X-Original-To: alpine-aports@mail.alpinelinux.org
Delivered-To: alpine-aports@mail.alpinelinux.org
Received: from mail.alpinelinux.org (dallas-a1.alpinelinux.org [127.0.0.1])
	by mail.alpinelinux.org (Postfix) with ESMTP id 5CD4EDCA334
	for <alpine-aports@mail.alpinelinux.org>; Sun, 29 Nov 2015 09:23:53 +0000 (UTC)
Received: from mail-lf0-f44.google.com (mail-lf0-f44.google.com [209.85.215.44])
	(using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
	(No client certificate requested)
	by mail.alpinelinux.org (Postfix) with ESMTPS id C0133DC146B
	for <alpine-aports@lists.alpinelinux.org>; Sun, 29 Nov 2015 09:23:52 +0000 (UTC)
Received: by lfdl133 with SMTP id l133so165298824lfd.2
        for <alpine-aports@lists.alpinelinux.org>; Sun, 29 Nov 2015 01:23:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=kampka-net.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :content-type;
        bh=YOrae4raxnexzDOxEBr5O8VjIWqzkiUtoAWACIqliuw=;
        b=qKTzsH2P7ylY5eBcDGB0Bj+Zt3l8Yo1snwWOVoQOanwWmYwWxTx/dTrhBBWGtPCvBZ
         Ap5axBBFUYatkPRICzH31Ck2+/OtjBrw7bh2QVcnFhGekqPnov/1K10UUdGAyDMSRH11
         czV4vRphkZ7dMIhQQYbF5y4jwinyETuBIVRZSLsg2YgW2TbLw51hUQIVelIioEPNItgU
         ehaXmyGF8jqog1dgeTZcK+Ud++QjY4MeWhI3+gHdHu8gmgbOQ8zO58VTroHqMJ5Uy9Y0
         g8EKX04R/ILOF0WJV3W4CPC5C4q9jaspBy6j+hCuyJBKpD5axnD+ttw+3zQRuAIF94LQ
         YKIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:content-type;
        bh=YOrae4raxnexzDOxEBr5O8VjIWqzkiUtoAWACIqliuw=;
        b=NrPjeo0CVMJ1xK6IlUI0e2Wo+EnMWZ4Z5UcDdRao9ucHofqHmeP/6UVORNkSrNaVU9
         49iPa4YeQGeKOUmyQLNOmDv6egxBhEHvW+FpyyXoC9v8Fcda0cyPUkm5vVBUrdgo+zED
         Ae7asqavxoGFY4ANIYRp2NHbkVVN/gqqK4hKYKw1RStuJ552WZEJBGSnySr0q+YqT1Bc
         4F32TMjbhNaaFHQsnVsDJeV8Ka3CvSU1Qxj9QeM8iVN4SnLRKmwUVB2FtphZkmf8+P3r
         fUMC7GC25nuFlNVEregrQumBN21aWw8hsqSSj3MHc5NhURW4e1p3cueyaM3YSwXR9uXL
         WDBw==
X-Gm-Message-State: ALoCoQkDdGISTfXMTQQPFVahVO0QBYzOFaB0qPxJvMj4bDkh4lPY0o7q+Snh2unDHaXqVkCnhDTU
X-Received: by 10.112.157.36 with SMTP id wj4mr22298653lbb.100.1448789030581;
 Sun, 29 Nov 2015 01:23:50 -0800 (PST)
X-Mailinglist: alpine-aports
Precedence: list
List-Id: Alpine Development <alpine-aports.lists.alpinelinux.org>
List-Unsubscribe: 
	<mailto:alpine-aports+unsubscribe@lists.alpinelinux.org?subject=unsubscribe>
List-Post: <mailto:alpine-aports@lists.alpinelinux.org>
List-Help: <mailto:alpine-aports+help@lists.alpinelinux.org?subject=help>
List-Subscribe: 
	<mailto:alpine-aports+subscribe@lists.alpinelinux.org?subject=subscribe>
MIME-Version: 1.0
References: <1448788940-22886-1-git-send-email-christian@kampka.net>
In-Reply-To: <1448788940-22886-1-git-send-email-christian@kampka.net>
From: Christian Kampka <christian@kampka.net>
Date: Sun, 29 Nov 2015 09:23:41 +0000
Message-ID: <CADq4isQxGeWqTpjn94YzDBPr9=NhPcAsPquQVhaJW-vzEL8MCw@mail.gmail.com>
Subject: [alpine-aports] Re: [PATCH] main/django: security fix CVE-2015-8213
To: alpine-aports@lists.alpinelinux.org
Content-Type: multipart/alternative; boundary=001a11c2abc285cdff0525aa7b8f
X-Virus-Scanned: ClamAV using ClamSMTP

--001a11c2abc285cdff0525aa7b8f
Content-Type: text/plain; charset=UTF-8

FYI, this is a patch against 3.2-stable.

