From b4ff4c69f38e72bf118cffe01cf420f5719b2da7 Mon Sep 17 00:00:00 2001 From: Miroslav Suchý Date: Sep 21 2018 13:33:09 +0000 Subject: Update python-marshmallow to 2.11.1-8
---
diff --git a/.gitignore b/.gitignore
index 4b55400..1a3bc86 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,5 @@
 /marshmallow-2.10.4.tar.gz
 /marshmallow-2.10.5.tar.gz
 /marshmallow-2.11.1.tar.gz
+/ordered_set.patch
+/CVE-2018-17175.patch
diff --git a/CVE-2018-17175.patch b/CVE-2018-17175.patch
new file mode 100644
index 0000000..dfe92e4
--- /dev/null
+++ b/CVE-2018-17175.patch
@@ -0,0 +1,46 @@
+diff -Naur marshmallow-2.11.1.orig/marshmallow/schema.py marshmallow-2.11.1/marshmallow/schema.py
+--- marshmallow-2.11.1.orig/marshmallow/schema.py 2017-01-08 22:23:48.000000000 +0100
++++ marshmallow-2.11.1/marshmallow/schema.py 2018-09-21 14:20:06.756913165 +0200
+@@ -324,7 +324,7 @@
+ """
+ pass
+
+- def __init__(self, extra=None, only=(), exclude=(), prefix='', strict=None,
++ def __init__(self, extra=None, only=None, exclude=(), prefix='', strict=None,
+ many=False, context=None, load_only=(), dump_only=(),
+ partial=False):
+ # copy declared fields from metaclass
+@@ -692,7 +692,7 @@
+
+ def _normalize_nested_options(self):
+ """Apply then flatten nested schema options"""
+- if self.only:
++ if self.only is not None:
+ # Apply the only option to nested fields.
+ self.__apply_nested_option('only', self.only)
+ # Remove the child field names from the only option.
+@@ -725,7 +725,7 @@
+
+ def _update_fields(self, obj=None, many=False):
+ """Update fields based on the passed in object."""
+- if self.only:
++ if self.only is not None:
+ # Return only fields specified in only option
+ if self.opts.fields:
+ field_names = self.set_class(self.opts.fields) & self.set_class(self.only)
+diff -Naur marshmallow-2.11.1.orig/tests/test_schema.py marshmallow-2.11.1/tests/test_schema.py
+--- marshmallow-2.11.1.orig/tests/test_schema.py 2017-01-08 22:23:48.000000000 +0100
++++ marshmallow-2.11.1/tests/test_schema.py 2018-09-21 14:20:06.758913124 +0200
+@@ -884,6 +884,12 @@
+ sch = MySchema(only=('baz', ))
+ assert sch.dump({'foo': 42}).data == {}
+
++def test_only_empty():
++ class MySchema(Schema):
++ foo = fields.Field()
++
++ sch = MySchema(only=())
++ assert 'foo' not in sch.dump({'foo': 'bar'})
+
+ def test_nested_only_and_exclude():
+ class Inner(Schema):
diff --git a/ordered_set.patch b/ordered_set.patch
new file mode 100644
index 0000000..177e1ef
--- /dev/null
+++ b/ordered_set.patch
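Review bot: The added regression test `test_only_empty` looks unable to fail, so it does not actually guard the CVE-2018-17175 fix. It asserts `'foo' not in sch.dump({'foo': 'bar'})`, while the neighbouring test in the same hunk reads the result through `.data` (`sch.dump({'foo': 42}).data == {}`), which suggests that `dump()` in this 2.x line returns a result wrapper rather than the serialized dict. Membership is then checked against the wrapper, not the output fields, and holds whether or not `only=()` is honoured. The assertion should read `assert 'foo' not in sch.dump({'foo': 'bar'}).data`, or more strictly `assert sch.dump({'foo': 'bar'}).data == {}`.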
@@ -0,0 +1,12 @@
+diff -Naur marshmallow-2.11.1.orig/marshmallow/schema.py test/marshmallow/schema.py
+--- marshmallow-2.11.1.orig/marshmallow/schema.py 2017-01-08 22:23:48.000000000 +0100
++++ test/marshmallow/schema.py 2018-09-21 15:24:08.994234083 +0200
+@@ -17,7 +17,7 @@
+ from marshmallow.compat import (with_metaclass, iteritems, text_type,
+ binary_type, OrderedDict)
+ from marshmallow.exceptions import ValidationError
+-from marshmallow.orderedset import OrderedSet
++from ordered_set import OrderedSet
+ from marshmallow.decorators import (PRE_DUMP, POST_DUMP, PRE_LOAD, POST_LOAD,
+ VALIDATES, VALIDATES_SCHEMA)
+ from marshmallow.utils import missing
diff --git a/python-marshmallow.spec b/python-marshmallow.spec
index 5bede14..ac6d5eb 100644
--- a/python-marshmallow.spec
+++ b/python-marshmallow.spec
@@ -3,11 +3,13 @@ Name: python-%{modname} Version: 2.11.1 -Release: 7%{?dist} +Release: 8%{?dist} Summary: Python library for converting complex datatypes to and from primitive types License: MIT URL: http://marshmallow.readthedocs.org/ Source0: https://github.com/marshmallow-code/marshmallow/archive/%{version}/%{modname}-%{version}.tar.gz +Patch0: ordered_set.patch +Patch1: CVE-2018-17175.patch BuildArch: noarch
@@ -71,14 +73,15 @@ Recommends: python3-simplejson Python 3 version. %prep -%autosetup -n %{modname}-%{version} +%setup -n %{modname}-%{version} +%patch0 -p1 +%patch1 -p1 # remove bundled library # instead of orderedsett we patch code to usu python-ordered-set # ordereddict.py is used only for compatibility with python2.6, # which we do not need rm -f ./marshmallow/ordereddict.py ./marshmallow/orderedset.py -sed -i -e "s/from marshmallow.orderedset/from ordered_set/g" %{modname}/schema.py # Drop support for sphinx-issues as it's not yet packaged sed -i -e "/sphinx_issues/d" docs/conf.py
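Review bot: `Patch0` and `Patch1` are declared without any comment saying where each patch comes from, which for a security backport makes it hard to compare the packaged change with the upstream fix later. Add a line above each, for example `# Backport of the upstream fix for CVE-2018-17175: <upstream commit URL>` above `Patch1` and `# Import the system ordered_set module instead of the bundled marshmallow/orderedset.py` above `Patch0`.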
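Review bot: Replacing `%autosetup` with `%setup` plus hand-written `%patch0 -p1` / `%patch1 -p1` in `%prep` means every future `PatchN:` line needs a matching `%patchN`, and a forgotten one leaves a declared fix silently unapplied. Keeping the macro and giving it the strip level, `%autosetup -p1 -n %{modname}-%{version}`, applies every declared patch in order and avoids that failure mode. The `%prep` section continues outside this hunk.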
@@ -117,6 +120,9 @@ py.test-%{python3_version} -v %{python3_sitelib}/%{modname}-*.egg-info/ %changelog +* Fri Sep 21 2018 Miroslav Suchý 2.11.1-8 +- add patch for CVE-2018-17175.patch + * Sat Jul 14 2018 Fedora Release Engineering - 2.11.1-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
diff --git a/sources b/sources
index ca93138..1fe7f66 100644
--- a/sources
+++ b/sources
@@ -1 +1,3 @@
 SHA512 (marshmallow-2.11.1.tar.gz) = daf0623af43a835b4841a5ea3b2277805873f86ca4138caa50522b2419314c62b6535dace1e16c6a03462ec9dda79aa7223c29865914302b65a337efb3a44798
+SHA512 (ordered_set.patch) = 86e3f9b1f643121b13c46b2302e7eb05399a90515fff5ee1430431550085116921a175498e29f2e35e2d6f3a737fb761713001a60f9f9e9812c7ccf49fe6500e
+SHA512 (CVE-2018-17175.patch) = d414414518eec7d72f1eec9969c85d98d4a865ca06315dc55b929ed8532f567ac54e1149378b4cf0c05028202e59d3b600f979799631ccf50a2f7f0e2df8b534
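Review bot: `ordered_set.patch` and `CVE-2018-17175.patch` end up with two sources of truth, because this commit adds both files to git (the `new file mode 100644` sections earlier in the diff) and also lists them in `sources` and in `.gitignore`. If the tracked copy is later edited without refreshing `sources`, the recorded `SHA512` and the reviewed file disagree; which copy a build picks up is not visible here. Keeping the patches in git only, where their content is reviewable, would mean dropping the two `SHA512 (...patch)` lines in this hunk and the two matching `.gitignore` entries.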