Date: Sun, 7 Sep 2008 06:13:00 GMT From: bf <bf2006a@yahoo.com> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/127172: [PATCH]lang/python25: security fixes for 2.5.2 Message-ID: <200809070613.m876D0ZI010003@www.freebsd.org> Resent-Message-ID: <200809070620.m876K1XN047402@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 127172 >Category: ports >Synopsis: [PATCH]lang/python25: security fixes for 2.5.2 >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Sep 07 06:20:01 UTC 2008 >Closed-Date: >Last-Modified: >Originator: bf >Release: 7-STABLE i386 >Organization: - >Environment: >Description: While we're waiting for the new version of python, be on the safe side and add patches for CVE-2008-2315, CVE-2008-2316, CVE-2008-3142, and CVE-2008-3144. These should be documented in vuxml. lang/python24 should also be patched for these, and also for CVE-2008-3143. (See, for example, http://www.gentoo.org/security/en/glsa/glsa-200807-16.xml , and the links in that page.) >How-To-Repeat: >Fix: Patch attached with submission follows: diff -ruN python25.orig/Makefile python25/Makefile --- python25.orig/Makefile 2008-08-21 02:17:31.000000000 -0400 +++ python25/Makefile 2008-09-07 01:54:52.726296290 -0400 @@ -6,7 +6,7 @@ PORTNAME= python25 PORTVERSION= 2.5.2 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= lang python ipv6 MASTER_SITES= ${PYTHON_MASTER_SITES} MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR} diff -ruN python25.orig/files/patch-at python25/files/patch-at --- python25.orig/files/patch-at 1969-12-31 19:00:00.000000000 -0500 +++ python25/files/patch-at 2008-09-07 01:54:52.566294111 -0400 @@ -0,0 +1,15 @@ + + +Part of the fix for CVE-2008-2315 taken from Gentoo. + +--- Modules/mmapmodule.c.orig 2006-08-22 14:57:07.000000000 +0100 ++++ Modules/mmapmodule.c 2008-08-30 10:16:13.000000000 +0100 +@@ -223,7 +223,7 @@ + return(NULL); + + /* silently 'adjust' out-of-range requests */ +- if ((self->pos + num_bytes) > self->size) { ++ if (num_bytes > self->size - self->pos) { + num_bytes -= (self->pos+num_bytes) - self->size; + } + result = Py_BuildValue("s#", self->data+self->pos, num_bytes); diff -ruN python25.orig/files/patch-ba python25/files/patch-ba --- python25.orig/files/patch-ba 1969-12-31 19:00:00.000000000 -0500 +++ python25/files/patch-ba 2008-09-07 01:54:52.576295382 -0400 @@ -0,0 +1,119 @@ + + +Patch for CVE-2008-2315 taken from Gentoo. + +--- Objects/unicodeobject.c.orig 2007-11-02 22:46:38.000000000 +0000 ++++ Objects/unicodeobject.c 2008-08-30 10:16:13.000000000 +0100 +@@ -239,6 +239,11 @@ + return unicode_empty; + } + ++ /* Ensure we won't overflow the size. */ ++ if (length > ((PY_SSIZE_T_MAX / sizeof(Py_UNICODE)) - 1)) { ++ return (PyUnicodeObject *)PyErr_NoMemory(); ++ } ++ + /* Unicode freelist & memory allocation */ + if (unicode_freelist) { + unicode = unicode_freelist; +@@ -1091,6 +1096,9 @@ + char * out; + char * start; + ++ if (cbAllocated / 5 != size) ++ return PyErr_NoMemory(); ++ + if (size == 0) + return PyString_FromStringAndSize(NULL, 0); + +@@ -1689,8 +1697,9 @@ + { + PyObject *v; + unsigned char *p; ++ Py_ssize_t nsize, bytesize; + #ifdef Py_UNICODE_WIDE +- int i, pairs; ++ Py_ssize_t i, pairs; + #else + const int pairs = 0; + #endif +@@ -1713,8 +1722,15 @@ + if (s[i] >= 0x10000) + pairs++; + #endif +- v = PyString_FromStringAndSize(NULL, +- 2 * (size + pairs + (byteorder == 0))); ++ /* 2 * (size + pairs + (byteorder == 0)) */ ++ if (size > PY_SSIZE_T_MAX || ++ size > PY_SSIZE_T_MAX - pairs - (byteorder == 0)) ++ return PyErr_NoMemory(); ++ nsize = (size + pairs + (byteorder == 0)); ++ bytesize = nsize * 2; ++ if (bytesize / 2 != nsize) ++ return PyErr_NoMemory(); ++ v = PyString_FromStringAndSize(NULL, bytesize); + if (v == NULL) + return NULL; + +@@ -2042,6 +2058,11 @@ + char *p; + + static const char *hexdigit = "0123456789abcdef"; ++#ifdef Py_UNICODE_WIDE ++ const Py_ssize_t expandsize = 10; ++#else ++ const Py_ssize_t expandsize = 6; ++#endif + + /* Initial allocation is based on the longest-possible unichr + escape. +@@ -2057,13 +2078,12 @@ + escape. + */ + ++ if (size > (PY_SSIZE_T_MAX - 2 - 1) / expandsize) ++ return PyErr_NoMemory(); ++ + repr = PyString_FromStringAndSize(NULL, + 2 +-#ifdef Py_UNICODE_WIDE +- + 10*size +-#else +- + 6*size +-#endif ++ + expandsize*size + + 1); + if (repr == NULL) + return NULL; +@@ -2304,12 +2324,16 @@ + char *q; + + static const char *hexdigit = "0123456789abcdef"; +- + #ifdef Py_UNICODE_WIDE +- repr = PyString_FromStringAndSize(NULL, 10 * size); ++ const Py_ssize_t expandsize = 10; + #else +- repr = PyString_FromStringAndSize(NULL, 6 * size); ++ const Py_ssize_t expandsize = 6; + #endif ++ ++ if (size > PY_SSIZE_T_MAX / expandsize) ++ return PyErr_NoMemory(); ++ ++ repr = PyString_FromStringAndSize(NULL, expandsize * size); + if (repr == NULL) + return NULL; + if (size == 0) +@@ -4719,6 +4743,11 @@ + return self; + } + ++ if (left > PY_SSIZE_T_MAX - self->length || ++ right > PY_SSIZE_T_MAX - (left + self->length)) { ++ PyErr_SetString(PyExc_OverflowError, "padded string is too long"); ++ return NULL; ++ } + u = _PyUnicode_New(left + self->length + right); + if (u) { + if (left) diff -ruN python25.orig/files/patch-bb python25/files/patch-bb --- python25.orig/files/patch-bb 1969-12-31 19:00:00.000000000 -0500 +++ python25/files/patch-bb 2008-09-07 01:54:52.586294418 -0400 @@ -0,0 +1,21 @@ + + +Patch for CVE-2008-2315 taken from Gentoo. + +--- Objects/tupleobject.c.orig 2006-08-12 18:03:09.000000000 +0100 ++++ Objects/tupleobject.c 2008-08-30 10:16:13.000000000 +0100 +@@ -60,11 +60,12 @@ + Py_ssize_t nbytes = size * sizeof(PyObject *); + /* Check for overflow */ + if (nbytes / sizeof(PyObject *) != (size_t)size || +- (nbytes += sizeof(PyTupleObject) - sizeof(PyObject *)) +- <= 0) ++ (nbytes > PY_SSIZE_T_MAX - sizeof(PyTupleObject) - sizeof(PyObject *))) + { + return PyErr_NoMemory(); + } ++ nbytes += sizeof(PyTupleObject) - sizeof(PyObject *); ++ + op = PyObject_GC_NewVar(PyTupleObject, &PyTuple_Type, size); + if (op == NULL) + return NULL; diff -ruN python25.orig/files/patch-bc python25/files/patch-bc --- python25.orig/files/patch-bc 1969-12-31 19:00:00.000000000 -0500 +++ python25/files/patch-bc 2008-09-07 01:54:52.586294418 -0400 @@ -0,0 +1,17 @@ + + +Patch for CVE-2008-2315 taken from Gentoo. + +--- Objects/bufferobject.c.orig 2008-02-14 11:26:18.000000000 +0000 ++++ Objects/bufferobject.c 2008-08-30 10:16:13.000000000 +0100 +@@ -427,6 +427,10 @@ + count = 0; + if (!get_buf(self, &ptr, &size, ANY_BUFFER)) + return NULL; ++ if (count > PY_SSIZE_T_MAX / size) { ++ PyErr_SetString(PyExc_MemoryError, "result too large"); ++ return NULL; ++ } + ob = PyString_FromStringAndSize(NULL, size * count); + if ( ob == NULL ) + return NULL; diff -ruN python25.orig/files/patch-bd python25/files/patch-bd --- python25.orig/files/patch-bd 1969-12-31 19:00:00.000000000 -0500 +++ python25/files/patch-bd 2008-09-07 01:54:52.596295410 -0400 @@ -0,0 +1,15 @@ + + +Patch for CVE-2008-2315 taken from Gentoo. + +--- Objects/longobject.c.orig 2007-05-07 19:30:48.000000000 +0100 ++++ Objects/longobject.c 2008-08-30 10:16:13.000000000 +0100 +@@ -70,6 +70,8 @@ + PyErr_NoMemory(); + return NULL; + } ++ /* XXX(nnorwitz): This can overflow -- ++ PyObject_NEW_VAR / _PyObject_VAR_SIZE need to detect overflow */ + return PyObject_NEW_VAR(PyLongObject, &PyLong_Type, size); + } + diff -ruN python25.orig/files/patch-be python25/files/patch-be --- python25.orig/files/patch-be 1969-12-31 19:00:00.000000000 -0500 +++ python25/files/patch-be 2008-09-07 01:54:52.596295410 -0400 @@ -0,0 +1,53 @@ + + +Patch for CVE-2008-2315 taken from Gentoo. + +--- Objects/stringobject.c.orig 2007-11-07 01:19:49.000000000 +0000 ++++ Objects/stringobject.c 2008-08-30 10:16:13.000000000 +0100 +@@ -71,6 +71,11 @@ + return (PyObject *)op; + } + ++ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) { ++ PyErr_SetString(PyExc_OverflowError, "string is too large"); ++ return NULL; ++ } ++ + /* Inline PyObject_NewVar */ + op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size); + if (op == NULL) +@@ -106,7 +111,7 @@ + + assert(str != NULL); + size = strlen(str); +- if (size > PY_SSIZE_T_MAX) { ++ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) { + PyErr_SetString(PyExc_OverflowError, + "string is too long for a Python string"); + return NULL; +@@ -967,14 +972,24 @@ + Py_INCREF(a); + return (PyObject *)a; + } ++ /* Check that string sizes are not negative, to prevent an ++ overflow in cases where we are passed