FreeBSD Bugzilla – Attachment 90081 Details for
Bug 127172
[PATCH]lang/python25: security fixes for 2.5.2
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
file.diff
file.diff (text/plain), 35.54 KB, created by
bf
on 2008-09-07 07:20:01 UTC
(
hide
)
Description:
file.diff
Filename:
MIME Type:
Creator:
bf
Created:
2008-09-07 07:20:01 UTC
Size:
35.54 KB
patch
obsolete
>diff -ruN python25.orig/Makefile python25/Makefile >--- python25.orig/Makefile 2008-08-21 02:17:31.000000000 -0400 >+++ python25/Makefile 2008-09-07 01:54:52.726296290 -0400 >@@ -6,7 +6,7 @@ > > PORTNAME= python25 > PORTVERSION= 2.5.2 >-PORTREVISION= 2 >+PORTREVISION= 3 > CATEGORIES= lang python ipv6 > MASTER_SITES= ${PYTHON_MASTER_SITES} > MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR} >diff -ruN python25.orig/files/patch-at python25/files/patch-at >--- python25.orig/files/patch-at 1969-12-31 19:00:00.000000000 -0500 >+++ python25/files/patch-at 2008-09-07 01:54:52.566294111 -0400 >@@ -0,0 +1,15 @@ >+ >+ >+Part of the fix for CVE-2008-2315 taken from Gentoo. >+ >+--- Modules/mmapmodule.c.orig 2006-08-22 14:57:07.000000000 +0100 >++++ Modules/mmapmodule.c 2008-08-30 10:16:13.000000000 +0100 >+@@ -223,7 +223,7 @@ >+ return(NULL); >+ >+ /* silently 'adjust' out-of-range requests */ >+- if ((self->pos + num_bytes) > self->size) { >++ if (num_bytes > self->size - self->pos) { >+ num_bytes -= (self->pos+num_bytes) - self->size; >+ } >+ result = Py_BuildValue("s#", self->data+self->pos, num_bytes); >diff -ruN python25.orig/files/patch-ba python25/files/patch-ba >--- python25.orig/files/patch-ba 1969-12-31 19:00:00.000000000 -0500 >+++ python25/files/patch-ba 2008-09-07 01:54:52.576295382 -0400 >@@ -0,0 +1,119 @@ >+ >+ >+Patch for CVE-2008-2315 taken from Gentoo. >+ >+--- Objects/unicodeobject.c.orig 2007-11-02 22:46:38.000000000 +0000 >++++ Objects/unicodeobject.c 2008-08-30 10:16:13.000000000 +0100 >+@@ -239,6 +239,11 @@ >+ return unicode_empty; >+ } >+ >++ /* Ensure we won't overflow the size. */ >++ if (length > ((PY_SSIZE_T_MAX / sizeof(Py_UNICODE)) - 1)) { >++ return (PyUnicodeObject *)PyErr_NoMemory(); >++ } >++ >+ /* Unicode freelist & memory allocation */ >+ if (unicode_freelist) { >+ unicode = unicode_freelist; >+@@ -1091,6 +1096,9 @@ >+ char * out; >+ char * start; >+ >++ if (cbAllocated / 5 != size) >++ return PyErr_NoMemory(); >++ >+ if (size == 0) >+ return PyString_FromStringAndSize(NULL, 0); >+ >+@@ -1689,8 +1697,9 @@ >+ { >+ PyObject *v; >+ unsigned char *p; >++ Py_ssize_t nsize, bytesize; >+ #ifdef Py_UNICODE_WIDE >+- int i, pairs; >++ Py_ssize_t i, pairs; >+ #else >+ const int pairs = 0; >+ #endif >+@@ -1713,8 +1722,15 @@ >+ if (s[i] >= 0x10000) >+ pairs++; >+ #endif >+- v = PyString_FromStringAndSize(NULL, >+- 2 * (size + pairs + (byteorder == 0))); >++ /* 2 * (size + pairs + (byteorder == 0)) */ >++ if (size > PY_SSIZE_T_MAX || >++ size > PY_SSIZE_T_MAX - pairs - (byteorder == 0)) >++ return PyErr_NoMemory(); >++ nsize = (size + pairs + (byteorder == 0)); >++ bytesize = nsize * 2; >++ if (bytesize / 2 != nsize) >++ return PyErr_NoMemory(); >++ v = PyString_FromStringAndSize(NULL, bytesize); >+ if (v == NULL) >+ return NULL; >+ >+@@ -2042,6 +2058,11 @@ >+ char *p; >+ >+ static const char *hexdigit = "0123456789abcdef"; >++#ifdef Py_UNICODE_WIDE >++ const Py_ssize_t expandsize = 10; >++#else >++ const Py_ssize_t expandsize = 6; >++#endif >+ >+ /* Initial allocation is based on the longest-possible unichr >+ escape. >+@@ -2057,13 +2078,12 @@ >+ escape. >+ */ >+ >++ if (size > (PY_SSIZE_T_MAX - 2 - 1) / expandsize) >++ return PyErr_NoMemory(); >++ >+ repr = PyString_FromStringAndSize(NULL, >+ 2 >+-#ifdef Py_UNICODE_WIDE >+- + 10*size >+-#else >+- + 6*size >+-#endif >++ + expandsize*size >+ + 1); >+ if (repr == NULL) >+ return NULL; >+@@ -2304,12 +2324,16 @@ >+ char *q; >+ >+ static const char *hexdigit = "0123456789abcdef"; >+- >+ #ifdef Py_UNICODE_WIDE >+- repr = PyString_FromStringAndSize(NULL, 10 * size); >++ const Py_ssize_t expandsize = 10; >+ #else >+- repr = PyString_FromStringAndSize(NULL, 6 * size); >++ const Py_ssize_t expandsize = 6; >+ #endif >++ >++ if (size > PY_SSIZE_T_MAX / expandsize) >++ return PyErr_NoMemory(); >++ >++ repr = PyString_FromStringAndSize(NULL, expandsize * size); >+ if (repr == NULL) >+ return NULL; >+ if (size == 0) >+@@ -4719,6 +4743,11 @@ >+ return self; >+ } >+ >++ if (left > PY_SSIZE_T_MAX - self->length || >++ right > PY_SSIZE_T_MAX - (left + self->length)) { >++ PyErr_SetString(PyExc_OverflowError, "padded string is too long"); >++ return NULL; >++ } >+ u = _PyUnicode_New(left + self->length + right); >+ if (u) { >+ if (left) >diff -ruN python25.orig/files/patch-bb python25/files/patch-bb >--- python25.orig/files/patch-bb 1969-12-31 19:00:00.000000000 -0500 >+++ python25/files/patch-bb 2008-09-07 01:54:52.586294418 -0400 >@@ -0,0 +1,21 @@ >+ >+ >+Patch for CVE-2008-2315 taken from Gentoo. >+ >+--- Objects/tupleobject.c.orig 2006-08-12 18:03:09.000000000 +0100 >++++ Objects/tupleobject.c 2008-08-30 10:16:13.000000000 +0100 >+@@ -60,11 +60,12 @@ >+ Py_ssize_t nbytes = size * sizeof(PyObject *); >+ /* Check for overflow */ >+ if (nbytes / sizeof(PyObject *) != (size_t)size || >+- (nbytes += sizeof(PyTupleObject) - sizeof(PyObject *)) >+- <= 0) >++ (nbytes > PY_SSIZE_T_MAX - sizeof(PyTupleObject) - sizeof(PyObject *))) >+ { >+ return PyErr_NoMemory(); >+ } >++ nbytes += sizeof(PyTupleObject) - sizeof(PyObject *); >++ >+ op = PyObject_GC_NewVar(PyTupleObject, &PyTuple_Type, size); >+ if (op == NULL) >+ return NULL; >diff -ruN python25.orig/files/patch-bc python25/files/patch-bc >--- python25.orig/files/patch-bc 1969-12-31 19:00:00.000000000 -0500 >+++ python25/files/patch-bc 2008-09-07 01:54:52.586294418 -0400 >@@ -0,0 +1,17 @@ >+ >+ >+Patch for CVE-2008-2315 taken from Gentoo. >+ >+--- Objects/bufferobject.c.orig 2008-02-14 11:26:18.000000000 +0000 >++++ Objects/bufferobject.c 2008-08-30 10:16:13.000000000 +0100 >+@@ -427,6 +427,10 @@ >+ count = 0; >+ if (!get_buf(self, &ptr, &size, ANY_BUFFER)) >+ return NULL; >++ if (count > PY_SSIZE_T_MAX / size) { >++ PyErr_SetString(PyExc_MemoryError, "result too large"); >++ return NULL; >++ } >+ ob = PyString_FromStringAndSize(NULL, size * count); >+ if ( ob == NULL ) >+ return NULL; >diff -ruN python25.orig/files/patch-bd python25/files/patch-bd >--- python25.orig/files/patch-bd 1969-12-31 19:00:00.000000000 -0500 >+++ python25/files/patch-bd 2008-09-07 01:54:52.596295410 -0400 >@@ -0,0 +1,15 @@ >+ >+ >+Patch for CVE-2008-2315 taken from Gentoo. >+ >+--- Objects/longobject.c.orig 2007-05-07 19:30:48.000000000 +0100 >++++ Objects/longobject.c 2008-08-30 10:16:13.000000000 +0100 >+@@ -70,6 +70,8 @@ >+ PyErr_NoMemory(); >+ return NULL; >+ } >++ /* XXX(nnorwitz): This can overflow -- >++ PyObject_NEW_VAR / _PyObject_VAR_SIZE need to detect overflow */ >+ return PyObject_NEW_VAR(PyLongObject, &PyLong_Type, size); >+ } >+ >diff -ruN python25.orig/files/patch-be python25/files/patch-be >--- python25.orig/files/patch-be 1969-12-31 19:00:00.000000000 -0500 >+++ python25/files/patch-be 2008-09-07 01:54:52.596295410 -0400 >@@ -0,0 +1,53 @@ >+ >+ >+Patch for CVE-2008-2315 taken from Gentoo. >+ >+--- Objects/stringobject.c.orig 2007-11-07 01:19:49.000000000 +0000 >++++ Objects/stringobject.c 2008-08-30 10:16:13.000000000 +0100 >+@@ -71,6 +71,11 @@ >+ return (PyObject *)op; >+ } >+ >++ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) { >++ PyErr_SetString(PyExc_OverflowError, "string is too large"); >++ return NULL; >++ } >++ >+ /* Inline PyObject_NewVar */ >+ op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size); >+ if (op == NULL) >+@@ -106,7 +111,7 @@ >+ >+ assert(str != NULL); >+ size = strlen(str); >+- if (size > PY_SSIZE_T_MAX) { >++ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) { >+ PyErr_SetString(PyExc_OverflowError, >+ "string is too long for a Python string"); >+ return NULL; >+@@ -967,14 +972,24 @@ >+ Py_INCREF(a); >+ return (PyObject *)a; >+ } >++ /* Check that string sizes are not negative, to prevent an >++ overflow in cases where we are passed incorrectly-created >++ strings with negative lengths (due to a bug in other code). >++ */ >+ size = a->ob_size + b->ob_size; >+- if (size < 0) { >++ if (a->ob_size < 0 || b->ob_size < 0 || >++ a->ob_size > PY_SSIZE_T_MAX - b->ob_size) { >+ PyErr_SetString(PyExc_OverflowError, >+ "strings are too large to concat"); >+ return NULL; >+ } >+ >+ /* Inline PyObject_NewVar */ >++ if (size > PY_SSIZE_T_MAX - sizeof(PyStringObject)) { >++ PyErr_SetString(PyExc_OverflowError, >++ "strings are too large to concat"); >++ return NULL; >++ } >+ op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size); >+ if (op == NULL) >+ return PyErr_NoMemory(); >diff -ruN python25.orig/files/patch-bf python25/files/patch-bf >--- python25.orig/files/patch-bf 1969-12-31 19:00:00.000000000 -0500 >+++ python25/files/patch-bf 2008-09-07 01:54:52.616293482 -0400 >@@ -0,0 +1,25 @@ >+ >+ >+Patch for CVE-2008-2315 taken from Gentoo. >+ >+--- Lib/test/seq_tests.py.orig 2007-11-12 20:04:41.000000000 +0000 >++++ Lib/test/seq_tests.py 2008-08-30 10:16:13.000000000 +0100 >+@@ -307,11 +307,13 @@ >+ self.assertEqual(id(s), id(s*1)) >+ >+ def test_bigrepeat(self): >+- x = self.type2test([0]) >+- x *= 2**16 >+- self.assertRaises(MemoryError, x.__mul__, 2**16) >+- if hasattr(x, '__imul__'): >+- self.assertRaises(MemoryError, x.__imul__, 2**16) >++ import sys >++ if sys.maxint <= 2147483647: >++ x = self.type2test([0]) >++ x *= 2**16 >++ self.assertRaises(MemoryError, x.__mul__, 2**16) >++ if hasattr(x, '__imul__'): >++ self.assertRaises(MemoryError, x.__imul__, 2**16) >+ >+ def test_subscript(self): >+ a = self.type2test([10, 11]) >diff -ruN python25.orig/files/patch-bg python25/files/patch-bg >--- python25.orig/files/patch-bg 1969-12-31 19:00:00.000000000 -0500 >+++ python25/files/patch-bg 2008-09-07 01:54:52.616293482 -0400 >@@ -0,0 +1,32 @@ >+ >+ >+Patch for CVE-2008-2315 taken from Gentoo. >+ >+--- Lib/test/test_strop.py.orig 2002-07-31 00:27:12.000000000 +0100 >++++ Lib/test/test_strop.py 2008-08-30 10:16:13.000000000 +0100 >+@@ -115,6 +115,25 @@ >+ strop.uppercase >+ strop.whitespace >+ >++ @test_support.precisionbigmemtest(size=test_support._2G - 1, memuse=5) >++ def test_stropjoin_huge_list(self, size): >++ a = "A" * size >++ try: >++ r = strop.join([a, a], a) >++ except OverflowError: >++ pass >++ else: >++ self.assertEquals(len(r), len(a) * 3) >++ >++ @test_support.precisionbigmemtest(size=test_support._2G - 1, memuse=1) >++ def test_stropjoin_huge_tup(self, size): >++ a = "A" * size >++ try: >++ r = strop.join((a, a), a) >++ except OverflowError: >++ pass # acceptable on 32-bit >++ else: >++ self.assertEquals(len(r), len(a) * 3) >+ >+ transtable = '\000\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037 !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`xyzdefghijklmnopqrstuvwxyz{|}~\177\200\201\202\203\204\205\206\207\210\211\212\213\214\215\216\217\220\221\222\223\224\225\226\227\230\231\232\233\234\235\236\237\240\241\242\243\244\245\246\247\250\251\252\253\254\255\256\257\260\261\262\263\264\265\266\267\270\271\272\273\274\275\276\277\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357\360\361\362\363\364\365\366\367\370\371\372\373\374\375\376\377' >+ >diff -ruN python25.orig/files/patch-bh python25/files/patch-bh >--- python25.orig/files/patch-bh 1969-12-31 19:00:00.000000000 -0500 >+++ python25/files/patch-bh 2008-09-07 01:54:52.656294376 -0400 >@@ -0,0 +1,167 @@ >+ >+ >+Patch for CVE-2008-2315 taken from Gentoo. >+ >+--- Lib/test/test_bigmem.py.orig 2007-11-30 21:53:17.000000000 +0000 >++++ Lib/test/test_bigmem.py 2008-08-30 10:16:13.000000000 +0100 >+@@ -1,5 +1,5 @@ >+ from test import test_support >+-from test.test_support import bigmemtest, _1G, _2G >++from test.test_support import bigmemtest, _1G, _2G, _4G, precisionbigmemtest >+ >+ import unittest >+ import operator >+@@ -54,6 +54,22 @@ >+ self.assertEquals(s[lpadsize:-rpadsize], SUBSTR) >+ self.assertEquals(s.strip(), SUBSTR.strip()) >+ >++ @precisionbigmemtest(size=_2G - 1, memuse=1) >++ def test_center_unicode(self, size): >++ SUBSTR = u' abc def ghi' >++ try: >++ s = SUBSTR.center(size) >++ except OverflowError: >++ pass # acceptable on 32-bit >++ else: >++ self.assertEquals(len(s), size) >++ lpadsize = rpadsize = (len(s) - len(SUBSTR)) // 2 >++ if len(s) % 2: >++ lpadsize += 1 >++ self.assertEquals(s[lpadsize:-rpadsize], SUBSTR) >++ self.assertEquals(s.strip(), SUBSTR.strip()) >++ del s >++ >+ @bigmemtest(minsize=_2G, memuse=2) >+ def test_count(self, size): >+ SUBSTR = ' abc def ghi' >+@@ -70,10 +86,44 @@ >+ s = '.' * size >+ self.assertEquals(len(s.decode('utf-8')), size) >+ >++ def basic_encode_test(self, size, enc, c=u'.', expectedsize=None): >++ if expectedsize is None: >++ expectedsize = size >++ >++ s = c * size >++ self.assertEquals(len(s.encode(enc)), expectedsize) >++ >+ @bigmemtest(minsize=_2G + 2, memuse=3) >+ def test_encode(self, size): >+- s = u'.' * size >+- self.assertEquals(len(s.encode('utf-8')), size) >++ return self.basic_encode_test(size, 'utf-8') >++ >++ @precisionbigmemtest(size=_4G / 6 + 2, memuse=2) >++ def test_encode_raw_unicode_escape(self, size): >++ try: >++ return self.basic_encode_test(size, 'raw_unicode_escape') >++ except MemoryError: >++ pass # acceptable on 32-bit >++ >++ @precisionbigmemtest(size=_4G / 5 + 70, memuse=3) >++ def test_encode_utf7(self, size): >++ try: >++ return self.basic_encode_test(size, 'utf7') >++ except MemoryError: >++ pass # acceptable on 32-bit >++ >++ @precisionbigmemtest(size=_2G-1, memuse=2) >++ def test_decodeascii(self, size): >++ return self.basic_encode_test(size, 'ascii', c='A') >++ >++ @precisionbigmemtest(size=_4G / 5, memuse=6+2) >++ def test_unicode_repr_oflw(self, size): >++ try: >++ s = u"\uAAAA"*size >++ r = repr(s) >++ except MemoryError: >++ pass # acceptable on 32-bit >++ else: >++ self.failUnless(s == eval(r)) >+ >+ @bigmemtest(minsize=_2G, memuse=2) >+ def test_endswith(self, size): >+@@ -459,6 +509,11 @@ >+ self.assertEquals(s.count('\\'), size) >+ self.assertEquals(s.count('0'), size * 2) >+ >++ @bigmemtest(minsize=2**32 / 5, memuse=6+2) >++ def test_unicode_repr(self, size): >++ s = u"\uAAAA" * size >++ self.failUnless(len(repr(s)) > size) >++ >+ # This test is meaningful even with size < 2G, as long as the >+ # doubled string is > 2G (but it tests more if both are > 2G :) >+ @bigmemtest(minsize=_1G + 2, memuse=3) >+@@ -642,6 +697,35 @@ >+ def test_repeat_large(self, size): >+ return self.basic_test_repeat(size) >+ >++ @bigmemtest(minsize=_1G - 1, memuse=12) >++ def test_repeat_large_2(self, size): >++ return self.basic_test_repeat(size) >++ >++ @precisionbigmemtest(size=_1G - 1, memuse=9) >++ def test_from_2G_generator(self, size): >++ try: >++ t = tuple(xrange(size)) >++ except MemoryError: >++ pass # acceptable on 32-bit >++ else: >++ count = 0 >++ for item in t: >++ self.assertEquals(item, count) >++ count += 1 >++ self.assertEquals(count, size) >++ >++ @precisionbigmemtest(size=_1G - 25, memuse=9) >++ def test_from_almost_2G_generator(self, size): >++ try: >++ t = tuple(xrange(size)) >++ count = 0 >++ for item in t: >++ self.assertEquals(item, count) >++ count += 1 >++ self.assertEquals(count, size) >++ except MemoryError: >++ pass # acceptable, expected on 32-bit >++ >+ # Like test_concat, split in two. >+ def basic_test_repr(self, size): >+ t = (0,) * size >+@@ -957,8 +1041,34 @@ >+ self.assertEquals(l[:10], [1] * 10) >+ self.assertEquals(l[-10:], [5] * 10) >+ >++class BufferTest(unittest.TestCase): >++ >++ @precisionbigmemtest(size=_1G, memuse=4) >++ def test_repeat(self, size): >++ try: >++ b = buffer("AAAA")*size >++ except MemoryError: >++ pass # acceptable on 32-bit >++ else: >++ count = 0 >++ for c in b: >++ self.assertEquals(c, 'A') >++ count += 1 >++ self.assertEquals(count, size*4) >++ >+ def test_main(): >+- test_support.run_unittest(StrTest, TupleTest, ListTest) >++ test_support.run_unittest(StrTest, TupleTest, ListTest, BufferTest) >++ >++# Expected failures (crashers) >++# del StrTest.test_center_unicode >++del StrTest.test_decodeascii >++# del StrTest.test_encode_utf32 >++# del StrTest.test_encode_utf7 >++# del StrTest.test_encode_raw_unicode_escape >++# >++# del TupleTest.test_from_2G_generator >++# >++# del BufferTest.test_repeat >+ >+ if __name__ == '__main__': >+ if len(sys.argv) > 1: >diff -ruN python25.orig/files/patch-bi python25/files/patch-bi >--- python25.orig/files/patch-bi 1969-12-31 19:00:00.000000000 -0500 >+++ python25/files/patch-bi 2008-09-07 01:54:52.666295927 -0400 >@@ -0,0 +1,66 @@ >+ >+ >+Patch for CVE-2008-2315 taken from Gentoo. >+ >+--- Lib/test/test_support.py.orig 2008-01-27 01:24:44.000000000 +0000 >++++ Lib/test/test_support.py 2008-08-30 10:16:13.000000000 +0100 >+@@ -33,6 +33,7 @@ >+ use_resources = None # Flag set to [] by regrtest.py >+ max_memuse = 0 # Disable bigmem tests (they will still be run with >+ # small sizes, to make sure they work.) >++real_max_memuse = 0 >+ >+ # _original_stdout is meant to hold stdout at the time regrtest began. >+ # This may be "the real" stdout, or IDLE's emulation of stdout, or whatever. >+@@ -323,6 +324,7 @@ >+ _1M = 1024*1024 >+ _1G = 1024 * _1M >+ _2G = 2 * _1G >++_4G = 4 * _1G >+ >+ # Hack to get at the maximum value an internal index can take. >+ class _Dummy: >+@@ -333,6 +335,7 @@ >+ def set_memlimit(limit): >+ import re >+ global max_memuse >++ global real_max_memuse >+ sizes = { >+ 'k': 1024, >+ 'm': _1M, >+@@ -344,6 +347,7 @@ >+ if m is None: >+ raise ValueError('Invalid memory limit %r' % (limit,)) >+ memlimit = int(float(m.group(1)) * sizes[m.group(3).lower()]) >++ real_max_memuse = memlimit >+ if memlimit > MAX_Py_ssize_t: >+ memlimit = MAX_Py_ssize_t >+ if memlimit < _2G - 1: >+@@ -389,6 +393,27 @@ >+ return wrapper >+ return decorator >+ >++def precisionbigmemtest(size, memuse, overhead=5*_1M): >++ def decorator(f): >++ def wrapper(self): >++ if not real_max_memuse: >++ maxsize = 5147 >++ else: >++ maxsize = size >++ >++ if real_max_memuse and real_max_memuse < maxsize * memuse: >++ if verbose: >++ sys.stderr.write("Skipping %s because of memory " >++ "constraint\n" % (f.__name__,)) >++ return >++ >++ return f(self, maxsize) >++ wrapper.size = size >++ wrapper.memuse = memuse >++ wrapper.overhead = overhead >++ return wrapper >++ return decorator >++ >+ def bigaddrspacetest(f): >+ """Decorator for tests that fill the address space.""" >+ def wrapper(self): >diff -ruN python25.orig/files/patch-bj python25/files/patch-bj >--- python25.orig/files/patch-bj 1969-12-31 19:00:00.000000000 -0500 >+++ python25/files/patch-bj 2008-09-07 01:54:52.676296639 -0400 >@@ -0,0 +1,35 @@ >+ >+ >+Patch for CVE-2008-2315 taken from Gentoo. >+ >+--- Modules/stropmodule.c.orig 2008-02-14 11:26:18.000000000 +0000 >++++ Modules/stropmodule.c 2008-08-30 10:16:13.000000000 +0100 >+@@ -216,6 +216,13 @@ >+ return NULL; >+ } >+ slen = PyString_GET_SIZE(item); >++ if (slen > PY_SSIZE_T_MAX - reslen || >++ seplen > PY_SSIZE_T_MAX - reslen - seplen) { >++ PyErr_SetString(PyExc_OverflowError, >++ "input too long"); >++ Py_DECREF(res); >++ return NULL; >++ } >+ while (reslen + slen + seplen >= sz) { >+ if (_PyString_Resize(&res, sz * 2) < 0) >+ return NULL; >+@@ -253,6 +260,14 @@ >+ return NULL; >+ } >+ slen = PyString_GET_SIZE(item); >++ if (slen > PY_SSIZE_T_MAX - reslen || >++ seplen > PY_SSIZE_T_MAX - reslen - seplen) { >++ PyErr_SetString(PyExc_OverflowError, >++ "input too long"); >++ Py_DECREF(res); >++ Py_XDECREF(item); >++ return NULL; >++ } >+ while (reslen + slen + seplen >= sz) { >+ if (_PyString_Resize(&res, sz * 2) < 0) { >+ Py_DECREF(item); >diff -ruN python25.orig/files/patch-bk python25/files/patch-bk >--- python25.orig/files/patch-bk 1969-12-31 19:00:00.000000000 -0500 >+++ python25/files/patch-bk 2008-09-07 01:54:52.676296639 -0400 >@@ -0,0 +1,27 @@ >+ >+ >+Patch for CVE-2008-2315 taken from Gentoo. >+ >+--- Modules/gcmodule.c.orig 2006-10-09 20:42:33.000000000 +0100 >++++ Modules/gcmodule.c 2008-08-30 10:16:13.000000000 +0100 >+@@ -1318,7 +1318,10 @@ >+ _PyObject_GC_Malloc(size_t basicsize) >+ { >+ PyObject *op; >+- PyGC_Head *g = (PyGC_Head *)PyObject_MALLOC( >++ PyGC_Head *g; >++ if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head)) >++ return PyErr_NoMemory(); >++ g = (PyGC_Head *)PyObject_MALLOC( >+ sizeof(PyGC_Head) + basicsize); >+ if (g == NULL) >+ return PyErr_NoMemory(); >+@@ -1361,6 +1364,8 @@ >+ { >+ const size_t basicsize = _PyObject_VAR_SIZE(op->ob_type, nitems); >+ PyGC_Head *g = AS_GC(op); >++ if (basicsize > PY_SSIZE_T_MAX - sizeof(PyGC_Head)) >++ return (PyVarObject *)PyErr_NoMemory(); >+ g = (PyGC_Head *)PyObject_REALLOC(g, sizeof(PyGC_Head) + basicsize); >+ if (g == NULL) >+ return (PyVarObject *)PyErr_NoMemory(); >diff -ruN python25.orig/files/patch-ca python25/files/patch-ca >--- python25.orig/files/patch-ca 1969-12-31 19:00:00.000000000 -0500 >+++ python25/files/patch-ca 2008-09-07 01:54:52.686297072 -0400 >@@ -0,0 +1,62 @@ >+ >+ >+Patch for CVE-2008-3142 taken from Gentoo. >+ >+--- Include/pymem.h.orig 2008-02-14 11:26:18.000000000 +0000 >++++ Include/pymem.h 2008-08-30 10:39:43.000000000 +0100 >+@@ -67,8 +67,12 @@ >+ for malloc(0), which would be treated as an error. Some platforms >+ would return a pointer with no memory behind it, which would break >+ pymalloc. To solve these problems, allocate an extra byte. */ >+-#define PyMem_MALLOC(n) malloc((n) ? (n) : 1) >+-#define PyMem_REALLOC(p, n) realloc((p), (n) ? (n) : 1) >++/* Returns NULL to indicate error if a negative size or size larger than >++ Py_ssize_t can represent is supplied. Helps prevents security holes. */ >++#define PyMem_MALLOC(n) (((n) < 0 || (n) > PY_SSIZE_T_MAX) ? NULL \ >++ : malloc((n) ? (n) : 1)) >++#define PyMem_REALLOC(p, n) (((n) < 0 || (n) > PY_SSIZE_T_MAX) ? NULL \ >++ : realloc((p), (n) ? (n) : 1)) >+ #define PyMem_FREE free >+ >+ #endif /* PYMALLOC_DEBUG */ >+@@ -77,24 +81,31 @@ >+ * Type-oriented memory interface >+ * ============================== >+ * >+- * These are carried along for historical reasons. There's rarely a good >+- * reason to use them anymore (you can just as easily do the multiply and >+- * cast yourself). >++ * Allocate memory for n objects of the given type. Returns a new pointer >++ * or NULL if the request was too large or memory allocation failed. Use >++ * these macros rather than doing the multiplication yourself so that proper >++ * overflow checking is always done. >+ */ >+ >+ #define PyMem_New(type, n) \ >+- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ >++ ( ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \ >+ ( (type *) PyMem_Malloc((n) * sizeof(type)) ) ) >+ #define PyMem_NEW(type, n) \ >+- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ >++ ( ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \ >+ ( (type *) PyMem_MALLOC((n) * sizeof(type)) ) ) >+ >++/* >++ * The value of (p) is always clobbered by this macro regardless of success. >++ * The caller MUST check if (p) is NULL afterwards and deal with the memory >++ * error if so. This means the original value of (p) MUST be saved for the >++ * caller's memory error handler to not lose track of it. >++ */ >+ #define PyMem_Resize(p, type, n) \ >+- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ >+- ( (p) = (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) ) >++ ( (p) = ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \ >++ (type *) PyMem_Realloc((p), (n) * sizeof(type)) ) >+ #define PyMem_RESIZE(p, type, n) \ >+- ( assert((n) <= PY_SIZE_MAX / sizeof(type)) , \ >+- ( (p) = (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) ) >++ ( (p) = ((n) > PY_SSIZE_T_MAX / sizeof(type)) ? NULL : \ >++ (type *) PyMem_REALLOC((p), (n) * sizeof(type)) ) >+ >+ /* PyMem{Del,DEL} are left over from ancient days, and shouldn't be used >+ * anymore. They're just confusing aliases for PyMem_{Free,FREE} now. >diff -ruN python25.orig/files/patch-cb python25/files/patch-cb >--- python25.orig/files/patch-cb 1969-12-31 19:00:00.000000000 -0500 >+++ python25/files/patch-cb 2008-09-07 01:54:52.696296108 -0400 >@@ -0,0 +1,38 @@ >+ >+ >+Patch for CVE-2008-3142 taken from Gentoo. >+ >+--- Objects/obmalloc.c.orig 2008-02-14 11:26:18.000000000 +0000 >++++ Objects/obmalloc.c 2008-08-30 10:39:43.000000000 +0100 >+@@ -727,6 +727,15 @@ >+ uint size; >+ >+ /* >++ * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes. >++ * Most python internals blindly use a signed Py_ssize_t to track >++ * things without checking for overflows or negatives. >++ * As size_t is unsigned, checking for nbytes < 0 is not required. >++ */ >++ if (nbytes > PY_SSIZE_T_MAX) >++ return NULL; >++ >++ /* >+ * This implicitly redirects malloc(0). >+ */ >+ if ((nbytes - 1) < SMALL_REQUEST_THRESHOLD) { >+@@ -1130,6 +1139,15 @@ >+ if (p == NULL) >+ return PyObject_Malloc(nbytes); >+ >++ /* >++ * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes. >++ * Most python internals blindly use a signed Py_ssize_t to track >++ * things without checking for overflows or negatives. >++ * As size_t is unsigned, checking for nbytes < 0 is not required. >++ */ >++ if (nbytes > PY_SSIZE_T_MAX) >++ return NULL; >++ >+ pool = POOL_ADDR(p); >+ if (Py_ADDRESS_IN_RANGE(p, pool)) { >+ /* We're in charge of this block */ >diff -ruN python25.orig/files/patch-cc python25/files/patch-cc >--- python25.orig/files/patch-cc 1969-12-31 19:00:00.000000000 -0500 >+++ python25/files/patch-cc 2008-09-07 01:54:52.696296108 -0400 >@@ -0,0 +1,18 @@ >+ >+ >+Patch for CVE-2008-3142 taken from Gentoo. >+ >+--- Modules/almodule.c.orig 2006-09-25 07:53:42.000000000 +0100 >++++ Modules/almodule.c 2008-08-30 10:39:43.000000000 +0100 >+@@ -1633,9 +1633,11 @@ >+ if (nvals < 0) >+ goto cleanup; >+ if (nvals > setsize) { >++ ALvalue *old_return_set = return_set; >+ setsize = nvals; >+ PyMem_RESIZE(return_set, ALvalue, setsize); >+ if (return_set == NULL) { >++ return_set = old_return_set; >+ PyErr_NoMemory(); >+ goto cleanup; >+ } >diff -ruN python25.orig/files/patch-cd python25/files/patch-cd >--- python25.orig/files/patch-cd 1969-12-31 19:00:00.000000000 -0500 >+++ python25/files/patch-cd 2008-09-07 01:54:52.706297100 -0400 >@@ -0,0 +1,37 @@ >+ >+ >+Patch for CVE-2008-3142 taken from Gentoo. >+ >+--- Modules/arraymodule.c.orig 2008-02-15 19:11:46.000000000 +0000 >++++ Modules/arraymodule.c 2008-08-30 10:39:43.000000000 +0100 >+@@ -816,6 +816,7 @@ >+ array_do_extend(arrayobject *self, PyObject *bb) >+ { >+ Py_ssize_t size; >++ char *old_item; >+ >+ if (!array_Check(bb)) >+ return array_iter_extend(self, bb); >+@@ -831,10 +832,11 @@ >+ return -1; >+ } >+ size = self->ob_size + b->ob_size; >++ old_item = self->ob_item; >+ PyMem_RESIZE(self->ob_item, char, size*self->ob_descr->itemsize); >+ if (self->ob_item == NULL) { >+- PyObject_Del(self); >+- PyErr_NoMemory(); >++ self->ob_item = old_item; >++ PyErr_NoMemory(); >+ return -1; >+ } >+ memcpy(self->ob_item + self->ob_size*self->ob_descr->itemsize, >+@@ -886,7 +888,7 @@ >+ if (size > PY_SSIZE_T_MAX / n) { >+ return PyErr_NoMemory(); >+ } >+- PyMem_Resize(items, char, n * size); >++ PyMem_RESIZE(items, char, n * size); >+ if (items == NULL) >+ return PyErr_NoMemory(); >+ p = items; >diff -ruN python25.orig/files/patch-ce python25/files/patch-ce >--- python25.orig/files/patch-ce 1969-12-31 19:00:00.000000000 -0500 >+++ python25/files/patch-ce 2008-09-07 01:54:52.706297100 -0400 >@@ -0,0 +1,20 @@ >+ >+ >+Patch for CVE-2008-3142 taken from Gentoo. >+ >+--- Modules/selectmodule.c.orig 2006-07-10 02:18:57.000000000 +0100 >++++ Modules/selectmodule.c 2008-08-30 10:39:43.000000000 +0100 >+@@ -349,10 +349,12 @@ >+ { >+ Py_ssize_t i, pos; >+ PyObject *key, *value; >++ struct pollfd *old_ufds = self->ufds; >+ >+ self->ufd_len = PyDict_Size(self->dict); >+- PyMem_Resize(self->ufds, struct pollfd, self->ufd_len); >++ PyMem_RESIZE(self->ufds, struct pollfd, self->ufd_len); >+ if (self->ufds == NULL) { >++ self->ufds = old_ufds; >+ PyErr_NoMemory(); >+ return 0; >+ } >diff -ruN python25.orig/files/patch-da python25/files/patch-da >--- python25.orig/files/patch-da 1969-12-31 19:00:00.000000000 -0500 >+++ python25/files/patch-da 2008-09-07 01:54:52.706297100 -0400 >@@ -0,0 +1,45 @@ >+ >+ >+Patch for CVE-2008-2316 taken from Gentoo. >+ >+--- Lib/test/test_hashlib.py.orig 2005-08-21 19:45:59.000000000 +0100 >++++ Lib/test/test_hashlib.py 2008-08-30 10:43:27.000000000 +0100 >+@@ -9,7 +9,7 @@ >+ import hashlib >+ import unittest >+ from test import test_support >+- >++from test.test_support import _4G, precisionbigmemtest >+ >+ def hexstr(s): >+ import string >+@@ -55,7 +55,6 @@ >+ m2.update(aas + bees + cees) >+ self.assertEqual(m1.digest(), m2.digest()) >+ >+- >+ def check(self, name, data, digest): >+ # test the direct constructors >+ computed = getattr(hashlib, name)(data).hexdigest() >+@@ -75,6 +74,21 @@ >+ self.check('md5', 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789', >+ 'd174ab98d277d9f5a5611c2c9f419d9f') >+ >++ @precisionbigmemtest(size=_4G + 5, memuse=1) >++ def test_case_md5_huge(self, size): >++ if size == _4G + 5: >++ try: >++ self.check('md5', 'A'*size, 'c9af2dff37468ce5dfee8f2cfc0a9c6d') >++ except OverflowError: >++ pass # 32-bit arch >++ >++ @precisionbigmemtest(size=_4G - 1, memuse=1) >++ def test_case_md5_uintmax(self, size): >++ if size == _4G - 1: >++ try: >++ self.check('md5', 'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3') >++ except OverflowError: >++ pass # 32-bit arch >+ >+ # use the three examples from Federal Information Processing Standards >+ # Publication 180-1, Secure Hash Standard, 1995 April 17 >diff -ruN python25.orig/files/patch-db python25/files/patch-db >--- python25.orig/files/patch-db 1969-12-31 19:00:00.000000000 -0500 >+++ python25/files/patch-db 2008-09-07 01:54:52.706297100 -0400 >@@ -0,0 +1,108 @@ >+ >+ >+Patch for CVE-2008-2316 taken from Gentoo. >+ >+--- Modules/_hashopenssl.c.orig 2006-05-29 22:04:52.000000000 +0100 >++++ Modules/_hashopenssl.c 2008-08-30 10:43:27.000000000 +0100 >+@@ -19,6 +19,8 @@ >+ /* EVP is the preferred interface to hashing in OpenSSL */ >+ #include <openssl/evp.h> >+ >++#define MUNCH_SIZE INT_MAX >++ >+ >+ #ifndef HASH_OBJ_CONSTRUCTOR >+ #define HASH_OBJ_CONSTRUCTOR 0 >+@@ -164,9 +166,18 @@ >+ if (!PyArg_ParseTuple(args, "s#:update", &cp, &len)) >+ return NULL; >+ >++ if (len > 0 && len <= MUNCH_SIZE) { >+ EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, >+ unsigned int)); >+- >++ } else { >++ Py_ssize_t offset = 0; >++ while (len) { >++ unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len; >++ EVP_DigestUpdate(&self->ctx, cp + offset, process); >++ len -= process; >++ offset += process; >++ } >++ } >+ Py_INCREF(Py_None); >+ return Py_None; >+ } >+@@ -255,9 +266,20 @@ >+ self->name = name_obj; >+ Py_INCREF(self->name); >+ >+- if (cp && len) >++ if (cp && len) { >++ if (len > 0 && len <= MUNCH_SIZE) { >+ EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, >+ unsigned int)); >++ } else { >++ Py_ssize_t offset = 0; >++ while (len) { >++ unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len; >++ EVP_DigestUpdate(&self->ctx, cp + offset, process); >++ len -= process; >++ offset += process; >++ } >++ } >++ } >+ >+ return 0; >+ } >+@@ -328,7 +350,7 @@ >+ static PyObject * >+ EVPnew(PyObject *name_obj, >+ const EVP_MD *digest, const EVP_MD_CTX *initial_ctx, >+- const unsigned char *cp, unsigned int len) >++ const unsigned char *cp, Py_ssize_t len) >+ { >+ EVPobject *self; >+ >+@@ -346,8 +368,20 @@ >+ EVP_DigestInit(&self->ctx, digest); >+ } >+ >+- if (cp && len) >+- EVP_DigestUpdate(&self->ctx, cp, len); >++ if (cp && len) { >++ if (len > 0 && len <= MUNCH_SIZE) { >++ EVP_DigestUpdate(&self->ctx, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, >++ unsigned int)); >++ } else { >++ Py_ssize_t offset = 0; >++ while (len) { >++ unsigned int process = len > MUNCH_SIZE ? MUNCH_SIZE : len; >++ EVP_DigestUpdate(&self->ctx, cp + offset, process); >++ len -= process; >++ offset += process; >++ } >++ } >++ } >+ >+ return (PyObject *)self; >+ } >+@@ -384,8 +418,7 @@ >+ >+ digest = EVP_get_digestbyname(name); >+ >+- return EVPnew(name_obj, digest, NULL, cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, >+- unsigned int)); >++ return EVPnew(name_obj, digest, NULL, cp, len); >+ } >+ >+ /* >+@@ -410,7 +443,7 @@ >+ CONST_ ## NAME ## _name_obj, \ >+ NULL, \ >+ CONST_new_ ## NAME ## _ctx_p, \ >+- cp, Py_SAFE_DOWNCAST(len, Py_ssize_t, unsigned int)); \ >++ cp, len); \ >+ } >+ >+ /* a PyMethodDef structure for the constructor */ >diff -ruN python25.orig/files/patch-ea python25/files/patch-ea >--- python25.orig/files/patch-ea 1969-12-31 19:00:00.000000000 -0500 >+++ python25/files/patch-ea 2008-09-07 01:54:52.536293091 -0400 >@@ -0,0 +1,59 @@ >+ >+ >+Patch for CVE-2008-3144 taken from Gentoo. >+ >+--- Python/mysnprintf.c.orig 2001-12-21 16:32:15.000000000 +0000 >++++ Python/mysnprintf.c 2008-08-30 10:46:31.000000000 +0100 >+@@ -54,18 +54,28 @@ >+ PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va) >+ { >+ int len; /* # bytes written, excluding \0 */ >+-#ifndef HAVE_SNPRINTF >++#ifdef HAVE_SNPRINTF >++#define _PyOS_vsnprintf_EXTRA_SPACE 1 >++#else >++#define _PyOS_vsnprintf_EXTRA_SPACE 512 >+ char *buffer; >+ #endif >+ assert(str != NULL); >+ assert(size > 0); >+ assert(format != NULL); >++ /* We take a size_t as input but return an int. Sanity check >++ * our input so that it won't cause an overflow in the >++ * vsnprintf return value or the buffer malloc size. */ >++ if (size > INT_MAX - _PyOS_vsnprintf_EXTRA_SPACE) { >++ len = -666; >++ goto Done; >++ } >+ >+ #ifdef HAVE_SNPRINTF >+ len = vsnprintf(str, size, format, va); >+ #else >+ /* Emulate it. */ >+- buffer = PyMem_MALLOC(size + 512); >++ buffer = PyMem_MALLOC(size + _PyOS_vsnprintf_EXTRA_SPACE); >+ if (buffer == NULL) { >+ len = -666; >+ goto Done; >+@@ -75,7 +85,7 @@ >+ if (len < 0) >+ /* ignore the error */; >+ >+- else if ((size_t)len >= size + 512) >++ else if ((size_t)len >= size + _PyOS_vsnprintf_EXTRA_SPACE) >+ Py_FatalError("Buffer overflow in PyOS_snprintf/PyOS_vsnprintf"); >+ >+ else { >+@@ -86,8 +96,10 @@ >+ str[to_copy] = '\0'; >+ } >+ PyMem_FREE(buffer); >+-Done: >+ #endif >+- str[size-1] = '\0'; >++Done: >++ if (size > 0) >++ str[size-1] = '\0'; >+ return len; >++#undef _PyOS_vsnprintf_EXTRA_SPACE >+ }
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=90081">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 127172
: 90081