rdflib / CVE-2019-7653
Patch for Jessie attached.
Note this patch changes python-rdflib-tools from Python2 to
Python3. Still debating if I should change this back to Python2 (looks
like it should be easy), or if it really does not matter.
--
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
diff -Nru rdflib-4.1.2/debian/changelog rdflib-4.1.2/debian/changelog
--- rdflib-4.1.2/debian/changelog 2019-03-08 07:38:55.000000000 +1100
+++ rdflib-4.1.2/debian/changelog 2014-05-25 06:47:03.000000000 +1000
@@ -1,10 +1,3 @@
-rdflib (4.1.2-3+deb8u1) UNRELEASED; urgency=high
-
- * Non-maintainer upload by the Security Team.
- * CVE-2019-7653: Use easy_install provided scripts.
-
- -- Brian May <bam@debian.org> Fri, 08 Mar 2019 07:38:55 +1100
-
rdflib (4.1.2-3) unstable; urgency=low
* Upload to unstable almost identical to 4.1.2-2.
diff -Nru rdflib-4.1.2/debian/control rdflib-4.1.2/debian/control
--- rdflib-4.1.2/debian/control 2019-03-08 07:38:55.000000000 +1100
+++ rdflib-4.1.2/debian/control 2014-05-13 14:46:55.000000000 +1000
@@ -61,7 +61,7 @@
Package: python-rdflib-tools
Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, python3, python3-rdflib (>= 4.0.1-1), python3-pkg-resources
+Depends: ${shlibs:Depends}, ${misc:Depends}, python, python-rdflib (>= 4.0.1-1)
Replaces: python-rdflib (<< 4.0.1-1)
Breaks: python-rdflib (<< 4.0.1-1)
Description: Python library containing an RDF triple store and RDF parsers/serializers
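Review bot: The diff appears to be generated in reverse: the `---` side carries the 2019-03-08 timestamps and the `4.1.2-3+deb8u1` changelog entry, so as written this hunk drops `python3-pkg-resources` and the patch as a whole removes the CVE-2019-7653 change instead of adding it. It should be regenerated with the unpatched tree as the first argument to `diff -Nru`, so that the security change lands on the `+` side and reviewers can apply it directly. Assuming the `-` line is the intended result, the new `python3-pkg-resources` dependency is presumably there because setuptools-generated scripts import `pkg_resources` at start-up. That deserves a changelog line of its own, since it is a new runtime dependency in a stable update.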
diff -Nru rdflib-4.1.2/debian/gbp.conf rdflib-4.1.2/debian/gbp.conf
--- rdflib-4.1.2/debian/gbp.conf 2019-03-08 07:38:55.000000000 +1100
+++ rdflib-4.1.2/debian/gbp.conf 2014-05-13 14:46:55.000000000 +1000
@@ -1,3 +1,3 @@
-[buildpackage]
-upstream-tag = upstream/%(version)s
-debian-branch = jessie
+[git-buildpackage]
+upstream-tag = %(version)s
+debian-branch = debian
diff -Nru rdflib-4.1.2/debian/python-rdflib-tools.install rdflib-4.1.2/debian/python-rdflib-tools.install
--- rdflib-4.1.2/debian/python-rdflib-tools.install 1970-01-01 10:00:00.000000000 +1000
+++ rdflib-4.1.2/debian/python-rdflib-tools.install 2014-05-13 14:46:56.000000000 +1000
@@ -0,0 +1,5 @@
+debian/scripts/rdfpipe /usr/bin/
+debian/scripts/csv2rdf /usr/bin/
+debian/scripts/rdf2dot /usr/bin/
+debian/scripts/rdfs2dot /usr/bin/
+debian/scripts/rdfgraphisomorphism /usr/bin/
diff -Nru rdflib-4.1.2/debian/rules rdflib-4.1.2/debian/rules
--- rdflib-4.1.2/debian/rules 2019-03-08 07:36:24.000000000 +1100
+++ rdflib-4.1.2/debian/rules 2014-05-13 14:46:56.000000000 +1000
@@ -11,10 +11,14 @@
export PYBUILD_NAME=rdflib
-# Install (only) those into the -tools package
-export PYBUILD_AFTER_INSTALL_python3=mv '{destdir}/usr/bin' 'debian/python-rdflib-tools/usr/'
-# The Python 2 part is only available as a library, not as tools
-export PYBUILD_AFTER_INSTALL_python2=rm -rf '{destdir}/usr/bin'
+# For the time being, don't install the /usr/bin scripts for Python2 (hack)
+# Instead, we'll patch the scripts to add a shebang and put links into /usr/bin
+export PYBUILD_INSTALL_ARGS_python2=--install-scripts=/tmp
+export PYBUILD_AFTER_INSTALL_python2=rm -fr '{destdir}/tmp/'
+# For the time being, don't install the /usr/bin scripts for Python3 (hack)
+export PYBUILD_INSTALL_ARGS_python3=--install-scripts=/tmp
+export PYBUILD_AFTER_INSTALL_python3=rm -fr '{destdir}/tmp/'
+
%:
dh $@ --with python2,python3,sphinxdoc --buildsystem=pybuild
diff -Nru rdflib-4.1.2/debian/scripts/csv2rdf rdflib-4.1.2/debian/scripts/csv2rdf
--- rdflib-4.1.2/debian/scripts/csv2rdf 1970-01-01 10:00:00.000000000 +1000
+++ rdflib-4.1.2/debian/scripts/csv2rdf 2014-05-13 14:46:56.000000000 +1000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /usr/bin/python -m rdflib.tools.csv2rdf $*
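Review bot: `exec /usr/bin/python -m rdflib.tools.csv2rdf $*` has two problems. First, `python -m` puts the current working directory at the front of the module search path, so the tool can import an `rdflib` package from whatever directory it is run in. Second, the unquoted `$*` re-splits arguments that contain spaces or glob characters. The same line appears in the rdf2dot, rdfgraphisomorphism, rdfpipe and rdfs2dot wrappers below. The file timestamps suggest these wrappers are the pre-fix state and that the diff direction is swapped; if any wrapper is kept, pass arguments as `"$@"` and avoid `-m` by installing the setuptools-generated scripts, as the changelog entry describes.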
diff -Nru rdflib-4.1.2/debian/scripts/rdf2dot rdflib-4.1.2/debian/scripts/rdf2dot
--- rdflib-4.1.2/debian/scripts/rdf2dot 1970-01-01 10:00:00.000000000 +1000
+++ rdflib-4.1.2/debian/scripts/rdf2dot 2014-05-13 14:46:56.000000000 +1000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /usr/bin/python -m rdflib.tools.rdf2dot $*
diff -Nru rdflib-4.1.2/debian/scripts/rdfgraphisomorphism rdflib-4.1.2/debian/scripts/rdfgraphisomorphism
--- rdflib-4.1.2/debian/scripts/rdfgraphisomorphism 1970-01-01 10:00:00.000000000 +1000
+++ rdflib-4.1.2/debian/scripts/rdfgraphisomorphism 2014-05-13 14:46:56.000000000 +1000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /usr/bin/python -m rdflib.tools.graphisomorphism $*
diff -Nru rdflib-4.1.2/debian/scripts/rdfpipe rdflib-4.1.2/debian/scripts/rdfpipe
--- rdflib-4.1.2/debian/scripts/rdfpipe 1970-01-01 10:00:00.000000000 +1000
+++ rdflib-4.1.2/debian/scripts/rdfpipe 2014-05-13 14:46:56.000000000 +1000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /usr/bin/python -m rdflib.tools.rdfpipe $*
diff -Nru rdflib-4.1.2/debian/scripts/rdfs2dot rdflib-4.1.2/debian/scripts/rdfs2dot
--- rdflib-4.1.2/debian/scripts/rdfs2dot 1970-01-01 10:00:00.000000000 +1000
+++ rdflib-4.1.2/debian/scripts/rdfs2dot 2014-05-13 14:46:56.000000000 +1000
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /usr/bin/python -m rdflib.tools.rdfs2dot $*