commit d1d4ec90aef38220606b96dec40d5cd8ad5eb960 · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs

lol

fork atom

bazaar: fix buid

Izorkin 7 years ago d1d4ec90 c83eff90

+150 -6

2 changed files

expand all

unified split

pkgs

applications

version-management

bazaar

CVE-2017-14176.patch

default.nix

+149

pkgs/applications/version-management/bazaar/CVE-2017-14176.patch

··· 1 + diff --git a/bzrlib/tests/test_ssh_transport.py b/bzrlib/tests/test_ssh_transport.py 2 + index 9e37c3b..fe9f219 100644 3 + --- a/bzrlib/tests/test_ssh_transport.py 4 + +++ b/bzrlib/tests/test_ssh_transport.py 5 + @@ -22,6 +22,7 @@ from bzrlib.transport.ssh import ( 6 + SSHCorpSubprocessVendor, 7 + LSHSubprocessVendor, 8 + SSHVendorManager, 9 + + StrangeHostname, 10 + ) 11 + 12 + 13 + @@ -161,6 +162,19 @@ class SSHVendorManagerTests(TestCase): 14 + 15 + class SubprocessVendorsTests(TestCase): 16 + 17 + + def test_openssh_command_tricked(self): 18 + + vendor = OpenSSHSubprocessVendor() 19 + + self.assertEqual( 20 + + vendor._get_vendor_specific_argv( 21 + + "user", "-oProxyCommand=blah", 100, command=["bzr"]), 22 + + ["ssh", "-oForwardX11=no", "-oForwardAgent=no", 23 + + "-oClearAllForwardings=yes", 24 + + "-oNoHostAuthenticationForLocalhost=yes", 25 + + "-p", "100", 26 + + "-l", "user", 27 + + "--", 28 + + "-oProxyCommand=blah", "bzr"]) 29 + + 30 + def test_openssh_command_arguments(self): 31 + vendor = OpenSSHSubprocessVendor() 32 + self.assertEqual( 33 + @@ -171,6 +185,7 @@ class SubprocessVendorsTests(TestCase): 34 + "-oNoHostAuthenticationForLocalhost=yes", 35 + "-p", "100", 36 + "-l", "user", 37 + + "--", 38 + "host", "bzr"] 39 + ) 40 + 41 + @@ -184,9 +199,16 @@ class SubprocessVendorsTests(TestCase): 42 + "-oNoHostAuthenticationForLocalhost=yes", 43 + "-p", "100", 44 + "-l", "user", 45 + - "-s", "host", "sftp"] 46 + + "-s", "--", "host", "sftp"] 47 + ) 48 + 49 + + def test_openssh_command_tricked(self): 50 + + vendor = SSHCorpSubprocessVendor() 51 + + self.assertRaises( 52 + + StrangeHostname, 53 + + vendor._get_vendor_specific_argv, 54 + + "user", "-oProxyCommand=host", 100, command=["bzr"]) 55 + + 56 + def test_sshcorp_command_arguments(self): 57 + vendor = SSHCorpSubprocessVendor() 58 + self.assertEqual( 59 + @@ -209,6 +231,13 @@ class SubprocessVendorsTests(TestCase): 60 + "-s", "sftp", "host"] 61 + ) 62 + 63 + + def test_lsh_command_tricked(self): 64 + + vendor = LSHSubprocessVendor() 65 + + self.assertRaises( 66 + + StrangeHostname, 67 + + vendor._get_vendor_specific_argv, 68 + + "user", "-oProxyCommand=host", 100, command=["bzr"]) 69 + + 70 + def test_lsh_command_arguments(self): 71 + vendor = LSHSubprocessVendor() 72 + self.assertEqual( 73 + @@ -231,6 +260,13 @@ class SubprocessVendorsTests(TestCase): 74 + "--subsystem", "sftp", "host"] 75 + ) 76 + 77 + + def test_plink_command_tricked(self): 78 + + vendor = PLinkSubprocessVendor() 79 + + self.assertRaises( 80 + + StrangeHostname, 81 + + vendor._get_vendor_specific_argv, 82 + + "user", "-oProxyCommand=host", 100, command=["bzr"]) 83 + + 84 + def