[linux] 01/03: abiupdate.py: Use current config instead of downloading previous config

debian-kernel at lists.debian.org
Fri Jan 12 02:37:56 UTC 2018


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit 561b3f01c7ed947f31ac3238bbee416c2fb32b1b
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sat Jan 7 17:42:39 2017 +0000

    abiupdate.py: Use current config instead of downloading previous config
    
    Until we authenticate downloads we should not do this as pickle.load
    allows running arbitrary code.
    
    (cherry picked from commit f3ddd1118d6dbde61b5a59ca7fb8a44122ab9aae,
    plus a little bit of commit eb1f86e012a2cce3b7b381ed59c52fbd494208f9)
---
 debian/bin/abiupdate.py | 15 ++++++---------
 debian/changelog        |  6 ++++++
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/debian/bin/abiupdate.py b/debian/bin/abiupdate.py
index 69a2a23..fbec1d4 100755
--- a/debian/bin/abiupdate.py
+++ b/debian/bin/abiupdate.py
@@ -63,9 +63,9 @@ class Main(object):
         self.version = changelog.version.linux_version
         self.version_source = changelog.version.complete
 
-        local_config = ConfigCoreDump(fp=file("debian/config.defines.dump"))
+        self.config = ConfigCoreDump(fp=file("debian/config.defines.dump"))
 
-        self.version_abi = local_config['version', ]['abiname']
+        self.version_abi = self.config['version', ]['abiname']
 
     def __call__(self):
         self.dir = tempfile.mkdtemp(prefix='abiupdate')
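Review bot: the added `self.config = ConfigCoreDump(fp=file("debian/config.defines.dump"))` line in __init__ has no comment saying that this object is now also what get_config() returns, or that the dump it loads comes from the local source tree rather than a download. A one-line comment stating both would document the trust assumption next to the load itself. As a smaller style point, the handle from `file(...)` is left for ConfigCoreDump or the garbage collector to close; opening it in a `with open(...)` block would make the lifetime explicit.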
@@ -103,13 +103,10 @@ class Main(object):
         return s
 
     def get_config(self):
-        filename = "linux-support-%s_%s_all.deb" % (self.version_abi, self.version_source)
-        f = self.retrieve_package(self.url_config, filename, 'all')
-        d = self.extract_package(f, "linux-support")
-        c = d + "/usr/src/linux-support-" + self.version_abi + "/config.defines.dump"
-        config = ConfigCoreDump(fp=file(c))
-        shutil.rmtree(d)
-        return config
+        # XXX We used to fetch the previous version of linux-support here,
+        # but until we authenticate downloads we should not do that as
+        # pickle.load allows running arbitrary code.
+        return self.config
 
     def retrieve_package(self, url, filename, arch):
         u = url(self.source, filename, arch)
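Review bot: get_config() now returns `self.config`, the current tree's config, from a method that previously returned the previous version's config, and the XXX comment explains why the download was dropped but not what callers get instead. Say in the comment that any comparison against this return value is now a comparison of the current config with itself, so the limitation is visible to whoever reads the caller. Also check whether `self.url_config` and the `shutil` import still have users after this removal, and note that retrieve_package() stays in place, so anything still fetched through it falls under the same "until we authenticate downloads" caveat.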
diff --git a/debian/changelog b/debian/changelog
index 60893a1..dbe4225 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+linux (3.2.96-4) UNRELEASED; urgency=medium
+
+  * abiupdate.py: Use current config instead of downloading previous config
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Sat, 07 Jan 2017 17:41:34 +0000
+
 linux (3.2.96-3) wheezy-security; urgency=high
 
   * [amd64] Implement Kernel Page Table Isolation (KPTI, aka KAISER)
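Review bot: the new changelog bullet for 3.2.96-4 repeats the commit subject but leaves out the reason given in the commit message. Adding a short clause that the previous config was loaded with pickle from an unauthenticated download would tell readers of the changelog why the behaviour changed.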

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


