Merge lp:~jtaylor/ubuntu/maverick/python-django-piston/fix-884910 into lp:ubuntu/maverick/python-django-piston

Proposed by Julian Taylor
Status: Needs review
Proposed branch: lp:~jtaylor/ubuntu/maverick/python-django-piston/fix-884910
Merge into: lp:ubuntu/maverick/python-django-piston
Diff against target: 110 lines (+67/-2)
5 files modified
debian/changelog (+16/-0)
debian/control (+3/-2)
debian/patches/02-fix-yaml-load.diff (+18/-0)
debian/patches/03-fix-pickle-load.diff (+28/-0)
debian/patches/series (+2/-0)
To merge this branch: bzr merge lp:~jtaylor/ubuntu/maverick/python-django-piston/fix-884910
Reviewer: Jamie Strandboge
Status: Approve
Review via email: mp+81059@code.launchpad.net

Description of the change

Security update, see linked bug.

Jamie Strandboge (jdstrand) :
review: Approve

Unmerged revisions

4. By Julian Taylor

* SECURITY UPDATE: remote code execution vulnerability. LP: #884910
   - 02-fix-yaml-load.diff: use yaml.safe_load,
   - 03-fix-pickle-load.diff: disable unpickling, backport from 0.2.3
   - https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/

3. By Joker Wild

debian/control: Bump Depends on python-oauth 1.0 since we don't
have 1.0.1 yet. Fixes install problem. (LP: #653480)

Preview Diff

1=== modified file 'debian/changelog'
2--- debian/changelog 2010-02-22 08:43:21 +0000
3+++ debian/changelog 2011-11-02 18:35:29 +0000
4@@ -1,3 +1,19 @@
5+python-django-piston (0.2.2-1ubuntu0.2) maverick-security; urgency=low
6+
7+ * SECURITY UPDATE: remote code execution vulnerability. LP: #884910
8+ - 02-fix-yaml-load.diff: use yaml.safe_load,
9+ - 03-fix-pickle-load.diff: disable unpickling, backport from 0.2.3
10+ - https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/
11+
12+ -- Julian Taylor <jtaylor.debian@googlemail.com> Wed, 02 Nov 2011 19:18:12 +0100
13+
14+python-django-piston (0.2.2-1ubuntu0.1) maverick-proposed; urgency=low
15+
16+ * debian/control: Bump Depends on python-oauth 1.0 since we don't
17+ have 1.0.1 yet. Fixes install problem. (LP: #653480)
18+
19+ -- Leo Albert Jackson Jr (Coders United) <lajjr@yahoo.com> Mon, 10 Jan 2011 00:16:35 +0100
20+
21 python-django-piston (0.2.2-1) unstable; urgency=low
22
23 * Initial release (Closes: #570919)
24
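Review bot: the second entry in this hunk, python-django-piston (0.2.2-1ubuntu0.1) maverick-proposed, is the unmerged revision 3 listed above rather than part of the security fix; before uploading, confirm that 0.2.2-1ubuntu0.1 actually left maverick-proposed and is the version installed on users' systems, because a security upload whose changelog sits on top of a never-published version makes the version history hard to follow for whoever backports the next fix. The security entry itself is in good shape: it names LP: #884910, says what each patch does, and links the upstream advisory, which is what the security team needs to cross-check the fix.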
25=== modified file 'debian/control'
26--- debian/control 2010-02-22 08:43:21 +0000
27+++ debian/control 2011-11-02 18:35:29 +0000
28@@ -1,7 +1,8 @@
29 Source: python-django-piston
30 Section: python
31 Priority: optional
32-Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
33+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
34+XSBC-Original-Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
35 Uploaders: Michael Ziegler <diese-addy@funzt-halt.net>
36 Build-Depends: python (>= 2.4), debhelper (>= 7.0.50~), python-setuptools (>= 0.6.10)
37 Build-Depends-Indep: python-support
38@@ -14,7 +15,7 @@
39 Package: python-django-piston
40 Architecture: all
41 Depends: ${misc:Depends}, ${python:Depends}, python-django (>= 1.1),
42- python-oauth (>= 1.0.1), python-decorator
43+ python-oauth (>= 1.0), python-decorator
44 Suggests: python-yaml
45 Description: Django mini-framework creating RESTful APIs
46 Piston is a relatively small Django application that lets you
47
48=== added file 'debian/patches/02-fix-yaml-load.diff'
49--- debian/patches/02-fix-yaml-load.diff 1970-01-01 00:00:00 +0000
50+++ debian/patches/02-fix-yaml-load.diff 2011-11-02 18:35:29 +0000
51@@ -0,0 +1,18 @@
52+Description: Fix a security bug in the YAML emitter.
53+ See https://bitbucket.org/jespern/django-piston/changeset/91bdaec89543
54+Forwarded: not-needed
55+Author: Michael Ziegler <diese-addy@funzt-halt.net>
56+
57+Index: python-django-piston-0.2.2/piston/emitters.py
58+===================================================================
59+--- python-django-piston-0.2.2.orig/piston/emitters.py 2009-06-14 12:04:30.000000000 +0200
60++++ python-django-piston-0.2.2/piston/emitters.py 2011-11-01 19:19:34.526595345 +0100
61+@@ -385,7 +385,7 @@
62+
63+ if yaml: # Only register yaml if it was import successfully.
64+ Emitter.register('yaml', YAMLEmitter, 'application/x-yaml; charset=utf-8')
65+- Mimer.register(yaml.load, ('application/x-yaml',))
66++ Mimer.register(yaml.safe_load, ('application/x-yaml',))
67+
68+ class PickleEmitter(Emitter):
69+ """
70
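Review bot: the Description header says "Fix a security bug in the YAML emitter", but the only changed line is the Mimer registration (Mimer.register(yaml.load, ...) becoming Mimer.register(yaml.safe_load, ...)), which is the request-body decoder, not the emitter; rename it to "YAML loader" so the header matches the change. The fix is the right one: yaml.safe_load constructs only plain YAML types and refuses the python/object family of tags that yaml.load would instantiate, so an untrusted application/x-yaml body can no longer trigger code execution. Consider replacing the free-form "See ..." line with DEP-3 fields, e.g. Origin: upstream, https://bitbucket.org/jespern/django-piston/changeset/91bdaec89543 and Bug-Ubuntu: https://launchpad.net/bugs/884910, so the provenance is machine-readable.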
71=== added file 'debian/patches/03-fix-pickle-load.diff'
72--- debian/patches/03-fix-pickle-load.diff 1970-01-01 00:00:00 +0000
73+++ debian/patches/03-fix-pickle-load.diff 2011-11-02 18:35:29 +0000
74@@ -0,0 +1,28 @@
75+Description: Fix a security bug in the pickle loader.
76+ See Bug Report #646517
77+Forwarded: not-needed
78+Author: Michael Ziegler <diese-addy@funzt-halt.net>
79+
80+Index: python-django-piston-0.2.2/piston/emitters.py
81+===================================================================
82+--- python-django-piston-0.2.2.orig/piston/emitters.py 2011-11-02 18:16:16.685560613 +0100
83++++ python-django-piston-0.2.2/piston/emitters.py 2011-11-02 18:17:07.451559769 +0100
84+@@ -395,7 +395,17 @@
85+ return pickle.dumps(self.construct())
86+
87+ Emitter.register('pickle', PickleEmitter, 'application/python-pickle')
88+-Mimer.register(pickle.loads, ('application/python-pickle',))
89++
90++"""
91++WARNING: Accepting arbitrary pickled data is a huge security concern.
92++The unpickler has been disabled by default now, and if you want to use
93++it, please be aware of what implications it will have.
94++
95++Read more: http://nadiana.com/python-pickle-insecure
96++
97++Uncomment the line below to enable it. You're doing so at your own risk.
98++"""
99++#Mimer.register(pickle.loads, ('application/python-pickle',))
100+
101+ class DjangoEmitter(Emitter):
102+ """
103
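Review bot: "See Bug Report #646517" in the Description names no tracker, so a reader cannot tell whether that is a Debian, Launchpad or upstream bug; put it in a DEP-3 Bug-Debian or Bug-Ubuntu field with the full URL, and since the changelog describes this as a backport from 0.2.3, Applied-Upstream: 0.2.3 would record that too. The change itself has the right shape: commenting out Mimer.register(pickle.loads, ('application/python-pickle',)) removes the only path by which a request body reached pickle.loads, while PickleEmitter (pickle.dumps of the view's own data) is left alone, which is fine because serialising is not the dangerous direction. It is still a behaviour change for any client that posted application/python-pickle bodies, which will no longer be decoded; the changelog's "disable unpickling" wording covers that, so nothing further is needed there.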
104=== modified file 'debian/patches/series'
105--- debian/patches/series 2010-02-22 08:43:21 +0000
106+++ debian/patches/series 2011-11-02 18:35:29 +0000
107@@ -1,1 +1,3 @@
108 01-fix-oauth-import.diff
109+03-fix-pickle-load.diff
110+02-fix-yaml-load.diff
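Review bot: the series lists 03-fix-pickle-load.diff before 02-fix-yaml-load.diff, out of numeric order. Both patches touch piston/emitters.py, but 02 replaces a single line at 385 without changing the line count, so the 03 hunk at 395 applies unchanged either way; the order is therefore cosmetic, but listing 02 then 03 avoids a later reader wondering whether the inversion was deliberate.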