test_plink_command_arguments(self): 85 + vendor = PLinkSubprocessVendor() 86 + self.assertEqual( 87 + diff --git a/bzrlib/transport/ssh.py b/bzrlib/transport/ssh.py 88 + index eecaa26..6f22341 100644 89 + --- a/bzrlib/transport/ssh.py 90 + +++ b/bzrlib/transport/ssh.py 91 + @@ -46,6 +46,10 @@ else: 92 + from paramiko.sftp_client import SFTPClient 93 + 94 + 95 + +class StrangeHostname(errors.BzrError): 96 + + _fmt = "Refusing to connect to strange SSH hostname %(hostname)s" 97 + + 98 + + 99 + SYSTEM_HOSTKEYS = {} 100 + BZR_HOSTKEYS = {} 101 + 102 + @@ -360,6 +364,11 @@ class SubprocessVendor(SSHVendor): 103 + # tests, but beware of using PIPE which may hang due to not being read. 104 + _stderr_target = None 105 + 106 + + @staticmethod 107 + + def _check_hostname(arg): 108 + + if arg.startswith('-'): 109 + + raise StrangeHostname(hostname=arg) 110 + + 111 + def _connect(self, argv): 112 + # Attempt to make a socketpair to use as stdin/stdout for the SSH 113 + # subprocess. We prefer sockets to pipes because they support 114 + @@ -424,9 +433,9 @@ class OpenSSHSubprocessVendor(SubprocessVendor): 115 + if username is not None: 116 + args.extend(['-l', username]) 117 + if subsystem is not None: 118 + - args.extend(['-s', host, subsystem]) 119 + + args.extend(['-s', '--', host, subsystem]) 120 + else: 121 + - args.extend([host] + command) 122 + + args.extend(['--', host] + command) 123 + return args 124 + 125 + register_ssh_vendor('openssh', OpenSSHSubprocessVendor()) 126 + @@ -439,6 +448,7 @@ class SSHCorpSubprocessVendor(SubprocessVendor): 127 + 128 + def _get_vendor_specific_argv(self, username, host, port, subsystem=None, 129 + command=None): 130 + + self._check_hostname(host) 131 + args = [self.executable_path, '-x'] 132 + if port is not None: 133 + args.extend(['-p', str(port)]) 134 + @@ -460,6 +470,7 @@ class LSHSubprocessVendor(SubprocessVendor): 135 + 136 + def _get_vendor_specific_argv(self, username, host, port, subsystem=None, 137 + command=None): 138 + + self._check_hostname(host) 139 + args = [self.executable_path] 140 + if port is not None: 141 + args.extend(['-p', str(port)]) 142 + @@ -481,6 +492,7 @@ class PLinkSubprocessVendor(SubprocessVendor): 143 + 144 + def _get_vendor_specific_argv(self, username, host, port, subsystem=None, 145 + command=None): 146 + + self._check_hostname(host) 147 + args = [self.executable_path, '-x', '-a', '-ssh', '-2', '-batch'] 148 + if port is not None: 149 + args.extend(['-P', str(port)])

+1 -6

pkgs/applications/version-management/bazaar/default.nix

··· 1 1 { stdenv, fetchurl, python2Packages 2 - , fetchpatch 3 2 , withSFTP ? true 4 3 }: 5 4 ··· 21 20 patches = [ 22 21 # Bazaar can't find the certificates alone 23 22 ./add_certificates.patch 24 - (fetchpatch { 25 - url = "https://bazaar.launchpad.net/~brz/brz/trunk/revision/6754"; 26 - sha256 = "0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73"; 27 - name = "CVE-2017-14176.patch"; 28 - }) 23 + ./CVE-2017-14176.patch 29 24 ]; 30 25 postPatch = '' 31 26 substituteInPlace bzrlib/transport/http/_urllib2_wrappers.py \