bazaar: fix buid
Izorkin
7 years ago
d1d4ec90
c83eff90
+150
-6
2 changed files
+149
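--- a/pkgs/applications/version-management/bazaar/CVE-2017-14176.patch
+++ b/pkgs/applications/version-management/bazaar/CVE-2017-14176.patch
@@ -0,0 +1,149 @@
+diff --git a/bzrlib/tests/test_ssh_transport.py b/bzrlib/tests/test_ssh_transport.py
+index 9e37c3b..fe9f219 100644
+--- a/bzrlib/tests/test_ssh_transport.py
++++ b/bzrlib/tests/test_ssh_transport.py
+@@ -22,6 +22,7 @@ from bzrlib.transport.ssh import (
+SSHCorpSubprocessVendor,
+LSHSubprocessVendor,
+SSHVendorManager,
++ StrangeHostname,
+)
+
+
+@@ -161,6 +162,19 @@ class SSHVendorManagerTests(TestCase):
+
+class SubprocessVendorsTests(TestCase):
+
++ def test_openssh_command_tricked(self):
++ vendor = OpenSSHSubprocessVendor()
++ self.assertEqual(
++ vendor._get_vendor_specific_argv(
++ "user", "-oProxyCommand=blah", 100, command=["bzr"]),
++ ["ssh", "-oForwardX11=no", "-oForwardAgent=no",
++ "-oClearAllForwardings=yes",
++ "-oNoHostAuthenticationForLocalhost=yes",
++ "-p", "100",
++ "-l", "user",
++ "--",
++ "-oProxyCommand=blah", "bzr"])
++
+def test_openssh_command_arguments(self):
+vendor = OpenSSHSubprocessVendor()
+self.assertEqual(
+@@ -171,6 +185,7 @@ class SubprocessVendorsTests(TestCase):
+"-oNoHostAuthenticationForLocalhost=yes",
+"-p", "100",
+"-l", "user",
++ "--",
+"host", "bzr"]
+)
+
+@@ -184,9 +199,16 @@ class SubprocessVendorsTests(TestCase):
+"-oNoHostAuthenticationForLocalhost=yes",
+"-p", "100",
+"-l", "user",
+- "-s", "host", "sftp"]
++ "-s", "--", "host", "sftp"]
+)
+
++ def test_openssh_command_tricked(self):
++ vendor = SSHCorpSubprocessVendor()
++ self.assertRaises(
++ StrangeHostname,
++ vendor._get_vendor_specific_argv,
++ "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+def test_sshcorp_command_arguments(self):
+vendor = SSHCorpSubprocessVendor()
+self.assertEqual(
+@@ -209,6 +231,13 @@ class SubprocessVendorsTests(TestCase):
+"-s", "sftp", "host"]
+)
+
++ def test_lsh_command_tricked(self):
++ vendor = LSHSubprocessVendor()
++ self.assertRaises(
++ StrangeHostname,
++ vendor._get_vendor_specific_argv,
++ "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+def test_lsh_command_arguments(self):
+vendor = LSHSubprocessVendor()
+self.assertEqual(
+@@ -231,6 +260,13 @@ class SubprocessVendorsTests(TestCase):
+"--subsystem", "sftp", "host"]
+)
+
++ def test_plink_command_tricked(self):
++ vendor = PLinkSubprocessVendor()
++ self.assertRaises(
++ StrangeHostname,
++ vendor._get_vendor_specific_argv,
++ "user", "-oProxyCommand=host", 100, command=["bzr"])
++
+def test_plink_command_arguments(self):
+vendor = PLinkSubprocessVendor()
+self.assertEqual(
+diff --git a/bzrlib/transport/ssh.py b/bzrlib/transport/ssh.py
+index eecaa26..6f22341 100644
+--- a/bzrlib/transport/ssh.py
++++ b/bzrlib/transport/ssh.py
+@@ -46,6 +46,10 @@ else:
+from paramiko.sftp_client import SFTPClient
+
+
++class StrangeHostname(errors.BzrError):
++ _fmt = "Refusing to connect to strange SSH hostname %(hostname)s"
++
++
+SYSTEM_HOSTKEYS = {}
+BZR_HOSTKEYS = {}
+
+@@ -360,6 +364,11 @@ class SubprocessVendor(SSHVendor):
+# tests, but beware of using PIPE which may hang due to not being read.
+_stderr_target = None
+
++ @staticmethod
++ def _check_hostname(arg):
++ if arg.startswith('-'):
++ raise StrangeHostname(hostname=arg)
++
+def _connect(self, argv):
+# Attempt to make a socketpair to use as stdin/stdout for the SSH
+# subprocess. We prefer sockets to pipes because they support
+@@ -424,9 +433,9 @@ class OpenSSHSubprocessVendor(SubprocessVendor):
+if username is not None:
+args.extend(['-l', username])
+if subsystem is not None:
+- args.extend(['-s', host, subsystem])
++ args.extend(['-s', '--', host, subsystem])
+else:
+- args.extend([host] + command)
++ args.extend(['--', host] + command)
+return args
+
+register_ssh_vendor('openssh', OpenSSHSubprocessVendor())
+@@ -439,6 +448,7 @@ class SSHCorpSubprocessVendor(SubprocessVendor):
+
+def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+command=None):
++ self._check_hostname(host)
+args = [self.executable_path, '-x']
+if port is not None:
+args.extend(['-p', str(port)])
+@@ -460,6 +470,7 @@ class LSHSubprocessVendor(SubprocessVendor):
+
+def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+command=None):
++ self._check_hostname(host)
+args = [self.executable_path]
+if port is not None:
+args.extend(['-p', str(port)])
+@@ -481,6 +492,7 @@ class PLinkSubprocessVendor(SubprocessVendor):
+
+def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
+command=None):
++ self._check_hostname(host)
+args = [self.executable_path, '-x', '-a', '-ssh', '-2', '-batch']
+if port is not None:
+args.extend(['-P', str(port)])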
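Review bot: The vendored patch defines `test_openssh_command_tricked` twice in `SubprocessVendorsTests` (patch lines 17 and 49), and the second definition, which builds an `SSHCorpSubprocessVendor`, replaces the first when the class body is evaluated. As a result the only test that passes a dash-prefixed host (`-oProxyCommand=blah`) to the OpenSSH vendor, and checks that it lands after the `--` separator, is never run. Renaming the second method to `def test_sshcorp_command_tricked(self):` would restore that coverage. Because the file is a copy of the upstream change, the rename is probably better reported upstream than edited locally, but the gap is worth knowing when relying on this patch as the CVE-2017-14176 fix.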
+1
-6
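--- a/pkgs/applications/version-management/bazaar/default.nix
+++ b/pkgs/applications/version-management/bazaar/default.nix
@@ -1,5 +1,4 @@
 { stdenv, fetchurl, python2Packages
-, fetchpatch
 , withSFTP ? true
 }:
 
@@ -21,11 +20,7 @@
 patches = [
 # Bazaar can't find the certificates alone
 ./add_certificates.patch
-(fetchpatch {
-url = "https://bazaar.launchpad.net/~brz/brz/trunk/revision/6754";
-sha256 = "0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73";
-name = "CVE-2017-14176.patch";
-})
+./CVE-2017-14176.patch
 ];
 postPatch = ''
 substituteInPlace bzrlib/transport/http/_urllib2_wrappers.py \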
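Review bot: The new `./CVE-2017-14176.patch` entry in `patches` records nothing about where the file came from, whereas the removed `fetchpatch` call tied it to an upstream URL and a sha256. A comment above the entry, for example `# CVE-2017-14176: copied from https://bazaar.launchpad.net/~brz/brz/trunk/revision/6754`, would let a later reader compare the in-tree copy against upstream and see which advisory it addresses. The commit message does not say why the fetched patch stopped building, so a short reason in the same comment would also help anyone deciding whether the local copy can be dropped again.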