Don't add the current working directory to syspath, fixes arbitrary code execution issue (patch by chutzpah).

(Portage version: 2.2.2/cvs/Linux x86_64, signed Manifest commit with key 4AB3E85B4F064CA3)

3 files changed, 79 insertions, 1 deletions

diff --git a/app-vim/python-mode/ChangeLog b/app-vim/python-mode/ChangeLog
index fdf83ec23960..565b5247dda5 100644
--- a/app-vim/python-mode/ChangeLog
+++ b/app-vim/python-mode/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for app-vim/python-mode
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-vim/python-mode/ChangeLog,v 1.8 2013/07/04 07:53:00 xarthisius Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-vim/python-mode/ChangeLog,v 1.9 2013/09/12 02:38:29 radhermit Exp $
+
+*python-mode-0.6.18-r3 (12 Sep 2013)
+
+  12 Sep 2013; Tim Harder <radhermit@gentoo.org> +python-mode-0.6.18-r3.ebuild,
+  +files/python-mode-0.6.18-dont-add-cwd-to-syspath.patch:
+  Don't add the current working directory to syspath, fixes arbitrary code
+  execution issue (patch by chutzpah).
 
 *python-mode-0.6.18-r2 (04 Jul 2013)
 
diff --git a/app-vim/python-mode/files/python-mode-0.6.18-dont-add-cwd-to-syspath.patch b/app-vim/python-mode/files/python-mode-0.6.18-dont-add-cwd-to-syspath.patch
new file mode 100644
index 000000000000..fb92614233bd
--- /dev/null
+++ b/app-vim/python-mode/files/python-mode-0.6.18-dont-add-cwd-to-syspath.patch
@@ -0,0 +1,15 @@
+https://github.com/klen/python-mode/issues/162
+--- a/ftplugin/python/init-pymode.vim
++++ b/ftplugin/python/init-pymode.vim
+@@ -46,10 +46,9 @@ if !pymode#Default('g:pymode_path', 1) || g:pymode_path
+ python << EOF
+ import sys, vim, os
+ 
+-curpath = vim.eval("getcwd()")
+ libpath = os.path.join(vim.eval("expand('<sfile>:p:h:h:h')"), 'pylibs')
+ 
+-sys.path = [libpath, curpath] + vim.eval("g:pymode_paths") + sys.path
++sys.path = [libpath] + vim.eval("g:pymode_paths") + sys.path
+ EOF
+ 
+ endif " }}}
diff --git a/app-vim/python-mode/python-mode-0.6.18-r3.ebuild b/app-vim/python-mode/python-mode-0.6.18-r3.ebuild
new file mode 100644
index 000000000000..24606c539f92
--- /dev/null
+++ b/app-vim/python-mode/python-mode-0.6.18-r3.ebuild
@@ -0,0 +1,56 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-vim/python-mode/python-mode-0.6.18-r3.ebuild,v 1.1 2013/09/12 02:38:29 radhermit Exp $
+
+EAPI=5
+
+VIM_PLUGIN_MESSAGES="filetype"
+VIM_PLUGIN_HELPFILES="PythonModeCommands"
+VIM_PLUGIN_HELPURI="https://github.com/klen/python-mode"
+
+inherit vim-plugin eutils
+
+DESCRIPTION="Provide python code looking for bugs, refactoring and other useful things"
+HOMEPAGE="http://www.vim.org/scripts/script.php?script_id=3770 https://github.com/klen/python-mode"
+SRC_URI="https://github.com/klen/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="LGPL-3"
+KEYWORDS="~amd64 ~x86"
+
+RDEPEND="
+	dev-python/astng
+	dev-python/autopep8
+	dev-python/pyflakes
+	dev-python/pylint
+	dev-python/rope
+	dev-python/ropemode
+	"
+
+src_prepare() {
+	epatch "${FILESDIR}"/${P}-dont-add-cwd-to-syspath.patch
+
+	# debundling fun
+	rm -rf pylibs/pylama/{pep8.py,pyflakes} pylibs/{autopep8.py}
+	#rm -rf pylibs/{rope,ropemode}  #475686
+	sed -e 's/from .pep8/from pep8/g' \
+		-e 's/from .pyflakes/from pyflakes/g' \
+		-i pylibs/pylama/utils.py || die
+	# there's still pylint left, I failed to debundle it :/
+
+	mv pylint.ini "${T}" || die
+	sed -e "s|expand(\"<sfile>:p:h:h\")|\"${EPREFIX}/usr/share/${PN}\"|" \
+		-i autoload/pymode.vim || die # use custom path
+}
+
+src_install() {
+	vim-plugin_src_install
+	insinto usr/share/${PN}
+	doins "${T}"/pylint.ini
+}
+
+pkg_postinst() {
+	vim-plugin_pkg_postinst
+	einfo "If you use custom pylintrc make sure you append the contents of"
+	einfo " ${EPREFIX}/usr/share/${PN}/pylint.ini"
+	einfo "to it. Otherwise PyLint command will not work properly."
+}