pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/lang/python24 also apply upstream svn rev.65262, fixes...
details: https://anonhg.NetBSD.org/pkgsrc/rev/0b1b1d9dac1c
branches: trunk
changeset: 545486:0b1b1d9dac1c
user: drochner <drochner%pkgsrc.org@localhost>
date: Tue Aug 05 10:45:45 2008 +0000
description:
also apply upstream svn rev.65262, fixes overflow checks in memory
allocation (CVE-2008-3142), ride on PKGREVISION bump some minutes ago
diffstat:
lang/python24/distinfo | 7 ++++-
lang/python24/patches/patch-bh | 60 ++++++++++++++++++++++++++++++++++++++++++
lang/python24/patches/patch-bi | 16 +++++++++++
lang/python24/patches/patch-bj | 35 ++++++++++++++++++++++++
lang/python24/patches/patch-bk | 18 ++++++++++++
lang/python24/patches/patch-bl | 36 +++++++++++++++++++++++++
6 files changed, 171 insertions(+), 1 deletions(-)
diffs (203 lines):
diff -r 9f2d57c06753 -r 0b1b1d9dac1c lang/python24/distinfo
--- a/lang/python24/distinfo Tue Aug 05 10:25:14 2008 +0000
+++ b/lang/python24/distinfo Tue Aug 05 10:45:45 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.29 2008/08/05 10:13:34 drochner Exp $
+$NetBSD: distinfo,v 1.30 2008/08/05 10:45:45 drochner Exp $
SHA1 (Python-2.4.5.tar.bz2) = 6e9e1ac2b70cc10c36063a25ab5a5ddb53177107
RMD160 (Python-2.4.5.tar.bz2) = b43f2114697be751f03ec7cfb46f8c4946a73097
@@ -30,3 +30,8 @@
SHA1 (patch-be) = ce192dc8ec7b53b691288f1fecc8abbd9b61e9ea
SHA1 (patch-bf) = c0ae4152a0991d1c814462a5a8e925c9a9a6c254
SHA1 (patch-bg) = 30a6d65a10bc0e6df5229635ad89a27e1093a347
+SHA1 (patch-bh) = 4eee3ae6ff7ea9ca5c599dd782d78fb35a0562f4
+SHA1 (patch-bi) = 735906d3fb35bfe0d3b8d410b3a240e358215e05
+SHA1 (patch-bj) = ee23fac376746e48ee00e73b9ecc688086b7bc98
+SHA1 (patch-bk) = 4af3c66a3f6b773dc5fc14943a36b0906024e885
+SHA1 (patch-bl) = 9a192f5f4afd4296493599414a714bba6085d897
diff -r 9f2d57c06753 -r 0b1b1d9dac1c lang/python24/patches/patch-bh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-bh Tue Aug 05 10:45:45 2008 +0000
@@ -0,0 +1,60 @@
+$NetBSD: patch-bh,v 1.1 2008/08/05 10:45:45 drochner Exp $
+
+--- Include/pymem.h.orig 2008-03-02 20:20:32.000000000 +0100
++++ Include/pymem.h
+@@ -66,8 +66,12 @@ PyAPI_FUNC(void) PyMem_Free(void *);
+ for malloc(0), which would be treated as an error. Some platforms
+ would return a pointer with no memory behind it, which would break
+ pymalloc. To solve these problems, allocate an extra byte. */
+-#define PyMem_MALLOC(n) malloc((n) ? (n) : 1)
+-#define PyMem_REALLOC(p, n) realloc((p), (n) ? (n) : 1)
++/* Returns NULL to indicate error if a negative size or size larger than
++ Py_ssize_t can represent is supplied. Helps prevents security holes. */
++#define PyMem_MALLOC(n) (((n) < 0 || (n) > INT_MAX) ? NULL \
++ : malloc((n) ? (n) : 1))
++#define PyMem_REALLOC(p, n) (((n) < 0 || (n) > INT_MAX) ? NULL \
++ : realloc((p), (n) ? (n) : 1))
+
+ #endif /* PYMALLOC_DEBUG */
+
+@@ -80,24 +84,31 @@ PyAPI_FUNC(void) PyMem_Free(void *);
+ * Type-oriented memory interface
+ * ==============================
+ *
+- * These are carried along for historical reasons. There's rarely a good
+- * reason to use them anymore (you can just as easily do the multiply and
+- * cast yourself).
++ * Allocate memory for n objects of the given type. Returns a new pointer
++ * or NULL if the request was too large or memory allocation failed. Use
++ * these macros rather than doing the multiplication yourself so that proper
++ * overflow checking is always done.
+ */
+
+ #define PyMem_New(type, n) \
+- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
++ ( ((n) > INT_MAX / sizeof(type)) ? NULL : \
+ ( (type *) PyMem_Malloc((n) * sizeof(type)) ) )
+ #define PyMem_NEW(type, n) \
+- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
++ ( ((n) > INT_MAX / sizeof(type)) ? NULL : \
+ ( (type *) PyMem_MALLOC((n) * sizeof(type)) ) )
+
++/*
++ * The value of (p) is always clobbered by this macro regardless of success.
++ * The caller MUST check if (p) is NULL afterwards and deal with the memory
++ * error if so. This means the original value of (p) MUST be saved for the
++ * caller's memory error handler to not lose track of it.
