author | Ian Delaney <idella4@gentoo.org> | 2014-03-26 07:46:17 +0000 |
---|---|---|
committer | Ian Delaney <idella4@gentoo.org> | 2014-03-26 07:46:17 +0000 |
commit | 8330b116953f922de69cc70145c1ad549f5b61fd (patch) | |
tree | b282af85b49fd89e4e89451dc309fe6e7be33756 /dev-python/pyxdg | |
parent | Needs sys-libs/libstdc++-v3[multilib] (noticed after change due bug #435094) (diff) | |
add sec patch wrt Bug #498934, rm old
Package-Manager: portage-2.2.8-r1/cvs/Linux x86_64
Manifest-Sign-Key: 0xB8072B0D
Diffstat (limited to 'dev-python/pyxdg')
-rw-r--r-- | dev-python/pyxdg/ChangeLog | 11 | ||||
-rw-r--r-- | dev-python/pyxdg/Manifest | 26 | ||||
-rw-r--r-- | dev-python/pyxdg/files/sec-patch-CVE-2014-1624.patch | 54 | ||||
-rw-r--r-- | dev-python/pyxdg/pyxdg-0.23.ebuild | 33 | ||||
-rw-r--r-- | dev-python/pyxdg/pyxdg-0.24.ebuild | 25 | ||||
-rw-r--r-- | dev-python/pyxdg/pyxdg-0.25-r1.ebuild | 27 |
6 files changed, 96 insertions, 80 deletions
diff --git a/dev-python/pyxdg/ChangeLog b/dev-python/pyxdg/ChangeLog index 4af003b8d9ab..265b64103bb0 100644 --- a/dev-python/pyxdg/ChangeLog +++ b/dev-python/pyxdg/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for dev-python/pyxdg -# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/dev-python/pyxdg/ChangeLog,v 1.118 2013/10/12 18:47:08 hwoarang Exp $ +# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/dev-python/pyxdg/ChangeLog,v 1.119 2014/03/26 07:45:51 idella4 Exp $ + +*pyxdg-0.25-r1 (26 Mar 2014) + + 26 Mar 2014; Ian Delaney <idella4@gentoo.org> + +files/sec-patch-CVE-2014-1624.patch, +pyxdg-0.25-r1.ebuild, + -pyxdg-0.23.ebuild, -pyxdg-0.24.ebuild: + add sec patch wrt Bug #498934, rm old 12 Oct 2013; Markos Chandras <hwoarang@gentoo.org> pyxdg-0.25.ebuild: Add ~mips diff --git a/dev-python/pyxdg/Manifest b/dev-python/pyxdg/Manifest index 6330ecc17330..6e13207bdf1e 100644 --- a/dev-python/pyxdg/Manifest +++ b/dev-python/pyxdg/Manifest 
@@ -2,30 +2,16 @@ Hash: SHA256 AUX pyxdg-subprocess.patch 1122 SHA256 fb005869a396020a1919fb43b1fc755d0f418a2d7010fcb6c71de2cdd06a1d49 SHA512 324a43645f715c7249a94e348df7218b9821e7efb110f864d1d9e5b115d988f4b27980b41e33b468f7100985a51424192fe40adc8de7e4d11157f2194f5667a3 WHIRLPOOL 80c28b12d5f6163eb0079b9abb42fbf013302c7c830e1a3067126fd5c6966869659b9db4b2a07efdb4e152a17fc0a5640f20ae04348a888f9973f3636ad05617 -DIST pyxdg-0.23.tar.gz 45029 SHA256 5cc0573dd0b8096404796ae2655e7631d2905a033f959a1072929dc1a10a678a SHA512 8384c50c72ec0b6ae9e183385d10f709e5e439d29cc44551e9672b9c423f705d2f41cb531251b08787b1604f7c6d273be90d6216689906f06ded692d1fb41556 WHIRLPOOL 14730d8c2c8d169e82fd600fa18a8526885ba6bf739e47fab179a2ca91f922fb3ac63a49264c72d2d32873ebab2bac90a7f87b45e6890e8f2c47113d21633a83 -DIST pyxdg-0.24.tar.gz 47039 SHA256 220487bcea2d67c8da2a21bb261d647e03519a0b1a631365e45c77632c9491b6 SHA512 c5c76ac9ded8747bb984ff5249b49511a59101f5686ad3115340bcbd1db42f829b4965ee8ae9b12944fb92fa60d2c5d80822af03ce178e06d131cdf2e120fbf7 WHIRLPOOL 8d5a20610019bb53e7511d7bcb2a96de3a21effd52b5f084c3e570b909e6d3957390a5bea4718ba01d734e83d0022879e76334194a7c3e0d4ab17be6ebffe3c4 +AUX sec-patch-CVE-2014-1624.patch 1867 SHA256 1108675e64e51730ff5411f7e7dfab9fa68de66be0afaa73a46a1472d75766e8 SHA512 f0ff5255108b7a5774d376a8892f1120f5056ec92fa543af7e5aabe3792e7ecd347ac78ff5c04ab36db35bba513a412f6aa06fe718933317a903264bd184b712 WHIRLPOOL 9a4df7948bc32fa8f471f6edb7066318231666d90ff4038733ffaae7ceb303c930bc9c552f72a08b978c0b259e802d24bba6e01383a7b836989f339ee673909a DIST pyxdg-0.25.tar.gz 48935 SHA256 81e883e0b9517d624e8b0499eb267b82a815c0b7146d5269f364988ae031279d SHA512 86cbf3a54fb8e79043db60dcdbb3fb10013ae25a900fa3592edc8a24bf3f440c19bc04626c7906293c785fcb56eab9d87d209b723b5baa872376ba1eb86758b6 WHIRLPOOL 8e77c83f52c5836f4476645fc1d297311c1537e60a8fe364c75c842baf0530def1a483c19489af87ec78d340e630af18ed9a210cecc56f183037e34e58e0e450 -EBUILD pyxdg-0.23.ebuild 821 SHA256 
4cde59f305c418ebe0edfb49fa8bbbefc8ce091dc96441ea2514fa9acb066daa SHA512 296820b07a52b570e6066da62d2df00624bb2faf3912717508302a97bfa1cc0171b600fb3ae97fc57a29c676c3a5c33afe06e5edaf9b04a98d528a4ea7763295 WHIRLPOOL 3fe165d6b0a76d1839721a0df151f5c08b6ecbd2f15d32141f7c0c99ca21e91083246d047744764eb0d9db6a52d62175c61352230dbe98165c05e3afc8f7524b -EBUILD pyxdg-0.24.ebuild 749 SHA256 47b1899e8bb57a5eb311bd88e09fbbc96dabfba9cec674dc96a3fe0009e7cd26 SHA512 e25f792a2fb62c026f3b50fa3496beeed94c13237c2d189ad2c60ff79ae76e4c97587b21a7eb5b228cd275ec6cd8227b3793e5f8e3d627d42c3eac044f950c21 WHIRLPOOL 42fd1947bf0822d7f2e26d0f51b3ba64fbd666971c8f704a99d26b8d96776563cb5f2f35d8ee4ca9be03c144aa3040e538769f370baae4435baa7c592b83fb97 +EBUILD pyxdg-0.25-r1.ebuild 902 SHA256 3ae3b018a74d6220eca2b56de71edc2a5c471f370bfc9c5077076ac00ec4f272 SHA512 ebff795bf101a0b2d1c05548dc9e85ddb96b2eba6ebc8bfa0b10912adcdf5c447a1ed207faaa3228eecc036339880af43fbf5134f0bcb868c6e7e7f20420d462 WHIRLPOOL 877041945106da37595d2f1301575a3724c61b0375b64b4b4c4d587bc54908fc9a0f78e15852c6650a04c9770289a5f45d85b05f2b808dd6cd3f38601803e3f9 EBUILD pyxdg-0.25.ebuild 837 SHA256 7aeca6586c451157ed63f4101c39f705bd7122226567c269cc177f4101098d38 SHA512 5d685593f235c7b7f9c8b9f506cb374fc5cd1c27476ee922a60a090fc864246e3e778f4961084f1b060daf1cd8ae8cde5f206103afc2012d2c837aa09d597eab WHIRLPOOL 9f1de252c61fa84175d20e6499f904435aa7c904d264aaa9c673f0ae7bdea316c149c4fe34adbc5075a51602843267e74dd129dbbd4c37806590d62cc343b088 -MISC ChangeLog 13726 SHA256 4c135af90f389e54339168e630e69a54297c7dc562f099bf95bb7019c20cf8ed SHA512 96154973793bb771b03126bafa8885d8277367c1acdea5f098c2dab31f9bbd541b4de3d0af07e6a9e2b422dbd7720ca4edfede60d0c65d9164f499dd0b225b79 WHIRLPOOL f69556c58e9c3d4390d1c56fc6863b754075ba463424a6022df01caabf968b1fcf170d4b65a19bea9069d3db0f4b435501fe3e6821db8c91298d942814a55435 +MISC ChangeLog 13949 SHA256 fed9b9ef6e6125cb99428392146dee134812f0771a166b99fffbe299bd4eacec SHA512 
587c672e4d642ff0173aa7b761c5486bb83222b5123101231d42c0d7b57e5b2c291401b28b6e21967a4fea327b2aeb09e675920a0d01cbc66b8d23cf9f20ef39 WHIRLPOOL aa002522eb3cd8dbb2d471d09a7a102e7f81a08e0304bc61d9c77dad342201ca69704735e1d43b6f6d52efe1c781fb7ff56be8f3be96090dc05259b0e07efc45 MISC metadata.xml 159 SHA256 9f01104d3484792496faff4805eed0ecea2352a897151f3397d49a13800037b4 SHA512 d5a29b9f6ecddfc368dc0f1f8919cd3c3d6ecf2c7a82bc8d4c0dd51b7aa15561ed0462acb8ae39bc84f97e706e82d9b4b06357494f164f1648219f604b473fbe WHIRLPOOL 36e19b63a1b307cc200e1d73499b7477f73799db3909e71b5a0916084728351c76d400f65e2c8b3f8fffb2c9ba54c0bd235f785b47414178d98f11d64a9420d7 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) -iQJ8BAEBCABmBQJSWZjXXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w -ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQzNTVDNDczOUYzRjJEMTRGNDRGMzU2RkMw -OUJGNEY1NEMyQkE3RjNDAAoJEAm/T1TCun88uOkP/j2tgfruWJoCSIAJAn4iXRh3 -7XyzYujOyIelbHJEgk3kxBCcjZWS/g/qE7PLTn+qBNIgqxJScpbDtwgwg07rurTk -2QPYr35p9w+fKQPOrYO/1nypGwZjEN+gHTbHm20yfbYKHVc90+keOORSTf1rjGT5 -zTVBrtNczn64kHQvJVgweAeVRhKSBBVL3GiRwuaSLAReAVjAyAyBvOPhnuSAb1Uw -j2HW+FB+by41/fanfuPFQCoQEY9fpaOlDCnKPcs7zDoRPm+Wl4d3KZ/rDYYCyz0O -Fmz0KGUKKJ9Zj5y7CCbkcPVXmRMWjeXHR4N0F2J2wqy6pv7ETkKzog/RiwwuHelp -7kJrOK5aIUr74OkNJYl0wKMDh8VLBuArxBgNdj9vUYuDuHxC27HjkomQazm/steE -wRT7KjFxBO6i3gWSF8+gN4mk7Wt+D9hNBgG7PW+JkqSi+Te6rpUcae1uz3iBKNgM -Lvah92zl66tXWLr9dQczAPH/SXLc4PY/8Qzg1HupmKc10oZFJmuhth2DKf7hfTnK -QiwS3bKPzuTG8E6MNFnFs+P1T0xXeNrkkLL+3Tl9C25QA/UPTrFMksZWfr28p/Bn -ueCc3HLzjsR0uqyqPCCXJh9N1jGvUTkYjy13t/xUTDbbu+7t806rjON1mON6o/zp -sDtOrGIS5IUBzNdnAj4G -=eRqH +iEYEAREIAAYFAlMyhAMACgkQso7CE7gHKw1WkwCgrg+JfdI/+Kpd0rknqRKKjHIc +zhsAnRemsBdFn/Ffk3eec7r8NzPUpkWy +=EOc6 -----END PGP SIGNATURE----- diff --git a/dev-python/pyxdg/files/sec-patch-CVE-2014-1624.patch b/dev-python/pyxdg/files/sec-patch-CVE-2014-1624.patch new file mode 100644 index 000000000000..d94c0a42bddb --- /dev/null +++ b/dev-python/pyxdg/files/sec-patch-CVE-2014-1624.patch 
@@ -0,0 +1,54 @@
+Improve security of get_runtime_dir(strict=False)
+https://github.com/takluyver/pyxdg/commit/bd999c1c3fe7ee5f30ede2cf704cf03e400347b4
+diff --git a/xdg/BaseDirectory.py b/xdg/BaseDirectory.py
+index cececa3..a7c31b1 100644
+--- a/xdg/BaseDirectory.py
++++ b/xdg/BaseDirectory.py
+@@ -25,7 +25,7 @@
+ Note: see the rox.Options module for a higher-level API for managing options.
+ """
+
+-import os
++import os, stat
+
+ _home = os.path.expanduser('~')
+ xdg_data_home = os.environ.get('XDG_DATA_HOME') or \
+@@ -131,15 +131,30 @@ def get_runtime_dir(strict=True):
+
+ import getpass
+ fallback = '/tmp/pyxdg-runtime-dir-fallback-' + getpass.getuser()
++ create = False
++
+ try:
+- os.mkdir(fallback, 0o700)
++ # This must be a real directory, not a symlink, so attackers can't
++ # point it elsewhere. So we use lstat to check it.
++ st = os.lstat(fallback)
+ except OSError as e:
+ import errno
+- if e.errno == errno.EEXIST:
+- # Already exists - set 700 permissions again.
+- import stat
+- os.chmod(fallback, stat.S_IRUSR|stat.S_IWUSR|stat.S_IXUSR)
+- else: # pragma: no cover
++ if e.errno == errno.ENOENT:
++ create = True
++ else:
+ raise
+-
++ else:
++ # The fallback must be a directory
++ if not stat.S_ISDIR(st.st_mode):
++ os.unlink(fallback)
++ create = True
++ # Must be owned by the user and not accessible by anyone else
++ elif (st.st_uid != os.getuid()) \
++ or (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)):
++ os.rmdir(fallback)
++ create = True
++
++ if create:
++ os.mkdir(fallback, 0o700)
++
+ return fallback
+
diff --git a/dev-python/pyxdg/pyxdg-0.23.ebuild b/dev-python/pyxdg/pyxdg-0.23.ebuild
deleted file mode 100644
index bd6a9e585c34..000000000000
--- a/dev-python/pyxdg/pyxdg-0.23.ebuild
+++ /dev/null
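Review bot: The new `else:` branch of get_runtime_dir lets `os.unlink(fallback)`, `os.rmdir(fallback)` and the final `os.mkdir(fallback, 0o700)` raise OSError with no handling and no comment: rmdir fails on a non-empty directory, and removal presumably fails when the entry belongs to another user in a sticky /tmp. Failing closed is the right outcome for the symlink problem this patch addresses, but callers passing `strict=False` can still see an exception instead of a path, so say so where it happens, e.g. `# Deliberately let OSError propagate: never use a fallback we could not verify and re-create ourselves`. The function's docstring lies outside the hunk; it should gain a matching note that the fallback name is predictable and that the call can raise.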
@@ -1,33 +0,0 @@
-# Copyright 1999-2012 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/dev-python/pyxdg/pyxdg-0.23.ebuild,v 1.8 2012/10/07 09:35:39 nixnut Exp $
-
-EAPI=4
-
-PYTHON_DEPEND="*:2.6"
-SUPPORT_PYTHON_ABIS=1
-RESTRICT_PYTHON_ABIS="2.5"
-
-inherit distutils
-
-DESCRIPTION="A Python module to deal with freedesktop.org specifications"
-HOMEPAGE="http://freedesktop.org/wiki/Software/pyxdg http://cgit.freedesktop.org/xdg/pyxdg/"
-SRC_URI="http://people.freedesktop.org/~takluyver/${P}.tar.gz"
-
-LICENSE="LGPL-2"
-SLOT="0"
-KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 ~x86-fbsd"
-IUSE="examples"
-
-PYTHON_MODNAME=xdg
-
-DOCS="AUTHORS ChangeLog README TODO"
-
-src_install() {
- distutils_src_install
-
- if use examples; then
- docinto examples
- dodoc test/*.py
- fi
-}
diff --git a/dev-python/pyxdg/pyxdg-0.24.ebuild b/dev-python/pyxdg/pyxdg-0.24.ebuild
deleted file mode 100644
index c32fe1cca199..000000000000
--- a/dev-python/pyxdg/pyxdg-0.24.ebuild
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright 1999-2012 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/dev-python/pyxdg/pyxdg-0.24.ebuild,v 1.1 2012/11/12 04:29:51 radhermit Exp $
-
-EAPI=4
-
-PYTHON_DEPEND="*:2.6"
-SUPPORT_PYTHON_ABIS=1
-RESTRICT_PYTHON_ABIS="2.5"
-DISTUTILS_SRC_TEST="nosetests"
-
-inherit distutils
-
-DESCRIPTION="A Python module to deal with freedesktop.org specifications"
-HOMEPAGE="http://freedesktop.org/wiki/Software/pyxdg http://cgit.freedesktop.org/xdg/pyxdg/"
-SRC_URI="http://people.freedesktop.org/~takluyver/${P}.tar.gz"
-
-LICENSE="LGPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
-IUSE=""
-
-PYTHON_MODNAME=xdg
-
-DOCS="AUTHORS ChangeLog README TODO"
diff --git a/dev-python/pyxdg/pyxdg-0.25-r1.ebuild b/dev-python/pyxdg/pyxdg-0.25-r1.ebuild
new file mode 100644
index 000000000000..776108144007
--- /dev/null
+++ b/dev-python/pyxdg/pyxdg-0.25-r1.ebuild
@@ -0,0 +1,27 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-python/pyxdg/pyxdg-0.25-r1.ebuild,v 1.1 2014/03/26 07:45:51 idella4 Exp $
+
+EAPI=5
+
+# py3.3 removed due to nosetests
+PYTHON_COMPAT=( python{2_6,2_7,3_2,3_3} pypy2_0 )
+inherit distutils-r1
+
+DESCRIPTION="A Python module to deal with freedesktop.org specifications"
+HOMEPAGE="http://freedesktop.org/wiki/Software/pyxdg http://cgit.freedesktop.org/xdg/pyxdg/"
+SRC_URI="http://people.freedesktop.org/~takluyver/${P}.tar.gz"
+
+LICENSE="LGPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
+IUSE="test"
+
+DEPEND="test? ( dev-python/nose[${PYTHON_USEDEP}]
+ x11-themes/hicolor-icon-theme )"
+
+DOCS=( AUTHORS ChangeLog README TODO )
+PATCHES=( "${FILESDIR}"/sec-patch-CVE-2014-1624.patch )
+python_test() {
+ nosetests || die
+} |
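Review bot: The comment `# py3.3 removed due to nosetests` contradicts the `PYTHON_COMPAT` line directly below it, which still lists `3_3`; either the comment is stale or the list is wrong, and one of them should be corrected so the tested interpreter set is unambiguous. The `PATCHES` line also carries no explanation of the security fix it applies; a comment above it such as `# Bug #498934 (CVE-2014-1624): insecure /tmp fallback in get_runtime_dir(strict=False)` would let a later version bump decide whether the patch can be dropped.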