pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/pkgsrc-2008Q2]: pkgsrc/lang/python24 Pullup ticket 2480 - requested b...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/e364535850b4
branches:  pkgsrc-2008Q2
changeset: 544233:e364535850b4
user:      tron <tron%pkgsrc.org@localhost>
date:      Sun Aug 10 17:02:25 2008 +0000

description:
Pullup ticket 2480 - requested by drochner
Security patches for python24

Revisions pulled up:
- lang/python24/Makefile                1.44-1.45
- lang/python24/distinfo                1.29-1.31
- lang/python24/patches/patch-ba        1.1
- lang/python24/patches/patch-bb        1.1
- lang/python24/patches/patch-bc        1.1
- lang/python24/patches/patch-bd        1.1
- lang/python24/patches/patch-be        1.1
- lang/python24/patches/patch-bf        1.1
- lang/python24/patches/patch-bg        1.1
- lang/python24/patches/patch-bh        1.1
- lang/python24/patches/patch-bi        1.1
- lang/python24/patches/patch-bj        1.1
- lang/python24/patches/patch-bk        1.1
- lang/python24/patches/patch-bl        1.1
- lang/python24/patches/patch-bm        1.1
---
    Module Name:    pkgsrc
    Committed By:   joerg
    Date:           Mon Jul 14 14:42:51 UTC 2008

    Modified Files:
        pkgsrc/lang/python24: Makefile

    Log Message:
    Always build depend on readline, so that devel/py-readline can pick up
    the right config. Bump revision.
---
    Module Name:    pkgsrc
    Committed By:   drochner
    Date:           Tue Aug  5 10:13:34 UTC 2008

    Modified Files:
            pkgsrc/lang/python24: Makefile distinfo
    Added Files:
            pkgsrc/lang/python24/patches: patch-ba patch-bb patch-bc patch-bd
                patch-be patch-bf patch-bg

    Log Message:
    add patches from upstream svn rev.65333, fix integer overflows in
    memory allocation (CVE-2008-2315)
---
    Module Name:    pkgsrc
    Committed By:   drochner
    Date:           Tue Aug  5 10:45:46 UTC 2008

    Modified Files:
            pkgsrc/lang/python24: distinfo
    Added Files:
            pkgsrc/lang/python24/patches: patch-bh patch-bi patch-bj patch-bk
                patch-bl

    Log Message:
    also apply upstream svn rev.65262, fixes overflow checks in memory
    allocation (CVE-2008-3142), ride on PKGREVISION bump some minutes ago
---
    Module Name:    pkgsrc
    Committed By:   drochner
    Date:           Thu Aug  7 11:20:18 UTC 2008

    Modified Files:
            pkgsrc/lang/python24: distinfo
    Added Files:
            pkgsrc/lang/python24/patches: patch-bm

    Log Message:
    Add a patch from the upstream 2.5 branch (svn rev.63883) to fix an
    integer overflow in the vsnprintf replacement function.
    This is likely not a real problem, and the patch wasn't pulled to
    the upstream 2.4 branch, but so we can formally declare our 2.4
    as not vulnerable now.

diffstat:

 lang/python24/Makefile         |    7 ++-
 lang/python24/distinfo         |   15 +++++-
 lang/python24/patches/patch-ba |   25 ++++++++
 lang/python24/patches/patch-bb |   13 ++++
 lang/python24/patches/patch-bc |   33 +++++++++++
 lang/python24/patches/patch-bd |   15 +++++
 lang/python24/patches/patch-be |   44 +++++++++++++++
 lang/python24/patches/patch-bf |   19 ++++++
 lang/python24/patches/patch-bg |  114 +++++++++++++++++++++++++++++++++++++++++
 lang/python24/patches/patch-bh |   60 +++++++++++++++++++++
 lang/python24/patches/patch-bi |   16 +++++
 lang/python24/patches/patch-bj |   35 ++++++++++++
 lang/python24/patches/patch-bk |   18 ++++++
 lang/python24/patches/patch-bl |   36 ++++++++++++
 lang/python24/patches/patch-bm |   57 ++++++++++++++++++++
 15 files changed, 505 insertions(+), 2 deletions(-)

diffs (truncated from 589 to 300 lines):

diff -r 8052829fb8b3 -r e364535850b4 lang/python24/Makefile
--- a/lang/python24/Makefile    Sun Aug 10 15:30:12 2008 +0000
+++ b/lang/python24/Makefile    Sun Aug 10 17:02:25 2008 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.43 2008/04/12 22:43:02 jlam Exp $
+# $NetBSD: Makefile,v 1.43.4.1 2008/08/10 17:02:25 tron Exp $
 