++ */
+ #define PyMem_Resize(p, type, n) \
+- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+- ( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) )
++ ( (p) = ((n) > INT_MAX / sizeof(type)) ? NULL : \
++ (type *) PyMem_Realloc((p), (n) * sizeof(type)) )
+ #define PyMem_RESIZE(p, type, n) \
+- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+- ( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) )
++ ( (p) = ((n) > INT_MAX / sizeof(type)) ? NULL : \
++ (type *) PyMem_REALLOC((p), (n) * sizeof(type)) )
+
+ /* In order to avoid breaking old code mixing PyObject_{New, NEW} with
+ PyMem_{Del, DEL} and PyMem_{Free, FREE}, the PyMem "release memory"
diff -r 9f2d57c06753 -r 0b1b1d9dac1c lang/python24/patches/patch-bi
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-bi Tue Aug 05 10:45:45 2008 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-bi,v 1.1 2008/08/05 10:45:45 drochner Exp $
+
+--- Modules/almodule.c.orig 2006-09-27 21:17:32.000000000 +0200
++++ Modules/almodule.c
+@@ -1633,9 +1633,11 @@ al_QueryValues(PyObject *self, PyObject
+ if (nvals < 0)
+ goto cleanup;
+ if (nvals > setsize) {
++ ALvalue *old_return_set = return_set;
+ setsize = nvals;
+ PyMem_RESIZE(return_set, ALvalue, setsize);
+ if (return_set == NULL) {
++ return_set = old_return_set;
+ PyErr_NoMemory();
+ goto cleanup;
+ }
diff -r 9f2d57c06753 -r 0b1b1d9dac1c lang/python24/patches/patch-bj
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-bj Tue Aug 05 10:45:45 2008 +0000
@@ -0,0 +1,35 @@
+$NetBSD: patch-bj,v 1.1 2008/08/05 10:45:45 drochner Exp $
+
+--- Modules/arraymodule.c.orig 2008-03-02 20:20:32.000000000 +0100
++++ Modules/arraymodule.c
+@@ -814,6 +814,7 @@ static int
+ array_do_extend(arrayobject *self, PyObject *bb)
+ {
+ int size;
++ char *old_item;
+
+ if (!array_Check(bb))
+ return array_iter_extend(self, bb);
+@@ -829,10 +830,11 @@ array_do_extend(arrayobject *self, PyObj
+ return -1;
+ }
+ size = self->ob_size + b->ob_size;
++ old_item = self->ob_item;
+ PyMem_RESIZE(self->ob_item, char, size*self->ob_descr->itemsize);
+ if (self->ob_item == NULL) {
+- PyObject_Del(self);
+- PyErr_NoMemory();
++ self->ob_item = old_item;
++ PyErr_NoMemory();
+ return -1;
+ }
+ memcpy(self->ob_item + self->ob_size*self->ob_descr->itemsize,
+@@ -884,7 +886,7 @@ array_inplace_repeat(arrayobject *self,
+ if (size > INT_MAX / n) {
+ return PyErr_NoMemory();
+ }
+- PyMem_Resize(items, char, n * size);
++ PyMem_RESIZE(items, char, n * size);
+ if (items == NULL)
+ return PyErr_NoMemory();
+ p = items;
diff -r 9f2d57c06753 -r 0b1b1d9dac1c lang/python24/patches/patch-bk
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-bk Tue Aug 05 10:45:45 2008 +0000
@@ -0,0 +1,18 @@
+$NetBSD: patch-bk,v 1.1 2008/08/05 10:45:45 drochner Exp $
+
+--- Modules/selectmodule.c.orig 2006-09-27 21:17:32.000000000 +0200
++++ Modules/selectmodule.c
+@@ -342,10 +342,12 @@ update_ufd_array(pollObject *self)
+ {
+ int i, pos;
+ PyObject *key, *value;
++ struct pollfd *old_ufds = self->ufds;
+
+ self->ufd_len = PyDict_Size(self->dict);
+- PyMem_Resize(self->ufds, struct pollfd, self->ufd_len);
++ PyMem_RESIZE(self->ufds, struct pollfd, self->ufd_len);
+ if (self->ufds == NULL) {
++ self->ufds = old_ufds;
+ PyErr_NoMemory();
+ return 0;
+ }
diff -r 9f2d57c06753 -r 0b1b1d9dac1c lang/python24/patches/patch-bl
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-bl Tue Aug 05 10:45:45 2008 +0000
@@ -0,0 +1,36 @@
+$NetBSD: patch-bl,v 1.1 2008/08/05 10:45:46 drochner Exp $
+
+--- Objects/obmalloc.c.orig 2005-07-11 07:57:11.000000000 +0200
++++ Objects/obmalloc.c
+@@ -585,6 +585,15 @@ PyObject_Malloc(size_t nbytes)
+ uint size;
+
+ /*
++ * Limit ourselves to INT_MAX bytes to prevent security holes.
++ * Most python internals blindly use a signed Py_ssize_t to track
++ * things without checking for overflows or negatives.
++ * As size_t is unsigned, checking for nbytes < 0 is not required.
++ */
++ if (nbytes > INT_MAX)
++ return NULL;
++
++ /*
+ * This implicitly redirects malloc(0).
+ */
+ if ((nbytes - 1) < SMALL_REQUEST_THRESHOLD) {
+@@ -814,6 +823,15 @@ PyObject_Realloc(void *p, size_t nbytes)
+ if (p == NULL)
+ return PyObject_Malloc(nbytes);
+
++ /*
++ * Limit ourselves to INT_MAX bytes to prevent security holes.
++ * Most python internals blindly use a signed Py_ssize_t to track
++ * things without checking for overflows or negatives.
++ * As size_t is unsigned, checking for nbytes < 0 is not required.
++ */
++ if (nbytes > INT_MAX)
++ return NULL;
++
+ pool = POOL_ADDR(p);
+ if (Py_ADDRESS_IN_RANGE(p, pool)) {
+ /* We're in charge of this block */
Home |
Main Index |
Thread Index |
Old Index