Christian Kampka <christian@kampka.net> schrieb am So., 29. Nov. 2015 um
10:22 Uhr:

> Fixed a settings leak possibility in the date template filter.
> ---
>  main/py-django/APKBUILD            | 24 ++++++++++++---
>  main/py-django/CVE-2015-8213.patch | 63
> ++++++++++++++++++++++++++++++++++++++
>  2 files changed, 82 insertions(+), 5 deletions(-)
>  create mode 100644 main/py-django/CVE-2015-8213.patch
>
> diff --git a/main/py-django/APKBUILD b/main/py-django/APKBUILD
> index 222b1c8..b348f8f 100644
> --- a/main/py-django/APKBUILD
> +++ b/main/py-django/APKBUILD
> @@ -3,7 +3,7 @@
>  pkgname=py-django
>  _pkgname=Django
>  pkgver=1.8.3
> -pkgrel=0
> +pkgrel=1
>  pkgdesc="A high-level Python Web framework"
>  url="http://djangoproject.com/"
>  arch="noarch"
> @@ -13,7 +13,18 @@ depends_dev=""
>  makedepends="python-dev py-setuptools"
>  install=""
>  subpackages=""
> -source="
> http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz
> "
> +source="
> http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz
> +       CVE-2015-8213.patch
> +"
> +
> +prepare() {
> +       cd "$srcdir"/Django-$pkgver
> +       for i in $source; do
> +       case $i in
> +               *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
> +               esac
> +       done
> +}
>
>  _builddir="$srcdir"/$_pkgname-$pkgver
>  build() {
> @@ -26,6 +37,9 @@ package() {
>         python setup.py install --root "$pkgdir" || return 1
>  }
>
> -md5sums="31760322115c3ae51fbd8ac85c9ac428  Django-1.8.3.tar.gz"
> -sha256sums="2bb654fcc05fd53017c88caf2bc38b5c5ea23c91f8ac7f0a28b290daf2305bba
> Django-1.8.3.tar.gz"
> -sha512sums="17943c4769bb11125ee23cee6e05ce120a769ff46b9b380219bb28a42d4119082c2041fbc826d59707cb9f2cd1dc19c94beb61ac644e8c4fa5ba3bd528efa06e
> Django-1.8.3.tar.gz"
> +md5sums="31760322115c3ae51fbd8ac85c9ac428  Django-1.8.3.tar.gz
> +782f8609cee5028ce7b16e7fc397a319  CVE-2015-8213.patch"
> +sha256sums="2bb654fcc05fd53017c88caf2bc38b5c5ea23c91f8ac7f0a28b290daf2305bba
> Django-1.8.3.tar.gz
> +02b1a2642dc252b06672af0becffbf6a6184f434132c5394cedf54730b0208c9
> CVE-2015-8213.patch"
> +sha512sums="17943c4769bb11125ee23cee6e05ce120a769ff46b9b380219bb28a42d4119082c2041fbc826d59707cb9f2cd1dc19c94beb61ac644e8c4fa5ba3bd528efa06e
> Django-1.8.3.tar.gz
> +b5f32137c382c2c8240fe6a8d4f06a8ab37012bb5e0b82d6bb0df7ae9dd9f595c0e9bd15f23d360978f395b86eade859617279dfb91f5c303c8ccdd3accfeb06
> CVE-2015-8213.patch"
> diff --git a/main/py-django/CVE-2015-8213.patch
> b/main/py-django/CVE-2015-8213.patch
> new file mode 100644
> index 0000000..392e198
> --- /dev/null
> +++ b/main/py-django/CVE-2015-8213.patch
> @@ -0,0 +1,63 @@
> +From 316bc3fc9437c5960c24baceb93c73f1939711e4 Mon Sep 17 00:00:00 2001
> +From: Florian Apolloner <florian@apolloner.eu>
> +Date: Wed, 11 Nov 2015 20:10:55 +0100
> +Subject: [PATCH] Fixed a settings leak possibility in the date template
> + filter.
