py3_build
+%endif # with_python3
+
+%install
+%if 0%{?with_python3}
+%py3_install
+%endif # with_python3
+
+%py2_install
+
+%check
+nosetests-%{python2_version}
+
+%if 0%{?with_python3}
+nosetests-%{python3_version}
+%endif # with_python3
+
+%files -n python2-pyxdg
+%license COPYING
+%doc AUTHORS ChangeLog README TODO
+%{python_sitelib}/xdg
+%{python_sitelib}/pyxdg-*.egg-info
+
+%if 0%{?with_python3}
+%files -n python%{python3_pkgversion}-pyxdg
+%license COPYING
+%doc AUTHORS ChangeLog README TODO
+%{python3_sitelib}/xdg
+%{python3_sitelib}/pyxdg-*.egg-info
+%endif #with_python3
+
+%changelog
+* Mon Nov 21 2016 Orion Poplawski - 0.25-10
+- Ship python2-pyxdg
+- Enable python 3 builds for EPEL
+- Use %%license
+- Modernize spec
+
+* Tue Jul 19 2016 Fedora Release Engineering - 0.25-9
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Thu Feb 04 2016 Fedora Release Engineering - 0.25-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Nov 10 2015 Fedora Release Engineering - 0.25-7
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Thu Jun 18 2015 Fedora Release Engineering - 0.25-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Thu Dec 4 2014 Tom Callaway - 0.25-5
+- fix CVE-2014-1624
+
+* Sun Jun 08 2014 Fedora Release Engineering - 0.25-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Tue May 27 2014 Kalev Lember - 0.25-3
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4
+
+* Sun Aug 04 2013 Fedora Release Engineering - 0.25-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Thu Feb 28 2013 Tom Callaway - 0.25-1
+- update to 0.25
+
+* Thu Feb 14 2013 Fedora Release Engineering - 0.24-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Nov 7 2012 Tomas Bzatek - 0.24-1
+- update to 0.24
+
+* Fri Oct 26 2012 Tom Callaway - 0.23-2
+- gracefully handle kde-config fails
+
+* Mon Oct 8 2012 Tom Callaway - 0.23-1
+- update to 0.23
+- enable python3
+
+* Sat Jul 21 2012 Fedora Release Engineering - 0.19-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sat Jan 14 2012 Fedora Release Engineering - 0.19-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Wed Feb 09 2011 Fedora Release Engineering - 0.19-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Jul 22 2010 David Malcolm - 0.19-2
+- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
+
+* Wed Apr 28 2010 Tom "spot" Callaway - 0.19-1
+- update to 0.19
+
+* Wed Aug 19 2009 Tom "spot" Callaway - 0.17-1
+- update to 0.17
+
+* Sun Jul 26 2009 Fedora Release Engineering - 0.16-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Thu Feb 26 2009 Fedora Release Engineering - 0.16-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 0.16-2
+- Rebuild for Python 2.6
+
+* Thu Oct 30 2008 Tom "spot" Callaway - 0.16-1
+- update to 0.16
+- fix indent bug in DesktopEntry.py (bz 469229)
+
+* Sat Apr 5 2008 Tom "spot" Callaway - 0.15-6
+- add egg-info (fixes FTBFS bz 440813)
+
+* Wed Jan 3 2007 Patrice Dumas - 0.15-5
+- remove requires for python-abi (automatic now) and python directory
+- remove package name from summary
+- change tabs to spaces
+
+* Thu Dec 21 2006 Patrice Dumas - 0.15-4
+- rebuild for python 2.5
+
+* Sat Sep 23 2006 Tom "spot" Callaway - 0.15-3
+- rebuild for fc6
+
+* Wed Feb 15 2006 John Mahowald - 0.15.2
+- Rebuild for Fedora Extras 5
+
+* Fri Oct 14 2005 John Mahowald - 0.15-1
+- Rebuilt for 0.15
+
+* Sun Jul 03 2005 Sindre Pedersen Bjordal - 0.14-2
+- Added %%{?dist} tag to release
+- BuildArch: noarch
+- Removed unneccesary CLFAGS
+
+* Sun Jun 05 2005 Sindre Pedersen Bjordal - 0.14-1
+- Rebuilt for 0.14
+
+* Wed Jun 01 2005 Sindre Pedersen Bjordal - 0.13-1
+- Rebuilt for 0.13
+
+* Tue May 31 2005 Sindre Pedersen Bjordal - 0.12-1
+- Rebuilt for 0.12
+
+* Sat May 28 2005 Sindre Pedersen Bjordal - 0.11-1
+- Rebuilt for 0.11
+
+* Mon May 23 2005 Sindre Pedersen Bjordal - 0.10-1
+- Adapt to Fedora Extras template, based on spec from NewRPMs
+
+* Tue Dec 14 2004 Che
+- initial rpm release
+
+
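Review bot: `Release: 6%{?dist}` does not match the spec's own history: the newest `%changelog` entry is `0.25-10` and the python2 subpackage carries `Obsoletes: pyxdg < 0.25-10`, so the built release (0.25-6) is lower than the one the changelog claims. That makes it harder to tell from the package version whether a given build carries the CVE-2014-1624 patch (changelog entry 0.25-5), and `Provides: pyxdg = %{version}-%{release}` then advertises a release that the `Obsoletes` line itself treats as superseded. Either set `Release:` to agree with the changelog or add a changelog entry that explains the lower number. Separately, `Source0` is a plain `http://` URL; unless the build verifies the tarball against a recorded checksum (not visible in this hunk), an `https://` source would be preferable if the host offers one.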