mirror of
https://github.com/Ponce/slackbuilds
synced 2024-11-25 10:03:03 +01:00
python/pywayland: Add CVE-2007-4559 patch, update README
Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
This commit is contained in:
parent
8dd9d66334
commit
9a27b06d2a
3 changed files with 46 additions and 1 deletions
38
python/pywayland/CVE_2007_4559.patch
Normal file
38
python/pywayland/CVE_2007_4559.patch
Normal file
|
@ -0,0 +1,38 @@
|
|||
This patch was taken from upstream pywayland 0.4.15:
|
||||
https://github.com/flacjacket/pywayland/pull/42
|
||||
--- a/doc/protocol_build.py 2022-07-24 11:03:10.000000000 -0700
|
||||
+++ b/doc/protocol_build.py 2022-12-20 20:00:48.659884422 -0800
|
||||
@@ -14,6 +14,24 @@
|
||||
)
|
||||
)
|
||||
|
||||
+def _is_within_directory(directory, target):
|
||||
+ """Helper to check for CVE-2007-4559"""
|
||||
+ abs_directory = os.path.abspath(directory)
|
||||
+ abs_target = os.path.abspath(target)
|
||||
+
|
||||
+ prefix = os.path.commonprefix([abs_directory, abs_target])
|
||||
+
|
||||
+ return prefix == abs_directory
|
||||
+
|
||||
+
|
||||
+def _safe_extractall(tar, path=".", members=None, *, numeric_owner=False):
|
||||
+ """Helper to check for CVE-2007-4559"""
|
||||
+ for member in tar.getmembers():
|
||||
+ member_path = os.path.join(path, member.name)
|
||||
+ if not is_within_directory(path, member_path):
|
||||
+ raise Exception("Attempted Path Traversal in Tar File")
|
||||
+
|
||||
+ tar.extractall(path, members, numeric_owner=numeric_owner)
|
||||
|
||||
def protocols_build(output_dir):
|
||||
from pywayland.scanner import Protocol
|
||||
@@ -26,7 +44,7 @@
|
||||
protocol_dest = "wayland-protocols-{}".format(protocols_version)
|
||||
urllib.request.urlretrieve(protocols_source, protocol_dest + ".tar.xz")
|
||||
with tarfile.open(protocol_dest + ".tar.xz") as f:
|
||||
- f.extractall()
|
||||
+ _safe_extractall(f)
|
||||
|
||||
# walk the directory and generate all the protocols
|
||||
protocol_files = [wayland_file] + sorted(
|
|
@ -1,3 +1,6 @@
|
|||
PyWayland provides a wrapper to the libwayland library using the CFFI
|
||||
library to provide access to the Wayland library calls and written in
|
||||
pure Python.
|
||||
|
||||
pywayland 0.4.14 is the last possible version for Slackware 15.0.
|
||||
Newer versions of pywayland require a newer python-setuptools.
|
||||
|
|
|
@ -26,7 +26,7 @@ cd $(dirname $0) ; CWD=$(pwd)
|
|||
|
||||
PRGNAM=pywayland
|
||||
VERSION=${VERSION:-0.4.14}
|
||||
BUILD=${BUILD:-1}
|
||||
BUILD=${BUILD:-2}
|
||||
TAG=${TAG:-_SBo}
|
||||
PKGTYPE=${PKGTYPE:-tgz}
|
||||
|
||||
|
@ -79,6 +79,10 @@ find -L . \
|
|||
\( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
|
||||
-o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
|
||||
|
||||
# Backport patch from pywayland 0.4.15 for directory traversal vulnerability
|
||||
# The patch is relevant for building docs
|
||||
patch -p1 < $CWD/CVE_2007_4559.patch
|
||||
|
||||
python3 setup.py install --root=$PKG
|
||||
|
||||
find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \
|
||||
|
|
Loading…
Reference in a new issue