> +
> +This is a security fix.
> +---
> + django/utils/formats.py  | 20 ++++++++++++++++++++
> + tests/i18n/tests.py      |  3 +++
> + 4 files changed, 51 insertions(+), 2 deletions(-)
> +
> +diff --git a/django/utils/formats.py b/django/utils/formats.py
> +index d2bdda4..8334682 100644
> +--- a/django/utils/formats.py
> ++++ b/django/utils/formats.py
> +@@ -30,6 +30,24 @@
> + }
> +
> +
> ++FORMAT_SETTINGS = frozenset([
> ++    'DECIMAL_SEPARATOR',
> ++    'THOUSAND_SEPARATOR',
> ++    'NUMBER_GROUPING',
> ++    'FIRST_DAY_OF_WEEK',
> ++    'MONTH_DAY_FORMAT',
> ++    'TIME_FORMAT',
> ++    'DATE_FORMAT',
> ++    'DATETIME_FORMAT',
> ++    'SHORT_DATE_FORMAT',
> ++    'SHORT_DATETIME_FORMAT',
> ++    'YEAR_MONTH_FORMAT',
> ++    'DATE_INPUT_FORMATS',
> ++    'TIME_INPUT_FORMATS',
> ++    'DATETIME_INPUT_FORMATS',
> ++])
> ++
> ++
> + def reset_format_cache():
> +     """Clear any cached formats.
> +
> +@@ -92,6 +110,8 @@ def get_format(format_type, lang=None, use_l10n=None):
> +     be localized (or not), overriding the value of settings.USE_L10N.
> +     """
> +     format_type = force_str(format_type)
> ++    if format_type not in FORMAT_SETTINGS:
> ++        return format_type
> +     if use_l10n or (use_l10n is None and settings.USE_L10N):
> +         if lang is None:
> +             lang = get_language()
> +diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py
> +index 1de7b11..fd332c5 100644
> +--- a/tests/i18n/tests.py
> ++++ b/tests/i18n/tests.py
> +@@ -1249,6 +1249,9 @@ def test_localized_as_text_as_hidden_input(self):
> +                 '<input id="id_cents_paid" name="cents_paid"
> type="hidden" value="59,47" />'
> +             )
> +
> ++    def test_format_arbitrary_settings(self):
> ++        self.assertEqual(get_format('DEBUG'), 'DEBUG')
> ++
> +
> + class MiscTests(SimpleTestCase):
> --
> 2.6.2
>
>

--001a11c2abc285cdff0525aa7b8f
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">FYI, this is a patch against 3.2-stable.</div><br><div cla=
ss=3D"gmail_quote"><div dir=3D"ltr">Christian Kampka &lt;<a href=3D"mailto:=
christian@kampka.net">christian@kampka.net</a>&gt; schrieb am So., 29. Nov.=
 2015 um 10:22=C2=A0Uhr:<br></div><blockquote class=3D"gmail_quote" style=
=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Fixed a =
settings leak possibility in the date template filter.<br>
---<br>
=C2=A0main/py-django/APKBUILD=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 | 24=
 ++++++++++++---<br>
=C2=A0main/py-django/CVE-2015-8213.patch | 63 +++++++++++++++++++++++++++++=
+++++++++<br>
=C2=A02 files changed, 82 insertions(+), 5 deletions(-)<br>
=C2=A0create mode 100644 main/py-django/CVE-2015-8213.patch<br>
<br>
diff --git a/main/py-django/APKBUILD b/main/py-django/APKBUILD<br>
index 222b1c8..b348f8f 100644<br>
--- a/main/py-django/APKBUILD<br>
+++ b/main/py-django/APKBUILD<br>
@@ -3,7 +3,7 @@<br>
=C2=A0pkgname=3Dpy-django<br>
=C2=A0_pkgname=3DDjango<br>
=C2=A0pkgver=3D1.8.3<br>
-pkgrel=3D0<br>
+pkgrel=3D1<br>
=C2=A0pkgdesc=3D&quot;A high-level Python Web framework&quot;<br>
