| 1 |
commit: 4d4181e97c8eb35dbb021f4d6a8daca122aa52c3 |
| 2 |
Author: James Le Cuirot <chewi <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Thu Aug 31 21:15:12 2017 +0000 |
| 4 |
Commit: James Le Cuirot <chewi <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Thu Aug 31 21:16:19 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d4181e9 |
| 7 |
|
| 8 |
dev-java/jython: Patch against CVE-2016-4000 (bug #621876) |
| 9 |
|
| 10 |
Also unpeg the dev-java/asm version as 5.1 works fine. 5.0.3 was the |
| 11 |
latest when that restriction was put in place so a newer version could |
| 12 |
not have been breaking it. |
| 13 |
|
| 14 |
Package-Manager: Portage-2.3.8, Repoman-2.3.2 |
| 15 |
|
| 16 |
dev-java/jython/files/CVE-2016-4000.patch | 158 +++++++++++++++++++++ |
| 17 |
...thon-2.7.0-r1.ebuild => jython-2.7.0-r2.ebuild} | 3 +- |
| 18 |
2 files changed, 160 insertions(+), 1 deletion(-) |
| 19 |
|
| 20 |
diff --git a/dev-java/jython/files/CVE-2016-4000.patch b/dev-java/jython/files/CVE-2016-4000.patch |
| 21 |
new file mode 100644 |
| 22 |
index 00000000000..81785eb05b0 |
| 23 |
--- /dev/null |
| 24 |
+++ b/dev-java/jython/files/CVE-2016-4000.patch |
| 25 |
@@ -0,0 +1,158 @@ |
| 26 |
+ |
| 27 |
+# HG changeset patch |
| 28 |
+# User Jim Baker <jim.baker@×××××××××.com> |
| 29 |
+# Date 1454384221 25200 |
| 30 |
+# Node ID d06e29d100c04576735e86c75a26c5f33669bb72 |
| 31 |
+# Parent b6735606c13df95f770527e629954407f82808c5 |
| 32 |
+Do not deserialize PyFunction objects. Fixes #2454 |
| 33 |
+ |
| 34 |
+Instead use standard Python pickling; or subclass PyFunction. |
| 35 |
+ |
| 36 |
+diff --git a/Lib/test/test_java_integration.py b/Lib/test/test_java_integration.py |
| 37 |
+--- a/Lib/test/test_java_integration.py |
| 38 |
++++ b/Lib/test/test_java_integration.py |
| 39 |
+@@ -14,8 +14,9 @@ import re |
| 40 |
+ from collections import deque |
| 41 |
+ from test import test_support |
| 42 |
+ |
| 43 |
+-from java.lang import (ClassCastException, ExceptionInInitializerError, String, Runnable, System, |
| 44 |
+- Runtime, Math, Byte) |
| 45 |
++from java.lang import ( |
| 46 |
++ ClassCastException, ExceptionInInitializerError, UnsupportedOperationException, |
| 47 |
++ String, Runnable, System, Runtime, Math, Byte) |
| 48 |
+ from java.math import BigDecimal, BigInteger |
| 49 |
+ from java.net import URI |
| 50 |
+ from java.io import (ByteArrayInputStream, ByteArrayOutputStream, File, FileInputStream, |
| 51 |
+@@ -656,13 +657,30 @@ class SerializationTest(unittest.TestCas |
| 52 |
+ self.assertEqual(date_list, roundtrip_serialization(date_list)) |
| 53 |
+ |
| 54 |
+ def test_java_serialization_pycode(self): |
| 55 |
+- |
| 56 |
+ def universal_answer(): |
| 57 |
+ return 42 |
| 58 |
+ |
| 59 |
+ serialized_code = roundtrip_serialization(universal_answer.func_code) |
| 60 |
+ self.assertEqual(eval(serialized_code), universal_answer()) |
| 61 |
+ |
| 62 |
++ def test_java_serialization_pyfunction(self): |
| 63 |
++ # Not directly supported due to lack of general utility |
| 64 |
++ # (globals will usually be in the function object in |
| 65 |
++ # func_globals), and problems with unserialization |
| 66 |
