svn commit: r346614 - in head/lang: python27 python27/files python31 python31/files python32 python32/files python33 python33/files
Kubilay Kocak
koobs at FreeBSD.org
Sat Mar 1 10:52:58 UTC 2014
Author: koobs
Date: Sat Mar 1 10:52:55 2014
New Revision: 346614
URL: http://svnweb.freebsd.org/changeset/ports/346614
QAT: https://qat.redports.org/buildarchive/r346614/
Log:
lang/python*: Backport security fix for CVE-2014-1912
A vulnerability was reported [1] in Python's socket module, due to a
boundary error within the sock_recvfrom_into() function, which could be
exploited to cause a buffer overflow.
This could be used to crash a Python application that uses the
socket.recvfrom_info() function or, possibly, execute arbitrary code
with the permissions of the user running vulnerable Python code.
This vulnerable function, socket.recvfrom_into(), was introduced in
Python 2.5. Earlier versions are not affected by this flaw. This is
fixed in upstream branches for version 2.7, 3.1, 3.2 and 3.3.
[1] http://bugs.python.org/issue20246
MFH: 2014Q1
Security: 8e5e6d42-a0fa-11e3-b09a-080027f2d077
Added:
head/lang/python27/files/patch-CVE-2014-1912 (contents, props changed)
head/lang/python31/files/patch-CVE-2014-1912 (contents, props changed)
head/lang/python32/files/patch-CVE-2014-1912 (contents, props changed)
head/lang/python33/files/patch-CVE-2014-1912 (contents, props changed)
Modified:
head/lang/python27/Makefile
head/lang/python31/Makefile
head/lang/python32/Makefile
head/lang/python33/Makefile
Modified: head/lang/python27/Makefile
==============================================================================
--- head/lang/python27/Makefile Sat Mar 1 10:51:34 2014 (r346613)
+++ head/lang/python27/Makefile Sat Mar 1 10:52:55 2014 (r346614)
@@ -3,7 +3,7 @@
PORTNAME= python27
PORTVERSION= 2.7.6
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= lang python ipv6
MASTER_SITES= PYTHON
MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR}
Added: head/lang/python27/files/patch-CVE-2014-1912
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/lang/python27/files/patch-CVE-2014-1912 Sat Mar 1 10:52:55 2014 (r346614)
@@ -0,0 +1,50 @@
+# HG changeset patch
+# User Benjamin Peterson <benjamin at python.org>
+# Date 1389671978 18000
+# Node ID 87673659d8f7ba1623cd4914f09ad3d2ade034e9
+# Parent 2631d33ee7fbd5f0288931ef37872218d511d2e8
+complain when nbytes > buflen to fix possible buffer overflow (closes #20246)
+
+# HG changeset patch
+# User Stefan Krah <skrah at bytereef.org>
+# Date 1390341952 -3600
+# Node ID b6c5a37b221f5c617125faa363d1b460b0b61b42
+# Parent d55d1cbf5f9a9efa7908fc9412bae676a6b675ef
+Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts.
+
+diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py
+--- Lib/test/test_socket.py
++++ Lib/test/test_socket.py
+@@ -1620,6 +1620,16 @@ class BufferIOTest(SocketConnectedTest):
+
+ _testRecvFromIntoMemoryview = _testRecvFromIntoArray
+
++ def testRecvFromIntoSmallBuffer(self):
++ # See issue #20246.