=C2=A0url=3D&quot;<a href=3D"http://djangoproject.com/" rel=3D"noreferrer" =
target=3D"_blank">http://djangoproject.com/</a>&quot;<br>
=C2=A0arch=3D&quot;noarch&quot;<br>
@@ -13,7 +13,18 @@ depends_dev=3D&quot;&quot;<br>
=C2=A0makedepends=3D&quot;python-dev py-setuptools&quot;<br>
=C2=A0install=3D&quot;&quot;<br>
=C2=A0subpackages=3D&quot;&quot;<br>
-source=3D&quot;<a href=3D"http://pypi.python.org/packages/source/$%7B_pkgn=
ame:0:1%7D/$_pkgname/$_pkgname-$pkgver.tar.gz" rel=3D"noreferrer" target=3D=
"_blank">http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$=
_pkgname-$pkgver.tar.gz</a>&quot;<br>
+source=3D&quot;<a href=3D"http://pypi.python.org/packages/source/$%7B_pkgn=
ame:0:1%7D/$_pkgname/$_pkgname-$pkgver.tar.gz" rel=3D"noreferrer" target=3D=
"_blank">http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$=
_pkgname-$pkgver.tar.gz</a><br>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0CVE-2015-8213.patch<br>
+&quot;<br>
+<br>
+prepare() {<br>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0cd &quot;$srcdir&quot;/Django-$pkgver<br>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0for i in $source; do<br>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0case $i in<br>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0*.patch) msg $i; pa=
tch -p1 -i &quot;$srcdir&quot;/$i || return 1;;<br>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0esac<br>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0done<br>
+}<br>
<br>
=C2=A0_builddir=3D&quot;$srcdir&quot;/$_pkgname-$pkgver<br>
=C2=A0build() {<br>
@@ -26,6 +37,9 @@ package() {<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 python setup.py install --root &quot;$pkgdir&qu=
ot; || return 1<br>
=C2=A0}<br>
<br>
-md5sums=3D&quot;31760322115c3ae51fbd8ac85c9ac428=C2=A0 Django-1.8.3.tar.gz=
&quot;<br>
-sha256sums=3D&quot;2bb654fcc05fd53017c88caf2bc38b5c5ea23c91f8ac7f0a28b290d=
af2305bba=C2=A0 Django-1.8.3.tar.gz&quot;<br>
-sha512sums=3D&quot;17943c4769bb11125ee23cee6e05ce120a769ff46b9b380219bb28a=
42d4119082c2041fbc826d59707cb9f2cd1dc19c94beb61ac644e8c4fa5ba3bd528efa06e=
=C2=A0 Django-1.8.3.tar.gz&quot;<br>
+md5sums=3D&quot;31760322115c3ae51fbd8ac85c9ac428=C2=A0 Django-1.8.3.tar.gz=
<br>
+782f8609cee5028ce7b16e7fc397a319=C2=A0 CVE-2015-8213.patch&quot;<br>
+sha256sums=3D&quot;2bb654fcc05fd53017c88caf2bc38b5c5ea23c91f8ac7f0a28b290d=
af2305bba=C2=A0 Django-1.8.3.tar.gz<br>
+02b1a2642dc252b06672af0becffbf6a6184f434132c5394cedf54730b0208c9=C2=A0 CVE=
-2015-8213.patch&quot;<br>
+sha512sums=3D&quot;17943c4769bb11125ee23cee6e05ce120a769ff46b9b380219bb28a=
42d4119082c2041fbc826d59707cb9f2cd1dc19c94beb61ac644e8c4fa5ba3bd528efa06e=
=C2=A0 Django-1.8.3.tar.gz<br>
+b5f32137c382c2c8240fe6a8d4f06a8ab37012bb5e0b82d6bb0df7ae9dd9f595c0e9bd15f2=
3d360978f395b86eade859617279dfb91f5c303c8ccdd3accfeb06=C2=A0 CVE-2015-8213.=
patch&quot;<br>
diff --git a/main/py-django/CVE-2015-8213.patch b/main/py-django/CVE-2015-8=
213.patch<br>
new file mode 100644<br>
index 0000000..392e198<br>
--- /dev/null<br>
+++ b/main/py-django/CVE-2015-8213.patch<br>
@@ -0,0 +1,63 @@<br>