++ # vulnerabilities. Users can always subclass from PyFunction |
| 67 |
++ # for specific cases, as seen in PyCascading |
| 68 |
++ import new |
| 69 |
++ def f(): |
| 70 |
++ return 6 * 7 + max(0, 1, 2) |
| 71 |
++ # However, using the new module, it's possible to create a |
| 72 |
++ # function with no globals, which means the globals will come |
| 73 |
++ # from the current context |
| 74 |
++ g = new.function(f.func_code, {}, "g") |
| 75 |
++ # But still forbid Java deserialization of this function |
| 76 |
++ # object. Use pickling or other support instead. |
| 77 |
++ with self.assertRaises(UnsupportedOperationException): |
| 78 |
++ roundtrip_serialization(g) |
| 79 |
++ |
| 80 |
+ def test_builtin_names(self): |
| 81 |
+ import __builtin__ |
| 82 |
+ names = [x for x in dir(__builtin__)] |
| 83 |
+@@ -872,7 +890,7 @@ class SingleMethodInterfaceTest(unittest |
| 84 |
+ future.get() |
| 85 |
+ self.assertEqual(x, [42]) |
| 86 |
+ |
| 87 |
+- @unittest.skip("FIXME: not working") |
| 88 |
++ @unittest.skip("FIXME: not working; see http://bugs.jython.org/issue2115") |
| 89 |
+ def test_callable_object(self): |
| 90 |
+ callable_obj = CallableObject() |
| 91 |
+ future = self.executor.submit(callable_obj) |
| 92 |
+diff --git a/Lib/test/test_new.py b/Lib/test/test_new.py |
| 93 |
+--- a/Lib/test/test_new.py |
| 94 |
++++ b/Lib/test/test_new.py |
| 95 |
+@@ -24,18 +24,10 @@ class NewTest(unittest.TestCase): |
| 96 |
+ c = new.instance(C, {'yolks': 3}) |
| 97 |
+ |
| 98 |
+ o = new.instance(C) |
| 99 |
+- |
| 100 |
+- # __dict__ is a non dict mapping in Jython |
| 101 |
+- if test_support.is_jython: |
| 102 |
+- self.assertEqual(len(o.__dict__), 0, "new __dict__ should be empty") |
| 103 |
+- else: |
| 104 |
+- self.assertEqual(o.__dict__, {}, "new __dict__ should be empty") |
| 105 |
++ self.assertEqual(o.__dict__, {}, "new __dict__ should be empty") |
| 106 |
+ del o |
| 107 |
+ o = new.instance(C, None) |
| 108 |
+- if test_support.is_jython: |
| 109 |
+- self.assertEqual(len(o.__dict__), 0, "new __dict__ should be empty") |
| 110 |
+- else: |
| 111 |
+- self.assertEqual(o.__dict__, {}, "new __dict__ should be empty") |
| 112 |
++ self.assertEqual(o.__dict__, {}, "new __dict__ should be empty") |
| 113 |
+ del o |
| 114 |
+ |
| 115 |
+ def break_yolks(self): |
| 116 |
+@@ -109,7 +101,14 @@ class NewTest(unittest.TestCase): |
| 117 |
+ test_closure(g, (1, 1), ValueError) # closure is wrong size |
| 118 |
+ test_closure(f, g.func_closure, ValueError) # no closure needed |
| 119 |
+ |
| 120 |
+- if hasattr(new, 'code') and not test_support.is_jython: |
| 121 |
++ # [Obsolete] Note: Jython will never have new.code() |
| 122 |
++ # |
| 123 |
++ # Who said that?!!! guess what, we do! :) |
| 124 |
++ # |
| 125 |
++ # Unfortunately we still need a way to compile to Python bytecode, |
| 126 |
++ # so support is still incomplete, as seen in the fact that we need |
| 127 |
++ # to get values from CPython 2.7. |
| 128 |
++ if hasattr(new, 'code'): |
| 129 |
+ def test_code(self): |
| 130 |
+ # bogus test of new.code() |
| 131 |
+ def f(a): pass |
| 132 |
+@@ -117,16 +116,16 @@ class NewTest(unittest.TestCase): |
| 133 |
