From 8c31196d00e344da82cf4facf4f6f5d2826c692a Mon Sep 17 00:00:00 2001
From: Matthew Thode
Date: Thu, 11 Jan 2018 17:29:34 -0600
Subject: dev-python/pysaml2: fix bug 644016 CVE-2017-1000433

Package-Manager: Portage-2.3.14, Repoman-2.3.6
---
 .../files/pysaml-4.0.2_CVE-2017-1000433.patch | 14 ++++++++
 dev-python/pysaml2/pysaml2-4.0.2-r2.ebuild | 39 ++++++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 dev-python/pysaml2/files/pysaml-4.0.2_CVE-2017-1000433.patch
 create mode 100644 dev-python/pysaml2/pysaml2-4.0.2-r2.ebuild

(limited to 'dev-python/pysaml2')

diff --git a/dev-python/pysaml2/files/pysaml-4.0.2_CVE-2017-1000433.patch b/dev-python/pysaml2/files/pysaml-4.0.2_CVE-2017-1000433.patch
new file mode 100644
index 000000000000..e745263d236d
--- /dev/null
+++ b/dev-python/pysaml2/files/pysaml-4.0.2_CVE-2017-1000433.patch
@@ -0,0 +1,14 @@
+diff -Naur pysaml2/src/saml2/authn.py pysaml2.new/src/saml2/authn.py
+--- 1/src/saml2/authn.py 2018-01-11 17:23:27.198775074 -0600
++++ 2/src/saml2/authn.py 2018-01-11 17:22:57.909567278 -0600
+@@ -147,7 +147,8 @@
+ return resp
+ 
+ def _verify(self, pwd, user):
+- assert is_equal(pwd, self.passwd[user])
++ if not is_equal(pwd, self.passwd[user]):
++ raise ValueError("Wrong password")
+ 
+ def verify(self, request, **kwargs):
+ """
+ 
diff --git a/dev-python/pysaml2/pysaml2-4.0.2-r2.ebuild b/dev-python/pysaml2/pysaml2-4.0.2-r2.ebuild
new file mode 100644
index 000000000000..34cc46c5c0d8
--- /dev/null
+++ b/dev-python/pysaml2/pysaml2-4.0.2-r2.ebuild
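Review bot: The patched `_verify` still indexes `self.passwd[user]` before the comparison, so an unknown user raises `KeyError` while a wrong password raises the new `ValueError`; a caller that only catches `ValueError` lets the `KeyError` propagate, and the two failure modes surface as different exception types. The subject line suggests the point of the hunk is to stop relying on an `assert`, which `python -O` strips, so the lookup should fail the same way as the comparison: `stored = self.passwd.get(user)` / `if stored is None or not is_equal(pwd, stored):` / `raise ValueError("Wrong password")`. Whether `is_equal` accepts an empty or missing value, and how the caller `verify` (which begins at the end of this hunk and runs past it) handles exceptions, cannot be seen from the patch, so that part is a question for the full file rather than a claim.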
@@ -0,0 +1,39 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+PYTHON_COMPAT=( python2_7 python3_4 python3_5 )
+
+inherit distutils-r1
+
+DESCRIPTION="Python implementation of SAML Version 2 to be used in a WSGI environment"
+HOMEPAGE="https://github.com/rohe/pysaml2"
+SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~x86"
+IUSE=""
+
+PATCHES=(
+ "${FILESDIR}/xxe-4.0.2.patch"
+ "${FILESDIR}/pysaml-4.0.2_CVE-2017-1000433.patch"
+)
+
+DEPEND="
+ dev-python/setuptools[${PYTHON_USEDEP}]
+"
+RDEPEND="
+ dev-python/decorator[${PYTHON_USEDEP}]
+ >=dev-python/requests-1.0.0[${PYTHON_USEDEP}]
+ dev-python/future[${PYTHON_USEDEP}]
+ dev-python/paste[${PYTHON_USEDEP}]
+ dev-python/zope-interface[${PYTHON_USEDEP}]
+ dev-python/repoze-who[${PYTHON_USEDEP}]
+ >=dev-python/pycrypto-2.5[${PYTHON_USEDEP}]
+ dev-python/pytz[${PYTHON_USEDEP}]
+ dev-python/pyopenssl[${PYTHON_USEDEP}]
+ dev-python/python-dateutil[${PYTHON_USEDEP}]
+ dev-python/six[${PYTHON_USEDEP}]
+ dev-python/defusedxml[${PYTHON_USEDEP}]
+"
-- 
cgit v1.2.3-65-gdbad
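Review bot: The second `PATCHES` entry names the file `pysaml-4.0.2_CVE-2017-1000433.patch`, dropping the `2` from the package name `pysaml2` while the sibling entry `xxe-4.0.2.patch` and the rest of the ebuild use `${PN}`; since the file is created in this same commit, naming it `${PN}-4.0.2_CVE-2017-1000433.patch` in both places would keep `files/` consistent with the package name. This is a naming point only; the ebuild works as written because the `PATCHES` entry matches the added file exactly.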