1 |
commit: 4d4181e97c8eb35dbb021f4d6a8daca122aa52c3 |
2 |
Author: James Le Cuirot <chewi <AT> gentoo <DOT> org> |
3 |
AuthorDate: Thu Aug 31 21:15:12 2017 +0000 |
4 |
Commit: James Le Cuirot <chewi <AT> gentoo <DOT> org> |
5 |
CommitDate: Thu Aug 31 21:16:19 2017 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d4181e9 |
7 |
|
8 |
dev-java/jython: Patch against CVE-2016-4000 (bug #621876) |
9 |
|
10 |
Also unpeg the dev-java/asm version as 5.1 works fine. 5.0.3 was the |
11 |
latest when that restriction was put in place so a newer version could |
12 |
not have been breaking it. |
13 |
|
14 |
Package-Manager: Portage-2.3.8, Repoman-2.3.2 |
15 |
|
16 |
dev-java/jython/files/CVE-2016-4000.patch | 158 +++++++++++++++++++++ |
17 |
...thon-2.7.0-r1.ebuild => jython-2.7.0-r2.ebuild} | 3 +- |
18 |
2 files changed, 160 insertions(+), 1 deletion(-) |
19 |
|
20 |
diff --git a/dev-java/jython/files/CVE-2016-4000.patch b/dev-java/jython/files/CVE-2016-4000.patch |
21 |
new file mode 100644 |
22 |
index 00000000000..81785eb05b0 |
23 |
--- /dev/null |
24 |
+++ b/dev-java/jython/files/CVE-2016-4000.patch |
25 |
@@ -0,0 +1,158 @@ |
26 |
+ |
27 |
+# HG changeset patch |
28 |
+# User Jim Baker <jim.baker@×××××××××.com> |
29 |
+# Date 1454384221 25200 |
30 |
+# Node ID d06e29d100c04576735e86c75a26c5f33669bb72 |
31 |
+# Parent b6735606c13df95f770527e629954407f82808c5 |
32 |
+Do not deserialize PyFunction objects. Fixes #2454 |
33 |
+ |
34 |
+Instead use standard Python pickling; or subclass PyFunction. |
35 |
+ |
36 |
+diff --git a/Lib/test/test_java_integration.py b/Lib/test/test_java_integration.py |
37 |
+--- a/Lib/test/test_java_integration.py |
38 |
++++ b/Lib/test/test_java_integration.py |
39 |
+@@ -14,8 +14,9 @@ import re |
40 |
+ from collections import deque |
41 |
+ from test import test_support |
42 |
+ |
43 |
+-from java.lang import (ClassCastException, ExceptionInInitializerError, String, Runnable, System, |
44 |
+- Runtime, Math, Byte) |
45 |
++from java.lang import ( |
46 |
++ ClassCastException, ExceptionInInitializerError, UnsupportedOperationException, |
47 |
++ String, Runnable, System, Runtime, Math, Byte) |
48 |
+ from java.math import BigDecimal, BigInteger |
49 |
+ from java.net import URI |
50 |
+ from java.io import (ByteArrayInputStream, ByteArrayOutputStream, File, FileInputStream, |
51 |
+@@ -656,13 +657,30 @@ class SerializationTest(unittest.TestCas |
52 |
+ self.assertEqual(date_list, roundtrip_serialization(date_list)) |
53 |
+ |
54 |
+ def test_java_serialization_pycode(self): |
55 |
+- |
56 |
+ def universal_answer(): |
57 |
+ return 42 |
58 |
+ |
59 |
+ serialized_code = roundtrip_serialization(universal_answer.func_code) |
60 |
+ self.assertEqual(eval(serialized_code), universal_answer()) |
61 |
+ |
62 |
++ def test_java_serialization_pyfunction(self): |
63 |
++ # Not directly supported due to lack of general utility |
64 |
++ # (globals will usually be in the function object in |
65 |
++ # func_globals), and problems with unserialization |
66 |
