Date: Sat, 1 Mar 2014 10:52:56 +0000 (UTC) From: Kubilay Kocak <koobs@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r346614 - in head/lang: python27 python27/files python31 python31/files python32 python32/files python33 python33/files Message-ID: <201403011052.s21AquLA017632@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: koobs Date: Sat Mar 1 10:52:55 2014 New Revision: 346614 URL: http://svnweb.freebsd.org/changeset/ports/346614 QAT: https://qat.redports.org/buildarchive/r346614/ Log: lang/python*: Backport security fix for CVE-2014-1912 A vulnerability was reported [1] in Python's socket module, due to a boundary error within the sock_recvfrom_into() function, which could be exploited to cause a buffer overflow. This could be used to crash a Python application that uses the socket.recvfrom_info() function or, possibly, execute arbitrary code with the permissions of the user running vulnerable Python code. This vulnerable function, socket.recvfrom_into(), was introduced in Python 2.5. Earlier versions are not affected by this flaw. This is fixed in upstream branches for version 2.7, 3.1, 3.2 and 3.3. [1] http://bugs.python.org/issue20246 MFH: 2014Q1 Security: 8e5e6d42-a0fa-11e3-b09a-080027f2d077 Added: head/lang/python27/files/patch-CVE-2014-1912 (contents, props changed) head/lang/python31/files/patch-CVE-2014-1912 (contents, props changed) head/lang/python32/files/patch-CVE-2014-1912 (contents, props changed) head/lang/python33/files/patch-CVE-2014-1912 (contents, props changed) Modified: head/lang/python27/Makefile head/lang/python31/Makefile head/lang/python32/Makefile head/lang/python33/Makefile Modified: head/lang/python27/Makefile ============================================================================== --- head/lang/python27/Makefile Sat Mar 1 10:51:34 2014 (r346613) +++ head/lang/python27/Makefile Sat Mar 1 10:52:55 2014 (r346614) @@ -3,7 +3,7 @@ PORTNAME= python27 PORTVERSION= 2.7.6 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= lang python ipv6 MASTER_SITES= PYTHON MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR} Added: head/lang/python27/files/patch-CVE-2014-1912 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/lang/python27/files/patch-CVE-2014-1912 Sat Mar 1 10:52:55 2014 (r346614) @@ -0,0 +1,50 @@ +# HG changeset patch +# User Benjamin Peterson <benjamin@python.org> +# Date 1389671978 18000 +# Node ID 87673659d8f7ba1623cd4914f09ad3d2ade034e9 +# Parent 2631d33ee7fbd5f0288931ef37872218d511d2e8 +complain when nbytes > buflen to fix possible buffer overflow (closes #20246) + +# HG changeset patch +# User Stefan Krah <skrah@bytereef.org> +# Date 1390341952 -3600 +# Node ID b6c5a37b221f5c617125faa363d1b460b0b61b42 +# Parent d55d1cbf5f9a9efa7908fc9412bae676a6b675ef +Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts. + +diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py +--- Lib/test/test_socket.py ++++ Lib/test/test_socket.py +@@ -1620,6 +1620,16 @@ class BufferIOTest(SocketConnectedTest): + + _testRecvFromIntoMemoryview = _testRecvFromIntoArray + ++ def testRecvFromIntoSmallBuffer(self): ++ # See issue #20246. ++ buf = bytearray(8) ++ self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024) ++ ++ def _testRecvFromIntoSmallBuffer(self): ++ with test_support.check_py3k_warnings(): ++ buf = buffer(MSG) ++ self.serv_conn.send(buf) ++ + + TIPC_STYPE = 2000 + TIPC_LOWER = 200 + +diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c +--- Modules/socketmodule.c ++++ Modules/socketmodule.c +@@ -2742,6 +2742,10 @@ sock_recvfrom_into(PySocketSockObject *s + if (recvlen == 0) { + /* If nbytes was not specified, use the buffer's length */ + recvlen = buflen; ++ } else if (recvlen > buflen) { ++ PyErr_SetString(PyExc_ValueError, ++ "nbytes is greater than the length of the buffer"); ++ goto error; + } + + readlen = sock_recvfrom_guts(s, buf.buf, recvlen, flags, &addr); + Modified: head/lang/python31/Makefile ============================================================================== --- head/lang/python31/Makefile Sat Mar 1 10:51:34 2014 (r346613) +++ head/lang/python31/Makefile Sat Mar 1 10:52:55 2014 (r346614) @@ -2,7 +2,7 @@ PORTNAME= python31 PORTVERSION= 3.1.5 -PORTREVISION= 10 +PORTREVISION= 11 CATEGORIES= lang python ipv6 MASTER_SITES= PYTHON MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR} Added: head/lang/python31/files/patch-CVE-2014-1912 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/lang/python31/files/patch-CVE-2014-1912 Sat Mar 1 10:52:55 2014 (r346614) @@ -0,0 +1,50 @@ +# HG changeset patch +# User Benjamin Peterson <benjamin@python.org> +# Date 1389672374 18000 +# Node ID 715fd3d8ac93878e49a072474a4706a449720d9b +# Parent b1ddcb220a7f375146c090a854438cf31fa3a388# Parent 87673659d8f7ba1623cd4914f09ad3d2ade034e9 +complain when nbytes > buflen to fix possible buffer overflow (closes #20246) + +# HG changeset patch +# User Stefan Krah <skrah@bytereef.org> +# Date 1390341520 -3600 +# Node ID c25e1442529f16ba5fb9df8786a019866b0686e9 +# Parent fbb4d48046e564dd89511598dbbf04422ac6da35 +Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts. + +diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py +--- Lib/test/test_socket.py ++++ Lib/test/test_socket.py +@@ -1424,6 +1424,14 @@ class BufferIOTest(SocketConnectedTest): + buf = bytes(MSG) + self.serv_conn.send(buf) + ++ def testRecvFromIntoSmallBuffer(self): ++ # See issue #20246. ++ buf = bytearray(8) ++ self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024) ++ ++ def _testRecvFromIntoSmallBuffer(self): ++ self.serv_conn.send(MSG) ++ + + TIPC_STYPE = 2000 + TIPC_LOWER = 200 + +diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c +--- Modules/socketmodule.c ++++ Modules/socketmodule.c +@@ -2494,6 +2494,12 @@ sock_recvfrom_into(PySocketSockObject *s + if (recvlen == 0) { + /* If nbytes was not specified, use the buffer's length */ + recvlen = buflen; ++ } else if (recvlen > buflen) { ++ PyBuffer_Release(&pbuf); ++ Py_XDECREF(addr); ++ PyErr_SetString(PyExc_ValueError, ++ "nbytes is greater than the length of the buffer"); ++ return NULL; + } + + readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr); + Modified: head/lang/python32/Makefile ============================================================================== --- head/lang/python32/Makefile Sat Mar 1 10:51:34 2014 (r346613) +++ head/lang/python32/Makefile Sat Mar 1 10:52:55 2014 (r346614) @@ -2,7 +2,7 @@ PORTNAME= python32 PORTVERSION= 3.2.5 -PORTREVISION= 7 +PORTREVISION= 8 CATEGORIES= lang python ipv6 MASTER_SITES= PYTHON MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR} Added: head/lang/python32/files/patch-CVE-2014-1912 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/lang/python32/files/patch-CVE-2014-1912 Sat Mar 1 10:52:55 2014 (r346614) @@ -0,0 +1,49 @@ +# HG changeset patch +# User Benjamin Peterson <benjamin@python.org> +# Date 1389671978 18000 +# Node ID 9c56217e5c793685eeaf0ee224848c402bdf1e4c +# Parent 2b5cd6d4d149dea6c6941b7e07ada248b29fc9f6 +complain when nbytes > buflen to fix possible buffer overflow (closes #20246) + +# HG changeset patch +# User Stefan Krah <skrah@bytereef.org> +# Date 1390341520 -3600 +# Node ID e82dcd700e8cfb174d6bf6031fd6666627b20f5f +# Parent 29b1eebecb8ed946e1db8e4bb86310d681cf4a91 +Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts. + +diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py +--- Lib/test/test_socket.py ++++ Lib/test/test_socket.py +@@ -1968,6 +1968,14 @@ class BufferIOTest(SocketConnectedTest): + + _testRecvFromIntoMemoryview = _testRecvFromIntoArray + ++ def testRecvFromIntoSmallBuffer(self): ++ # See issue #20246. ++ buf = bytearray(8) ++ self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024) ++ ++ def _testRecvFromIntoSmallBuffer(self): ++ self.serv_conn.send(MSG) ++ + + TIPC_STYPE = 2000 + TIPC_LOWER = 200 + +diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c +--- Modules/socketmodule.c ++++ Modules/socketmodule.c +@@ -2598,6 +2598,11 @@ sock_recvfrom_into(PySocketSockObject *s + if (recvlen == 0) { + /* If nbytes was not specified, use the buffer's length */ + recvlen = buflen; ++ } else if (recvlen > buflen) { ++ PyBuffer_Release(&pbuf); ++ PyErr_SetString(PyExc_ValueError, ++ "nbytes is greater than the length of the buffer"); ++ return NULL; + } + + readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr); + Modified: head/lang/python33/Makefile ============================================================================== --- head/lang/python33/Makefile Sat Mar 1 10:51:34 2014 (r346613) +++ head/lang/python33/Makefile Sat Mar 1 10:52:55 2014 (r346614) @@ -2,7 +2,7 @@ PORTNAME= python33 PORTVERSION= 3.3.3 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= lang python ipv6 MASTER_SITES= PYTHON MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR} Added: head/lang/python33/files/patch-CVE-2014-1912 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/lang/python33/files/patch-CVE-2014-1912 Sat Mar 1 10:52:55 2014 (r346614) @@ -0,0 +1,49 @@ +# HG changeset patch +# User Benjamin Peterson <benjamin@python.org> +# Date 1389672775 18000 +# Node ID 7f176a45211ff3cb85a2fbdc75f7979d642bb563 +# Parent ed1c27b68068c942c6e845bdf8e987e963d50920# Parent 9c56217e5c793685eeaf0ee224848c402bdf1e4c +merge 3.2 (#20246) + +# HG changeset patch +# User Stefan Krah <skrah@bytereef.org> +# Date 1390341520 -3600 +# Node ID 5c4f4db8107cc7b99e0a4e9c7b760c816dafa034 +# Parent 2fe0b2dcc98cd9013642fb9642365de80ff0dc30 +Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts. + +diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py +--- Lib/test/test_socket.py ++++ Lib/test/test_socket.py +@@ -4538,6 +4538,14 @@ class BufferIOTest(SocketConnectedTest): + + _testRecvFromIntoMemoryview = _testRecvFromIntoArray + ++ def testRecvFromIntoSmallBuffer(self): ++ # See issue #20246. ++ buf = bytearray(8) ++ self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024) ++ ++ def _testRecvFromIntoSmallBuffer(self): ++ self.serv_conn.send(MSG) ++ + + TIPC_STYPE = 2000 + TIPC_LOWER = 200 + +diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c +--- Modules/socketmodule.c ++++ Modules/socketmodule.c +@@ -2935,6 +2935,11 @@ sock_recvfrom_into(PySocketSockObject *s + if (recvlen == 0) { + /* If nbytes was not specified, use the buffer's length */ + recvlen = buflen; ++ } else if (recvlen > buflen) { ++ PyBuffer_Release(&pbuf); ++ PyErr_SetString(PyExc_ValueError, ++ "nbytes is greater than the length of the buffer"); ++ return NULL; + } + + readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr); +
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201403011052.s21AquLA017632>