++ buf = bytearray(8)
++ self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)
++
++ def _testRecvFromIntoSmallBuffer(self):
++ with test_support.check_py3k_warnings():
++ buf = buffer(MSG)
++ self.serv_conn.send(buf)
++
+
+ TIPC_STYPE = 2000
+ TIPC_LOWER = 200
+
+diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c
+--- Modules/socketmodule.c
++++ Modules/socketmodule.c
+@@ -2742,6 +2742,10 @@ sock_recvfrom_into(PySocketSockObject *s
+ if (recvlen == 0) {
+ /* If nbytes was not specified, use the buffer's length */
+ recvlen = buflen;
++ } else if (recvlen > buflen) {
++ PyErr_SetString(PyExc_ValueError,
++ "nbytes is greater than the length of the buffer");
++ goto error;
+ }
+
+ readlen = sock_recvfrom_guts(s, buf.buf, recvlen, flags, &addr);
+
Modified: head/lang/python31/Makefile
==============================================================================
--- head/lang/python31/Makefile Sat Mar 1 10:51:34 2014 (r346613)
+++ head/lang/python31/Makefile Sat Mar 1 10:52:55 2014 (r346614)
@@ -2,7 +2,7 @@
PORTNAME= python31
PORTVERSION= 3.1.5
-PORTREVISION= 10
+PORTREVISION= 11
CATEGORIES= lang python ipv6
MASTER_SITES= PYTHON
MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR}
Added: head/lang/python31/files/patch-CVE-2014-1912
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/lang/python31/files/patch-CVE-2014-1912 Sat Mar 1 10:52:55 2014 (r346614)
@@ -0,0 +1,50 @@
+# HG changeset patch
+# User Benjamin Peterson <benjamin at python.org>
+# Date 1389672374 18000
+# Node ID 715fd3d8ac93878e49a072474a4706a449720d9b
+# Parent b1ddcb220a7f375146c090a854438cf31fa3a388# Parent 87673659d8f7ba1623cd4914f09ad3d2ade034e9
+complain when nbytes > buflen to fix possible buffer overflow (closes #20246)
+
+# HG changeset patch
+# User Stefan Krah <skrah at bytereef.org>
+# Date 1390341520 -3600
+# Node ID c25e1442529f16ba5fb9df8786a019866b0686e9
+# Parent fbb4d48046e564dd89511598dbbf04422ac6da35
+Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts.
+
+diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py
+--- Lib/test/test_socket.py
++++ Lib/test/test_socket.py
+@@ -1424,6 +1424,14 @@ class BufferIOTest(SocketConnectedTest):
+ buf = bytes(MSG)
+ self.serv_conn.send(buf)
+
++ def testRecvFromIntoSmallBuffer(self):
++ # See issue #20246.
++ buf = bytearray(8)
++ self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)
++
++ def _testRecvFromIntoSmallBuffer(self):
++ self.serv_conn.send(MSG)
++
+
+ TIPC_STYPE = 2000
+ TIPC_LOWER = 200
+
+diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c
+--- Modules/socketmodule.c
++++ Modules/socketmodule.c
+@@ -2494,6 +2494,12 @@ sock_recvfrom_into(PySocketSockObject *s
+ if (recvlen == 0) {
+ /* If nbytes was not specified, use the buffer's length */
+ recvlen = buflen;
++ } else if (recvlen > buflen) {
++ PyBuffer_Release(&pbuf);
++ Py_XDECREF(addr);
++ PyErr_SetString(PyExc_ValueError,
++ "nbytes is greater than the length of the buffer");
++ return NULL;
+ }
+
+ readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr);
+
Modified: head/lang/python32/Makefile
==============================================================================
--- head/lang/python32/Makefile Sat Mar 1 10:51:34 2014 (r346613)
+++ head/lang/python32/Makefile Sat Mar 1 10:52:55 2014 (r346614)
@@ -2,7 +2,7 @@
PORTNAME= python32
PORTVERSION= 3.2.5
-PORTREVISION= 7
+PORTREVISION= 8
CATEGORIES= lang python ipv6
MASTER_SITES= PYTHON
MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR}
Added: head/lang/python32/files/patch-CVE-2014-1912
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/lang/python32/files/patch-CVE-2014-1912 Sat Mar 1 10:52:55 2014 (r346614)
@@ -0,0 +1,49 @@
+# HG changeset patch
+# User Benjamin Peterson <benjamin at python.org>
+# Date 1389671978 18000
+# Node ID 9c56217e5c793685eeaf0ee224848c402bdf1e4c
+# Parent 2b5cd6d4d149dea6c6941b7e07ada248b29fc9f6
+complain when nbytes > buflen to fix possible buffer overflow (closes #20246)
+
+# HG changeset patch
+# User Stefan Krah <skrah at bytereef.org>
+# Date 1390341520 -3600
+# Node ID e82dcd700e8cfb174d6bf6031fd6666627b20f5f
+# Parent 29b1eebecb8ed946e1db8e4bb86310d681cf4a91
+Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts.
