Gentoo Archives: gentoo-commits

From: Matthew Thode <prometheanfire@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-python/pysaml2/, dev-python/pysaml2/files/
Date: Fri, 28 Feb 2020 16:30:01
Message-Id: 1582907384.e7a247aadc5e35bf5aed61f78f7e8b0d9ed21dfb.prometheanfire@gentoo
1 commit: e7a247aadc5e35bf5aed61f78f7e8b0d9ed21dfb
2 Author: Matthew Thode <prometheanfire <AT> gentoo <DOT> org>
3 AuthorDate: Fri Feb 28 16:28:00 2020 +0000
4 Commit: Matthew Thode <prometheanfire <AT> gentoo <DOT> org>
5 CommitDate: Fri Feb 28 16:29:44 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7a247aa
7
8 dev-python/pysaml2: 4.6.5-r1 added fast stable for CVE-2020-5390
9
10 Bug: https://bugs.gentoo.org/710732
11 Package-Manager: Portage-2.3.84, Repoman-2.3.20
12 RepoMan-Options: --force
13 Signed-off-by: Matthew Thode <prometheanfire <AT> gentoo.org>
14
15 dev-python/pysaml2/files/cve-2020-5390.patch | 189 +++++++++++++++++++++++++++
16 dev-python/pysaml2/metadata.xml | 2 +-
17 dev-python/pysaml2/pysaml2-4.6.5-r1.ebuild | 42 ++++++
18 3 files changed, 232 insertions(+), 1 deletion(-)
19
20 diff --git a/dev-python/pysaml2/files/cve-2020-5390.patch b/dev-python/pysaml2/files/cve-2020-5390.patch
21 new file mode 100644
22 index 00000000000..bef46808d92
23 --- /dev/null
24 +++ b/dev-python/pysaml2/files/cve-2020-5390.patch
25 @@ -0,0 +1,189 @@
26 +From 5e9d5acbcd8ae45c4e736ac521fd2df5b1c62e25 Mon Sep 17 00:00:00 2001
27 +From: Ivan Kanakarakis <ivan.kanak@×××××.com>
28 +Date: Sat, 4 Jan 2020 00:39:47 +0200
29 +Subject: [PATCH] Fix XML Signature Wrapping (XSW) vulnerabilities
30 +
31 +PySAML2 did not check that the signature in a SAML document is enveloped and thus
32 +XML signature wrapping (XSW) was effective.
33 +
34 +The signature information and the node/object that is signed can be in different places
35 +and thus the signature verification will succeed, but the wrong data will be used. This
36 +specifically affects the verification of assertions that have been signed.
37 +
38 +This was assigned CVE-2020-5390
39 +
40 +Thanks to Alexey Sintsov and Yuri Goltsev from HERE Technologies to report this.
41 +
42 ++ + + + + + + +
43 +
44 +In more detail:
45 +
46 +libxml2 follows the xmldsig-core specification. The xmldsig specification is way too
47 +general. saml-core reuses the xmldsig specification, but constrains it to use of
48 +specific facilities. The implementation of the SAML specification is responsible to
49 +enforce those constraints. libxml2/xmlsec1 are not aware of those constraints and thus
50 +process the document based on the full/general xmldsig rules.
51 +
52 +What is happening is the following:
53 +
54 +- xmldsig-core allows the signature-information and the data that was signed to be in
55 + different places. This works by setting the URI attribute of the Reference element.
56 + The URI attribute contains an optional identifier of the object being signed. (see
57 + "4.4.3 The Reference Element" -- https://www.w3.org/TR/xmldsig-core1/#sec-Reference)
58 + This identifier is actually a pointer that can be defined in many different ways; from
59 + XPath expressions that need to be executed(!), to a full URL that should be fetched(!)
60 + in order to recalculate the signature.
61 +
62 +- saml-core section "5.4 XML Signature Profile" defines constrains on the xmldsig-core
63 + facilities. It explicitly dictates that enveloped signatures are the only signatures
64 + allowed. This mean that:
65 + * Assertion/RequestType/ResponseType elements must have an ID attribute
66 + * signatures must have a single Reference element
67 + * the Reference element must have a URI attribute
68 + * the URI attribute contains an anchor
69 + * the anchor points to the enclosing element's ID attribute
70 +
71 +xmlsec1 does the right thing - it follows the reference URI pointer and validates the
72 +assertion. But, the pointer points to an assertion in another part of the document; not
73 +the assertion in which the signature is embedded/enveloped. SAML processing thinks that
74 +the signature is fine (that's what xmlsec1 said), and gets the assertion data from the
75 +assertion that contains the signature - but that assertion was never validated. The
76 +issue is that pysaml2 does not enforce the constrains on the signature validation
77 +facilities of xmldsig-core, that the saml-core spec defines.
78 +
79 +The solution is simple; all we need is to make sure that assertions with signatures (1)
80 +contain one reference element that (2) has a URI attribute (3) that is an anchor that
81 +(4) points to the assertion in which the signature is embedded. If those conditions are
82 +met then we're good, otherwise we should fail the verification.
83 +
84 +Signed-off-by: Ivan Kanakarakis <ivan.kanak@×××××.com>
85 +---
86 + src/saml2/sigver.py | 49 ++++++++++++++++++++++++++++++++++++
87 + tests/saml2_response_xsw.xml | 6 +++++
88 + tests/test_xsw.py | 44 ++++++++++++++++++++++++++++++++
89 + 3 files changed, 99 insertions(+)
90 + create mode 100644 tests/saml2_response_xsw.xml
91 + create mode 100644 tests/test_xsw.py
92 +
93 +diff --git a/src/saml2/sigver.py b/src/saml2/sigver.py
94 +index cbeca41f..c3d298a9 100644
95 +--- a/src/saml2/sigver.py
96 ++++ b/src/saml2/sigver.py
97 +@@ -1476,6 +1476,55 @@ def _check_signature(self, decoded_xml, item, node_name=NODE_NAME, origdoc=None,
98 + if not certs:
99 + raise MissingKey(_issuer)
100 +
101 ++ # saml-core section "5.4 XML Signature Profile" defines constrains on the
102 ++ # xmldsig-core facilities. It explicitly dictates that enveloped signatures
103 ++ # are the only signatures allowed. This mean that:
104 ++ # * Assertion/RequestType/ResponseType elements must have an ID attribute
105 ++ # * signatures must have a single Reference element
106 ++ # * the Reference element must have a URI attribute
107 ++ # * the URI attribute contains an anchor
108 ++ # * the anchor points to the enclosing element's ID attribute
109 ++ references = item.signature.signed_info.reference
110 ++ signatures_must_have_a_single_reference_element = len(references) == 1
111 ++ the_Reference_element_must_have_a_URI_attribute = (
112 ++ signatures_must_have_a_single_reference_element
113 ++ and hasattr(references[0], "uri")
114 ++ )
115 ++ the_URI_attribute_contains_an_anchor = (
116 ++ the_Reference_element_must_have_a_URI_attribute
117 ++ and references[0].uri.startswith("#")
118 ++ and len(references[0].uri) > 1
119 ++ )
120 ++ the_anchor_points_to_the_enclosing_element_ID_attribute = (
121 ++ the_URI_attribute_contains_an_anchor
122 ++ and references[0].uri == "#{id}".format(id=item.id)
123 ++ )
124 ++ validators = {
125 ++ "signatures must have a single reference element": (
126 ++ signatures_must_have_a_single_reference_element
127 ++ ),
128 ++ "the Reference element must have a URI attribute": (
129 ++ the_Reference_element_must_have_a_URI_attribute
130 ++ ),
131 ++ "the URI attribute contains an anchor": (
132 ++ the_URI_attribute_contains_an_anchor
133 ++ ),
134 ++ "the anchor points to the enclosing element ID attribute": (
135 ++ the_anchor_points_to_the_enclosing_element_ID_attribute
136 ++ ),
137 ++ }
138 ++ if not all(validators.values()):
139 ++ error_context = {
140 ++ "message": "Signature failed to meet constraints on xmldsig",
141 ++ "validators": validators,
142 ++ "item ID": item.id,
143 ++ "reference URI": item.signature.signed_info.reference[0].uri,
144 ++ "issuer": _issuer,
145 ++ "node name": node_name,
146 ++ "xml document": decoded_xml,
147 ++ }
148 ++ raise SignatureError(error_context)
149 ++
150 + verified = False
151 + last_pem_file = None
152 +
153 +diff --git a/tests/saml2_response_xsw.xml b/tests/saml2_response_xsw.xml
154 +new file mode 100644
155 +index 00000000..3671eb48
156 +--- /dev/null
157 ++++ b/tests/saml2_response_xsw.xml
158 +@@ -0,0 +1,6 @@
159 ++<?xml version="1.0" encoding="UTF-8"?>
160 ++<ns0:Response xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="http://lingon.catalogix.se:8087/" ID="id-vqOQ72JCppXaBWnBE" InResponseTo="id12" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns0:Status><ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></ns0:Status><ns1:Assertion ID="id-SPOOFED_ASSERTION" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns2:Signature Id="Signature2"><ns2:SignedInfo><ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ns2:Referen
161 ce URI="#id-Aa9IWfDxJVIX6GQye"><ns2:Transforms><ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ns2:DigestValue>EWBvQUlrwQbtrAjuUXkSBAVsZ50=</ns2:DigestValue></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue>m4zRgTWleMcx1dFboeiYlbiDigHWAVhHVa+GLN++ELNMFDutuzBxc3tu6okyaNQGW3leu32wzbfdpb5+3RlpGoKj2wPX570/EMJj4uw91XfXsZfpNP+5GlgNT8w/elDmBXhG/KwmSO477Imk0szKovTBMVHmo3QOd+ba//dVsJE=</ns2:SignatureValue><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>MIICsDCCAhmgAwIBAgIJAJrzqSSwmDY9MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMDkxMDA2MTk0OTQxWhcNMDkxMTA1MTk0OTQxWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJg2cms7MqjniT8Fi/XkNHZNPbNVQyMUMX
162 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</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature><ns1:Subject><ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="" SPNameQualifier="id12">ANOTHER_ID</ns1:NameID><ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns1:SubjectConfirmationData InResponseTo="id12" NotOnOrAfter="2019-12-20T12:20:16Z" Recipient="http://lingon.catalogix.se:8087/"/></ns1:Subj
163 ectConfirmation></ns1:Subject><ns1:Conditions NotBefore="2019-12-20T12:15:16Z" NotOnOrAfter="2019-12-20T12:20:16Z"><ns1:AudienceRestriction><ns1:Audience>urn:mace:example.com:saml:roland:sp</ns1:Audience></ns1:AudienceRestriction></ns1:Conditions><ns1:AuthnStatement AuthnInstant="2019-12-20T12:15:16Z" SessionIndex="id-eEhNCc5BSiesVOl8B"><ns1:AuthnContext><ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword</ns1:AuthnContextClassRef><ns1:AuthenticatingAuthority>http://www.example.com/login</ns1:AuthenticatingAuthority></ns1:AuthnContext></ns1:AuthnStatement><ns1:AttributeStatement><ns1:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">staff</ns1:AttributeValue><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">ADMIN</ns1:AttributeValue
164 ></ns1:Attribute><ns1:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">HACKER@×××××.com</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Derek</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="surName" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Jeter</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="title" Name="urn:oid:2.5.4.12" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string
165 ">shortstop</ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion>
166 ++<XSW_ATTACK>
167 ++<ns1:Assertion ID="id-Aa9IWfDxJVIX6GQye" IssueInstant="2019-12-20T12:15:16Z" Version="2.0"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:mace:example.com:saml:roland:idp</ns1:Issuer><ns1:Subject><ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="" SPNameQualifier="id12">ac5b22bb8eac4a26ed07a55432a0fe0da243f6e911aa614cff402c44d7cdec36</ns1:NameID><ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><ns1:SubjectConfirmationData InResponseTo="id12" NotOnOrAfter="2019-12-20T12:20:16Z" Recipient="http://lingon.catalogix.se:8087/"/></ns1:SubjectConfirmation></ns1:Subject><ns1:Conditions NotBefore="2019-12-20T12:15:16Z" NotOnOrAfter="2019-12-20T12:20:16Z"><ns1:AudienceRestriction><ns1:Audience>urn:mace:example.com:saml:roland:sp</ns1:Audience></ns1:AudienceRestriction></ns1:Conditions><ns1:AuthnStatement AuthnInstant="2019-12-20T12:15:16Z" SessionIndex="id-eEhNCc5BSiesVOl8B"><ns1:AuthnContext><ns1:AuthnCon
168 textClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword</ns1:AuthnContextClassRef><ns1:AuthenticatingAuthority>http://www.example.com/login</ns1:AuthenticatingAuthority></ns1:AuthnContext></ns1:AuthnStatement><ns1:AttributeStatement><ns1:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">staff</ns1:AttributeValue><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">member</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">foo@×××××.com</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:
169 oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Derek</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="surName" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Jeter</ns1:AttributeValue></ns1:Attribute><ns1:Attribute FriendlyName="title" Name="urn:oid:2.5.4.12" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">shortstop</ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion>
170 ++</XSW_ATTACK>
171 ++</ns0:Response>
172 +diff --git a/tests/test_xsw.py b/tests/test_xsw.py
173 +new file mode 100644
174 +index 00000000..9978c4d3
175 +--- /dev/null
176 ++++ b/tests/test_xsw.py
177 +@@ -0,0 +1,44 @@
178 ++from datetime import datetime
179 ++from unittest.mock import Mock
180 ++from unittest.mock import patch
181 ++
182 ++from saml2.config import config_factory
183 ++from saml2.response import authn_response
184 ++from saml2.sigver import SignatureError
185 ++
186 ++from dateutil import parser
187 ++
188 ++from pytest import raises
189 ++
190 ++from pathutils import dotname
191 ++from pathutils import full_path
192 ++
193 ++
194 ++XML_RESPONSE_XSW = full_path("saml2_response_xsw.xml")
195 ++
196 ++
197 ++class TestAuthnResponse:
198 ++ def setup_class(self):
199 ++ self.conf = config_factory("sp", dotname("server_conf"))
200 ++ self.ar = authn_response(self.conf, "http://lingon.catalogix.se:8087/")
201 ++
202 ++ @patch('saml2.response.validate_on_or_after', return_value=True)
203 ++ def test_verify_signed_xsw(self, mock_validate_on_or_after):
204 ++ self.ar.issue_instant_ok = Mock(return_value=True)
205 ++
206 ++ with open(XML_RESPONSE_XSW) as fp:
207 ++ xml_response = fp.read()
208 ++
209 ++ self.ar.outstanding_queries = {"id12": "http://localhost:8088/sso"}
210 ++ self.ar.timeslack = 10000
211 ++ self.ar.loads(xml_response, decode=False)
212 ++
213 ++ assert self.ar.came_from == 'http://localhost:8088/sso'
214 ++ assert self.ar.session_id() == "id12"
215 ++ assert self.ar.issuer() == 'urn:mace:example.com:saml:roland:idp'
216 ++
217 ++ with raises(SignatureError):
218 ++ self.ar.verify()
219 ++
220 ++ assert self.ar.ava is None
221 ++ assert self.ar.name_id is None
222
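Review bot: In the src/saml2/sigver.py part of the embedded patch, the failure path builds error_context with `item.signature.signed_info.reference[0].uri`, which raises IndexError when SignedInfo carries no Reference element. That is exactly the input the first validator (`len(references) == 1`) is meant to reject, so it surfaces as IndexError instead of SignatureError. Suggest reporting `[r.uri for r in references]` there, or guarding the index. Separately, `hasattr(references[0], "uri")` only shows that the attribute exists; if it can be None, the following `.uri.startswith("#")` raises AttributeError, so an explicit `is not None` check would be safer. tests/test_xsw.py exercises only the case where the anchor points at a different assertion; cases with zero or several Reference elements and with a missing URI would cover the first three validators.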
223 diff --git a/dev-python/pysaml2/metadata.xml b/dev-python/pysaml2/metadata.xml
224 index e06acc272e6..34133f9748f 100644
225 --- a/dev-python/pysaml2/metadata.xml
226 +++ b/dev-python/pysaml2/metadata.xml
227 @@ -10,7 +10,7 @@
228 <name>Openstack</name>
229 </maintainer>
230 <longdescription lang="en">
231 - Python implementation of SAML Version 2 to be used in a WSGI environment
232 + PySAML2 is a pure python implementation of SAML Version 2 Standard. It contains all necessary pieces for building a SAML2 service provider or an identity provider. The distribution contains examples of both. Originally written to work in a WSGI environment there are extensions that allow you to use it with other frameworks.
233 </longdescription>
234 <upstream>
235 <remote-id type="pypi">pysaml2</remote-id>
236
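Review bot: The longdescription rewrite is unrelated to the CVE-2020-5390 fast-stable this commit is for, and would be easier to review and revert as its own commit. As added it is also a single very long line, and DESCRIPTION in the new pysaml2-4.6.5-r1.ebuild still carries the old wording, so the two now disagree.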
237 diff --git a/dev-python/pysaml2/pysaml2-4.6.5-r1.ebuild b/dev-python/pysaml2/pysaml2-4.6.5-r1.ebuild
238 new file mode 100644
239 index 00000000000..9d807ccf40e
240 --- /dev/null
241 +++ b/dev-python/pysaml2/pysaml2-4.6.5-r1.ebuild
242 @@ -0,0 +1,42 @@
243 +# Copyright 1999-2020 Gentoo Authors
244 +# Distributed under the terms of the GNU General Public License v2
245 +
246 +EAPI=7
247 +PYTHON_COMPAT=( python3_{6,7} )
248 +
249 +inherit distutils-r1
250 +
251 +DESCRIPTION="Python implementation of SAML Version 2 to be used in a WSGI environment"
252 +HOMEPAGE="https://github.com/rohe/pysaml2"
253 +SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
254 +
255 +LICENSE="Apache-2.0"
256 +SLOT="0"
257 +KEYWORDS="amd64 ~arm64 x86"
258 +IUSE=""
259 +
260 +PATCHES=(
261 +)
262 +
263 +DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]"
264 +RDEPEND=">=dev-python/cryptography-1.4[${PYTHON_USEDEP}]
265 + dev-python/defusedxml[${PYTHON_USEDEP}]
266 + dev-python/future[${PYTHON_USEDEP}]
267 + dev-python/pyopenssl[${PYTHON_USEDEP}]
268 + dev-python/python-dateutil[${PYTHON_USEDEP}]
269 + dev-python/pytz[${PYTHON_USEDEP}]
270 + >=dev-python/requests-1.0.0[${PYTHON_USEDEP}]
271 + dev-python/six[${PYTHON_USEDEP}]"
272 +
273 +PATCHES=( "${FILESDIR}/cve-2020-5390.patch" )
274 +
275 +python_prepare_all() {
276 + # Work-around for bug 675824
277 + # With older setuptools, version = file:... is not supported, see Note 1 in:
278 + # https://setuptools.readthedocs.io/en/latest/setuptools.html#metadata
279 + # In such cases, hardcode the version
280 + has_version ">=dev-python/setuptools-39.2.0" || \
281 + sed --in-place "s/^version = file:.*\$/version = ${PV}/" setup.cfg
282 + ##
283 + distutils-r1_python_prepare_all
284 +}
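Review bot: PATCHES is assigned twice in this ebuild: an empty `PATCHES=(` / `)` right after IUSE, and then `PATCHES=( "${FILESDIR}/cve-2020-5390.patch" )` after RDEPEND. The second assignment wins, so the security patch is applied, but the empty array is dead code that invites a later edit landing in the wrong place; drop it and keep the single assignment. The bare `##` line in python_prepare_all can go as well.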