[python] 2.7.3-23: use SHA-256 rather than MD5 in multiprocessing.connection (patch 169; rhbz#879695)
dmalcolm
dmalcolm at fedoraproject.org
Wed Feb 20 20:26:10 UTC 2013
commit 41aa0d34f7037b69d9a615cfb8d36a3ebccecf4b
Author: David Malcolm <dmalcolm at redhat.com>
Date: Wed Feb 20 15:25:17 2013 -0500
2.7.3-23: use SHA-256 rather than MD5 in multiprocessing.connection (patch 169; rhbz#879695)
* Wed Feb 20 2013 David Malcolm <dmalcolm at redhat.com> - 2.7.3-23
- use SHA-256 rather than implicitly using MD5 within the challenge handling
in multiprocessing.connection (patch 169; rhbz#879695)
...-implicit-usage-of-md5-in-multiprocessing.patch | 41 ++++++++++++++++++++
python.spec | 15 +++++++-
2 files changed, 55 insertions(+), 1 deletions(-)
---
diff --git a/00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch b/00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch
new file mode 100644
index 0000000..debf92f
--- /dev/null
+++ b/00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch
@@ -0,0 +1,41 @@
+diff --git a/Lib/multiprocessing/connection.py b/Lib/multiprocessing/connection.py
+--- a/Lib/multiprocessing/connection.py
++++ b/Lib/multiprocessing/connection.py
+@@ -41,6 +41,10 @@
+ # A very generous timeout when it comes to local connections...
+ CONNECTION_TIMEOUT = 20.
+
++# The hmac module implicitly defaults to using MD5.
++# Support using a stronger algorithm for the challenge/response code:
++HMAC_DIGEST_NAME='sha256'
++
+ _mmap_counter = itertools.count()
+
+ default_family = 'AF_INET'
+@@ -700,12 +704,16 @@
+ WELCOME = b'#WELCOME#'
+ FAILURE = b'#FAILURE#'
+
++def get_digestmod_for_hmac():
++ import hashlib
++ return getattr(hashlib, HMAC_DIGEST_NAME)
++
+ def deliver_challenge(connection, authkey):
+ import hmac
+ assert isinstance(authkey, bytes)
+ message = os.urandom(MESSAGE_LENGTH)
+ connection.send_bytes(CHALLENGE + message)
+- digest = hmac.new(authkey, message).digest()
++ digest = hmac.new(authkey, message, get_digestmod_for_hmac()).digest()
+ response = connection.recv_bytes(256) # reject large message
+ if response == digest:
+ connection.send_bytes(WELCOME)
+@@ -719,7 +727,7 @@
+ message = connection.recv_bytes(256) # reject large message
+ assert message[:len(CHALLENGE)] == CHALLENGE, 'message = %r' % message
+ message = message[len(CHALLENGE):]
+- digest = hmac.new(authkey, message).digest()
++ digest = hmac.new(authkey, message, get_digestmod_for_hmac()).digest()
+ connection.send_bytes(digest)
+ response = connection.recv_bytes(256) # reject large message
+ if response != WELCOME:
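Review bot: The digest algorithm is fixed by the module constant `HMAC_DIGEST_NAME` and never communicated to the peer, so a process running this patched connection.py cannot authenticate against an unpatched Python 2.7 that still computes the MD5-based HMAC from the same authkey; both `hmac.new(authkey, message, get_digestmod_for_hmac())` lines in this hunk produce digests the other side will reject. That trade-off is not recorded anywhere in the patch; the failure presumably surfaces as an AuthenticationError (the else branches are outside the hunk) with no hint that the algorithms differ, so the comment above the constant should say so, e.g. `# NOTE: no negotiation takes place; both peers must use the same HMAC_DIGEST_NAME, otherwise the handshake fails.` The comparison `if response == digest:` remains an ordinary equality test on the HMAC value; a constant-time comparison would be preferable, but this line is pre-existing and `hmac.compare_digest` is not available in a 2.7.3 baseline, so it is a follow-up rather than a blocker. Style: `HMAC_DIGEST_NAME='sha256'` should be spaced per PEP 8 as `HMAC_DIGEST_NAME = 'sha256'`. Both deliver_challenge and the second function (its def is above the hunk) continue past the hunk's edges.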
diff --git a/python.spec b/python.spec
index 309c258..2873931 100644
--- a/python.spec
+++ b/python.spec
@@ -106,7 +106,7 @@ Summary: An interpreted, interactive, object-oriented programming language
Name: %{python}
# Remember to also rebase python-docs when changing this:
Version: 2.7.3
-Release: 22%{?dist}
+Release: 23%{?dist}
License: Python
Group: Development/Languages
Requires: %{python}-libs%{?_isa} = %{version}-%{release}
@@ -763,6 +763,14 @@ Patch167: 00167-disable-stack-navigation-tests-when-optimized-in-test_gdb.patch
# (rhbz#849994)
Patch168: 00168-distutils-cflags.patch
+# 00169 #
+# Use SHA-256 rather than implicitly using MD5 within the challenge handling
+# in multiprocessing.connection
+#
+# Sent upstream as http://bugs.python.org/issue17258
+# (rhbz#879695)
+Patch169: 00169-avoid-implicit-usage-of-md5-in-multiprocessing.patch
+
# (New patches go here ^^^)
#
# When adding new patches to "python" and "python3" in Fedora 17 onwards,
@@ -1098,6 +1106,7 @@ mv Modules/cryptmodule.c Modules/_cryptmodule.c
%patch166 -p1
%patch167 -p1
%patch168 -p1
+%patch169 -p1
# This shouldn't be necesarry, but is right now (2.2a3)
@@ -1928,6 +1937,10 @@ rm -fr %{buildroot}
# ======================================================
%changelog
+* Wed Feb 20 2013 David Malcolm <dmalcolm at redhat.com> - 2.7.3-23
+- use SHA-256 rather than implicitly using MD5 within the challenge handling
+in multiprocessing.connection (patch 169; rhbz#879695)
+
* Wed Feb 20 2013 David Malcolm <dmalcolm at redhat.com> - 2.7.3-22
- fix a problem with distutils.sysconfig when CFLAGS is defined in the
environment (patch 168; rhbz#849994)