Merge lp:~jtaylor/ubuntu/natty/python-django-piston/fix-884910 into lp:ubuntu/natty/python-django-piston

Proposed by Julian Taylor
Status: Needs review
Proposed branch: lp:~jtaylor/ubuntu/natty/python-django-piston/fix-884910
Merge into: lp:ubuntu/natty/python-django-piston
Diff against target: 80 lines (+57/-0)
4 files modified
debian/changelog (+9/-0)
debian/patches/02-fix-yaml-load.diff (+18/-0)
debian/patches/03-fix-pickle-load.diff (+28/-0)
debian/patches/series (+2/-0)
To merge this branch: bzr merge lp:~jtaylor/ubuntu/natty/python-django-piston/fix-884910
Reviewer: Jamie Strandboge, Status: Approve
Review via email: mp+81056@code.launchpad.net

Description of the change

security update, see linked bug

Jamie Strandboge (jdstrand) wrote:

This was applied weeks ago.

review: Approve

Unmerged revisions

4. By Julian Taylor

* SECURITY UPDATE: remote code execution vulnerability. LP: #884910
   - 02-fix-yaml-load.diff: use yaml.safe_load,
   - 03-fix-pickle-load.diff: disable unpickling, backport from 0.2.3
   - https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/
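
The two changes above swap one deserialiser and remove another. The following is an added example, not code from django-piston or from this merge proposal, showing with the same kind of bytes an attacker could POST why registering yaml.load and pickle.loads as request-body loaders ("Mimers") is remote code execution, what yaml.safe_load does with such a document, and, as an alternative to disabling unpickling outright, what an allowlisting unpickler does. The names _Hostile, HOSTILE_PICKLE, HOSTILE_YAML, RestrictedUnpickler and the *_mimer/demo_* functions are illustrative, not piston identifiers; os.getcwd stands in for the os.system call an attacker would use; PyYAML is assumed installed for the YAML half and that half is skipped if it is not.

```python
# Added example, not code from django-piston or from this patch: it shows why
# registering yaml.load / pickle.loads as request-body deserialisers is remote
# code execution, and what the hardened alternatives do with the same bytes.
# Names below (_Hostile, HOSTILE_*, RestrictedUnpickler, *_mimer, demo_*) are
# illustrative and not piston identifiers.
import io
import os
import pickle
from collections import OrderedDict

try:
    import yaml  # PyYAML, the library piston wraps; optional for this demo
except ImportError:
    yaml = None


class _Hostile:
    """Constructed hostile class: unpickling its pickle calls os.getcwd().

    __reduce__ may name any importable callable, so a real attacker would
    return (os.system, ("...",)); os.getcwd is a harmless stand-in.
    """

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed bytes an attacker could POST as application/python-pickle.
HOSTILE_PICKLE = pickle.dumps(_Hostile())

# Constructed document an attacker could POST as application/x-yaml: the
# tag asks the unsafe loader to import os and call os.getcwd() with no args.
HOSTILE_YAML = "!!python/object/apply:os.getcwd []\n"


def unpatched_pickle_mimer(body):
    """What the unpatched Mimer did: pickle.loads on the raw request body."""
    return pickle.loads(body)


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlisting unpickler (pattern from the Python pickle docs).

    An alternative to the patch, which disables unpickling outright:
    any global not in ALLOWED is refused before it is imported or called.
    """

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("refusing %s.%s" % (module, name))


def restricted_pickle_mimer(body):
    return RestrictedUnpickler(io.BytesIO(body)).load()


def unpatched_yaml_mimer(doc):
    """Unpatched behaviour: the full Loader honours python/* tags."""
    return yaml.load(doc, Loader=yaml.Loader)


def patched_yaml_mimer(doc):
    """Patched behaviour: safe_load builds only plain scalars/lists/dicts."""
    return yaml.safe_load(doc)


def demo_pickle_rce():
    """True if the hostile pickle made pickle.loads call os.getcwd()."""
    return unpatched_pickle_mimer(HOSTILE_PICKLE) == os.getcwd()


def demo_restricted_refuses_hostile():
    """True if the allowlisting unpickler rejects the same bytes."""
    try:
        restricted_pickle_mimer(HOSTILE_PICKLE)
    except pickle.UnpicklingError:
        return True
    return False


def demo_restricted_allows_listed():
    """An allowlisted class still round-trips through the restricted loader."""
    return restricted_pickle_mimer(pickle.dumps(OrderedDict(a=1)))


def demo_yaml():
    """(unsafe loader ran os.getcwd, safe_load refused); None without PyYAML."""
    if yaml is None:
        return None
    unsafe_called = unpatched_yaml_mimer(HOSTILE_YAML) == os.getcwd()
    try:
        patched_yaml_mimer(HOSTILE_YAML)
        refused = False
    except yaml.YAMLError:  # safe_load raises ConstructorError for python/* tags
        refused = True
    return unsafe_called, refused


if __name__ == "__main__":
    print("pickle.loads ran attacker callable:", demo_pickle_rce())
    print("restricted unpickler refused it:   ", demo_restricted_refuses_hostile())
    print("yaml (unsafe ran, safe refused):   ", demo_yaml())
```

The point the patch makes is visible in the last three lines: the bytes that make pickle.loads call an arbitrary importable callable are refused by the allowlisting unpickler, and the document that makes the full YAML loader call os.getcwd makes yaml.safe_load raise a constructor error instead. Note that an allowlist only helps when every listed class is itself harmless to construct with attacker-chosen state, which is why removing the pickle Mimer, as the patch does, is the safer default.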

Preview Diff

1=== modified file 'debian/changelog'
2--- debian/changelog 2011-01-09 03:49:03 +0000
3+++ debian/changelog 2011-11-02 18:30:31 +0000
4@@ -1,3 +1,12 @@
5+python-django-piston (0.2.2-1ubuntu1.11.04.1) natty-security; urgency=low
6+
7+ * SECURITY UPDATE: remote code execution vulnerability. LP: #884910
8+ - 02-fix-yaml-load.diff: use yaml.safe_load,
9+ - 03-fix-pickle-load.diff: disable unpickling, backport from 0.2.3
10+ - https://www.djangoproject.com/weblog/2011/nov/01/piston-and-tastypie-security-releases/
11+
12+ -- Julian Taylor <jtaylor.debian@googlemail.com> Wed, 02 Nov 2011 19:18:12 +0100
13+
14 python-django-piston (0.2.2-1ubuntu1) natty; urgency=low
15
16 [ Leo Jackson ]
17
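Review bot: the entry cites LP: #884910 and the upstream advisory but not the bug number that 03-fix-pickle-load.diff refers to ("Bug Report #646517"), so a reader of the changelog cannot connect the two; either cite that bug here as well or make the patch header refer to LP: #884910. The version 0.2.2-1ubuntu1.11.04.1 and the natty-security target follow the usual stable security-update convention and look right.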
18=== added file 'debian/patches/02-fix-yaml-load.diff'
19--- debian/patches/02-fix-yaml-load.diff 1970-01-01 00:00:00 +0000
20+++ debian/patches/02-fix-yaml-load.diff 2011-11-02 18:30:31 +0000
21@@ -0,0 +1,18 @@
22+Description: Fix a security bug in the YAML emitter.
23+ See https://bitbucket.org/jespern/django-piston/changeset/91bdaec89543
24+Forwarded: not-needed
25+Author: Michael Ziegler <diese-addy@funzt-halt.net>
26+
27+Index: python-django-piston-0.2.2/piston/emitters.py
28+===================================================================
29+--- python-django-piston-0.2.2.orig/piston/emitters.py 2009-06-14 12:04:30.000000000 +0200
30++++ python-django-piston-0.2.2/piston/emitters.py 2011-11-01 19:19:34.526595345 +0100
31+@@ -385,7 +385,7 @@
32+
33+ if yaml: # Only register yaml if it was import successfully.
34+ Emitter.register('yaml', YAMLEmitter, 'application/x-yaml; charset=utf-8')
35+- Mimer.register(yaml.load, ('application/x-yaml',))
36++ Mimer.register(yaml.safe_load, ('application/x-yaml',))
37+
38+ class PickleEmitter(Emitter):
39+ """
40
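Review bot: the Description line "Fix a security bug in the YAML emitter" does not match the change, which is to the Mimer registration, i.e. the request-body loader: the one-line swap replaces yaml.load, which will construct arbitrary Python objects from python/* tags in an incoming document, with yaml.safe_load, which builds only plain scalars, lists and dicts. Suggest "Fix a security bug in the YAML loader (Mimer)" and one sentence noting that clients that relied on Python-specific YAML tags will now get a constructor error. The YAMLEmitter registration on the line above is unchanged, which is correct, since emitting YAML is not where the bug is.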
41=== added file 'debian/patches/03-fix-pickle-load.diff'
42--- debian/patches/03-fix-pickle-load.diff 1970-01-01 00:00:00 +0000
43+++ debian/patches/03-fix-pickle-load.diff 2011-11-02 18:30:31 +0000
44@@ -0,0 +1,28 @@
45+Description: Fix a security bug in the pickle loader.
46+ See Bug Report #646517
47+Forwarded: not-needed
48+Author: Michael Ziegler <diese-addy@funzt-halt.net>
49+
50+Index: python-django-piston-0.2.2/piston/emitters.py
51+===================================================================
52+--- python-django-piston-0.2.2.orig/piston/emitters.py 2011-11-02 18:16:16.685560613 +0100
53++++ python-django-piston-0.2.2/piston/emitters.py 2011-11-02 18:17:07.451559769 +0100
54+@@ -395,7 +395,17 @@
55+ return pickle.dumps(self.construct())
56+
57+ Emitter.register('pickle', PickleEmitter, 'application/python-pickle')
58+-Mimer.register(pickle.loads, ('application/python-pickle',))
59++
60++"""
61++WARNING: Accepting arbitrary pickled data is a huge security concern.
62++The unpickler has been disabled by default now, and if you want to use
63++it, please be aware of what implications it will have.
64++
65++Read more: http://nadiana.com/python-pickle-insecure
66++
67++Uncomment the line below to enable it. You're doing so at your own risk.
68++"""
69++#Mimer.register(pickle.loads, ('application/python-pickle',))
70+
71+ class DjangoEmitter(Emitter):
72+ """
73
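Review bot: "See Bug Report #646517" in the header carries no tracker or URL, so it is unclear whether this is a Debian, Launchpad or upstream bug; 02-fix-yaml-load.diff links the upstream changeset, so do the same here or cite LP: #884910 as the changelog does. On the change itself, commenting out Mimer.register(pickle.loads, ('application/python-pickle',)) means a request with that Content-Type is no longer deserialised at all while PickleEmitter stays registered for output; that behaviour change should be spelled out in the changelog for anyone with clients that send pickles. The docstring's "Uncomment the line below to enable it" invites exactly the configuration this update removes: pickle.loads will call any importable callable named by the payload, so re-enabling it on an endpoint that accepts untrusted bodies restores the remote code execution, and the header would do better to say so plainly than to offer it as an option.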
74=== modified file 'debian/patches/series'
75--- debian/patches/series 2010-02-22 08:43:21 +0000
76+++ debian/patches/series 2011-11-02 18:30:31 +0000
77@@ -1,1 +1,3 @@
78 01-fix-oauth-import.diff
79+03-fix-pickle-load.diff
80+02-fix-yaml-load.diff
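Review bot: the series adds 03-fix-pickle-load.diff before 02-fix-yaml-load.diff, the reverse of the patch numbering and of the order the changelog lists them. Both patches touch piston/emitters.py; because the 02 hunk is a one-for-one line replacement (@@ -385,7 +385,7 @@) it does not shift the @@ -395 hunk, so quilt applies cleanly either way, but the .orig timestamp in 03 (2011-11-02 18:16) versus the pristine 2009 file in 02 shows 03 was generated on top of 02. Put them in numeric order so the series matches how they were produced and what the changelog says.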