+From 316bc3fc9437c5960c24baceb93c73f1939711e4 Mon Sep 17 00:00:00 2001<br>
+From: Florian Apolloner &lt;<a href=3D"mailto:florian@apolloner.eu" target=
=3D"_blank">florian@apolloner.eu</a>&gt;<br>
+Date: Wed, 11 Nov 2015 20:10:55 +0100<br>
+Subject: [PATCH] Fixed a settings leak possibility in the date template<br=
>
+ filter.<br>
+<br>
+This is a security fix.<br>
+---<br>
+ django/utils/formats.py=C2=A0 | 20 ++++++++++++++++++++<br>
+ tests/i18n/tests.py=C2=A0 =C2=A0 =C2=A0 |=C2=A0 3 +++<br>
+ 4 files changed, 51 insertions(+), 2 deletions(-)<br>
+<br>
+diff --git a/django/utils/formats.py b/django/utils/formats.py<br>
+index d2bdda4..8334682 100644<br>
+--- a/django/utils/formats.py<br>
++++ b/django/utils/formats.py<br>
+@@ -30,6 +30,24 @@<br>
+ }<br>
+<br>
+<br>
++FORMAT_SETTINGS =3D frozenset([<br>
++=C2=A0 =C2=A0 &#39;DECIMAL_SEPARATOR&#39;,<br>
++=C2=A0 =C2=A0 &#39;THOUSAND_SEPARATOR&#39;,<br>
++=C2=A0 =C2=A0 &#39;NUMBER_GROUPING&#39;,<br>
++=C2=A0 =C2=A0 &#39;FIRST_DAY_OF_WEEK&#39;,<br>
++=C2=A0 =C2=A0 &#39;MONTH_DAY_FORMAT&#39;,<br>
++=C2=A0 =C2=A0 &#39;TIME_FORMAT&#39;,<br>
++=C2=A0 =C2=A0 &#39;DATE_FORMAT&#39;,<br>
++=C2=A0 =C2=A0 &#39;DATETIME_FORMAT&#39;,<br>
++=C2=A0 =C2=A0 &#39;SHORT_DATE_FORMAT&#39;,<br>
++=C2=A0 =C2=A0 &#39;SHORT_DATETIME_FORMAT&#39;,<br>
++=C2=A0 =C2=A0 &#39;YEAR_MONTH_FORMAT&#39;,<br>
++=C2=A0 =C2=A0 &#39;DATE_INPUT_FORMATS&#39;,<br>
++=C2=A0 =C2=A0 &#39;TIME_INPUT_FORMATS&#39;,<br>
++=C2=A0 =C2=A0 &#39;DATETIME_INPUT_FORMATS&#39;,<br>
++])<br>
++<br>
++<br>
+ def reset_format_cache():<br>
+=C2=A0 =C2=A0 =C2=A0&quot;&quot;&quot;Clear any cached formats.<br>
+<br>
+@@ -92,6 +110,8 @@ def get_format(format_type, lang=3DNone, use_l10n=3DNon=
e):<br>
+=C2=A0 =C2=A0 =C2=A0be localized (or not), overriding the value of setting=
s.USE_L10N.<br>
+=C2=A0 =C2=A0 =C2=A0&quot;&quot;&quot;<br>
+=C2=A0 =C2=A0 =C2=A0format_type =3D force_str(format_type)<br>
++=C2=A0 =C2=A0 if format_type not in FORMAT_SETTINGS:<br>
++=C2=A0 =C2=A0 =C2=A0 =C2=A0 return format_type<br>
+=C2=A0 =C2=A0 =C2=A0if use_l10n or (use_l10n is None and settings.USE_L10N=
):<br>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0if lang is None:<br>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0lang =3D get_language()<br=
>
+diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py<br>
+index 1de7b11..fd332c5 100644<br>
+--- a/tests/i18n/tests.py<br>
++++ b/tests/i18n/tests.py<br>
+@@ -1249,6 +1249,9 @@ def test_localized_as_text_as_hidden_input(self):<br=
>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0&#39;&lt;inp=
ut id=3D&quot;id_cents_paid&quot; name=3D&quot;cents_paid&quot; type=3D&quo=
t;hidden&quot; value=3D&quot;59,47&quot; /&gt;&#39;<br>
+=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0)<br>
+<br>
++=C2=A0 =C2=A0 def test_format_arbitrary_settings(self):<br>
++=C2=A0 =C2=A0 =C2=A0 =C2=A0 self.assertEqual(get_format(&#39;DEBUG&#39;),=
 &#39;DEBUG&#39;)<br>
++<br>
+<br>
+ class MiscTests(SimpleTestCase):<br>
--<br>
2.6.2<br>
<br>
</blockquote></div>

--001a11c2abc285cdff0525aa7b8f--


---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---