[fish] Fix the fixes

amluto amluto at fedoraproject.org
Tue Aug 12 01:26:28 UTC 2014


commit 3386c6f6b57e37d0bbc9e6b833525327c1172127
Author: Andy Lutomirski <luto at amacapital.net>
Date:   Mon Aug 11 18:26:23 2014 -0700

    Fix the fixes

 fish-webconfig-CVE-2014-2914-followup-4.patch |   28 +++++++++++++++++++++++++
 fish.spec                                     |    7 ++++++
 2 files changed, 35 insertions(+), 0 deletions(-)
---
diff --git a/fish-webconfig-CVE-2014-2914-followup-4.patch b/fish-webconfig-CVE-2014-2914-followup-4.patch
new file mode 100644
index 0000000..c0a2603
--- /dev/null
+++ b/fish-webconfig-CVE-2014-2914-followup-4.patch
@@ -0,0 +1,28 @@
+commit a7f1e81e6ac23fe4b6fd86023681e2975703078d
+Author: Andy Lutomirski <luto at amacapital.net>
+Date:   Mon Aug 11 18:18:21 2014 -0700
+
+    webconfig: Convert authkey to hex correctly
+
+diff --git a/share/tools/web_config/webconfig.py b/share/tools/web_config/webconfig.py
+index 5c7d2b9..43d2ced 100755
+--- a/share/tools/web_config/webconfig.py
++++ b/share/tools/web_config/webconfig.py
+@@ -17,7 +17,7 @@ else:
+     from urllib.parse import parse_qs
+ import webbrowser
+ import subprocess
+-import re, socket, os, sys, cgi, select, time, glob, random, string
++import re, socket, os, sys, cgi, select, time, glob, random, string, binascii
+ try:
+     import json
+ except ImportError:
+@@ -654,7 +654,7 @@ where = os.path.dirname(sys.argv[0])
+ os.chdir(where)
+ 
+ # Generate a 16-byte random key as a hexadecimal string
+-authkey = hex(os.urandom(16))[2:]
++authkey = binascii.b2a_hex(os.urandom(16))
+ 
+ # Try to find a suitable port
+ PORT = 8000
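Review bot: `binascii.b2a_hex(os.urandom(16))` returns `bytes` on Python 3, and this file evidently also runs there (the `from urllib.parse import parse_qs` branch in the first embedded hunk), so `authkey` is a `str` on Python 2 but `bytes` on Python 3. The code that uses the key is outside the hunk, so this is inferred, but if the key is formatted into the URL or compared with a value parsed from a request, Python 3 would render it as `b'...'` or never match a `str`. Decoding where the key is created keeps the type uniform and matches the existing comment's "hexadecimal string": `authkey = binascii.b2a_hex(os.urandom(16)).decode('ascii')`.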
diff --git a/fish.spec b/fish.spec
index 8a96b26..e5760f2 100644
--- a/fish.spec
+++ b/fish.spec
@@ -18,6 +18,7 @@ Patch7:                 fish-upstream-CVE-2014-2906.patch
 Patch8:                 fish-webconfig-CVE-2014-2914-followup-1.patch
 Patch9:                 fish-webconfig-CVE-2014-2914-followup-2.patch
 Patch10:                fish-webconfig-CVE-2014-2914-followup-3.patch
+Patch11:                fish-webconfig-CVE-2014-2914-followup-4.patch
 
 BuildRequires:          ncurses-devel gettext groff doxygen
 
@@ -39,6 +40,12 @@ nothing to learn or configure.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
 
 # This is unused.  If we fiddle with Python versions, its presence will
 # be confusing.
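Review bot: The added `%patch6` through `%patch10` lines in %prep suggest that the earlier patches, including `fish-upstream-CVE-2014-2906.patch` and the CVE-2014-2914 follow-ups declared as Patch8–Patch10, were listed but apparently not applied before this commit, and nothing in the spec records that. The diffstat's 7 insertions in fish.spec are fully accounted for by these two hunks, so this commit carries no Release bump and no %changelog entry. Someone auditing the package history cannot tell which builds actually contain the CVE fixes. I would add a %changelog line such as `- Actually apply Patch6-Patch10 (CVE-2014-2906, CVE-2014-2914 follow-ups); add follow-up 4` and bump Release so the fixed build is distinguishable. `%patch6` also relies on a `Patch6:` declaration above the first hunk, which is not visible here.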

