diff -Nru bzr-2.6.0~bzr6571/bzrlib/crash.py bzr-2.6.0~bzr6574/bzrlib/crash.py --- bzr-2.6.0~bzr6571/bzrlib/crash.py 2011-12-19 08:23:58.000000000 -0500 +++ bzr-2.6.0~bzr6574/bzrlib/crash.py 2013-01-30 00:55:38.000000000 -0500 @@ -170,7 +170,7 @@ pr['Platform'] = platform.platform(aliased=1) pr['UserEncoding'] = osutils.get_user_encoding() pr['FileSystemEncoding'] = sys.getfilesystemencoding() - pr['Locale'] = os.environ.get('LANG') + pr['Locale'] = os.environ.get('LANG', 'C') pr['BzrPlugins'] = _format_plugin_list() pr['PythonLoadedModules'] = _format_module_list() pr['BzrDebugFlags'] = pprint.pformat(debug.debug_flags) @@ -259,7 +259,7 @@ os.open(filename, os.O_WRONLY|os.O_CREAT|os.O_EXCL, 0600), - 'w') + 'wb') def _format_plugin_list(): diff -Nru bzr-2.6.0~bzr6571/bzrlib/tests/test_https_urllib.py bzr-2.6.0~bzr6574/bzrlib/tests/test_https_urllib.py --- bzr-2.6.0~bzr6571/bzrlib/tests/test_https_urllib.py 2012-01-31 11:36:53.000000000 -0500 +++ bzr-2.6.0~bzr6574/bzrlib/tests/test_https_urllib.py 2013-05-20 12:38:11.000000000 -0400 
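Review bot: In the first crash.py hunk, `os.environ.get('LANG', 'C')` now reports `C` whenever `LANG` is unset, even if `LC_ALL` or `LC_CTYPE` selects a different locale, and it still reports `LANG` when `LC_ALL` overrides it. The release-notes hunk in this same diff concerns failures seen only with `LC_ALL=C`, which is exactly the case this field would misreport. Consider following the POSIX precedence, `pr['Locale'] = os.environ.get('LC_ALL') or os.environ.get('LC_CTYPE') or os.environ.get('LANG', 'C')`. The enclosing function starts and ends outside the hunk.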
@@ -88,6 +88,22 @@ self.assertRaises(ValueError, _urllib2_wrappers.match_hostname, {}, "example.com") + def test_wildcards_in_cert(self): + def ok(cert, hostname): + _urllib2_wrappers.match_hostname(cert, hostname) + + # Python Issue #17980: avoid denials of service by refusing more than + # one wildcard per fragment. + cert = {'subject': ((('commonName', 'a*b.com'),),)} + ok(cert, 'axxb.com') + cert = {'subject': ((('commonName', 'a*b.co*'),),)} + ok(cert, 'axxb.com') + cert = {'subject': ((('commonName', 'a*b*.com'),),)} + try: + _urllib2_wrappers.match_hostname(cert, 'axxbxxc.com') + except ValueError as e: + self.assertIn("too many wildcards", str(e)) + def test_no_valid_attributes(self): self.assertRaises(CertificateError, _urllib2_wrappers.match_hostname, {"Problem": "Solved"}, "example.com") diff -Nru bzr-2.6.0~bzr6571/bzrlib/tests/test_ui.py bzr-2.6.0~bzr6574/bzrlib/tests/test_ui.py --- bzr-2.6.0~bzr6571/bzrlib/tests/test_ui.py 2012-09-17 05:06:56.000000000 -0400 +++ bzr-2.6.0~bzr6574/bzrlib/tests/test_ui.py 2012-12-04 09:21:42.000000000 -0500 @@ -103,7 +103,6 @@ ui.stdout = tests.StringIOWrapper() ui.stderr = tests.StringIOWrapper() ui.stderr.encoding = ui.stdout.encoding = ui.stdin.encoding = 'utf8' - pb = ui.nested_progress_bar() password = ui.get_password(u'Hello \u1234 %(user)s', user=u'some\u1234') self.assertEqual(u'baz\u1234', password) self.assertEqual(u'Hello \u1234 some\u1234: ', diff -Nru bzr-2.6.0~bzr6571/bzrlib/transport/http/_urllib2_wrappers.py bzr-2.6.0~bzr6574/bzrlib/transport/http/_urllib2_wrappers.py --- bzr-2.6.0~bzr6571/bzrlib/transport/http/_urllib2_wrappers.py 2012-06-10 18:48:08.000000000 -0400 +++ bzr-2.6.0~bzr6574/bzrlib/transport/http/_urllib2_wrappers.py 2013-05-20 12:38:11.000000000 -0400 
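Review bot: The last case in `test_wildcards_in_cert` passes even when `match_hostname` raises nothing for `'a*b*.com'`, because the `try`/`except ValueError` block has no failure branch. As written, the regression test for the multiple-wildcard check would stay green if the check were removed. Add a failing branch after the `except` clause, `else:` followed by `self.fail("ValueError not raised for 'a*b*.com'")`, so that the rejection itself is asserted and not only the message text.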
@@ -400,9 +400,16 @@ # These two methods were imported from Python 3.2's ssl module -def _dnsname_to_pat(dn): +def _dnsname_to_pat(dn, max_wildcards=1): pats = [] for frag in dn.split(r'.'): + if frag.count('*') > max_wildcards: + # Python Issue #17980: avoid denials of service by refusing more + # than one wildcard per fragment. A survery of established + # policy among SSL implementations showed it to be a + # reasonable choice. + raise ValueError( + "too many wildcards in certificate DNS name: " + repr(dn)) if frag == '*': # When '*' is a fragment by itself, it matches a non-empty dotless # fragment. diff -Nru bzr-2.6.0~bzr6571/bzrlib/ui/text.py bzr-2.6.0~bzr6574/bzrlib/ui/text.py --- bzr-2.6.0~bzr6571/bzrlib/ui/text.py 2012-10-10 14:45:21.000000000 -0400 +++ bzr-2.6.0~bzr6574/bzrlib/ui/text.py 2012-12-04 09:21:42.000000000 -0500 @@ -336,7 +336,13 @@ if kwargs: # See prompt = prompt % kwargs - prompt = prompt.encode(osutils.get_terminal_encoding(), 'replace') + try: + prompt = prompt.encode(self.stderr.encoding) + except (UnicodeError, AttributeError): + # If stderr has no encoding attribute or can't properly encode, + # fallback to terminal encoding for robustness (better display + # something to the user than aborting with a traceback). + prompt = prompt.encode(osutils.get_terminal_encoding(), 'replace') self.clear_term() self.stdout.flush() self.stderr.write(prompt) diff -Nru bzr-2.6.0~bzr6571/debian/changelog bzr-2.6.0~bzr6574/debian/changelog --- bzr-2.6.0~bzr6571/debian/changelog 2013-04-02 06:10:22.000000000 -0400 +++ bzr-2.6.0~bzr6574/debian/changelog 2013-05-20 20:57:32.000000000 -0400 
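Review bot: The new wildcard limit in `_dnsname_to_pat` raises a plain `ValueError`, while `test_no_valid_attributes` in this same diff expects `match_hostname` to report a certificate failure as `CertificateError`. If any caller handles only `CertificateError` (no caller is visible here), a certificate with too many wildcards would surface as an unexpected exception instead of a verification failure. Consider `raise CertificateError("too many wildcards in certificate DNS name: " + repr(dn))`, which keeps the new test's `except ValueError` working provided `CertificateError` derives from `ValueError`; that needs confirming in this module. The added comment also misspells "survey" as "survery". The function body continues past the end of the hunk.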
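Review bot: In the text.py hunk, the fallback around `prompt.encode(self.stderr.encoding)` does not cover a stream whose `encoding` attribute exists but is `None`, nor one that names an unknown codec. On Python 2, which this package targets, a file object not attached to a terminal typically has `encoding` set to `None`; `encode(None)` raises `TypeError`, and an unknown codec name raises `LookupError`. Either would abort the prompt with the traceback the comment says it wants to avoid. Widening the clause to `except (UnicodeError, AttributeError, TypeError, LookupError):` keeps the terminal-encoding fallback reachable in those cases. The enclosing method starts and ends outside the hunk.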
@@ -1,3 +1,33 @@ +bzr (2.6.0~bzr6574-1ubuntu1) saucy; urgency=low + + * Merge from Debian unstable. Remaining Ubuntu changes: + - Drop build dependencies on python-{meliae,lzma,medusa}, + which are not in main. + * Drop changes to Vcs fields. The UDD imports are out of date. + + -- Andrew Starr-Bochicchio Mon, 20 May 2013 20:55:13 -0400 + +bzr (2.6.0~bzr6574-1) unstable; urgency=low + + * New upstream snapshot. + - Fix CVE 2013-2009. Avoid allowing multiple wildcards in a single + SSL cert hostname segment (Closes: #709068, LP: #1182124). + + -- Andrew Starr-Bochicchio Mon, 20 May 2013 19:16:44 -0400 + +bzr (2.6.0~bzr6573-1) unstable; urgency=low + + * Upload to unstable. + * New upstream snapshot. + * Remove the test_tuned_gzip.TestToGzip.test_enormous_chunks test + (LP: #1116079, #1160572). + * Drop debian/patches/04_revert_ui_changes, fixed upstream. + * Drop deprecated Dm-Upload-Allowed field. + * Bump Standards-Version to 3.9.4, no changes needed. + * Drop un-needed Build-Conflicts on python-gpgme. + + -- Andrew Starr-Bochicchio Sat, 11 May 2013 19:13:15 -0400 + bzr (2.6.0~bzr6571-4ubuntu2) raring; urgency=low * Remove the test_tuned_gzip.TestToGzip.test_enormous_chunks test. diff -Nru bzr-2.6.0~bzr6571/debian/control bzr-2.6.0~bzr6574/debian/control --- bzr-2.6.0~bzr6571/debian/control 2013-01-22 05:56:08.000000000 -0500 +++ bzr-2.6.0~bzr6574/debian/control 2013-05-20 21:01:03.000000000 -0400 @@ -5,7 +5,6 @@ XSBC-Original-Maintainer: Debian Bazaar Maintainers Uploaders: Wouter van Heyst , Andrew Starr-Bochicchio -Build-Conflicts: python-gpgme Build-Depends: ca-certificates, cython-dbg | python-pyrex, debhelper (>= 9), 
@@ -20,11 +19,11 @@ python-sphinx (>= 1.0.7+dfsg), python-subunit, python-testtools (>= 0.9.5~) -Standards-Version: 3.9.3 +Standards-Version: 3.9.4 X-Python-Version: >= 2.6 -Vcs-Bzr: https://code.launchpad.net/ubuntu/+source/bzr +Vcs-Bzr: http://bzr.debian.org/bzr/pkg-bazaar/bzr/2.6 +Vcs-Browser: http://bzr.debian.org/loggerhead/pkg-bazaar/bzr/2.6 Homepage: http://bazaar-vcs.org -Dm-Upload-Allowed: yes XS-Testsuite: autopkgtest Package: bzr diff -Nru bzr-2.6.0~bzr6571/debian/patches/04_revert_ui_changes bzr-2.6.0~bzr6574/debian/patches/04_revert_ui_changes --- bzr-2.6.0~bzr6571/debian/patches/04_revert_ui_changes 2012-12-19 18:21:28.000000000 -0500 +++ bzr-2.6.0~bzr6574/debian/patches/04_revert_ui_changes 1969-12-31 19:00:00.000000000 -0500 
@@ -1,137 +0,0 @@ -Description: Revert UI changes that break tests with LC_ALL=C -Author: Jelmer Vernooij -Bug: https://bugs.launchpad.net/bzr/+bug/1086209 - -=== modified file 'bzrlib/tests/test_ui.py' ---- old/bzrlib/tests/test_ui.py 2012-09-17 09:06:56 +0000 -+++ new/bzrlib/tests/test_ui.py 2012-12-04 00:57:43 +0000 -@@ -97,20 +97,28 @@ - pb.finished() - - def test_text_factory_utf8_password(self): -- """Test an utf8 password.""" -- ui = _mod_ui_text.TextUIFactory(None, None, None) -- ui.stdin = tests.StringIOWrapper(u'baz\u1234'.encode('utf8')) -- ui.stdout = tests.StringIOWrapper() -- ui.stderr = tests.StringIOWrapper() -+ """Test an utf8 password. -+ -+ We can't predict what encoding users will have for stdin, so we force -+ it to utf8 to test that we transport the password correctly. -+ """ -+ ui = self.make_test_ui_factory(u'baz\u1234'.encode('utf8')) - ui.stderr.encoding = ui.stdout.encoding = ui.stdin.encoding = 'utf8' - pb = ui.nested_progress_bar() -- password = ui.get_password(u'Hello \u1234 %(user)s', user=u'some\u1234') -- self.assertEqual(u'baz\u1234', password) -- self.assertEqual(u'Hello \u1234 some\u1234: ', -- ui.stderr.getvalue().decode('utf8')) -- # stdin and stdout should be empty -- self.assertEqual('', ui.stdin.readline()) -- self.assertEqual('', ui.stdout.getvalue()) -+ try: -+ password = self.apply_redirected(ui.stdin, ui.stdout, ui.stderr, -+ ui.get_password, -+ u'Hello \u1234 %(user)s', -+ user=u'some\u1234') -+ # We use StringIO objects, we need to decode them -+ self.assertEqual(u'baz\u1234', password.decode('utf8')) -+ self.assertEqual(u'Hello \u1234 some\u1234: ', -+ ui.stderr.getvalue().decode('utf8')) -+ # stdin and stdout should be empty -+ self.assertEqual('', ui.stdin.readline()) -+ self.assertEqual('', ui.stdout.readline()) -+ finally: -+ pb.finished() - - def test_text_ui_get_boolean(self): - stdin = tests.StringIOWrapper("y\n" # True -@@ -262,30 +270,36 @@ - pb.finished() - - def test_text_ui_getusername(self): -- ui = 
_mod_ui_text.TextUIFactory(None, None, None) -- ui.stdin = tests.StringIOWrapper('someuser\n\n') -- ui.stdout = tests.StringIOWrapper() -- ui.stderr = tests.StringIOWrapper() -- ui.stdout.encoding = 'utf8' -- self.assertEqual('someuser', -- ui.get_username(u'Hello %(host)s', host='some')) -- self.assertEquals('Hello some: ', ui.stderr.getvalue()) -- self.assertEquals('', ui.stdout.getvalue()) -- self.assertEqual('', ui.get_username(u"Gebruiker")) -+ factory = _mod_ui_text.TextUIFactory(None, None, None) -+ factory.stdin = tests.StringIOWrapper("someuser\n\n") -+ factory.stdout = tests.StringIOWrapper() -+ factory.stderr = tests.StringIOWrapper() -+ factory.stdout.encoding = "utf8" -+ # there is no output from the base factory -+ self.assertEqual("someuser", -+ factory.get_username(u'Hello %(host)s', host='some')) -+ self.assertEquals("Hello some: ", factory.stderr.getvalue()) -+ self.assertEquals('', factory.stdout.getvalue()) -+ self.assertEqual("", factory.get_username(u"Gebruiker")) - # stdin should be empty -- self.assertEqual('', ui.stdin.readline()) -+ self.assertEqual('', factory.stdin.readline()) - - def test_text_ui_getusername_utf8(self): -- ui = _mod_ui_text.TextUIFactory(None, None, None) -- ui.stdin = tests.StringIOWrapper(u'someuser\u1234'.encode('utf8')) -- ui.stdout = tests.StringIOWrapper() -- ui.stderr = tests.StringIOWrapper() -+ ui = tests.TestUIFactory(stdin=u'someuser\u1234'.encode('utf8'), -+ stdout=tests.StringIOWrapper(), -+ stderr=tests.StringIOWrapper()) - ui.stderr.encoding = ui.stdout.encoding = ui.stdin.encoding = "utf8" -- username = ui.get_username(u'Hello %(host)s', host=u'some\u1234') -- self.assertEquals(u"someuser\u1234", username) -- self.assertEquals(u"Hello some\u1234: ", -- ui.stderr.getvalue().decode("utf8")) -- self.assertEquals('', ui.stdout.getvalue()) -+ pb = ui.nested_progress_bar() -+ try: -+ # there is no output from the base factory -+ username = self.apply_redirected(ui.stdin, ui.stdout, ui.stderr, -+ 
ui.get_username, u'Hello\u1234 %(host)s', host=u'some\u1234') -+ self.assertEquals(u"someuser\u1234", username.decode('utf8')) -+ self.assertEquals(u"Hello\u1234 some\u1234: ", -+ ui.stderr.getvalue().decode("utf8")) -+ self.assertEquals('', ui.stdout.getvalue()) -+ finally: -+ pb.finished() - - def test_quietness(self): - self.overrideEnv('BZR_PROGRESS_BAR', 'text') - -=== modified file 'bzrlib/ui/text.py' ---- old/bzrlib/ui/text.py 2012-10-13 15:18:13 +0000 -+++ new/bzrlib/ui/text.py 2012-12-04 00:57:43 +0000 -@@ -238,11 +238,8 @@ - password = self.stdin.readline() - if not password: - password = None -- else: -- password = password.decode(self.stdin.encoding) -- -- if password[-1] == '\n': -- password = password[:-1] -+ elif password[-1] == '\n': -+ password = password[:-1] - return password - - def get_password(self, prompt=u'', **kwargs): -@@ -276,10 +273,8 @@ - username = self.stdin.readline() - if not username: - username = None -- else: -- username = username.decode(self.stdin.encoding) -- if username[-1] == '\n': -- username = username[:-1] -+ elif username[-1] == '\n': -+ username = username[:-1] - return username - - def make_progress_view(self): - diff -Nru bzr-2.6.0~bzr6571/debian/patches/05_remove_gzip_test bzr-2.6.0~bzr6574/debian/patches/05_remove_gzip_test --- bzr-2.6.0~bzr6571/debian/patches/05_remove_gzip_test 2013-04-02 06:09:21.000000000 -0400 +++ bzr-2.6.0~bzr6574/debian/patches/05_remove_gzip_test 2013-05-20 19:11:39.000000000 -0400 @@ -1,3 +1,9 @@ +Description: Fix some spurious failure. +Origin: Ubuntu +Author: Matthias Klose +Status: Not forwarded upstream (workaround) +LP-Bug: https://bugs.launchpad.net/ubuntu/+source/bzr/+bug/1116079 + Index: b/bzrlib/tests/test_tuned_gzip.py =================================================================== 
--- a/bzrlib/tests/test_tuned_gzip.py 2011-05-13 12:51:05.000000000 +0000 diff -Nru bzr-2.6.0~bzr6571/debian/patches/series bzr-2.6.0~bzr6574/debian/patches/series --- bzr-2.6.0~bzr6571/debian/patches/series 2013-04-02 06:09:03.000000000 -0400 +++ bzr-2.6.0~bzr6574/debian/patches/series 2013-05-20 19:11:39.000000000 -0400 @@ -1,5 +1,4 @@ 01_selftest_package 02_external_configobj 03_spurious_test_failure -04_revert_ui_changes 05_remove_gzip_test diff -Nru bzr-2.6.0~bzr6571/doc/en/release-notes/bzr-2.6.txt bzr-2.6.0~bzr6574/doc/en/release-notes/bzr-2.6.txt --- bzr-2.6.0~bzr6571/doc/en/release-notes/bzr-2.6.txt 2012-10-23 06:22:25.000000000 -0400 +++ bzr-2.6.0~bzr6574/doc/en/release-notes/bzr-2.6.txt 2012-12-04 11:36:55.000000000 -0500 @@ -104,9 +104,9 @@ Testing ******* -.. Fixes and changes that are only relevant to bzr's test framework and - suite. This can include new facilities for writing tests, fixes to - spurious test failures and changes to the way things should be tested. +* Fix test failures occurring only with LC_ALL=C, when prompting a user, + ``stderr`` encoding should be preferred over terminal encoding if + available. (Vincent Ladeuil, #1086209) bzr 2.6b2