 DISTNAME=      Python-2.4.5
 PKGNAME=       python24-2.4.5
+PKGREVISION=   2
 CATEGORIES=    lang python
 MASTER_SITES=  http://www.python.org/ftp/python/2.4.5/
 EXTRACT_SUFX=  .tar.bz2
@@ -163,8 +164,12 @@
                ${DESTDIR}${PREFIX}/lib/libpython2.4.sl.1.0
 .endif
 
+USE_GNU_READLINE=      # defined
+BUILDLINK_DEPMETHOD.readline=          build
+
 .include "../../archivers/bzip2/buildlink3.mk"
 .include "../../devel/gettext-lib/buildlink3.mk"
+.include "../../devel/readline/buildlink3.mk"
 .include "../../devel/zlib/buildlink3.mk"
 .include "../../security/openssl/buildlink3.mk"
 .include "../../mk/dlopen.buildlink3.mk"
diff -r 8052829fb8b3 -r e364535850b4 lang/python24/distinfo
--- a/lang/python24/distinfo    Sun Aug 10 15:30:12 2008 +0000
+++ b/lang/python24/distinfo    Sun Aug 10 17:02:25 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.28 2008/04/11 10:44:08 drochner Exp $
+$NetBSD: distinfo,v 1.28.4.1 2008/08/10 17:02:25 tron Exp $
 