+ c = f.func_code |
| 134 |
+ argcount = c.co_argcount |
| 135 |
+ nlocals = c.co_nlocals |
| 136 |
+- stacksize = c.co_stacksize |
| 137 |
++ stacksize = 1 # TODO c.co_stacksize |
| 138 |
+ flags = c.co_flags |
| 139 |
+- codestring = c.co_code |
| 140 |
+- constants = c.co_consts |
| 141 |
+- names = c.co_names |
| 142 |
++ codestring = 'd\x00\x00S' # TODO c.co_code |
| 143 |
++ constants = (None,) # TODO c.co_consts |
| 144 |
++ names = () # TODO c.co_names |
| 145 |
+ varnames = c.co_varnames |
| 146 |
+ filename = c.co_filename |
| 147 |
+ name = c.co_name |
| 148 |
+ firstlineno = c.co_firstlineno |
| 149 |
+- lnotab = c.co_lnotab |
| 150 |
++ lnotab = '' # TODO c.co_lnotab, but also see http://bugs.jython.org/issue1638 |
| 151 |
+ freevars = c.co_freevars |
| 152 |
+ cellvars = c.co_cellvars |
| 153 |
+ |
| 154 |
+diff --git a/src/org/python/core/PyBytecode.java b/src/org/python/core/PyBytecode.java |
| 155 |
+--- a/src/org/python/core/PyBytecode.java |
| 156 |
++++ b/src/org/python/core/PyBytecode.java |
| 157 |
+@@ -66,6 +66,12 @@ public class PyBytecode extends PyBaseCo |
| 158 |
+ |
| 159 |
+ debug = defaultDebug; |
| 160 |
+ |
| 161 |
++ if (argcount < 0) { |
| 162 |
++ throw Py.ValueError("code: argcount must not be negative"); |
| 163 |
++ } else if (nlocals < 0) { |
| 164 |
++ throw Py.ValueError("code: nlocals must not be negative"); |
| 165 |
++ } |
| 166 |
++ |
| 167 |
+ co_argcount = nargs = argcount; |
| 168 |
+ co_varnames = varnames; |
| 169 |
+ co_nlocals = nlocals; // maybe assert = varnames.length; |
| 170 |
+diff --git a/src/org/python/core/PyFunction.java b/src/org/python/core/PyFunction.java |
| 171 |
+--- a/src/org/python/core/PyFunction.java |
| 172 |
++++ b/src/org/python/core/PyFunction.java |
| 173 |
+@@ -545,6 +545,9 @@ public class PyFunction extends PyObject |
| 174 |
+ @Override |
| 175 |
+ public boolean isSequenceType() { return false; } |
| 176 |
+ |
| 177 |
++ private Object readResolve() { |
| 178 |
++ throw new UnsupportedOperationException(); |
| 179 |
++ } |
| 180 |
+ |
| 181 |
+ /* Traverseproc implementation */ |
| 182 |
+ @Override |
| 183 |
+ |
| 184 |
|
| 185 |
diff --git a/dev-java/jython/jython-2.7.0-r1.ebuild b/dev-java/jython/jython-2.7.0-r2.ebuild |
| 186 |
similarity index 98% |
| 187 |
rename from dev-java/jython/jython-2.7.0-r1.ebuild |
| 188 |
rename to dev-java/jython/jython-2.7.0-r2.ebuild |
| 189 |
index d0870d8b4ac..c0b7572345d 100644 |
| 190 |
--- a/dev-java/jython/jython-2.7.0-r1.ebuild |
| 191 |
+++ b/dev-java/jython/jython-2.7.0-r2.ebuild |
| 192 |
@@ -20,7 +20,7 @@ IUSE="examples test" |
| 193 |
|
| 194 |
CP_DEPEND="dev-java/antlr:3 |
| 195 |
dev-java/netty-transport:0 |
| 196 |
- =dev-java/asm-5.0.3:4 |
| 197 |
+ >=dev-java/asm-5:4 |
| 198 |
dev-java/commons-compress:0 |
| 199 |
dev-java/guava:20 |
| 200 |
dev-java/jffi:1.2 |
| 201 |
@@ -66,6 +66,7 @@ PATCHES=( |
| 202 |
"${FILESDIR}"/${PN}-2.7_beta1-dont-always-recompile-classes.patch |
| 203 |
"${FILESDIR}"/${PN}-2.7_beta2-maxrepeat-import.patch |
| 204 |
"${FILESDIR}"/${PN}-2.7.0-build.xml.patch |
| 205 |
+ "${FILESDIR}"/CVE-2016-4000.patch |
| 206 |
) |
| 207 |
|
| 208 |
src_prepare() { |
Archives