commit: 384deab9737c204d6c61b06fa96d4e9ab93a18c1 |
Author: Arthur Zamarin <arthurzam <AT> gentoo <DOT> org> |
AuthorDate: Sun Sep 12 16:36:09 2021 +0000 |
Commit: Arthur Zamarin <arthurzam <AT> gentoo <DOT> org> |
CommitDate: Sun Sep 12 16:36:09 2021 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=384deab9 |
|
dev-python/rencode: import upstream fix for CVE-2021-40839 |
|
Bug: https://bugs.gentoo.org/812437 |
Signed-off-by: Arthur Zamarin <arthurzam <AT> gentoo.org> |
|
.../files/rencode-1.0.6-fix-CVE-2021-40839.patch | 34 +++++++++++++++++++++ |
dev-python/rencode/rencode-1.0.6-r2.ebuild | 35 ++++++++++++++++++++++ |
2 files changed, 69 insertions(+) |
|
diff --git a/dev-python/rencode/files/rencode-1.0.6-fix-CVE-2021-40839.patch b/dev-python/rencode/files/rencode-1.0.6-fix-CVE-2021-40839.patch |
18 |
new file mode 100644 |
19 |
index 00000000000..0a997d40801 |
20 |
--- /dev/null |
21 |
+++ b/dev-python/rencode/files/rencode-1.0.6-fix-CVE-2021-40839.patch |
22 |
@@ -0,0 +1,34 @@ |
23 |
+From: Andrew Resch <andrewresch@×××××.com> |
24 |
+Date: Mon, 9 Aug 2021 20:44:51 -0700 |
25 |
+Subject: [PATCH] Fix checking if typecode is valid while decoding. |
26 |
+ |
27 |
+This bug will cause rencode to hang if the invalid typecode is included |
28 |
+in a sequence type (list, dict) since the position will not change and |
29 |
+the loop checking for the termination byte never returns. |
30 |
+ |
31 |
+This change is a copy of PR #29 with a few aesthetic changes. |
32 |
+ |
33 |
+--- a/rencode/rencode.pyx |
34 |
++++ b/rencode/rencode.pyx |
35 |
+@@ -527,6 +527,8 @@ |
36 |
+ return decode_fixed_dict(data, pos) |
37 |
+ elif typecode == CHR_DICT: |
38 |
+ return decode_dict(data, pos) |
39 |
++ else: |
40 |
++ raise ValueError("Invalid typecode: %d at pos: %d" % (typecode, pos[0])) |
41 |
+ |
42 |
+ def loads(data, decode_utf8=False): |
43 |
+ """ |
44 |
+--- a/tests/test_rencode.py |
45 |
++++ b/tests/test_rencode.py |
46 |
+@@ -223,5 +223,10 @@ |
47 |
+ assert rencode_orig.__version__ |
48 |
+ self.assertEqual(rencode.__version__[1:], rencode_orig.__version__[1:], "version number does not match") |
49 |
+ |
50 |
++ def test_invalid_typecode(self): |
51 |
++ s = b";\x2f\x7f" |
52 |
++ with self.assertRaises(ValueError): |
53 |
++ rencode.loads(s) |
54 |
++ |
55 |
+ if __name__ == '__main__': |
56 |
+ unittest.main() |
57 |
|
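Review bot: The patch header says the change is "a copy of PR #29" but carries no upstream commit hash or URL, so a later maintainer cannot verify that the shipped fix matches what upstream merged; an `Upstream: <commit or PR URL>` line above `From:` would close that supply-chain gap. On the fix itself, the new `else: raise ValueError(...)` branch in the `decode` dispatch ends the hang for any unknown typecode, but the added test only exercises an unknown typecode inside a list (`b";\x2f\x7f"`); a second case with the dict container and one with an unknown typecode at the top level of `loads` would pin both paths the header describes. Before this patch an unrecognised top-level typecode presumably fell through and returned `None` instead of raising, so any caller that relied on that now sees `ValueError`; a sentence noting the behaviour change in the patch header would help downstream consumers. The enclosing `decode` function in `rencode.pyx` and the test class both continue outside the quoted hunks.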
58 |
diff --git a/dev-python/rencode/rencode-1.0.6-r2.ebuild b/dev-python/rencode/rencode-1.0.6-r2.ebuild |
59 |
new file mode 100644 |
60 |
index 00000000000..db75d8fdb88 |
61 |
--- /dev/null |
62 |
+++ b/dev-python/rencode/rencode-1.0.6-r2.ebuild |
63 |
@@ -0,0 +1,35 @@ |
64 |
+# Copyright 1999-2021 Gentoo Authors |
65 |
+# Distributed under the terms of the GNU General Public License v2 |
66 |
+ |
67 |
+EAPI=8 |
68 |
+ |
69 |
+PYTHON_COMPAT=( python3_{8..10} ) |
70 |
+ |
71 |
+inherit distutils-r1 |
72 |
+ |
73 |
+DESCRIPTION="similar to bencode from the BitTorrent project" |
74 |
+HOMEPAGE="https://github.com/aresch/rencode" |
75 |
+SRC_URI="https://github.com/aresch/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz" |
76 |
+ |
77 |
+LICENSE="GPL-3+" |
78 |
+SLOT="0" |
79 |
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~sparc ~x86 ~amd64-linux ~x86-linux" |
80 |
+ |
81 |
+BDEPEND="dev-python/cython[${PYTHON_USEDEP}]" |
82 |
+ |
83 |
+distutils_enable_tests pytest |
84 |
+ |
85 |
+PATCHES=( |
86 |
+ # https://github.com/aresch/rencode/commit/16e61e1ff4294bddb7c881536d3d454355c78969 |
87 |
+ "${FILESDIR}/${P}-drop-wheel-dependency.patch" |
88 |
+ # bug #812437 |
89 |
+ "${FILESDIR}/${P}-fix-CVE-2021-40839.patch" |
90 |
+) |
91 |
+ |
92 |
+python_test() { |
93 |
+ # The C extension ("_rencode") can't be imported from "${S}/rencode" |
94 |
+ # so we need to cd somewhere else to make sure "rencode" is imported |
95 |
+ # from ${BUILD_DIR}/lib (thanks to PYTHONPATH). |
96 |
+ cd "${T}" || die |
97 |
+ epytest "${S}" |
98 |
+} |
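Review bot: The `# bug #812437` comment above the CVE patch entry in `PATCHES` is thinner than the entry just before it, which cites the upstream commit; for a security patch the CVE id and an upstream reference are what the next maintainer needs to decide when the patch can be dropped, so `# CVE-2021-40839, bug #812437` plus the upstream commit or PR reference (the patch header names PR #29) would be more useful. Since `distutils_enable_tests pytest` runs the suite and the patch adds `test_invalid_typecode`, the fix is verified at build time under FEATURES=test, which is good; the `${P}-drop-wheel-dependency.patch` entry presumably already exists in FILESDIR from the earlier revision, as this commit does not add it. Every keyword is still `~arch`, so stable users do not yet get the fixed revision; a stabilization request for this CVE fix seems warranted, though that is outside this commit.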