++ # vulnerabilities. Users can always subclass from PyFunction |
67 |
++ # for specific cases, as seen in PyCascading |
68 |
++ import new |
69 |
++ def f(): |
70 |
++ return 6 * 7 + max(0, 1, 2) |
71 |
++ # However, using the new module, it's possible to create a |
72 |
++ # function with no globals, which means the globals will come |
73 |
++ # from the current context |
74 |
++ g = new.function(f.func_code, {}, "g") |
75 |
++ # But still forbid Java deserialization of this function |
76 |
++ # object. Use pickling or other support instead. |
77 |
++ with self.assertRaises(UnsupportedOperationException): |
78 |
++ roundtrip_serialization(g) |
79 |
++ |
80 |
+ def test_builtin_names(self): |
81 |
+ import __builtin__ |
82 |
+ names = [x for x in dir(__builtin__)] |
83 |
+@@ -872,7 +890,7 @@ class SingleMethodInterfaceTest(unittest |
84 |
+ future.get() |
85 |
+ self.assertEqual(x, [42]) |
86 |
+ |
87 |
+- @unittest.skip("FIXME: not working") |
88 |
++ @unittest.skip("FIXME: not working; see http://bugs.jython.org/issue2115") |
89 |
+ def test_callable_object(self): |
90 |
+ callable_obj = CallableObject() |
91 |
+ future = self.executor.submit(callable_obj) |
92 |
+diff --git a/Lib/test/test_new.py b/Lib/test/test_new.py |
93 |
+--- a/Lib/test/test_new.py |
94 |
++++ b/Lib/test/test_new.py |
95 |
+@@ -24,18 +24,10 @@ class NewTest(unittest.TestCase): |
96 |
+ c = new.instance(C, {'yolks': 3}) |
97 |
+ |
98 |
+ o = new.instance(C) |
99 |
+- |
100 |
+- # __dict__ is a non dict mapping in Jython |
101 |
+- if test_support.is_jython: |
102 |
+- self.assertEqual(len(o.__dict__), 0, "new __dict__ should be empty") |
103 |
+- else: |
104 |
+- self.assertEqual(o.__dict__, {}, "new __dict__ should be empty") |
105 |
++ self.assertEqual(o.__dict__, {}, "new __dict__ should be empty") |
106 |
+ del o |
107 |
+ o = new.instance(C, None) |
108 |
+- if test_support.is_jython: |
109 |
+- self.assertEqual(len(o.__dict__), 0, "new __dict__ should be empty") |
110 |
+- else: |
111 |
+- self.assertEqual(o.__dict__, {}, "new __dict__ should be empty") |
112 |
++ self.assertEqual(o.__dict__, {}, "new __dict__ should be empty") |
113 |
+ del o |
114 |
+ |
115 |
+ def break_yolks(self): |
116 |
+@@ -109,7 +101,14 @@ class NewTest(unittest.TestCase): |
117 |
+ test_closure(g, (1, 1), ValueError) # closure is wrong size |
118 |
+ test_closure(f, g.func_closure, ValueError) # no closure needed |
119 |
+ |
120 |
+- if hasattr(new, 'code') and not test_support.is_jython: |
121 |
++ # [Obsolete] Note: Jython will never have new.code() |
122 |
++ # |
123 |
++ # Who said that?!!! guess what, we do! :) |
124 |
++ # |
125 |
++ # Unfortunately we still need a way to compile to Python bytecode, |
126 |
++ # so support is still incomplete, as seen in the fact that we need |
127 |
++ # to get values from CPython 2.7. |
128 |
++ if hasattr(new, 'code'): |
129 |
+ def test_code(self): |
130 |
+ # bogus test of new.code() |
131 |
+ def f(a): pass |
132 |
+@@ -117,16 +116,16 @@ class NewTest(unittest.TestCase): |