incorrectly-created ++ strings with negative lengths (due to a bug in other code). ++ */ + size = a->ob_size + b->ob_size; +- if (size < 0) { ++ if (a->ob_size < 0 || b->ob_size < 0 || ++ a->ob_size > PY_SSIZE_T_MAX - b->ob_size) { + PyErr_SetString(PyExc_OverflowError, + "strings are too large to concat"); + return NULL; + } + + /* Inline PyObject_NewVar */ ++ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) { ++ PyErr_SetString(PyExc_OverflowError, ++ "strings are too large to concat"); ++ return NULL; ++ } + op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size); + if (op == NULL) + return PyErr_NoMemory(); diff -ruN python25.orig/files/patch-bf python25/files/patch-bf --- python25.orig/files/patch-bf 1969-12-31 19:00:00.000000000 -0500 +++ python25/files/patch-bf 2008-09-07 01:54:52.616293482 -0400 @@ -0,0 +1,25 @@ + + +Patch for CVE-2008-2315 taken from Gentoo. + +--- Lib/test/seq_tests.py.orig 2007-11-12 20:04:41.000000000 +0000 ++++ Lib/test/seq_tests.py 2008-08-30 10:16:13.000000000 +0100 +@@ -307,11 +307,13 @@ + self.assertEqual(id(s), id(s*1)) + + def test_bigrepeat(self): +- x = self.type2test([0]) +- x *= 2**16 +- self.assertRaises(MemoryError, x.__mul__, 2**16) +- if hasattr(x, '__imul__'): +- self.assertRaises(MemoryError, x.__imul__, 2**16) ++ import sys ++ if sys.maxint <= 2147483647: ++ x = self.type2test([0]) ++ x *= 2**16 ++ self.assertRaises(MemoryError, x.__mul__, 2**16) ++ if hasattr(x, '__imul__'): ++ self.assertRaises(MemoryError, x.__imul__, 2**16) + + def test_subscript(self): + a = self.type2test([10, 11]) diff -ruN python25.orig/files/patch-bg python25/files/patch-bg --- python25.orig/files/patch-bg 1969-12-31 19:00:00.000000000 -0500 +++ python25/files/patch-bg 2008-09-07 01:54:52.616293482 -0400 @@ -0,0 +1,32 @@ + + +Patch for CVE-2008-2315 taken from Gentoo. + +--- Lib/test/test_strop.py.orig 2002-07-31 00:27:12.000000000 +0100 ++++ Lib/test/test_strop.py 2008-08-30 10:16:13.000000000 +0100 +@@ -115,6 +115,25 @@ + strop.uppercase + strop.whitespace + ++ @test_support.precisionbigmemtest(size=test_support._2G - 1, memuse=5) ++ def test_stropjoin_huge_list(self, size): ++ a = "A" * size ++ try: ++ r = strop.join([a, a], a) ++ except OverflowError: ++ pass ++ else: ++ self.assertEquals(len(r), len(a) * 3) ++ ++ @test_support.precisionbigmemtest(size=test_support._2G - 1, memuse=1) ++ def test_stropjoin_huge_tup(self, size): ++ a = "A" * size ++ try: ++ r = strop.join((a, a), a) ++ except OverflowError: ++ pass # acceptable on 32-bit ++ else: ++ self.assertEquals(len(r), len(a) * 3) + + transtable = '\000\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037 !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`xyzdefghijklmnopqrstuvwxyz{|}~\177\200\201\202\203\204\205\206\207\210\211\212\213\214\215\216\217\220\221\222\223\224\225\226\227\230\231\232\233\234\235\236\237\240\241\242\243\244\245\246\247\250\251\252\253\254\255\256\257\260\261\262\263\264\265\266\267\270\271\272\273\274\275\276\277\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357\360\361\362\363\364\365\366\367\370\371\372\373\374\375\376\377' + diff -ruN python25.orig/files/patch-bh python25/files/patch-bh --- python25.orig/files/patch-bh 1969-12-31 19:00:00.000000000 -0500 +++ python25/files/patch-bh 2008-09-07 01:54:52.656294376 -0400 @@ -0,0 +1,167 @@ + + +Patch for CVE-2008-2315 taken from Gentoo. + +--- Lib/test/test_bigmem.py.orig 2007-11-30 21:53:17.000000000 +0000 ++++ Lib/test/test_bigmem.py 2008-08-30 10:16:13.000000000 +0100 +@@ -1,5 +1,5 @@ + from test import test_support +-from test.test_support import bigmemtest, _1G, _2G ++from test.test_support import bigmemtest, _1G, _2G, _4G, precisionbigmemtest + + import unittest + import operator +@@ -54,6 +54,22 @@ + self.assertEquals(s[lpadsize:-rpadsize], SUBSTR) + self.assertEquals(s.strip(), SUBSTR.strip()) + ++ @precisionbigmemtest(size=_2G - 1, memuse=1) ++ def test_center_unicode(self, size): ++ SUBSTR = u' abc def ghi' ++ try: ++ s = SUBSTR.center(size) ++ except OverflowError: ++ pass # acceptable on 32-bit ++ else: ++ self.assertEquals(len(s), size) ++ lpadsize = rpadsize = (len(s) - len(SUBSTR)) // 2 ++ if len(s) % 2: ++ lpadsize += 1 ++ self.assertEquals(s[lpadsize:-rpadsize], SUBSTR) ++ self.assertEquals(s.strip(), SUBSTR.strip()) ++ del s ++ + @bigmemtest(minsize=_2G, memuse=2) + def test_count(self, size): + SUBSTR = ' abc def ghi' +@@ -70,10 +86,44 @@ + s = '.' * size + self.assertEquals(len(s.decode('utf-8')), size) + ++ def basic_encode_test(self, size, enc, c=u'.', expectedsize=None): ++ if expectedsize is None: ++ expectedsize = size ++ ++ s = c * size ++ self.assertEquals(len(s.encode(enc)), expectedsize) ++ + @bigmemtest(minsize=_2G + 2, memuse=3) + def test_encode(self, size): +- s = u'.' * size +- self.assertEquals(len(s.encode('utf-8')), size) ++ return self.basic_encode_test(size, 'utf-8') ++ ++ @precisionbigmemtest(size=_4G / 6 + 2, memuse=2) ++ def test_encode_raw_unicode_escape(self, size): ++ try: ++ return self.basic_encode_test(size, 'raw_unicode_escape') ++ except MemoryError: ++ pass # acceptable on 32-bit ++ ++ @precisionbigmemtest(size=_4G / 5 + 70, memuse=3) ++ def test_encode_utf7(self, size): ++ try: ++ return self.basic_encode_test(size, 'utf7') ++ except MemoryError: ++ pass # acceptable on 32-bit ++ ++ @precisionbigmemtest(size=_2G-1, memuse=2) ++ def test_decodeascii(self, size): ++ return self.basic_encode_test(size, 'ascii', c='A') ++ ++ @precisionbigmemtest(size=_4G / 5, memuse=6+2) ++ def test_unicode_repr_oflw(self, size): ++ try: ++ s = u"\uAAAA"*size ++ r = repr(s) ++ except MemoryError: ++ pass # acceptable on 32-bit ++ else: ++ self.failUnless(s == eval(r)) + + @bigmemtest(minsize=_2G, memuse=2) + def test_endswith(self, size): +@@ -459,6 +509,11 @@ + self.assertEquals(s.count('\\'), size) + self.assertEquals(s.count('0'), size * 2) + ++ @bigmemtest(minsize=2**32 / 5, memuse=6+2) ++ def test_unicode_repr(self, size): ++ s = u"\uAAAA" * size ++ self.failUnless(len(repr(s)) > size) ++ + # This test is meaningful even with size < 2G, as long as the + # doubled string is > 2G (but it tests more if both are > 2G :) + @bigmemtest(minsize=_1G + 2, memuse=3) +@@ -642,6 +697,35 @@ + def test_repeat_large(self, size): + return self.basic_test_repeat(size) + ++ @bigmemtest(minsize=_1G - 1, memuse=12) ++ def test_repeat_large_2(self, size): ++ return self.basic_test_repeat(size) ++ ++ @precisionbigmemtest(size=_1G - 1, memuse=9) ++ def test_from_2G_generator(self, size): ++ try: ++ t = tuple(xrange(size)) ++ except MemoryError: ++ pass # acceptable on 32-bit ++ else: ++ count = 0 ++ for item in t: ++ self.assertEquals(item, count) ++ count += 1 ++ self.assertEquals(count, size) ++ ++ @precisionbigmemtest(size=_1G - 25, memuse=9) ++ def test_from_almost_2G_generator(self, size): ++ try: ++ t = tuple(xrange(size)) ++ count = 0 ++ for item in t: ++ self.assertEquals(item, count) ++ count += 1 ++ self.assertEquals(count, size) ++ except MemoryError: ++ pass # acceptable, expected on 32-bit ++ + # Like test_concat, split in two. + def basic_test_repr(self, size): + t = (0,) * size +@@ -957,8 +1041,34 @@ + self.assertEquals(l[:10], [1] * 10) + self.assertEquals(l[-10:], [5] * 10) + ++class BufferTest(unittest.TestCase): ++ ++ @precisionbigmemtest(size=_1G, memuse=4) ++ def test_repeat(self, size): ++ try: ++ b = buffer("AAAA")*size ++ except MemoryError: ++ pass # acceptable on 32-bit ++ else: ++ count = 0 ++ for c in b: ++ self.assertEquals(c, 'A') ++ count += 1 ++ self.assertEquals(count, size*4) ++ + def test_main(): +- test_support.run_unittest(StrTest, TupleTest, ListTest) ++ test_support.run_unittest(StrTest, TupleTest, ListTest, BufferTest) ++ ++# Expected failures (crashers) ++# del StrTest.test_center_unicode ++del StrTest.test_decodeascii ++# del StrTest.test_encode_utf32 ++# del StrTest.test_encode_utf7 ++# del StrTest.test_encode_raw_unicode_escape ++# ++# del TupleTest.test_from_2G_generator ++# ++# del BufferTest.test_repeat + + if __name__ == '__main__': + if len(sys.argv) > 1: diff -ruN python25.orig/files/patch-bi python25/files/patch-bi --- python25.orig/files/patch-bi 1969-12-31 19:00:00.000000000 -0500 +++ python25/files/patch-bi 2008-09-07 01:54:52.666295927 -0400 @@ -0,0 +1,66 @@ + + +Patch for CVE-2008-2315 taken from Gentoo. + +--- Lib/test/test_support.py.orig 2008-01-27 01:24:44.000000000 +0000 ++++ Lib/test/test_support.py 2008-08-30 10:16:13.000000000 +0100 +@@ -33,6 +33,7 @@ + use_resources = None # Flag set to [] by