<pre style='margin:0'>
Rainer Müller (raimue) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/46eb18b78bd08e8bdb9b65563f92e8081d31b14e">https://github.com/macports/macports-ports/commit/46eb18b78bd08e8bdb9b65563f92e8081d31b14e</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new 46eb18b bzr: Apply patch for CVE-2017-14176
</span>46eb18b is described below
<span style='display:block; white-space:pre;color:#808000;'>commit 46eb18b78bd08e8bdb9b65563f92e8081d31b14e
</span>Author: Rainer Müller <raimue@macports.org>
AuthorDate: Tue Apr 10 22:02:37 2018 +0200
<span style='display:block; white-space:pre;color:#404040;'> bzr: Apply patch for CVE-2017-14176
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> Closes: https://trac.macports.org/ticket/55439
</span>---
devel/bzr/Portfile | 5 +-
devel/bzr/files/patch-CVE-2017-14176.diff | 160 ++++++++++++++++++++++++++++++
2 files changed, 163 insertions(+), 2 deletions(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/devel/bzr/Portfile b/devel/bzr/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index d0fd2d6..04a7ef1 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/devel/bzr/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/devel/bzr/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3,7 +3,7 @@ PortGroup python 1.0
</span>
name bzr
version 2.6.0
<span style='display:block; white-space:pre;background:#ffe0e0;'>-revision 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+revision 2
</span> set branch [join [lrange [split ${version} .] 0 1] .]
categories devel python
platforms darwin
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -29,7 +29,8 @@ checksums md5 28c86653d0df10d202c6b842deb0ea35\
</span> python.default_version 27
patchfiles patch-setup.py.diff \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- patch-lazy-regex.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ patch-lazy-regex.diff \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ patch-CVE-2017-14176.diff
</span>
depends_lib-append port:py${python.version}-paramiko \
port:py${python.version}-crypto \
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/devel/bzr/files/patch-CVE-2017-14176.diff b/devel/bzr/files/patch-CVE-2017-14176.diff
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..60e5550
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/devel/bzr/files/patch-CVE-2017-14176.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,160 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Upstream: https://bugs.launchpad.net/brz/+bug/1710979
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Upstream: https://sources.debian.org/patches/bzr/2.7.0+bzr6619-7+deb9u1/27_CVE-2017-14176/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Description: Prevent SSH command line options from being specified in bzr+ssh:// URLs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug: https://bugs.launchpad.net/brz/+bug/1710979
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian: https://bugs.debian.org/874429
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14176
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Forwarded: no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Author: Jelmer Vernooij <jelmer@jelmer.uk>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Last-Update: 2017-11-26
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+=== modified file 'bzrlib/tests/test_ssh_transport.py'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- bzrlib/tests/test_ssh_transport.py 2010-10-07 12:45:51 +0000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ bzrlib/tests/test_ssh_transport.py 2017-08-20 01:59:20 +0000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -22,6 +22,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSHCorpSubprocessVendor,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ LSHSubprocessVendor,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSHVendorManager,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ StrangeHostname,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ )
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -161,6 +162,19 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ class SubprocessVendorsTests(TestCase):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ def test_openssh_command_tricked(self):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ vendor = OpenSSHSubprocessVendor()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ self.assertEqual(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ vendor._get_vendor_specific_argv(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "user", "-oProxyCommand=blah", 100, command=["bzr"]),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ["ssh", "-oForwardX11=no", "-oForwardAgent=no",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "-oClearAllForwardings=yes",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "-oNoHostAuthenticationForLocalhost=yes",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "-p", "100",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "-l", "user",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "--",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "-oProxyCommand=blah", "bzr"])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ def test_openssh_command_arguments(self):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ vendor = OpenSSHSubprocessVendor()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ self.assertEqual(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -171,6 +185,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "-oNoHostAuthenticationForLocalhost=yes",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "-p", "100",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "-l", "user",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "--",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "host", "bzr"]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ )
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -184,9 +199,16 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "-oNoHostAuthenticationForLocalhost=yes",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "-p", "100",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "-l", "user",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- "-s", "host", "sftp"]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "-s", "--", "host", "sftp"]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ )
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ def test_openssh_command_tricked(self):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ vendor = SSHCorpSubprocessVendor()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ self.assertRaises(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ StrangeHostname,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ vendor._get_vendor_specific_argv,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "user", "-oProxyCommand=host", 100, command=["bzr"])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ def test_sshcorp_command_arguments(self):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ vendor = SSHCorpSubprocessVendor()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ self.assertEqual(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -209,6 +231,13 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "-s", "sftp", "host"]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ )
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ def test_lsh_command_tricked(self):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ vendor = LSHSubprocessVendor()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ self.assertRaises(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ StrangeHostname,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ vendor._get_vendor_specific_argv,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "user", "-oProxyCommand=host", 100, command=["bzr"])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ def test_lsh_command_arguments(self):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ vendor = LSHSubprocessVendor()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ self.assertEqual(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -231,6 +260,13 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "--subsystem", "sftp", "host"]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ )
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ def test_plink_command_tricked(self):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ vendor = PLinkSubprocessVendor()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ self.assertRaises(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ StrangeHostname,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ vendor._get_vendor_specific_argv,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "user", "-oProxyCommand=host", 100, command=["bzr"])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ def test_plink_command_arguments(self):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ vendor = PLinkSubprocessVendor()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ self.assertEqual(
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+=== modified file 'bzrlib/transport/ssh.py'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- bzrlib/transport/ssh.py 2015-07-31 01:04:41 +0000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ bzrlib/transport/ssh.py 2017-08-20 01:59:20 +0000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -46,6 +46,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ from paramiko.sftp_client import SFTPClient
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++class StrangeHostname(errors.BzrError):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ _fmt = "Refusing to connect to strange SSH hostname %(hostname)s"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SYSTEM_HOSTKEYS = {}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ BZR_HOSTKEYS = {}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -360,6 +364,11 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # tests, but beware of using PIPE which may hang due to not being read.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ _stderr_target = None
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ @staticmethod
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ def _check_hostname(arg):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if arg.startswith('-'):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ raise StrangeHostname(hostname=arg)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ def _connect(self, argv):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Attempt to make a socketpair to use as stdin/stdout for the SSH
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # subprocess. We prefer sockets to pipes because they support
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -424,9 +433,9 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if username is not None:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args.extend(['-l', username])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if subsystem is not None:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- args.extend(['-s', host, subsystem])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ args.extend(['-s', '--', host, subsystem])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- args.extend([host] + command)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ args.extend(['--', host] + command)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return args
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ register_ssh_vendor('openssh', OpenSSHSubprocessVendor())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -439,6 +448,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ command=None):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ self._check_hostname(host)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = [self.executable_path, '-x']
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if port is not None:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args.extend(['-p', str(port)])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -460,6 +470,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ command=None):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ self._check_hostname(host)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = [self.executable_path]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if port is not None:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args.extend(['-p', str(port)])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -481,6 +492,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ command=None):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ self._check_hostname(host)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args = [self.executable_path, '-x', '-a', '-ssh', '-2', '-batch']
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if port is not None:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ args.extend(['-P', str(port)])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span></pre><pre style='margin:0'>
</pre>