[python] 2.7.3-23: use SHA-256 rather than MD5 in multiprocessing.connection (patch 169; rhbz#879695)

dmalcolm dmalcolm at fedoraproject.org
Wed Feb 20 20:26:10 UTC 2013


commit 41aa0d34f7037b69d9a615cfb8d36a3ebccecf4b
Author: David Malcolm <dmalcolm at redhat.com>
Date:   Wed Feb 20 15:25:17 2013 -0500

    2.7.3-23: use SHA-256 rather than MD5 in multiprocessing.connection (patch 169; rhbz#879695)
    
    * Wed Feb 20 2013 David Malcolm <dmalcolm at redhat.com> - 2.7.3-23
    - use SHA-256 rather than implicitly using MD5 within the challenge handling
    in multiprocessing.connection (patch 169; rhbz#879695)

 ...-implicit-usage-of-md5-in-multiprocessing.patch |   41 ++++++++++++++++++++
 python.spec                                        |   15 +++++++-
 2 files changed, 55 insertions(+), 1 deletions(-)
---
diff --git a/00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch b/00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch
new file mode 100644
index 0000000..debf92f
--- /dev/null
+++ b/00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch
@@ -0,0 +1,41 @@
+diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
+--- a/Lib/multiprocessing/connection.py
++++ b/Lib/multiprocessing/connection.py
+@@ -41,6 +41,10 @@
+ # A very generous timeout when it comes to local connections...
+ CONNECTION_TIMEOUT = 20.
+ 
++# The hmac module implicitly defaults to using MD5.
++# Support using a stronger algorithm for the challenge/response code:
++HMAC_DIGEST_NAME='sha256'
++
+ _mmap_counter = itertools.count()
+ 
+ default_family = 'AF_INET'
+@@ -700,12 +704,16 @@
+ WELCOME = b'#WELCOME#'
+ FAILURE = b'#FAILURE#'
+ 
++def get_digestmod_for_hmac():
++    import hashlib
++    return getattr(hashlib, HMAC_DIGEST_NAME)
++
+ def deliver_challenge(connection, authkey):
+     import hmac
+     assert isinstance(authkey, bytes)
+     message = os.urandom(MESSAGE_LENGTH)
+     connection.send_bytes(CHALLENGE + message)
+-    digest = hmac.new(authkey, message).digest()
++    digest = hmac.new(authkey, message, get_digestmod_for_hmac()).digest()
+     response = connection.recv_bytes(256)        # reject large message
+     if response == digest:
+         connection.send_bytes(WELCOME)
+@@ -719,7 +727,7 @@
+     message = connection.recv_bytes(256)         # reject large message
+     assert message[:len(CHALLENGE)] == CHALLENGE, 'message = %r' % message
+     message = message[len(CHALLENGE):]
+-    digest = hmac.new(authkey, message).digest()
++    digest = hmac.new(authkey, message, get_digestmod_for_hmac()).digest()
+     connection.send_bytes(digest)
+     response = connection.recv_bytes(256)        # reject large message
+     if response != WELCOME:
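Review bot: Passing `get_digestmod_for_hmac()` to `hmac.new` in both `deliver_challenge` and `answer_challenge` changes the wire protocol, so a patched process can no longer authenticate against a peer that still uses the HMAC-MD5 default (an unpatched 2.7 interpreter or another implementation on the other end of the connection), and nothing in the hunk documents that both ends must agree; a comment next to `HMAC_DIGEST_NAME='sha256'` such as `# NOTE: both ends of the connection must use the same digest; an HMAC-MD5 peer cannot authenticate against this one.` would make the trade-off explicit to packagers and users. `get_digestmod_for_hmac` also lacks a docstring; a one-liner like `"""Return the hashlib constructor named by HMAC_DIGEST_NAME for use as hmac's digestmod."""` is enough. Separately, the response check at `if response == digest:` is untouched and still uses ordinary string equality, which is not constant-time; the commit does not claim to address it, and the `hmac` module of this 2.7.3 tree offers no compare-digest helper, so it is worth a follow-up note rather than a change here. `deliver_challenge`'s body continues past the end of the inner hunk, and `answer_challenge`'s header lies outside it.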
diff --git a/python.spec b/python.spec
index 309c258..2873931 100644
--- a/python.spec
+++ b/python.spec
@@ -106,7 +106,7 @@ Summary: An interpreted, interactive, object-oriented programming language
 Name: %{python}
 # Remember to also rebase python-docs when changing this:
 Version: 2.7.3
-Release: 22%{?dist}
+Release: 23%{?dist}
 License: Python
 Group: Development/Languages
 Requires: %{python}-libs%{?_isa} = %{version}-%{release}
@@ -763,6 +763,14 @@ Patch167: 00167-disable-stack-navigation-tests-when-optimized-in-test_gdb.patch
 # (rhbz#849994)
 Patch168: 00168-distutils-cflags.patch
 
+# 00169 #
+# Use SHA-256 rather than implicitly using MD5 within the challenge handling
+# in multiprocessing.connection
+#
+# Sent upstream as http://bugs.python.org/issue17258
+# (rhbz#879695)
+Patch169: 00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora 17 onwards,
@@ -1098,6 +1106,7 @@ mv Modules/cryptmodule.c Modules/_cryptmodule.c
 %patch166 -p1
 %patch167 -p1
 %patch168 -p1
+%patch169 -p1
 
 
 # This shouldn't be necesarry, but is right now (2.2a3)
@@ -1928,6 +1937,10 @@ rm -fr %{buildroot}
 # ======================================================
 
 %changelog
+* Wed Feb 20 2013 David Malcolm <dmalcolm at redhat.com> - 2.7.3-23
+- use SHA-256 rather than implicitly using MD5 within the challenge handling
+in multiprocessing.connection (patch 169; rhbz#879695)
+
 * Wed Feb 20 2013 David Malcolm <dmalcolm at redhat.com> - 2.7.3-22
 - fix a problem with distutils.sysconfig when CFLAGS is defined in the
 environment (patch 168; rhbz#849994)

