Bug 123153

Summary: Integer signedness bug in zlib module of lang/python23 and lang/python24
Product: Ports & Packages
Reporter: Nick Barkas <snb>
Component: Individual Port(s)
Assignee: Martin Wilke <miwi>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description Nick Barkas 2008-04-28 01:10:00 UTC
Python 2.3 and 2.4 suffer from the same integer signedness bug in the zlib module as was fixed recently in the port python25-2.5.2_2. See http://www.vuxml.org/freebsd/ec41c3e2-129c-11dd-bab7-0016179b2dd5.html

Fix:

Add the patch currently in lang/python25/files/patch-Modules-zlibmodule.c to lang/python24/files and lang/python23/files. It would also be good to update security/vuxml/vuln.xml to note that the vulnerability also affects python23 and python24 packages with version and port revision numbers before this patch is added.

How-To-Repeat:

Run either of the scripts python-2.5.2-zlib-unflush-misallocation.py or python-2.5.2-zlib-unflush-signedness.py attached to the bug reported at http://bugs.python.org/issue2586. Unpatched python 2.3 or 2.4 will crash, just as unpatched python 2.5 will.
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2008-04-28 01:10:08 UTC
Responsible Changed
From-To: freebsd-ports-bugs->python

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 Martin Wilke freebsd_committer freebsd_triage 2008-04-28 08:09:02 UTC
Responsible Changed
From-To: python->miwi

my part.
Comment 3 dfilter service freebsd_committer freebsd_triage 2008-04-28 08:34:43 UTC
miwi        2008-04-28 07:34:39 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  - Update last python entry python23 and python24 also affected
  
  PR:             123153
  Submitted by:   Nick Barkas <snb@threerings.net>
  
  Revision  Changes    Path
  1.1612    +11 -2     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 4 dfilter service freebsd_committer freebsd_triage 2008-04-28 08:40:04 UTC
miwi        2008-04-28 07:39:59 UTC

  FreeBSD ports repository

  Modified files:
    lang/python23        Makefile 
    lang/python24        Makefile 
  Added files:
    lang/python23/files  patch-Lib-test-test_zlib.py 
                         patch-Modules-zlibmodule.c 
    lang/python24/files  patch-Lib-test-test_zlib.py 
                         patch-Modules-zlibmodule.c 
  Log:
  - Fix zlib crash from zlib.decompressobj().flush(val)
    when val was not positive. It tried to allocate negative
    or zero memory.  That fails.
  - Bump PORTREVISION
  
  PR:             123153
  Submitted by:   Nick Barkas <snb@threerings.net>
  Security:       http://www.vuxml.org/freebsd/ec41c3e2-129c-11dd-bab7-0016179b2dd5.html
  
  Revision  Changes    Path
  1.152     +1 -0      ports/lang/python23/Makefile
  1.1       +14 -0     ports/lang/python23/files/patch-Lib-test-test_zlib.py (new)
  1.1       +13 -0     ports/lang/python23/files/patch-Modules-zlibmodule.c (new)
  1.162     +1 -0      ports/lang/python24/Makefile
  1.1       +14 -0     ports/lang/python24/files/patch-Lib-test-test_zlib.py (new)
  1.1       +13 -0     ports/lang/python24/files/patch-Modules-zlibmodule.c (new)
Comment 5 Martin Wilke freebsd_committer freebsd_triage 2008-04-28 08:40:54 UTC
State Changed
From-To: open->closed

Nick Thanks! Committed. Thanks!
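
A regression check for the behaviour described in the commit log of Comment 4, as an added example that is not part of the original report or the ports tree: it calls `zlib.decompressobj().flush(val)` with non-positive `val` in a child interpreter, so a crash on an unpatched build cannot take down the checker. The function names, the probe script and the exit-code convention are assumptions of this example, as is the expectation that a fixed build raises `ValueError`.

```python
import subprocess
import sys

# Probe run inside the interpreter under test (hypothetical helper script).
# Exit codes are this example's own convention:
#   0 = non-positive length rejected with ValueError (fixed behaviour)
#   3 = flush() returned normally
PROBE = r"""
import sys, zlib
length = int(sys.argv[1])
try:
    zlib.decompressobj().flush(length)
except ValueError:
    sys.exit(0)
sys.exit(3)
"""


def probe_flush(length, python=sys.executable, timeout=30):
    """Classify how `python` handles zlib.decompressobj().flush(length)."""
    proc = subprocess.run(
        [python, "-c", PROBE, str(length)],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        timeout=timeout,
    )
    if proc.returncode == 0:
        return "rejected"
    if proc.returncode == 3:
        return "accepted"
    if proc.returncode < 0:
        # On POSIX a negative return code means the child died from a signal.
        return "crashed"
    return "error"  # any other abnormal exit, e.g. an uncaught exception


def interpreter_is_fixed(python=sys.executable):
    """True only if both zero and negative lengths are cleanly rejected."""
    return all(probe_flush(n, python) == "rejected" for n in (0, -1))


if __name__ == "__main__":
    # Optional argument: path to the interpreter to test.
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    for n in (0, -1):
        print("flush(%d): %s" % (n, probe_flush(n, target)))
    print("fixed" if interpreter_is_fixed(target) else "NOT fixed")
```

Pass the path of the interpreter built from the port as the first argument to test that build instead of the one running the checker.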