[python-oauth2/f21] fix CVE-2013-4346 and CVE-2013-4347 (thanks to Philippe Makowski)
Tom Callaway
spot at fedoraproject.org
Fri Sep 12 18:43:35 UTC 2014
commit 268305bd32bdd0cf9d7f8bbc173f6b658da7161b
Author: Tom Callaway <spot at fedoraproject.org>
Date: Fri Sep 12 14:43:25 2014 -0400
fix CVE-2013-4346 and CVE-2013-4347 (thanks to Philippe Makowski)
python-oauth2-CVE-2013-4346.patch | 61 +++++++++++++++++++++++++++++++++++++
python-oauth2-CVE-2013-4347.patch | 27 ++++++++++++++++
python-oauth2.spec | 10 +++++-
3 files changed, 97 insertions(+), 1 deletions(-)
---
diff --git a/python-oauth2-CVE-2013-4346.patch b/python-oauth2-CVE-2013-4346.patch
new file mode 100644
index 0000000..79f97fe
--- /dev/null
+++ b/python-oauth2-CVE-2013-4346.patch
@@ -0,0 +1,61 @@
+diff -up oauth2-1.5.211/oauth2/__init__.py.CVE-2013-4346 oauth2-1.5.211/oauth2/__init__.py
+--- oauth2-1.5.211/oauth2/__init__.py.CVE-2013-4346 2014-09-12 14:29:33.442410347 -0400
++++ oauth2-1.5.211/oauth2/__init__.py 2014-09-12 14:29:37.475344940 -0400
+@@ -697,10 +697,18 @@ class Server(object):
+ timestamp_threshold = 300 # In seconds, five minutes.
+ version = OAUTH_VERSION
+ signature_methods = None
++ data_store = None
+
+- def __init__(self, signature_methods=None):
++ def __init__(self, signature_methods=None, data_store=None):
++ self.data_store = data_store
+ self.signature_methods = signature_methods or {}
+
++ def set_data_store(self, data_store):
++ self.data_store = data_store
++
++ def get_data_store(self):
++ return self.data_store
++
+ def add_signature_method(self, signature_method):
+ self.signature_methods[signature_method.name] = signature_method
+ return self.signature_methods
+@@ -754,6 +762,7 @@ class Server(object):
+ def _check_signature(self, request, consumer, token):
+ timestamp, nonce = request._get_timestamp_nonce()
+ self._check_timestamp(timestamp)
++ self._check_nonce(consumer, token, nonce)
+ signature_method = self._get_signature_method(request)
+
+ try:
+@@ -780,6 +789,29 @@ class Server(object):
+ 'greater difference than threshold %d' % (timestamp, now,
+ self.timestamp_threshold))
+
++ def _check_nonce(self, consumer, token, nonce):
++ """Verify that the nonce is uniqueish."""
++ if self.data_store is not None:
++ nonce = self.data_store.lookup_nonce(consumer, token, nonce)
++ if nonce:
++ raise Error('Nonce already used: %s' % str(nonce))
++
++class DataStore(object):
++
++ """A database abstraction used to lookup nonce.
++
++To use your backend store with the `oauth` module, implement a subclass of
++this class that performs its methods using your database or storage
++system. Then, when using `oauth.Server`, supply it with an instance of
++your custom `DataStore` class to have objects stored in natively in your
++own data store.
++
++"""
++
++ def lookup_nonce(self, consumer, token, nonce):
++ """-> OAuthToken."""
++ raise NotImplementedError
++
+
+ class SignatureMethod(object):
+ """A way of signing requests.
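Review bot: `lookup_nonce` at the end of the hunk is documented as `"""-> OAuthToken."""`, but `_check_nonce` only uses its return value as a truthiness flag and raises `Error` when it is truthy, so the docstring misstates the contract; suggest `"""Return a truthy value if (consumer, token, nonce) has already been seen, else a falsy one."""`. Nothing in the hunk records a nonce after a check passes, so a `DataStore` subclass presumably has to persist the nonce inside `lookup_nonce` itself for replay detection to work, and that expectation belongs in the `DataStore` class docstring. With the default `data_store=None` the body of `_check_nonce` is skipped entirely, so the replay protection is opt-in; a one-line comment there, e.g. `# No store configured: nonce reuse cannot be detected`, would make that explicit. The `DataStore` docstring body is also unindented relative to the class, which is inconsistent with the rest of the module.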
diff --git a/python-oauth2-CVE-2013-4347.patch b/python-oauth2-CVE-2013-4347.patch
new file mode 100644
index 0000000..fe4f99c
--- /dev/null
+++ b/python-oauth2-CVE-2013-4347.patch
@@ -0,0 +1,27 @@
+diff -up oauth2-1.5.211/oauth2/__init__.py.CVE-2013-4347 oauth2-1.5.211/oauth2/__init__.py
+--- oauth2-1.5.211/oauth2/__init__.py.CVE-2013-4347 2014-09-12 14:34:21.762620879 -0400
++++ oauth2-1.5.211/oauth2/__init__.py 2014-09-12 14:35:26.695711288 -0400
+@@ -164,12 +164,12 @@ def generate_timestamp():
+
+ def generate_nonce(length=8):
+ """Generate pseudorandom number."""
+- return ''.join([str(random.randint(0, 9)) for i in range(length)])
++ return ''.join([str(random.SystemRandom().randint(0, 9)) for i in range(length)])
+
+
+ def generate_verifier(length=8):
+ """Generate pseudorandom number."""
+- return ''.join([str(random.randint(0, 9)) for i in range(length)])
++ return ''.join([str(random.SystemRandom().randint(0, 9)) for i in range(length)])
+
+
+ class Consumer(object):
+@@ -509,7 +509,7 @@ class Request(dict):
+ @classmethod
+ def make_nonce(cls):
+ """Generate pseudorandom number."""
+- return str(random.randint(0, 100000000))
++ return str(random.SystemRandom().randint(0, 100000000))
+
+ @classmethod
+ def from_request(cls, http_method, http_url, headers=None, parameters=None,
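Review bot: `random.SystemRandom()` is constructed anew for every digit inside the list comprehensions in `generate_nonce` and `generate_verifier`, and again on each call in `make_nonce`; a single module-level instance, `_sysrand = random.SystemRandom()`, reused as `str(_sysrand.randint(0, 9))` and `str(_sysrand.randint(0, 100000000))`, is the conventional form and avoids re-creating the object per digit. Switching to the OS-backed generator addresses the predictability issue, but the output space is unchanged: an 8-digit decimal value gives roughly 26.6 bits, bounded by the `length` default rather than by the generator, so the `generate_nonce`/`generate_verifier` docstrings could note that callers wanting more unpredictability should pass a larger `length`.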
diff --git a/python-oauth2.spec b/python-oauth2.spec
index d2a002e..62fee15 100644
--- a/python-oauth2.spec
+++ b/python-oauth2.spec
@@ -1,13 +1,17 @@
Name: python-oauth2
Summary: Python support for improved oauth
Version: 1.5.211
-Release: 6%{?dist}
+Release: 7%{?dist}
License: MIT
Group: System Environment/Libraries
Source0: http://pypi.python.org/packages/source/o/oauth2/oauth2-%{version}.tar.gz
# https://github.com/simplegeo/python-oauth2/pull/108
# https://bugzilla.redhat.com/show_bug.cgi?id=784426
Patch0: python-oauth2-multiple-GET-fix.patch
+# https://github.com/pmakowski/python-oauth2/commit/7002422bb39bc137713933bc2e55251853830fcc
+Patch1: python-oauth2-CVE-2013-4346.patch
+# https://github.com/pmakowski/python-oauth2/commit/d7f5cb079c9517703778bac08c7ed5591ad4487d
+Patch2: python-oauth2-CVE-2013-4347.patch
URL: http://pypi.python.org/pypi/oauth2/
BuildArch: noarch
BuildRequires: python-devel, python-setuptools, python-simplejson
@@ -36,6 +40,7 @@ number of notable differences exist between this code and its forefathers:
%prep
%setup -q -n oauth2-%{version}
%patch0 -p1 -b .multiple-GET-fix
+%patch1 -p1 -b .CVE-2013-4346
%build
%{__python} setup.py build
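Review bot: `%prep` applies only `%patch1`, so `Patch2: python-oauth2-CVE-2013-4347.patch` declared in the earlier hunk of this file is never applied and the built package still ships the `random.randint`-based nonce generation that the changelog entry says is fixed; add `%patch2 -p1 -b .CVE-2013-4347` directly after the `%patch1` line. A declared but unapplied `PatchN` does not, as far as I know, make `rpmbuild` fail, so this is easy to miss without inspecting the build log or the patched source tree.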
@@ -57,6 +62,9 @@ rm -rf %{buildroot}%{python_sitelib}/tests/
%{python_sitelib}/oauth2-%{version}-*.egg-info/
%changelog
+* Fri Sep 12 2014 Tom Callaway <spot at fedoraproject.org> - 1.5.211-7
+- Fix CVE-2013-4346 and CVE-2013-4347 (thanks to Philippe Makowski)
+
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.5.211-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild