Bug 127172 - [PATCH]lang/python25: security fixes for 2.5.2
Summary: [PATCH]lang/python25: security fixes for 2.5.2
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Martin Wilke
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-09-07 07:20 UTC by bf
Modified: 2008-09-11 09:33 UTC (History)
0 users

See Also:


Attachments
file.diff (35.54 KB, patch)
2008-09-07 07:20 UTC, bf
no flags

Description bf 2008-09-07 07:20:01 UTC
While we're waiting for the new version of python, be on the safe side and add patches for CVE-2008-2315, CVE-2008-2316, CVE-2008-3142, and CVE-2008-3144.  These should be documented in vuxml.  lang/python24 should also be patched for these, and also for CVE-2008-3143.

(See, for example, http://www.gentoo.org/security/en/glsa/glsa-200807-16.xml, and the links in that page.)

Fix: Patch attached with submission follows:
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2008-09-07 07:20:12 UTC
Responsible Changed
From-To: freebsd-ports-bugs->python

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 Martin Wilke freebsd_committer freebsd_triage 2008-09-07 12:37:07 UTC
Responsible Changed
From-To: python->miwi

I handle this.
Comment 3 dfilter service freebsd_committer freebsd_triage 2008-09-08 01:14:15 UTC
miwi        2008-09-08 00:14:06 UTC

  FreeBSD ports repository

  Modified files:
    lang/python25        Makefile 
  Added files:
    lang/python25/files  patch-lib-test_test_bigmem.py 
                         patch-lib-test_test_hashlib.py 
                         patch-lib-test_test_strop.py 
                         patch-lib-test_test_support.py 
                         patch-lib_seq_tests.py 
                         patch-modules_almodule.c 
                         patch-modules_arraymodule.c 
                         patch-modules_gcmodule.c 
                         patch-modules_hashopenssl.c 
                         patch-modules_mmapmodule.c 
                         patch-modules_selectmodule.c 
                         patch-modules_stropmodule.c 
                         patch-objects_bufferobject.c 
                         patch-objects_longobject.c 
                         patch-objects_obmalloc.c 
                         patch-objects_stringobject.c 
                         patch-objects_tupleobject.c 
                         patch-objects_unicodeobject.c 
                         patch-python_mysnprintf.c 
  Log:
  - Security fixes
  
  Multiple vulnerabilities:
  
          1) Various integer overflow errors exist in core modules e.g. stringobject,
             unicodeobject, bufferobject, longobject, tupleobject, stropmodule, gcmodule, mmapmodule.
          2) An integer overflow in the hashlib module can lead to unreliable cryptographic digest results.
          3) Integer overflow errors in the processing of unicode strings can be exploited to cause
             buffer overflows on 32-bit systems.
          4) An integer overflow exists in the PyOS_vsnprintf() function on architectures that do not
             have a "vsnprintf()" function.
          5) An integer underflow error in the PyOS_vsnprintf() function when passing zero-length strings
             can lead to memory corruption.
  
  PR:             127172 (based on)
  Submitted by:   bf <bf2006a@yahoo.com>
  Obtained from:  python svn
  Security:       CVE-2008-2315, CVE-2008-2316, CVE-2008-3142, CVE-2008-3144, CVE-2008-3143. (vuxml comes later)
  
  Revision  Changes    Path
  1.152     +1 -1      ports/lang/python25/Makefile
  1.1       +163 -0    ports/lang/python25/files/patch-lib-test_test_bigmem.py (new)
  1.1       +41 -0     ports/lang/python25/files/patch-lib-test_test_hashlib.py (new)
  1.1       +28 -0     ports/lang/python25/files/patch-lib-test_test_strop.py (new)
  1.1       +62 -0     ports/lang/python25/files/patch-lib-test_test_support.py (new)
  1.1       +21 -0     ports/lang/python25/files/patch-lib_seq_tests.py (new)
  1.1       +14 -0     ports/lang/python25/files/patch-modules_almodule.c (new)
  1.1       +33 -0     ports/lang/python25/files/patch-modules_arraymodule.c (new)
  1.1       +58 -0     ports/lang/python25/files/patch-modules_gcmodule.c (new)
  1.1       +104 -0    ports/lang/python25/files/patch-modules_hashopenssl.c (new)
  1.1       +11 -0     ports/lang/python25/files/patch-modules_mmapmodule.c (new)
  1.1       +16 -0     ports/lang/python25/files/patch-modules_selectmodule.c (new)
  1.1       +31 -0     ports/lang/python25/files/patch-modules_stropmodule.c (new)
  1.1       +13 -0     ports/lang/python25/files/patch-objects_bufferobject.c (new)
  1.1       +11 -0     ports/lang/python25/files/patch-objects_longobject.c (new)
  1.1       +34 -0     ports/lang/python25/files/patch-objects_obmalloc.c (new)
  1.1       +49 -0     ports/lang/python25/files/patch-objects_stringobject.c (new)
  1.1       +17 -0     ports/lang/python25/files/patch-objects_tupleobject.c (new)
  1.1       +115 -0    ports/lang/python25/files/patch-objects_unicodeobject.c (new)
  1.1       +55 -0     ports/lang/python25/files/patch-python_mysnprintf.c (new)
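As an added illustration of the integer-overflow class the commit log describes in items 1 and 3 (sequence repeat in stringobject, tupleobject and friends), and not code from the port or from CPython: the unchecked size computation beside the checked form that refuses a product that would wrap before any buffer is allocated. All function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked form (the bug class): len * count silently wraps, so a buffer
 * sized from it is smaller than the copy loop that follows expects. */
size_t repeat_size_unchecked(size_t len, size_t count)
{
    return len * count;
}

/* Returns 1 if len * count would wrap around size_t, 0 otherwise.
 * Dividing instead of multiplying is the overflow-safe way to test this. */
int repeat_overflows(size_t len, size_t count)
{
    return len != 0 && count > SIZE_MAX / len;
}

/* Hardened repeat: validates the product before allocating. Returns NULL on
 * overflow or allocation failure; the caller frees the result. */
char *repeat_string(const char *s, size_t count)
{
    size_t len = strlen(s);
    if (repeat_overflows(len, count))
        return NULL;
    if (len == 0)                   /* nothing to copy, skip the loop */
        count = 0;
    size_t total = len * count;
    if (total == SIZE_MAX)          /* no room for the terminating NUL */
        return NULL;
    char *buf = malloc(total + 1);
    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < count; i++)
        memcpy(buf + i * len, s, len);
    buf[total] = '\0';
    return buf;
}

/* Helper for checking results: builds the repeat, compares it to expected,
 * frees it. Returns 1 on a match, 0 if the repeat was refused or differs. */
int repeat_matches(const char *s, size_t count, const char *expected)
{
    char *r = repeat_string(s, count);
    if (r == NULL)
        return 0;
    int ok = strcmp(r, expected) == 0;
    free(r);
    return ok;
}
```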
Comment 4 Martin Wilke freebsd_committer freebsd_triage 2008-09-08 01:15:02 UTC
State Changed
From-To: open->patched

Ok python25 is now fixed, vuxml entry is needed and patches for python2.4.5.
Comment 5 Martin Wilke freebsd_committer freebsd_triage 2008-09-11 09:33:25 UTC
State Changed
From-To: patched->closed

python24 is now patched and documented. Thanks for your submission and help.