gnu: python2: Add upstream security fixes.

This addresses CVE-2018-{1060,1061,14647,1000802}. * gnu/packages/patches/python2-CVE-2018-1000802.patch, gnu/packages/patches/python2-CVE-2018-1060.patch, gnu/packages/patches/python2-CVE-2018-1061.patch, gnu/packages/patches/python2-CVE-2018-14647.patch: New files. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/python.scm (python-2/fixed): New variable. (python-2.7)[replacement]: New field. (python2-minimal): Use PACKAGE/INHERIT.
2025-10-02 02:15:12 +00:00 · 2018-10-06 18:50:47 +02:00 · 2018-10-06 18:50:47 +02:00 · a55ebe2e3a
commit a55ebe2e3a
parent 90aeaee861
6 changed files with 166 additions and 1 deletions
--- a/gnu/packages/patches/python2-CVE-2018-1060.patch
+++ b/gnu/packages/patches/python2-CVE-2018-1060.patch
@ -0,0 +1,20 @@
+Fix CVE-2018-1060:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060
+
+Taken from upstream commit (sans test and NEWS):
+https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b39744dc62a2
+
+diff --git a/Lib/poplib.py b/Lib/poplib.py
+index b91e5f72d2ca..a238510b38fc 100644
+--- a/Lib/poplib.py
+++ b/Lib/poplib.py
+@@ -274,7 +274,7 @@ def rpop(self, user):
+         return self._shortcmd('RPOP %s' % user)
+ 
+ 
+-    timestamp = re.compile(r'\+OK.*(<[^>]+>)')
+    timestamp = re.compile(br'\+OK.[^<]*(<.*>)')
+ 
+     def apop(self, user, secret):
+         """Authorisation
+