[linux] 01/03: abiupdate.py: Use current config instead of downloading previous config
debian-kernel at lists.debian.org
Fri Jan 12 02:42:14 UTC 2018
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie-security
in repository linux.
commit 789ed93580772a1b987ed151af463ab4564ecbd6
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sat Jan 7 17:42:39 2017 +0000
abiupdate.py: Use current config instead of downloading previous config
Until we authenticate downloads we should not do this as pickle.load
allows running arbitrary code.
(cherry picked from commit f3ddd1118d6dbde61b5a59ca7fb8a44122ab9aae)
---
debian/bin/abiupdate.py | 11 ++++-------
debian/changelog | 6 ++++++
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/debian/bin/abiupdate.py b/debian/bin/abiupdate.py
index 2808b3f..a9efacf 100755
--- a/debian/bin/abiupdate.py
+++ b/debian/bin/abiupdate.py
@@ -113,13 +113,10 @@ class Main(object):
return version_abi, s
def get_config(self):
- filename = "linux-support-%s_%s_all.deb" % (self.version_abi, self.version_source)
- f = self.retrieve_package(self.url_config, filename, 'all')
- d = self.extract_package(f, "linux-support")
- c = d + "/usr/src/linux-support-" + self.version_abi + "/config.defines.dump"
- config = ConfigCoreDump(fp=open(c, "rb"))
- shutil.rmtree(d)
- return config
+ # XXX We used to fetch the previous version of linux-support here,
+ # but until we authenticate downloads we should not do that as
+ # pickle.load allows running arbitrary code.
+ return self.config
def retrieve_package(self, url, filename, arch):
u = url(self.source, filename, arch)
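Review bot: with `get_config` now simply returning `self.config`, the old download path leaves behind code that may be dead: `retrieve_package` (still defined directly below) and `extract_package`, plus `self.url_config`, `self.version_source` and the `shutil` import if `shutil.rmtree(d)` was its only use; check whether anything else references them and remove what is unused. The XXX comment states the right reason, since `config.defines.dump` was unpickled through `ConfigCoreDump` straight from an unauthenticated `linux-support-..._all.deb`, so whoever could tamper with that download could run code during the ABI update; it would help to also record that callers now compare against the current config rather than the previous release's, and that the durable fix is to verify the fetched package against the archive's signed metadata before unpickling anything.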
diff --git a/debian/changelog b/debian/changelog
index baeab31..982fbcf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+linux (3.16.51-3+deb8u2) UNRELEASED; urgency=medium
+
+ * abiupdate.py: Use current config instead of downloading previous config
+
+ -- Ben Hutchings <ben at decadent.org.uk> Fri, 12 Jan 2018 02:40:09 +0000
+
linux (3.16.51-3+deb8u1) jessie-security; urgency=high
* dccp: CVE-2017-8824: use-after-free in DCCP code
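Review bot: the changelog line repeats only the commit subject and drops the security rationale given in the commit message; on a jessie-security branch a reader should be able to see why the behaviour changed, so consider extending it to something like "abiupdate.py: Use current config instead of downloading previous config, as the unauthenticated download was loaded with pickle.load". The `UNRELEASED` distribution and `urgency=medium` are consistent with a not-yet-uploaded entry and need no change.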
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git