From a55ebe2e3a7b438b4eec06c594440d3a0fb06a25 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Sat, 6 Oct 2018 18:50:47 +0200 Subject: gnu: python2: Add upstream security fixes. This addresses CVE-2018-{1060,1061,14647,1000802}. * gnu/packages/patches/python2-CVE-2018-1000802.patch, gnu/packages/patches/python2-CVE-2018-1060.patch, gnu/packages/patches/python2-CVE-2018-1061.patch, gnu/packages/patches/python2-CVE-2018-14647.patch: New files. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/python.scm (python-2/fixed): New variable. (python-2.7)[replacement]: New field. (python2-minimal): Use PACKAGE/INHERIT.
---
gnu/packages/patches/python2-CVE-2018-1060.patch | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 gnu/packages/patches/python2-CVE-2018-1060.patch (limited to 'gnu/packages/patches/python2-CVE-2018-1060.patch')
diff --git a/gnu/packages/patches/python2-CVE-2018-1060.patch b/gnu/packages/patches/python2-CVE-2018-1060.patch
new file mode 100644
index 0000000000..5eb7ccfbc9
--- /dev/null
+++ b/gnu/packages/patches/python2-CVE-2018-1060.patch
@@ -0,0 +1,20 @@
+Fix CVE-2018-1060:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060
+
+Taken from upstream commit (sans test and NEWS):
+https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b39744dc62a2
+
+diff --git a/Lib/poplib.py b/Lib/poplib.py
+index b91e5f72d2ca..a238510b38fc 100644
+--- a/Lib/poplib.py
++++ b/Lib/poplib.py
+@@ -274,7 +274,7 @@ def rpop(self, user):
+ return self._shortcmd('RPOP %s' % user)
+
+
+- timestamp = re.compile(r'\+OK.*(<[^>]+>)')
++ timestamp = re.compile(br'\+OK.[^<]*(<.*>)')
+
+ def apop(self, user, secret):
+ """Authorisation
+
-- cgit v1.2.3
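Review bot: The header of the new patch file says the upstream commit is carried "sans test and NEWS", but only the `Lib/poplib.py` hunk is present. As far as I recall, that upstream commit also changes `Lib/difflib.py` (the CVE-2018-1061 half). If that hunk went into `python2-CVE-2018-1061.patch`, the header should say so, e.g. `Only the poplib hunk is taken here; the difflib hunk is carried separately.`, so a later reader does not assume the whole commit was applied. Because the upstream regression test is dropped, nothing in the build exercises `apop()` against a long server greeting, so the fix rests on the one-line change to `timestamp` alone; a sentence in the header explaining that the new pattern removes the overlapping `.*` and `<[^>]+>` would help. The `apop` body and its enclosing class lie outside the inner hunk, and this view is limited to one file, so the `gnu/local.mk` registration and the `python-2/fixed` replacement cannot be checked from here.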