[linux] 01/03: abiupdate.py: Use current config instead of downloading previous config

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Fri Jan 12 02:42:14 UTC 2018 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie-security
in repository linux.

commit 789ed93580772a1b987ed151af463ab4564ecbd6
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sat Jan 7 17:42:39 2017 +0000

    abiupdate.py: Use current config instead of downloading previous config
    
    Until we authenticate downloads we should not do this as pickle.load
    allows running arbitrary code.
    
    (cherry picked from commit f3ddd1118d6dbde61b5a59ca7fb8a44122ab9aae)
---
 debian/bin/abiupdate.py | 11 ++++-------
 debian/changelog        |  6 ++++++
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/debian/bin/abiupdate.py b/debian/bin/abiupdate.py
index 2808b3f..a9efacf 100755
--- a/debian/bin/abiupdate.py
+++ b/debian/bin/abiupdate.py
@@ -113,13 +113,10 @@ class Main(object):
         return version_abi, s
 
     def get_config(self):
-        filename = "linux-support-%s_%s_all.deb" % (self.version_abi, self.version_source)
-        f = self.retrieve_package(self.url_config, filename, 'all')
-        d = self.extract_package(f, "linux-support")
-        c = d + "/usr/src/linux-support-" + self.version_abi + "/config.defines.dump"
-        config = ConfigCoreDump(fp=open(c, "rb"))
-        shutil.rmtree(d)
-        return config
+        # XXX We used to fetch the previous version of linux-support here,
+        # but until we authenticate downloads we should not do that as
+        # pickle.load allows running arbitrary code.
+        return self.config
 
     def retrieve_package(self, url, filename, arch):
         u = url(self.source, filename, arch)
diff --git a/debian/changelog b/debian/changelog
index baeab31..982fbcf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+linux (3.16.51-3+deb8u2) UNRELEASED; urgency=medium
+
+  * abiupdate.py: Use current config instead of downloading previous config
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Fri, 12 Jan 2018 02:40:09 +0000
+
 linux (3.16.51-3+deb8u1) jessie-security; urgency=high
 
   * dccp: CVE-2017-8824: use-after-free in DCCP code

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list