[python-eyed3/f20] Fixed CVE-2014-1934, patch from Travis Shirk.
pjp
pjp at fedoraproject.org
Wed Nov 19 06:47:13 UTC 2014
commit 42f89e46fcf2f86a1b096c6695bde3b998475f63
Author: P J P <pjp at fedoraproject.org>
Date: Wed Nov 19 12:17:05 2014 +0530
Fixed CVE-2014-1934, patch from Travis Shirk.
0001-Fix-sym-link-attack.patch | 45 ++++++++++++++++++++++++++++++++++++++++
python-eyed3.spec | 12 ++++++++-
2 files changed, 55 insertions(+), 2 deletions(-)
---
diff --git a/0001-Fix-sym-link-attack.patch b/0001-Fix-sym-link-attack.patch
new file mode 100644
index 0000000..e98a1ea
--- /dev/null
+++ b/0001-Fix-sym-link-attack.patch
@@ -0,0 +1,45 @@
+--- a/src/eyed3/id3/tag.py
++++ a/src/eyed3/id3/tag.py
+@@ -946,8 +946,8 @@ class Tag(core.Tag):
+ "padding" % (len(tag_data), len(padding)))
+ if rewrite_required:
+ # Open tmp file
+- tmp_name = tempfile.mktemp()
+- with open(tmp_name, "wb") as tmp_file:
++ with tempfile.NamedTemporaryFile("wb", delete=False) \
++ as tmp_file:
+ tmp_file.write(tag_data + padding)
+
+ # Copy audio data in chunks
+@@ -961,9 +961,11 @@ class Tag(core.Tag):
+ tag_file.seek(seek_point)
+ chunkCopy(tag_file, tmp_file)
+
++ tmp_file.flush()
++
+ # Move tmp to orig.
+- shutil.copyfile(tmp_name, self.file_info.name)
+- os.unlink(tmp_name)
++ shutil.copyfile(tmp_file.name, self.file_info.name)
++ os.unlink(tmp_file.name)
+
+ else:
+ with open(self.file_info.name, "r+b") as tag_file:
+@@ -1118,13 +1120,13 @@ class Tag(core.Tag):
+ tag_file.seek(tag.file_info.tag_size)
+
+ # Open tmp file
+- tmp_name = tempfile.mktemp()
+- with open(tmp_name, "wb") as tmp_file:
++ with tempfile.NamedTemporaryFile("wb", delete=False) \
++ as tmp_file:
+ chunkCopy(tag_file, tmp_file)
+
+ # Move tmp to orig
+- shutil.copyfile(tmp_name, filename)
+- os.unlink(tmp_name)
++ shutil.copyfile(tmp_file.name, filename)
++ os.unlink(tmp_file.name)
+
+ retval |= True
+
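Review bot: The second rewrite site (the inner hunk at `@@ -1118,13 +1120,13 @@`) swaps `mktemp()` for `NamedTemporaryFile("wb", delete=False)` but, unlike the first site, adds no `tmp_file.flush()` before `shutil.copyfile(tmp_file.name, filename)`; if that copy still runs inside the `with` body — the indentation is lost in this listing, so this is inferred from the flush the first site evidently needed — the buffered tail of the copied audio data is not yet on disk when it is read back. Adding `tmp_file.flush()` before the copy, as the first site does, keeps both paths consistent; alternatively move the copy and `os.unlink` after the `with` block so the close itself flushes. In both sites the temporary file now persists (`delete=False`) if anything raises between its creation and `os.unlink(tmp_file.name)`, so the unlink belongs in a `finally:`; the original `mktemp()` race itself is closed, since `NamedTemporaryFile` creates the file exclusively with owner-only permissions. The inner patch's `++++ a/src/eyed3/id3/tag.py` header should read `b/` for a conventional a/b pair, though `%patch1 -p1` strips either prefix. The enclosing `Tag` methods start and end outside the hunk.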
diff --git a/python-eyed3.spec b/python-eyed3.spec
index dca7641..3246490 100644
--- a/python-eyed3.spec
+++ b/python-eyed3.spec
@@ -1,6 +1,6 @@
Name: python-eyed3
Version: 0.7.4
-Release: 2%{?dist}
+Release: 4%{?dist}
Summary: Python audio data toolkit (ID3 and MP3)
License: GPLv2+
URL: http://eyed3.nicfit.net/
@@ -11,6 +11,8 @@ BuildRequires: python-nose
BuildRequires: python-setuptools
Requires: python-magic
+Patch1: 0001-Fix-sym-link-attack.patch
+
%description
A Python module and program for processing ID3 tags. Information about
mp3 files(i.e bit rate, sample frequency, play time, etc.) is also
@@ -18,7 +20,7 @@ provided. The formats supported are ID3 v1.0/v1.1 and v2.3/v2.4.
%prep
%setup -qn eyeD3-%{version}
-
+%patch1 -p1
%build
%{__python2} setup.py build
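Review bot: `%patch1 -p1` replaces the blank line that separated `%prep` from `%build`, so `%build` now follows the patch line directly; keeping a blank line between the two sections matches the spacing used elsewhere in the spec. The `-p1` strip level agrees with the `a/src/...` prefixes inside the patch, so the application itself looks correct.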
@@ -35,6 +37,12 @@ provided. The formats supported are ID3 v1.0/v1.1 and v2.3/v2.4.
%{python2_sitelib}/eyeD3-%{version}-py%{python2_version}.egg-info/
%changelog
+* Wed Nov 19 2014 Mr Niranjan <mrniranjan at fedoraproject.org> - 0.7.4-4
+- Fixed CVE-2014-1934, patch from Travis Shirk.
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.7.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
* Fri Jan 10 2014 Christopher Meng <rpm at cicku.me> - 0.7.4-2
- Dependencies cleanup.