requests and #780506 (security bug)
Dear Release Managers,
I need guidance on how to properly handle this: requests version
in testing is 2.4.3-4 but 2.4.3-5 was uploaded into unstable
to fix #770173.
I already fixed #780506 on SVN but I did not upload
requests 2.4.3-6 because I need your hint.
This is the debdiff (requests_2.4.3-6.dsc built from SVN):
❯ debdiff requests_2.4.3-4.dsc requests_2.4.3-6.dsc
dpkg-source: warning: extracting unsigned source package (/home/eriol/devel/debian/pkg/requests/build-area/requests_2.4.3-6.dsc)
diff -Nru requests-2.4.3/debian/changelog requests-2.4.3/debian/changelog
--- requests-2.4.3/debian/changelog 2014-11-14 09:33:09.000000000 +0100
+++ requests-2.4.3/debian/changelog 2015-03-16 03:48:27.000000000 +0100
@@ -1,3 +1,21 @@
+requests (2.4.3-6) UNRELEASED; urgency=medium
+
+ * debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
+ - Fix session fixation and cookie stealing: CVE-2015-2296.
+ (Closes: #780506)
+
+ -- Daniele Tricoli <eriol@mornie.org> Mon, 16 Mar 2015 01:31:10 +0100
+
+requests (2.4.3-5) unstable; urgency=medium
+
+ * Team upload.
+ * d/control: Remove the Build-Depends on python{,3}-pytest since we
+ aren't actually running the tests at build time. (Closes: #770173)
+ * d/rules: Update the comment about why the tests are currently disabled
+ at build time to point to the updated upstream url.
+
+ -- Barry Warsaw <barry@debian.org> Wed, 19 Nov 2014 18:00:46 -0500
+
requests (2.4.3-4) unstable; urgency=medium
* debian/patches/04_make-requests.packages.urllib3-same-as-urllib3.patch
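Review bot: the 2.4.3-6 entry still carries the UNRELEASED distribution and must be changed to unstable before the upload; because the debdiff is taken against the 2.4.3-4 source in testing, the 2.4.3-5 entry (the #770173 build-dependency cleanup) is necessarily part of what the unblock request has to cover alongside the CVE-2015-2296 fix, so the request should reference both entries.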
diff -Nru requests-2.4.3/debian/control requests-2.4.3/debian/control
--- requests-2.4.3/debian/control 2014-10-21 10:23:21.000000000 +0200
+++ requests-2.4.3/debian/control 2014-11-19 23:59:48.000000000 +0100
@@ -8,12 +8,10 @@
dh-python,
python-all (>= 2.6.6-3),
python-chardet,
- python-pytest,
python-setuptools,
python-urllib3 (>= 1.9.1),
python3-all,
python3-chardet,
- python3-pytest,
python3-setuptools,
python3-urllib3 (>= 1.7.1),
python3-wheel
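Review bot: dropping python-pytest and python3-pytest from Build-Depends is safe only because the test target is disabled in debian/rules; nothing else in the build uses them, so this part of the diff is a pure build-dependency cleanup that does not alter the packaged code.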
diff -Nru requests-2.4.3/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch requests-2.4.3/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
--- requests-2.4.3/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch 1970-01-01 01:00:00.000000000 +0100
+++ requests-2.4.3/debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch 2015-03-16 03:53:20.000000000 +0100
@@ -0,0 +1,17 @@
+Description: Session fixation and cookie stealing.
+ See http://www.openwall.com/lists/oss-security/2015/03/14/4 for a complete
+ description.
+Origin: https://github.com/kennethreitz/requests/commit/3bd8afbff29e50b38f889b2f688785a669b9aafc
+Bug-Debian: https://bugs.debian.org/780506
+
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -168,7 +168,7 @@
+ except KeyError:
+ pass
+
+- extract_cookies_to_jar(prepared_request._cookies, prepared_request, resp.raw)
++ extract_cookies_to_jar(prepared_request._cookies, req, resp.raw)
+ prepared_request._cookies.update(self.cookies)
+ prepared_request.prepare_cookies(prepared_request._cookies)
+
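Review bot: the one-line change is the whole fix, and the DEP-3 Description should say what it does rather than only name the symptom. The request passed as the second argument to extract_cookies_to_jar decides which origin the cookies in resp.raw are ascribed to; prepared_request already has its URL rewritten to the redirect target, so a Set-Cookie sent by the redirecting host was stored under the target domain and then sent there on the follow-up request. Passing req, the request that actually received resp, keeps the cookie scoped to the host that set it. Suggest replacing "Description: Session fixation and cookie stealing." with something like "Description: Ascribe cookies on a redirect response to the request that received it, not to the redirect target (CVE-2015-2296)".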
diff -Nru requests-2.4.3/debian/patches/series requests-2.4.3/debian/patches/series
--- requests-2.4.3/debian/patches/series 2014-11-11 17:28:54.000000000 +0100
+++ requests-2.4.3/debian/patches/series 2015-03-16 03:53:20.000000000 +0100
@@ -2,3 +2,4 @@
02_use-system-chardet-and-urllib3.patch
03_export-IncompleteRead.patch
04_make-requests.packages.urllib3-same-as-urllib3.patch
+05_do-not-ascribe-cookies-to-the-target-domain.patch
diff -Nru requests-2.4.3/debian/rules requests-2.4.3/debian/rules
--- requests-2.4.3/debian/rules 2014-09-07 15:51:39.000000000 +0200
+++ requests-2.4.3/debian/rules 2014-11-19 23:59:48.000000000 +0100
@@ -9,9 +9,9 @@
# can't enable it. Once this issue is fixed, it will be easy to
# re-enable.
#
-# https://github.com/kennethreitz/requests/issues/1166
+# https://github.com/kennethreitz/requests/issues/2184
#
-# barry@debian.org 2014-06-04
+# barry@debian.org 2014-11-19
#override_dh_auto_test:
# PYBUILD_SYSTEM=custom \
# PYBUILD_TEST_ARGS="{interpreter} test_requests.py" \
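Review bot: the override_dh_auto_test target stays commented out, so nothing in the build exercises the new 05 patch; this hunk only refreshes the issue link and the date in the comment. Since 2.4.3-6 is a security fix going out without the upstream test suite, check by hand that the patched sessions.py still imports and that a cookie set by a redirecting host is no longer sent to a different redirect target before filing the unblock.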
Since 2.4.3-5 only removed some B-D and explained better why tests
can not be run, can I upload requests 2.4.3-6 and then file an
unblock request for it?
Thanks in advance!
Kind regards,
--
Daniele Tricoli 'Eriol'
http://mornie.org