133 |
+ c = f.func_code |
134 |
+ argcount = c.co_argcount |
135 |
+ nlocals = c.co_nlocals |
136 |
+- stacksize = c.co_stacksize |
137 |
++ stacksize = 1 # TODO c.co_stacksize |
138 |
+ flags = c.co_flags |
139 |
+- codestring = c.co_code |
140 |
+- constants = c.co_consts |
141 |
+- names = c.co_names |
142 |
++ codestring = 'd\x00\x00S' # TODO c.co_code |
143 |
++ constants = (None,) # TODO c.co_consts |
144 |
++ names = () # TODO c.co_names |
145 |
+ varnames = c.co_varnames |
146 |
+ filename = c.co_filename |
147 |
+ name = c.co_name |
148 |
+ firstlineno = c.co_firstlineno |
149 |
+- lnotab = c.co_lnotab |
150 |
++ lnotab = '' # TODO c.co_lnotab, but also see http://bugs.jython.org/issue1638 |
151 |
+ freevars = c.co_freevars |
152 |
+ cellvars = c.co_cellvars |
153 |
+ |
154 |
+diff --git a/src/org/python/core/PyBytecode.java b/src/org/python/core/PyBytecode.java |
155 |
+--- a/src/org/python/core/PyBytecode.java |
156 |
++++ b/src/org/python/core/PyBytecode.java |
157 |
+@@ -66,6 +66,12 @@ public class PyBytecode extends PyBaseCo |
158 |
+ |
159 |
+ debug = defaultDebug; |
160 |
+ |
161 |
++ if (argcount < 0) { |
162 |
++ throw Py.ValueError("code: argcount must not be negative"); |
163 |
++ } else if (nlocals < 0) { |
164 |
++ throw Py.ValueError("code: nlocals must not be negative"); |
165 |
++ } |
166 |
++ |
167 |
+ co_argcount = nargs = argcount; |
168 |
+ co_varnames = varnames; |
169 |
+ co_nlocals = nlocals; // maybe assert = varnames.length; |
170 |
+diff --git a/src/org/python/core/PyFunction.java b/src/org/python/core/PyFunction.java |
171 |
+--- a/src/org/python/core/PyFunction.java |
172 |
++++ b/src/org/python/core/PyFunction.java |
173 |
+@@ -545,6 +545,9 @@ public class PyFunction extends PyObject |
174 |
+ @Override |
175 |
+ public boolean isSequenceType() { return false; } |
176 |
+ |
177 |
++ private Object readResolve() { |
178 |
++ throw new UnsupportedOperationException(); |
179 |
++ } |
180 |
+ |
181 |
+ /* Traverseproc implementation */ |
182 |
+ @Override |
183 |
+ |
184 |
|
185 |
diff --git a/dev-java/jython/jython-2.7.0-r1.ebuild b/dev-java/jython/jython-2.7.0-r2.ebuild |
186 |
similarity index 98% |
187 |
rename from dev-java/jython/jython-2.7.0-r1.ebuild |
188 |
rename to dev-java/jython/jython-2.7.0-r2.ebuild |
189 |
index d0870d8b4ac..c0b7572345d 100644 |
190 |
--- a/dev-java/jython/jython-2.7.0-r1.ebuild |
191 |
+++ b/dev-java/jython/jython-2.7.0-r2.ebuild |
192 |
@@ -20,7 +20,7 @@ IUSE="examples test" |
193 |
|
194 |
CP_DEPEND="dev-java/antlr:3 |
195 |
dev-java/netty-transport:0 |
196 |
- =dev-java/asm-5.0.3:4 |
197 |
+ >=dev-java/asm-5:4 |
198 |
dev-java/commons-compress:0 |
199 |
dev-java/guava:20 |
200 |
dev-java/jffi:1.2 |
201 |
@@ -66,6 +66,7 @@ PATCHES=( |
202 |
"${FILESDIR}"/${PN}-2.7_beta1-dont-always-recompile-classes.patch |
203 |
"${FILESDIR}"/${PN}-2.7_beta2-maxrepeat-import.patch |
204 |
"${FILESDIR}"/${PN}-2.7.0-build.xml.patch |
205 |
+ "${FILESDIR}"/CVE-2016-4000.patch |
206 |
) |
207 |
|
208 |
src_prepare() { |