pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/lang/python24 also apply upstream svn rev.65262, fixes...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/0b1b1d9dac1c
branches:  trunk
changeset: 545486:0b1b1d9dac1c
user:      drochner <drochner%pkgsrc.org@localhost>
date:      Tue Aug 05 10:45:45 2008 +0000

description:
also apply upstream svn rev.65262, fixes overflow checks in memory
allocation (CVE-2008-3142), ride on PKGREVISION bump some minutes ago

diffstat:

 lang/python24/distinfo         |   7 ++++-
 lang/python24/patches/patch-bh |  60 ++++++++++++++++++++++++++++++++++++++++++
 lang/python24/patches/patch-bi |  16 +++++++++++
 lang/python24/patches/patch-bj |  35 ++++++++++++++++++++++++
 lang/python24/patches/patch-bk |  18 ++++++++++++
 lang/python24/patches/patch-bl |  36 +++++++++++++++++++++++++
 6 files changed, 171 insertions(+), 1 deletions(-)

diffs (203 lines):

diff -r 9f2d57c06753 -r 0b1b1d9dac1c lang/python24/distinfo
--- a/lang/python24/distinfo    Tue Aug 05 10:25:14 2008 +0000
+++ b/lang/python24/distinfo    Tue Aug 05 10:45:45 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.29 2008/08/05 10:13:34 drochner Exp $
+$NetBSD: distinfo,v 1.30 2008/08/05 10:45:45 drochner Exp $
 