regrtest.py + max_memuse = 0 # Disable bigmem tests (they will still be run with + # small sizes, to make sure they work.) ++real_max_memuse = 0 + + # _original_stdout is meant to hold stdout at the time regrtest began. + # This may be "the real" stdout, or IDLE's emulation of stdout, or whatever. +@@ -323,6 +324,7 @@ + _1M = 1024*1024 + _1G = 1024 * _1M + _2G = 2 * _1G ++_4G = 4 * _1G + + # Hack to get at the maximum value an internal index can take. + class _Dummy: +@@ -333,6 +335,7 @@ + def set_memlimit(limit): + import re + global max_memuse ++ global real_max_memuse + sizes = { + 'k': 1024, + 'm': _1M, +@@ -344,6 +347,7 @@ + if m is None: + raise ValueError('Invalid memory limit %r' % (limit,)) + memlimit = int(float(m.group(1)) * sizes[m.group(3).lower()]) ++ real_max_memuse = memlimit + if memlimit > MAX_Py_ssize_t: + memlimit = MAX_Py_ssize_t + if memlimit < _2G - 1: +@@ -389,6 +393,27 @@ + return wrapper + return decorator + ++def precisionbigmemtest(size, memuse, overhead=5*_1M): ++ def decorator(f): ++ def wrapper(self): ++ if not real_max_memuse: ++ maxsize = 5147 ++ else: ++ maxsize = size ++ ++ if real_max_memuse and real_max_memuse < maxsize * memuse: ++ if verbose: ++ sys.stderr.write("Skipping %s because of memory " ++ "constraint\n" % (f.__name__,)) ++ return ++ ++ return f(self, maxsize) ++ wrapper.size = size ++ wrapper.memuse = memuse ++ wrapper.overhead = overhead ++ return wrapper ++ return decorator ++ + def bigaddrspacetest(f): + """Decorator for tests that fill the address space.""" + def wrapper(self): diff -ruN python25.orig/files/patch-bj python25/files/patch-bj --- python25.orig/files/patch-bj 1969-12-31 19:00:00.000000000 -0500 +++ python25/files/patch-bj 2008-09-07 01:54:52.676296639 -0400 @@ -0,0 +1,35 @@ + + +Patch for CVE-2008-2315 taken from Gentoo. + +--- Modules/stropmodule.c.orig 2008-02-14 11:26:18.000000000 +0000 ++++ Modules/stropmodule.c 2008-08-30 10:16:13.000000000 +0100 +@@ -216,6 +216,13 @@ + return NULL; + } + slen = PyString_GET_SIZE(item); ++ if (slen > PY_SSIZE_T_MAX - reslen || ++ seplen > PY_SSIZE_T_MAX - reslen - seplen) { ++ PyErr_SetString(PyExc_OverflowError, ++ "input too long"); ++ Py_DECREF(res); ++ return NULL; ++ } + while (reslen + slen + seplen >= sz) { + if (_PyString_Resize(&res, sz * 2) < 0) + return NULL; +@@ -253,6 +260,14 @@ + return NULL; + } + slen = PyString_GET_SIZE(item); ++ if (slen > PY_SSIZE_T_MAX - reslen || ++ seplen > PY_SSIZE_T_MAX - reslen - seplen) { ++ PyErr_SetString(PyExc_OverflowError, ++ "input too long"); ++ Py_DECREF(res); ++ Py_XDECREF(item); ++ return NULL; ++ } + while (reslen + slen + seplen >= sz) { + if (_PyString_Resize(&res, sz * 2) < 0) { + Py_DECREF(item); diff -ruN python25.orig/files/patch-bk python25/files/patch-bk --- python25.orig/files/patch-bk 1969-12-31 19:00:00.000000000 -0500 +++ python25/files/patch-bk 2008-09-07 01:54:52.676296639 -0400 @@ -0,0 +1,27 @@ + + +Patch for CVE-2008-2315 taken from Gentoo. + +--- Modules/gcmodule.c.orig 2006-10-09 20:42:33.000000000 +0100 ++++ Modules/gcmodule.c 2008-08-30 10:16:13.000000000 +0100 +@@ -1318,7 +1318,10 @@ + _PyObject_GC_Malloc(size_t basicsize) + { + PyObject *op; +- PyGC_Head *g = (PyGC_Head *)PyObject_MALLOC( ++ PyGC_Head *g; ++ if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head)) ++ return PyErr_NoMemory(); ++ g = (PyGC_Head *)PyObject_MALLOC( + sizeof(PyGC_Head) + basicsize); + if (g == NULL) + return PyErr_NoMemory(); +@@ -1361,6 +1364,8 @@ + { + const size_t basicsize = _PyObject_VAR_SIZE(op->ob_type, nitems); + PyGC_Head *g = AS_GC(op); ++ if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head)) ++ return (PyVarObject *)PyErr_NoMemory(); + g = (PyGC_Head *)PyObject_REALLOC(g, sizeof(PyGC_Head) + basicsize); + if (g == NULL) + return (PyVarObject *)PyErr_NoMemory(); diff -ruN python25.orig/files/patch-ca python25/files/patch-ca --- python25.orig/files/patch-ca 1969-12-31 19:00:00.000000000 -0500 +++ python25/files/patch-ca 2008-09-07 01:54:52.686297072 -0400 @@ -0,0 +1,62 @@ + + +Patch for CVE-2008-3142 taken from Gentoo. + +--- Include/pymem.h.orig 2008-02-14 11:26:18.000000000 +0000 ++++ Include/pymem.h 2008-08-30 10:39:43.000000000 +0100 +@@ -67,8 +67,12 @@ + for malloc(0), which would be treated