| 1 |
pinkbyte 14/07/29 07:19:13 |
| 2 |
|
| 3 |
Added: python-3.2-CVE-2014-4616.patch |
| 4 |
python-3.3-CVE-2014-4616.patch |
| 5 |
Log: |
| 6 |
Revision bump: add patch for CVE-2014-4616, bug #514686. Drop old revisions. Acked by Python team |
| 7 |
|
| 8 |
(Portage version: 2.2.10/cvs/Linux x86_64, signed Manifest commit with key 0x1F357D42) |
| 9 |
|
| 10 |
Revision Changes Path |
| 11 |
1.1 dev-lang/python/files/python-3.2-CVE-2014-4616.patch |
| 12 |
|
| 13 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-lang/python/files/python-3.2-CVE-2014-4616.patch?rev=1.1&view=markup |
| 14 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-lang/python/files/python-3.2-CVE-2014-4616.patch?rev=1.1&content-type=text/plain |
| 15 |
|
| 16 |
Index: python-3.2-CVE-2014-4616.patch |
| 17 |
=================================================================== |
| 18 |
# HG changeset patch |
| 19 |
# User Benjamin Peterson <benjamin@××××××.org> |
| 20 |
# Date 1397441438 14400 |
| 21 |
# Node ID 50c07ed1743da9cd4540d83de0c30bd17aeb41b0 |
| 22 |
# Parent 218e28a935ab4494d05215c243e2129625a71893 |
| 23 |
in scan_once, prevent the reading of arbitrary memory when passed a negative index |
| 24 |
|
| 25 |
Bug reported by Guido Vranken. |
| 26 |
|
| 27 |
Index: Python-3.2.5/Lib/json/tests/test_decode.py |
| 28 |
=================================================================== |
| 29 |
--- Python-3.2.5.orig/Lib/test/json_tests/test_decode.py 2014-06-26 18:40:10.825269130 +0200 |
| 30 |
+++ Python-3.2.5/Lib/test/json_tests/test_decode.py 2014-06-26 18:40:21.962323035 +0200 |
| 31 |
@@ -60,5 +60,9 @@ |
| 32 |
msg = 'escape' |
| 33 |
self.assertRaisesRegexp(ValueError, msg, self.loads, s) |
| 34 |
|
| 35 |
+ def test_negative_index(self): |
| 36 |
+ d = self.json.JSONDecoder() |
| 37 |
+ self.assertRaises(ValueError, d.raw_decode, 'a'*42, -50000) |
| 38 |
+ |
| 39 |
class TestPyDecode(TestDecode, PyTest): pass |
| 40 |
class TestCDecode(TestDecode, CTest): pass |
| 41 |
Index: Python-3.2.5/Modules/_json.c |
| 42 |
=================================================================== |
| 43 |
--- a/Modules/_json.c |
| 44 |
+++ b/Modules/_json.c |
| 45 |
@@ -930,7 +930,10 @@ scan_once_unicode(PyScannerObject *s, Py |
| 46 |
PyObject *res; |
| 47 |
Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr); |
| 48 |
Py_ssize_t length = PyUnicode_GET_SIZE(pystr); |
| 49 |
- if (idx >= length) { |
| 50 |
+ if (idx < 0) |
| 51 |
+ /* Compatibility with Python version. */ |
| 52 |
+ idx += length; |
| 53 |
+ if (idx < 0 || idx >= length) { |
| 54 |
PyErr_SetNone(PyExc_StopIteration); |
| 55 |
return NULL; |
| 56 |
} |
| 57 |
|
| 58 |
|
| 59 |
|
| 60 |
1.1 dev-lang/python/files/python-3.3-CVE-2014-4616.patch |
| 61 |
|
| 62 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-lang/python/files/python-3.3-CVE-2014-4616.patch?rev=1.1&view=markup |
| 63 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-lang/python/files/python-3.3-CVE-2014-4616.patch?rev=1.1&content-type=text/plain |
| 64 |
|
| 65 |
Index: python-3.3-CVE-2014-4616.patch |
| 66 |
=================================================================== |
| 67 |
# HG changeset patch |
| 68 |
# User Benjamin Peterson <benjamin@××××××.org> |
| 69 |
# Date 1397441438 14400 |
| 70 |
# Node ID 50c07ed1743da9cd4540d83de0c30bd17aeb41b0 |
| 71 |
# Parent 218e28a935ab4494d05215c243e2129625a71893 |
| 72 |
in scan_once, prevent the reading of arbitrary memory when passed a negative index |
| 73 |
|
| 74 |
Bug reported by Guido Vranken. |
| 75 |
|
| 76 |
Index: Python-3.3.5/Lib/json/tests/test_decode.py |
| 77 |
=================================================================== |
| 78 |
--- Python-3.3.5.orig/Lib/test/test_json/test_decode.py 2014-06-26 18:40:10.825269130 +0200 |
| 79 |
+++ Python-3.3.5/Lib/test/test_json/test_decode.py 2014-06-26 18:40:21.962323035 +0200 |
| 80 |
@@ -60,5 +60,10 @@ |
| 81 |
msg = 'escape' |
| 82 |
self.assertRaisesRegexp(ValueError, msg, self.loads, s) |
| 83 |
|
| 84 |
+ def test_negative_index(self): |
| 85 |
+ d = self.json.JSONDecoder() |
| 86 |
+ self.assertRaises(ValueError, d.raw_decode, 'a'*42, -50000) |
| 87 |
+ self.assertRaises(ValueError, d.raw_decode, u'a'*42, -50000) |
| 88 |
+ |
| 89 |
class TestPyDecode(TestDecode, PyTest): pass |
| 90 |
class TestCDecode(TestDecode, CTest): pass |
| 91 |
Index: Python-3.3.5/Misc/ACKS |
| 92 |
=================================================================== |
| 93 |
--- Python-3.3.5.orig/Misc/ACKS 2014-06-26 18:40:10.826269135 +0200 |
| 94 |
+++ Python-3.3.5/Misc/ACKS 2014-06-26 18:40:21.962323035 +0200 |
| 95 |
@@ -1085,6 +1085,7 @@ |
| 96 |
Frank Visser |
| 97 |
Johannes Vogel |
| 98 |
Alex Volkov |
| 99 |
+Guido Vranken |
| 100 |
Martijn Vries |
| 101 |
Niki W. Waibel |
| 102 |
Wojtek Walczak |
| 103 |
Index: Python-3.3.5/Modules/_json.c |
| 104 |
=================================================================== |
| 105 |
--- a/Modules/_json.c |
| 106 |
+++ b/Modules/_json.c |
| 107 |
@@ -975,7 +975,10 @@ scan_once_unicode(PyScannerObject *s, Py |
| 108 |
kind = PyUnicode_KIND(pystr); |
| 109 |
length = PyUnicode_GET_LENGTH(pystr); |
| 110 |
|
| 111 |
- if (idx >= length) { |
| 112 |
+ if (idx < 0) |
| 113 |
+ /* Compatibility with Python version. */ |
| 114 |
+ idx += length; |
| 115 |
+ if (idx < 0 || idx >= length) { |
| 116 |
PyErr_SetNone(PyExc_StopIteration); |
| 117 |
return NULL; |
| 118 |
} |
Archives