 SHA1 (Python-2.4.5.tar.bz2) = 6e9e1ac2b70cc10c36063a25ab5a5ddb53177107
 RMD160 (Python-2.4.5.tar.bz2) = b43f2114697be751f03ec7cfb46f8c4946a73097
@@ -30,3 +30,8 @@
 SHA1 (patch-be) = ce192dc8ec7b53b691288f1fecc8abbd9b61e9ea
 SHA1 (patch-bf) = c0ae4152a0991d1c814462a5a8e925c9a9a6c254
 SHA1 (patch-bg) = 30a6d65a10bc0e6df5229635ad89a27e1093a347
+SHA1 (patch-bh) = 4eee3ae6ff7ea9ca5c599dd782d78fb35a0562f4
+SHA1 (patch-bi) = 735906d3fb35bfe0d3b8d410b3a240e358215e05
+SHA1 (patch-bj) = ee23fac376746e48ee00e73b9ecc688086b7bc98
+SHA1 (patch-bk) = 4af3c66a3f6b773dc5fc14943a36b0906024e885
+SHA1 (patch-bl) = 9a192f5f4afd4296493599414a714bba6085d897
diff -r 9f2d57c06753 -r 0b1b1d9dac1c lang/python24/patches/patch-bh
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-bh    Tue Aug 05 10:45:45 2008 +0000
@@ -0,0 +1,60 @@
+$NetBSD: patch-bh,v 1.1 2008/08/05 10:45:45 drochner Exp $
+
+--- Include/pymem.h.orig       2008-03-02 20:20:32.000000000 +0100
++++ Include/pymem.h
+@@ -66,8 +66,12 @@ PyAPI_FUNC(void) PyMem_Free(void *);
+    for malloc(0), which would be treated as an error. Some platforms
+    would return a pointer with no memory behind it, which would break
+    pymalloc. To solve these problems, allocate an extra byte. */
+-#define PyMem_MALLOC(n)         malloc((n) ? (n) : 1)
+-#define PyMem_REALLOC(p, n)     realloc((p), (n) ? (n) : 1)
++/* Returns NULL to indicate error if a negative size or size larger than
++   Py_ssize_t can represent is supplied.  Helps prevents security holes. */
++#define PyMem_MALLOC(n)               (((n) < 0 || (n) > INT_MAX) ? NULL \
++                              : malloc((n) ? (n) : 1))
++#define PyMem_REALLOC(p, n)   (((n) < 0 || (n) > INT_MAX) ? NULL \
++                              : realloc((p), (n) ? (n) : 1))
+ 
+ #endif        /* PYMALLOC_DEBUG */
+ 
+@@ -80,24 +84,31 @@ PyAPI_FUNC(void) PyMem_Free(void *);
+  * Type-oriented memory interface
+  * ==============================
+  *
+- * These are carried along for historical reasons.  There's rarely a good
+- * reason to use them anymore (you can just as easily do the multiply and
+- * cast yourself).
++ * Allocate memory for n objects of the given type.  Returns a new pointer
++ * or NULL if the request was too large or memory allocation failed.  Use
++ * these macros rather than doing the multiplication yourself so that proper
++ * overflow checking is always done.
+  */
+ 
+ #define PyMem_New(type, n) \
+-  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
++  ( ((n) > INT_MAX / sizeof(type)) ? NULL : \
+       ( (type *) PyMem_Malloc((n) * sizeof(type)) ) )
+ #define PyMem_NEW(type, n) \
+-  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
++  ( ((n) > INT_MAX / sizeof(type)) ? NULL : \
+       ( (type *) PyMem_MALLOC((n) * sizeof(type)) ) )
+ 
++/*
++ * The value of (p) is always clobbered by this macro regardless of success.
++ * The caller MUST check if (p) is NULL afterwards and deal with the memory
++ * error if so.  This means the original value of (p) MUST be saved for the
++ * caller's memory error handler to not lose track of it.
++ */
+ #define PyMem_Resize(p, type, n) \
+-  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+-      ( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) )
++  ( (p) = ((n) > INT_MAX / sizeof(type)) ? NULL : \
++      (type *) PyMem_Realloc((p), (n) * sizeof(type)) )
+ #define PyMem_RESIZE(p, type, n) \
+-  ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \
+-      ( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) )
++  ( (p) = ((n) > INT_MAX / sizeof(type)) ? NULL : \
++      (type *) PyMem_REALLOC((p), (n) * sizeof(type)) )
+ 
+ /* In order to avoid breaking old code mixing PyObject_{New, NEW} with
+    PyMem_{Del, DEL} and PyMem_{Free, FREE}, the PyMem "release memory"
diff -r 9f2d57c06753 -r 0b1b1d9dac1c lang/python24/patches/patch-bi
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-bi    Tue Aug 05 10:45:45 2008 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-bi,v 1.1 2008/08/05 10:45:45 drochner Exp $
+
+--- Modules/almodule.c.orig    2006-09-27 21:17:32.000000000 +0200
++++ Modules/almodule.c
+@@ -1633,9 +1633,11 @@ al_QueryValues(PyObject *self, PyObject 
+       if (nvals < 0)
+               goto cleanup;
+       if (nvals > setsize) {
++              ALvalue *old_return_set = return_set;
+               setsize = nvals;
+               PyMem_RESIZE(return_set, ALvalue, setsize);
+               if (return_set == NULL) {
++                      return_set = old_return_set;
+                       PyErr_NoMemory();
+                       goto cleanup;
+               }
diff -r 9f2d57c06753 -r 0b1b1d9dac1c lang/python24/patches/patch-bj
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-bj    Tue Aug 05 10:45:45 2008 +0000
@@ -0,0 +1,35 @@
+$NetBSD: patch-bj,v 1.1 2008/08/05 10:45:45 drochner Exp $
+
+--- Modules/arraymodule.c.orig 2008-03-02 20:20:32.000000000 +0100
++++ Modules/arraymodule.c
+@@ -814,6 +814,7 @@ static int
+ array_do_extend(arrayobject *self, PyObject *bb)
+ {
+       int size;
++      char *old_item;
+ 
+       if (!array_Check(bb))
+               return array_iter_extend(self, bb);
+@@ -829,10 +830,11 @@ array_do_extend(arrayobject *self, PyObj
+                       return -1;
+       }
+       size = self->ob_size + b->ob_size;
++      old_item = self->ob_item;
+         PyMem_RESIZE(self->ob_item, char, size*self->ob_descr->itemsize);
+         if (self->ob_item == NULL) {
+-                PyObject_Del(self);
+-                PyErr_NoMemory();
++              self->ob_item = old_item;
++              PyErr_NoMemory();
+               return -1;
+         }
+       memcpy(self->ob_item + self->ob_size*self->ob_descr->itemsize,
+@@ -884,7 +886,7 @@ array_inplace_repeat(arrayobject *self, 
+                       if (size > INT_MAX / n) {
+                               return PyErr_NoMemory();
+                       }
+-                      PyMem_Resize(items, char, n * size);
++                      PyMem_RESIZE(items, char, n * size);
+                       if (items == NULL)
+                               return PyErr_NoMemory();
+                       p = items;
diff -r 9f2d57c06753 -r 0b1b1d9dac1c lang/python24/patches/patch-bk
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-bk    Tue Aug 05 10:45:45 2008 +0000
@@ -0,0 +1,18 @@
+$NetBSD: patch-bk,v 1.1 2008/08/05 10:45:45 drochner Exp $
+
+--- Modules/selectmodule.c.orig        2006-09-27 21:17:32.000000000 +0200
++++ Modules/selectmodule.c
+@@ -342,10 +342,12 @@ update_ufd_array(pollObject *self)
+ {
+       int i, pos;
+       PyObject *key, *value;
++        struct pollfd *old_ufds = self->ufds;
+ 
+       self->ufd_len = PyDict_Size(self->dict);
+-      PyMem_Resize(self->ufds, struct pollfd, self->ufd_len);
++      PyMem_RESIZE(self->ufds, struct pollfd, self->ufd_len);
+       if (self->ufds == NULL) {
++                self->ufds = old_ufds;
+               PyErr_NoMemory();
+               return 0;
+       }
diff -r 9f2d57c06753 -r 0b1b1d9dac1c lang/python24/patches/patch-bl
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-bl    Tue Aug 05 10:45:45 2008 +0000
@@ -0,0 +1,36 @@
+$NetBSD: patch-bl,v 1.1 2008/08/05 10:45:46 drochner Exp $
+
+--- Objects/obmalloc.c.orig    2005-07-11 07:57:11.000000000 +0200
++++ Objects/obmalloc.c
+@@ -585,6 +585,15 @@ PyObject_Malloc(size_t nbytes)
+       uint size;
+ 
+       /*
++       * Limit ourselves to INT_MAX bytes to prevent security holes.
++       * Most python internals blindly use a signed Py_ssize_t to track
++       * things without checking for overflows or negatives.
++       * As size_t is unsigned, checking for nbytes < 0 is not required.
++       */
++      if (nbytes > INT_MAX)
++              return NULL;
++
++      /*
+        * This implicitly redirects malloc(0).
+        */
+       if ((nbytes - 1) < SMALL_REQUEST_THRESHOLD) {
+@@ -814,6 +823,15 @@ PyObject_Realloc(void *p, size_t nbytes)
+       if (p == NULL)
+               return PyObject_Malloc(nbytes);
+ 
++      /*
++       * Limit ourselves to INT_MAX bytes to prevent security holes.
++       * Most python internals blindly use a signed Py_ssize_t to track
++       * things without checking for overflows or negatives.
++       * As size_t is unsigned, checking for nbytes < 0 is not required.
++       */
++      if (nbytes > INT_MAX)
++              return NULL;
++
+       pool = POOL_ADDR(p);
+       if (Py_ADDRESS_IN_RANGE(p, pool)) {
+               /* We're in charge of this block */



Home | Main Index | Thread Index | Old Index