+
+diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py
+--- Lib/test/test_socket.py
++++ Lib/test/test_socket.py
+@@ -1968,6 +1968,14 @@ class BufferIOTest(SocketConnectedTest):
+
+ _testRecvFromIntoMemoryview = _testRecvFromIntoArray
+
++ def testRecvFromIntoSmallBuffer(self):
++ # See issue #20246.
++ buf = bytearray(8)
++ self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)
++
++ def _testRecvFromIntoSmallBuffer(self):
++ self.serv_conn.send(MSG)
++
+
+ TIPC_STYPE = 2000
+ TIPC_LOWER = 200
+
+diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c
+--- Modules/socketmodule.c
++++ Modules/socketmodule.c
+@@ -2598,6 +2598,11 @@ sock_recvfrom_into(PySocketSockObject *s
+ if (recvlen == 0) {
+ /* If nbytes was not specified, use the buffer's length */
+ recvlen = buflen;
++ } else if (recvlen > buflen) {
++ PyBuffer_Release(&pbuf);
++ PyErr_SetString(PyExc_ValueError,
++ "nbytes is greater than the length of the buffer");
++ return NULL;
+ }
+
+ readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr);
+
Modified: head/lang/python33/Makefile
==============================================================================
--- head/lang/python33/Makefile Sat Mar 1 10:51:34 2014 (r346613)
+++ head/lang/python33/Makefile Sat Mar 1 10:52:55 2014 (r346614)
@@ -2,7 +2,7 @@
PORTNAME= python33
PORTVERSION= 3.3.3
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= lang python ipv6
MASTER_SITES= PYTHON
MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR}
Added: head/lang/python33/files/patch-CVE-2014-1912
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/lang/python33/files/patch-CVE-2014-1912 Sat Mar 1 10:52:55 2014 (r346614)
@@ -0,0 +1,49 @@
+# HG changeset patch
+# User Benjamin Peterson <benjamin at python.org>
+# Date 1389672775 18000
+# Node ID 7f176a45211ff3cb85a2fbdc75f7979d642bb563
+# Parent ed1c27b68068c942c6e845bdf8e987e963d50920# Parent 9c56217e5c793685eeaf0ee224848c402bdf1e4c
+merge 3.2 (#20246)
+
+# HG changeset patch
+# User Stefan Krah <skrah at bytereef.org>
+# Date 1390341520 -3600
+# Node ID 5c4f4db8107cc7b99e0a4e9c7b760c816dafa034
+# Parent 2fe0b2dcc98cd9013642fb9642365de80ff0dc30
+Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts.
+
+diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py
+--- Lib/test/test_socket.py
++++ Lib/test/test_socket.py
+@@ -4538,6 +4538,14 @@ class BufferIOTest(SocketConnectedTest):
+
+ _testRecvFromIntoMemoryview = _testRecvFromIntoArray
+
++ def testRecvFromIntoSmallBuffer(self):
++ # See issue #20246.
++ buf = bytearray(8)
++ self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)
++
++ def _testRecvFromIntoSmallBuffer(self):
++ self.serv_conn.send(MSG)
++
+
+ TIPC_STYPE = 2000
+ TIPC_LOWER = 200
+
+diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c
+--- Modules/socketmodule.c
++++ Modules/socketmodule.c
+@@ -2935,6 +2935,11 @@ sock_recvfrom_into(PySocketSockObject *s
+ if (recvlen == 0) {
+ /* If nbytes was not specified, use the buffer's length */
+ recvlen = buflen;
++ } else if (recvlen > buflen) {
++ PyBuffer_Release(&pbuf);
++ PyErr_SetString(PyExc_ValueError,
++ "nbytes is greater than the length of the buffer");
++ return NULL;
+ }
+
+ readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr);
+
More information about the svn-ports-all
mailing list