as an error. Some platforms + would return a pointer with no memory behind it, which would break + pymalloc. To solve these problems, allocate an extra byte. */ +-#define PyMem_MALLOC(n) malloc((n) ? (n) : 1) +-#define PyMem_REALLOC(p, n) realloc((p), (n) ? (n) : 1) ++/* Returns NULL to indicate error if a negative size or size larger than ++ Py_ssize_t can represent is supplied. Helps prevents security holes. */ ++#define PyMem_MALLOC(n) (((n) < 0 || (n) > PY_SSIZE_T_MAX) ? NULL \ ++ : malloc((n) ? (n) : 1)) ++#define PyMem_REALLOC(p, n) (((n) < 0 || (n) > PY_SSIZE_T_MAX) ? NULL \ ++ : realloc((p), (n) ? (n) : 1)) + #define PyMem_FREE free + + #endif /* PYMALLOC_DEBUG */ +@@ -77,24 +81,31 @@ + * Type-oriented memory interface + * ============================== + * +- * These are carried along for historical reasons. There's rarely a good +- * reason to use them anymore (you can just as easily do the multiply and +- * cast yourself). ++ * Allocate memory for n objects of the given type. Returns a new pointer ++ * or NULL if the request was too large or memory allocation failed. Use ++ * these macros rather than doing the multiplication yourself so that proper ++ * overflow checking is always done. + */ + + #define PyMem_New(type, n) \ +- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ ++ ( ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \ + ( (type *) PyMem_Malloc((n) * sizeof(type)) ) ) + #define PyMem_NEW(type, n) \ +- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ ++ ( ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \ + ( (type *) PyMem_MALLOC((n) * sizeof(type)) ) ) + ++/* ++ * The value of (p) is always clobbered by this macro regardless of success. ++ * The caller MUST check if (p) is NULL afterwards and deal with the memory ++ * error if so. This means the original value of (p) MUST be saved for the ++ * caller's memory error handler to not lose track of it. ++ */ + #define PyMem_Resize(p, type, n) \ +- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ +- ( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) ) ++ ( (p) = ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \ ++ (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) + #define PyMem_RESIZE(p, type, n) \ +- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ +- ( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) ) ++ ( (p) = ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \ ++ (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) + + /* PyMem{Del,DEL} are left over from ancient days, and shouldn't be used + * anymore. They're just confusing aliases for PyMem_{Free,FREE} now. diff -ruN python25.orig/files/patch-cb python25/files/patch-cb --- python25.orig/files/patch-cb 1969-12-31 19:00:00.000000000 -0500 +++ python25/files/patch-cb 2008-09-07 01:54:52.696296108 -0400 @@ -0,0 +1,38 @@ + + +Patch for CVE-2008-3142 taken from Gentoo. + +--- Objects/obmalloc.c.orig 2008-02-14 11:26:18.000000000 +0000 ++++ Objects/obmalloc.c 2008-08-30 10:39:43.000000000 +0100 +@@ -727,6 +727,15 @@ + uint size; + + /* ++ * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes. ++ * Most python internals blindly use a signed Py_ssize_t to track ++ * things without checking for overflows or negatives. ++ * As size_t is unsigned, checking for nbytes < 0 is not required. ++ */ ++ if (nbytes > PY_SSIZE_T_MAX) ++ return NULL; ++ ++ /* + * This implicitly redirects malloc(0). + */ + if ((nbytes - 1) < SMALL_REQUEST_THRESHOLD) { +@@ -1130,6 +1139,15 @@ + if (p == NULL) + return PyObject_Malloc(nbytes); + ++ /* ++ * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes. ++ * Most python internals blindly use a signed Py_ssize_t to track ++ * things without checking for overflows or negatives. ++ * As size_t is unsigned, checking for nbytes < 0 is not required. ++ */ ++ if (nbytes > PY_SSIZE_T_MAX) ++ return NULL; ++ + pool = POOL_ADDR(p); + if (Py_ADDRESS_IN_RANGE(p, pool)) { + /* We're in charge of this block */ diff -ruN python25.orig/files/patch-cc python25/files/patch-cc --- python25.orig/files/patch-cc 1969-12-31 19:00:00.000000000 -0500 +++ python25/files/patch-cc 2008-09-07 01:54:52.696296108 -0400 @@ -0,0 +1,18 @@ + + +Patch for CVE-2008-3142 taken from Gentoo. + +--- Modules/almodule.c.orig 