 SHA1 (Python-2.4.5.tar.bz2) = 6e9e1ac2b70cc10c36063a25ab5a5ddb53177107
 RMD160 (Python-2.4.5.tar.bz2) = b43f2114697be751f03ec7cfb46f8c4946a73097
@@ -23,3 +23,16 @@
 SHA1 (patch-ar) = f132998e3e81f3093f9bddf32fe6dcb40fcfa76f
 SHA1 (patch-at) = 9d66115cc561c99dcc3478678aa286c1c0c3df6b
 SHA1 (patch-au) = d0a234efabe7d6a1f2b1dcbf26780fdc6b452214
+SHA1 (patch-ba) = c9b88da8efc334771eff578585e2e9e7e21a0634
+SHA1 (patch-bb) = 89829819c5a38f3bbd8be1737568f87b9ffbd598
+SHA1 (patch-bc) = e72dc346087f78760e623344e9eff147283c202c
+SHA1 (patch-bd) = f760e4995888e22997d27598872fcf25cb89cbfe
+SHA1 (patch-be) = ce192dc8ec7b53b691288f1fecc8abbd9b61e9ea
+SHA1 (patch-bf) = c0ae4152a0991d1c814462a5a8e925c9a9a6c254
+SHA1 (patch-bg) = 30a6d65a10bc0e6df5229635ad89a27e1093a347
+SHA1 (patch-bh) = 4eee3ae6ff7ea9ca5c599dd782d78fb35a0562f4
+SHA1 (patch-bi) = 735906d3fb35bfe0d3b8d410b3a240e358215e05
+SHA1 (patch-bj) = ee23fac376746e48ee00e73b9ecc688086b7bc98
+SHA1 (patch-bk) = 4af3c66a3f6b773dc5fc14943a36b0906024e885
+SHA1 (patch-bl) = 9a192f5f4afd4296493599414a714bba6085d897
+SHA1 (patch-bm) = bd8a9f5b2cc3909bc69d9b585b42643057dae646
diff -r 8052829fb8b3 -r e364535850b4 lang/python24/patches/patch-ba
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-ba    Sun Aug 10 17:02:25 2008 +0000
@@ -0,0 +1,25 @@
+$NetBSD: patch-ba,v 1.1.2.2 2008/08/10 17:02:25 tron Exp $
+
+--- Modules/gcmodule.c.orig    2006-09-28 19:08:01.000000000 +0200
++++ Modules/gcmodule.c
+@@ -1249,7 +1249,10 @@ PyObject *
+ _PyObject_GC_Malloc(size_t basicsize)
+ {
+       PyObject *op;
+-      PyGC_Head *g = PyObject_MALLOC(sizeof(PyGC_Head) + basicsize);
++      PyGC_Head *g;
++      if (basicsize > INT_MAX - sizeof(PyGC_Head))
++              return PyErr_NoMemory();
++      g = PyObject_MALLOC(sizeof(PyGC_Head) + basicsize);
+       if (g == NULL)
+               return PyErr_NoMemory();
+       g->gc.gc_refs = GC_UNTRACKED;
+@@ -1291,6 +1294,8 @@ _PyObject_GC_Resize(PyVarObject *op, int
+ {
+       const size_t basicsize = _PyObject_VAR_SIZE(op->ob_type, nitems);
+       PyGC_Head *g = AS_GC(op);
++      if (basicsize > INT_MAX - sizeof(PyGC_Head))
++              return (PyVarObject *)PyErr_NoMemory();
+       g = PyObject_REALLOC(g,  sizeof(PyGC_Head) + basicsize);
+       if (g == NULL)
+               return (PyVarObject *)PyErr_NoMemory();
diff -r 8052829fb8b3 -r e364535850b4 lang/python24/patches/patch-bb
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-bb    Sun Aug 10 17:02:25 2008 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-bb,v 1.1.2.2 2008/08/10 17:02:25 tron Exp $
+
+--- Modules/mmapmodule.c.orig  2008-08-05 12:00:52.000000000 +0200
++++ Modules/mmapmodule.c
+@@ -223,7 +223,7 @@ mmap_read_method(mmap_object *self,
+               return(NULL);
+ 
+       /* silently 'adjust' out-of-range requests */
+-      if ((self->pos + num_bytes) > self->size) {
++      if (num_bytes > self->size - self->pos) {
+               num_bytes -= (self->pos+num_bytes) - self->size;
+       }
+       result = Py_BuildValue("s#", self->data+self->pos, num_bytes);
diff -r 8052829fb8b3 -r e364535850b4 lang/python24/patches/patch-bc
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-bc    Sun Aug 10 17:02:25 2008 +0000
@@ -0,0 +1,33 @@
+$NetBSD: patch-bc,v 1.1.2.2 2008/08/10 17:02:25 tron Exp $
+
+--- Modules/stropmodule.c.orig 2008-03-02 20:20:32.000000000 +0100
++++ Modules/stropmodule.c
+@@ -214,6 +214,13 @@ strop_joinfields(PyObject *self, PyObjec
+                               return NULL;
+                       }
+                       slen = PyString_GET_SIZE(item);
++                      if (slen > INT_MAX - reslen ||
++                          seplen > INT_MAX - reslen - seplen) {
++                              PyErr_SetString(PyExc_OverflowError,
++                                              "input too long");
++                              Py_DECREF(res);
++                              return NULL;
++                      }
+                       while (reslen + slen + seplen >= sz) {
+                               if (_PyString_Resize(&res, sz * 2) < 0)
+                                       return NULL;
+@@ -251,6 +258,14 @@ strop_joinfields(PyObject *self, PyObjec
+                       return NULL;
+               }
+               slen = PyString_GET_SIZE(item);
++              if (slen > INT_MAX - reslen ||
++                  seplen > INT_MAX - reslen - seplen) {
++                      PyErr_SetString(PyExc_OverflowError,
++                                      "input too long");
++                      Py_DECREF(res);
++                      Py_XDECREF(item);
++                      return NULL;
++              }
+               while (reslen + slen + seplen >= sz) {
+                       if (_PyString_Resize(&res, sz * 2) < 0) {
+                               Py_DECREF(item);
diff -r 8052829fb8b3 -r e364535850b4 lang/python24/patches/patch-bd
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-bd    Sun Aug 10 17:02:25 2008 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-bd,v 1.1.2.2 2008/08/10 17:02:25 tron Exp $
+
+--- Objects/bufferobject.c.orig        2008-03-02 20:20:32.000000000 +0100
++++ Objects/bufferobject.c
+@@ -384,6 +384,10 @@ buffer_repeat(PyBufferObject *self, int 
+               count = 0;
+       if (!get_buf(self, &ptr, &size))
+               return NULL;
++      if (count > INT_MAX / size) {
++              PyErr_SetString(PyExc_MemoryError, "result too large");