2006-09-25 07:53:42.000000000 +0100 ++++ Modules/almodule.c 2008-08-30 10:39:43.000000000 +0100 +@@ -1633,9 +1633,11 @@ + if (nvals < 0) + goto cleanup; + if (nvals > setsize) { ++ ALvalue *old_return_set = return_set; + setsize = nvals; + PyMem_RESIZE(return_set, ALvalue, setsize); + if (return_set == NULL) { ++ return_set = old_return_set; + PyErr_NoMemory(); + goto cleanup; + } diff -ruN python25.orig/files/patch-cd python25/files/patch-cd --- python25.orig/files/patch-cd 1969-12-31 19:00:00.000000000 -0500 +++ python25/files/patch-cd 2008-09-07 01:54:52.706297100 -0400 @@ -0,0 +1,37 @@ + + +Patch for CVE-2008-3142 taken from Gentoo. + +--- Modules/arraymodule.c.orig 2008-02-15 19:11:46.000000000 +0000 ++++ Modules/arraymodule.c 2008-08-30 10:39:43.000000000 +0100 +@@ -816,6 +816,7 @@ + array_do_extend(arrayobject *self, PyObject *bb) + { + Py_ssize_t size; ++ char *old_item; + + if (!array_Check(bb)) + return array_iter_extend(self, bb); +@@ -831,10 +832,11 @@ + return -1; + } + size = self->ob_size + b->ob_size; ++ old_item = self->ob_item; + PyMem_RESIZE(self->ob_item, char, size*self->ob_descr->itemsize); + if (self->ob_item == NULL) { +- PyObject_Del(self); +- PyErr_NoMemory(); ++ self->ob_item = old_item; ++ PyErr_NoMemory(); + return -1; + } + memcpy(self->ob_item + self->ob_size*self->ob_descr->itemsize, +@@ -886,7 +888,7 @@ + if (size > PY_SSIZE_T_MAX / n) { + return PyErr_NoMemory(); + } +- PyMem_Resize(items, char, n * size); ++ PyMem_RESIZE(items, char, n * size); + if (items == NULL) + return PyErr_NoMemory(); + p = items; diff -ruN python25.orig/files/patch-ce python25/files/patch-ce --- python25.orig/files/patch-ce 1969-12-31 19:00:00.000000000 -0500 +++ python25/files/patch-ce 2008-09-07 01:54:52.706297100 -0400 @@ -0,0 +1,20 @@ + + +Patch for CVE-2008-3142 taken from Gentoo. + +--- Modules/selectmodule.c.orig 2006-07-10 02:18:57.000000000 +0100 ++++ Modules/selectmodule.c 2008-08-30 10:39:43.000000000 +0100 +@@ -349,10 +349,12 @@ + { + Py_ssize_t i, pos; + PyObject *key, *value; ++ struct pollfd *old_ufds = self->ufds; + + self->ufd_len = PyDict_Size(self->dict); +- PyMem_Resize(self->ufds, struct pollfd, self->ufd_len); ++ PyMem_RESIZE(self->ufds, struct pollfd, self->ufd_len); + if (self->ufds == NULL) { ++ self->ufds = old_ufds; + PyErr_NoMemory(); + return 0; + } diff -ruN python25.orig/files/patch-da python25/files/patch-da --- python25.orig/files/patch-da 1969-12-31 19:00:00.000000000 -0500 +++ python25/files/patch-da 2008-09-07 01:54:52.706297100 -0400 @@ -0,0 +1,45 @@ + + +Patch for CVE-2008-2316 taken from Gentoo. + +--- Lib/test/test_hashlib.py.orig 2005-08-21 19:45:59.000000000 +0100 ++++ Lib/test/test_hashlib.py 2008-08-30 10:43:27.000000000 +0100 +@@ -9,7 +9,7 @@ + import hashlib + import unittest + from test import test_support +- ++from test.test_support import _4G, precisionbigmemtest + + def hexstr(s): + import string +@@ -55,7 +55,6 @@ + m2.update(aas + bees + cees) + self.assertEqual(m1.digest(), m2.digest()) + +- + def check(self, name, data, digest): + # test the direct constructors + computed = getattr(hashlib, name)(data).hexdigest() +@@ -75,6 +74,21 @@ + self.check('md5', 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789', + 'd174ab98d277d9f5a5611c2c9f419d9f') + ++ @precisionbigmemtest(size=_4G + 5, memuse=1) ++ def test_case_md5_huge(self, size): ++ if size == _4G + 5: ++ try: ++ self.check('md5', 'A'*size, 'c9af2dff37468ce5dfee8f2cfc0a9c6d') ++ except OverflowError: ++ pass # 32-bit arch ++ ++ @precisionbigmemtest(size=_4G - 1, memuse=1) ++ def test_case_md5_uintmax(self, size): ++ if size == _4G - 1: ++ try: ++ self.check('md5', 'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3') ++ except OverflowError: ++ pass # 32-bit arch + + # use the three examples from Federal Information Processing Standards + # Publication 180-1, Secure Hash Standard, 1995 April 17 diff -ruN python25.orig/files/patch-db python25/files/patch-db --- python25.orig/files/patch-db 1969-12-31 19:00:00.000000000 -0500 +++ python25/files/patch-db 2008-09-07 01:54:52.706297100 -0400 @@ -0,0 +1,108 @@ + + +Patch for CVE-2008-2316 taken from Gentoo. + +--- Modules/_hashopenssl.c.orig 2006-05-29 22:04:52.000000000 +0100 ++++ Modules/_hashopenssl.c 2008-08-30 10:43:27.000000000 +0100 +@@ -19,6 +19,8 @@ + /* EVP is the preferred interface to hashing in OpenSSL */ + #include <openssl/evp.h> + ++#define MUNCH_SIZE INT_MAX ++ + + #ifndef HASH_OBJ_CONSTRUCTOR + #define HASH_OBJ_CONSTRUCTOR 0 +@@ -164,9 +166,18 @@ + if (!PyArg_ParseTuple(args, "s#:update", &cp, &len)) + return NULL; + ++ if (len > 0 && len <= MUNCH_SIZE) { + EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, + unsigned int)); +- ++ } else { ++ Py_ssize_t offset = 0; ++ while (len) { ++ unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len; ++ EVP_DigestUpdate(&self->ctx, cp + offset, process); ++ len -= process; ++ offset += process; ++ } ++ } + Py_INCREF(Py_None); + return Py_None; + } +@@ -255,9 +266,20 @@ + self->name = name_obj; + Py_INCREF(self->name); + +- if (cp && len) ++ if (cp && len) { ++ if (len > 0 && len <= MUNCH_SIZE) { + EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, + unsigned int)); ++ } else { ++ Py_ssize_t offset = 0; ++ while (len) { ++ unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len; ++ EVP_DigestUpdate(&self->ctx, cp + offset, process); ++ len -= process; ++ offset += process; ++ } ++ } ++ } + + return 0; + } +@@ -328,7 +350,7 @@ + static PyObject * + EVPnew(PyObject *name_obj, + const EVP_MD *digest, const EVP_MD_CTX *initial_ctx, +- const unsigned char *cp, unsigned int len) ++ const unsigned char *cp, Py_ssize_t len) + { + EVPobject *self; + +@@ -346,8 +368,20 @@ + EVP_DigestInit(&self->ctx, digest); + } + +- if (cp && len) +- EVP_DigestUpdate(&self->ctx, cp, len); ++ if (cp && len) { ++ if (len > 0 && len <= MUNCH_SIZE) { ++ EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, ++ unsigned int)); ++ } else { ++ Py_ssize_t offset = 0; ++ while (len) { ++ unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len; ++ EVP_DigestUpdate(&self->ctx, cp + offset, process); ++ len -= process; ++ offset += process; ++ } ++ } ++ } + + return (PyObject *)self; + } +@@ -384,8 +418,7 @@ + + digest = EVP_get_digestbyname(name); + +- return EVPnew(name_obj, digest, NULL, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, +- unsigned int)); ++ return EVPnew(name_obj, digest, NULL, cp, len); + } + + /* +@@ -410,7 +443,7 @@ + CONST_ ## NAME ## _name_obj, \ + NULL, \ + CONST_new_ ## NAME ## _ctx_p, \ +- cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, unsigned int)); \ ++ cp, len); \ + } + + /* a PyMethodDef structure for the constructor */ diff -ruN python25.orig/files/patch-ea python25/files/patch-ea --- python25.orig/files/patch-ea 1969-12-31 19:00:00.000000000 -0500 +++ python25/files/patch-ea 2008-09-07 01:54:52.536293091 -0400 @@ -0,0 +1,59 @@ + + +Patch for CVE-2008-3144 taken from Gentoo. + +--- Python/mysnprintf.c.orig 2001-12-21 16:32:15.000000000 +0000 ++++ Python/mysnprintf.c 2008-08-30 10:46:31.000000000 +0100 +@@ -54,18 +54,28 @@ + PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va) + { + int len; /* # bytes written, excluding \0 */ +-#ifndef HAVE_SNPRINTF ++#ifdef HAVE_SNPRINTF ++#define _PyOS_vsnprintf_EXTRA_SPACE 1 ++#else ++#define _PyOS_vsnprintf_EXTRA_SPACE 512 + char *buffer; + #endif + assert(str != NULL); + assert(size > 0); + assert(format != NULL); ++ /* We take a size_t as input but return an int. Sanity check ++ * our input so that it won't cause an overflow in the ++ * vsnprintf return value or the buffer malloc size. */ ++ if (size > INT_MAX - _PyOS_vsnprintf_EXTRA_SPACE) { ++ len = -666; ++ goto Done; ++ } + + #ifdef HAVE_SNPRINTF + len = vsnprintf(str, size, format, va); + #else + /* Emulate it. */ +- buffer = PyMem_MALLOC(size + 512); ++ buffer = PyMem_MALLOC(size + _PyOS_vsnprintf_EXTRA_SPACE); + if (buffer == NULL) { + len = -666; + goto Done; +@@ -75,7 +85,7 @@ + if (len < 0) + /* ignore the error */; + +- else if ((size_t)len >= size + 512) ++ else if ((size_t)len >= size + _PyOS_vsnprintf_EXTRA_SPACE) + Py_FatalError("Buffer overflow in PyOS_snprintf/PyOS_vsnprintf"); + + else { +@@ -86,8 +96,10 @@ + str[to_copy] = '\0'; + } + PyMem_FREE(buffer); +-Done: + #endif +- str[size-1] = '\0'; ++Done: ++ if (size > 0) ++ str[size-1] = '\0'; + return len; ++#undef _PyOS_vsnprintf_EXTRA_SPACE + } >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200809070613.m876D0ZI010003>