++              return NULL;
++      }
+       ob = PyString_FromStringAndSize(NULL, size * count);
+       if ( ob == NULL )
+               return NULL;
diff -r 8052829fb8b3 -r e364535850b4 lang/python24/patches/patch-be
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-be    Sun Aug 10 17:02:25 2008 +0000
@@ -0,0 +1,44 @@
+$NetBSD: patch-be,v 1.1.2.2 2008/08/10 17:02:25 tron Exp $
+
+--- Objects/stringobject.c.orig        2006-10-06 21:26:14.000000000 +0200
++++ Objects/stringobject.c
+@@ -69,6 +69,11 @@ PyString_FromStringAndSize(const char *s
+               return (PyObject *)op;
+       }
+ 
++      if (size > INT_MAX - sizeof(PyStringObject)) {
++              PyErr_SetString(PyExc_OverflowError, "string is too large");
++              return NULL;
++      }
++
+       /* Inline PyObject_NewVar */
+       op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
+       if (op == NULL)
+@@ -104,7 +109,7 @@ PyString_FromString(const char *str)
+ 
+       assert(str != NULL);
+       size = strlen(str);
+-      if (size > INT_MAX) {
++      if (size > INT_MAX - sizeof(PyStringObject)) {
+               PyErr_SetString(PyExc_OverflowError,
+                       "string is too long for a Python string");
+               return NULL;
+@@ -907,7 +912,18 @@ string_concat(register PyStringObject *a
+               Py_INCREF(a);
+               return (PyObject *)a;
+       }
++      /* Check that string sizes are not negative, to prevent an
++         overflow in cases where we are passed incorrectly-created
++         strings with negative lengths (due to a bug in other code).
++      */
+       size = a->ob_size + b->ob_size;
++      if (a->ob_size < 0 || b->ob_size < 0 ||
++          a->ob_size > INT_MAX - b->ob_size) {
++              PyErr_SetString(PyExc_OverflowError,
++                              "strings are too large to concat");
++              return NULL;
++      }
++
+       /* Inline PyObject_NewVar */
+       op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
+       if (op == NULL)
diff -r 8052829fb8b3 -r e364535850b4 lang/python24/patches/patch-bf
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-bf    Sun Aug 10 17:02:25 2008 +0000
@@ -0,0 +1,19 @@
+$NetBSD: patch-bf,v 1.1.2.2 2008/08/10 17:02:26 tron Exp $
+
+--- Objects/tupleobject.c.orig 2006-03-17 20:04:15.000000000 +0100
++++ Objects/tupleobject.c
+@@ -60,11 +60,12 @@ PyTuple_New(register int size)
+               int nbytes = size * sizeof(PyObject *);
+               /* Check for overflow */
+               if (nbytes / sizeof(PyObject *) != (size_t)size ||
+-                  (nbytes += sizeof(PyTupleObject) - sizeof(PyObject *))
+-                  <= 0)
++                  (nbytes > INT_MAX - sizeof(PyTupleObject) - sizeof(PyObject *)))
+               {
+                       return PyErr_NoMemory();
+               }
++              nbytes += sizeof(PyTupleObject) - sizeof(PyObject *);
++
+               op = PyObject_GC_NewVar(PyTupleObject, &PyTuple_Type, size);
+               if (op == NULL)
+                       return NULL;
diff -r 8052829fb8b3 -r e364535850b4 lang/python24/patches/patch-bg
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-bg    Sun Aug 10 17:02:25 2008 +0000
@@ -0,0 +1,114 @@
+$NetBSD: patch-bg,v 1.1.2.2 2008/08/10 17:02:26 tron Exp $
+
+--- Objects/unicodeobject.c.orig       2006-10-05 20:08:58.000000000 +0200
++++ Objects/unicodeobject.c
+@@ -186,6 +186,11 @@ PyUnicodeObject *_PyUnicode_New(int leng
+         return unicode_empty;
+     }
+ 
++    /* Ensure we won't overflow the size. */
++    if (length > ((INT_MAX / sizeof(Py_UNICODE)) - 1)) {
++        return (PyUnicodeObject *)PyErr_NoMemory();
++    }
++
+     /* Unicode freelist & memory allocation */
+     if (unicode_freelist) {
+         unicode = unicode_freelist;
+@@ -1040,6 +1045,9 @@ PyObject *PyUnicode_EncodeUTF7(const Py_
+     char * out;
+     char * start;
+ 
++    if (cbAllocated / 5 != size)
++        return PyErr_NoMemory();
++
+     if (size == 0)
+               return PyString_FromStringAndSize(NULL, 0);
+ 
+@@ -1638,6 +1646,7 @@ PyUnicode_EncodeUTF16(const Py_UNICODE *
+ {
+     PyObject *v;
+     unsigned char *p;
++    int nsize, bytesize;
+ #ifdef Py_UNICODE_WIDE
+     int i, pairs;
+ #else
+@@ -1662,8 +1671,15 @@ PyUnicode_EncodeUTF16(const Py_UNICODE *
+       if (s[i] >= 0x10000)
+           pairs++;
+ #endif
+-    v = PyString_FromStringAndSize(NULL,
+-                2 * (size + pairs + (byteorder == 0)));
++    /* 2 * (size + pairs + (byteorder == 0)) */
++    if (size > INT_MAX ||
++      size > INT_MAX - pairs - (byteorder == 0))
++      return PyErr_NoMemory();
++    nsize = (size + pairs + (byteorder == 0));
++    bytesize = nsize * 2;
++    if (bytesize / 2 != nsize)
++      return PyErr_NoMemory();
++    v = PyString_FromStringAndSize(NULL, bytesize);
+     if (v == NULL)
+         return NULL;
+ 
+@@ -1977,6 +1993,11 @@ PyObject *unicodeescape_string(const Py_
+     char *p;
+ 
+     static const char *hexdigit = "0123456789abcdef";
++#ifdef Py_UNICODE_WIDE
++    const int expandsize = 10;
++#else
++    const int expandsize = 6;
++#endif
+ 
+     /* Initial allocation is based on the longest-possible unichr
+        escape.
+@@ -1992,13 +2013,12 @@ PyObject *unicodeescape_string(const Py_
+        escape.
+     */
+ 
++    if (size > (INT_MAX - 2 - 1) / expandsize)
++      return PyErr_NoMemory();
++



Home | Main Index | Thread Index | Old Index