pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/lang/python24 add patches from upstream svn rev.65333,...
details: https://anonhg.NetBSD.org/pkgsrc/rev/22872f0a31ac
branches: trunk
changeset: 545483:22872f0a31ac
user: drochner <drochner%pkgsrc.org@localhost>
date: Tue Aug 05 10:13:34 2008 +0000
description:
add patches from upstream svn rev.65333, fix integer overflows in
memory allocation (CVE-2008-2315)
diffstat:
lang/python24/Makefile | 4 +-
lang/python24/distinfo | 9 ++-
lang/python24/patches/patch-ba | 25 ++++++++
lang/python24/patches/patch-bb | 13 ++++
lang/python24/patches/patch-bc | 33 +++++++++++
lang/python24/patches/patch-bd | 15 +++++
lang/python24/patches/patch-be | 44 +++++++++++++++
lang/python24/patches/patch-bf | 19 ++++++
lang/python24/patches/patch-bg | 114 +++++++++++++++++++++++++++++++++++++++++
9 files changed, 273 insertions(+), 3 deletions(-)
diffs (truncated from 325 to 300 lines):
diff -r b52f6b37c596 -r 22872f0a31ac lang/python24/Makefile
--- a/lang/python24/Makefile Tue Aug 05 10:12:54 2008 +0000
+++ b/lang/python24/Makefile Tue Aug 05 10:13:34 2008 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.44 2008/07/14 14:42:51 joerg Exp $
+# $NetBSD: Makefile,v 1.45 2008/08/05 10:13:34 drochner Exp $
DISTNAME= Python-2.4.5
PKGNAME= python24-2.4.5
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= lang python
MASTER_SITES= http://www.python.org/ftp/python/2.4.5/
EXTRACT_SUFX= .tar.bz2
diff -r b52f6b37c596 -r 22872f0a31ac lang/python24/distinfo
--- a/lang/python24/distinfo Tue Aug 05 10:12:54 2008 +0000
+++ b/lang/python24/distinfo Tue Aug 05 10:13:34 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.28 2008/04/11 10:44:08 drochner Exp $
+$NetBSD: distinfo,v 1.29 2008/08/05 10:13:34 drochner Exp $
SHA1 (Python-2.4.5.tar.bz2) = 6e9e1ac2b70cc10c36063a25ab5a5ddb53177107
RMD160 (Python-2.4.5.tar.bz2) = b43f2114697be751f03ec7cfb46f8c4946a73097
@@ -23,3 +23,10 @@
SHA1 (patch-ar) = f132998e3e81f3093f9bddf32fe6dcb40fcfa76f
SHA1 (patch-at) = 9d66115cc561c99dcc3478678aa286c1c0c3df6b
SHA1 (patch-au) = d0a234efabe7d6a1f2b1dcbf26780fdc6b452214
+SHA1 (patch-ba) = c9b88da8efc334771eff578585e2e9e7e21a0634
+SHA1 (patch-bb) = 89829819c5a38f3bbd8be1737568f87b9ffbd598
+SHA1 (patch-bc) = e72dc346087f78760e623344e9eff147283c202c
+SHA1 (patch-bd) = f760e4995888e22997d27598872fcf25cb89cbfe
+SHA1 (patch-be) = ce192dc8ec7b53b691288f1fecc8abbd9b61e9ea
+SHA1 (patch-bf) = c0ae4152a0991d1c814462a5a8e925c9a9a6c254
+SHA1 (patch-bg) = 30a6d65a10bc0e6df5229635ad89a27e1093a347
diff -r b52f6b37c596 -r 22872f0a31ac lang/python24/patches/patch-ba
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-ba Tue Aug 05 10:13:34 2008 +0000
@@ -0,0 +1,25 @@
+$NetBSD: patch-ba,v 1.1 2008/08/05 10:13:34 drochner Exp $
+
+--- Modules/gcmodule.c.orig 2006-09-28 19:08:01.000000000 +0200
++++ Modules/gcmodule.c
+@@ -1249,7 +1249,10 @@ PyObject *
+ _PyObject_GC_Malloc(size_t basicsize)
+ {
+ PyObject *op;
+- PyGC_Head *g = PyObject_MALLOC(sizeof(PyGC_Head) + basicsize);
++ PyGC_Head *g;
++ if (basicsize > INT_MAX - sizeof(PyGC_Head))
++ return PyErr_NoMemory();
++ g = PyObject_MALLOC(sizeof(PyGC_Head) + basicsize);
+ if (g == NULL)
+ return PyErr_NoMemory();
+ g->gc.gc_refs = GC_UNTRACKED;
+@@ -1291,6 +1294,8 @@ _PyObject_GC_Resize(PyVarObject *op, int
+ {
+ const size_t basicsize = _PyObject_VAR_SIZE(op->ob_type, nitems);
+ PyGC_Head *g = AS_GC(op);
++ if (basicsize > INT_MAX - sizeof(PyGC_Head))
++ return (PyVarObject *)PyErr_NoMemory();
+ g = PyObject_REALLOC(g, sizeof(PyGC_Head) + basicsize);
+ if (g == NULL)
+ return (PyVarObject *)PyErr_NoMemory();
diff -r b52f6b37c596 -r 22872f0a31ac lang/python24/patches/patch-bb
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-bb Tue Aug 05 10:13:34 2008 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-bb,v 1.1 2008/08/05 10:13:34 drochner Exp $
+
+--- Modules/mmapmodule.c.orig 2008-08-05 12:00:52.000000000 +0200
++++ Modules/mmapmodule.c
+@@ -223,7 +223,7 @@ mmap_read_method(mmap_object *self,
+ return(NULL);
+
+ /* silently 'adjust' out-of-range requests */
+- if ((self->pos + num_bytes) > self->size) {
++ if (num_bytes > self->size - self->pos) {
+ num_bytes -= (self->pos+num_bytes) - self->size;
+ }
+ result = Py_BuildValue("s#", self->data+self->pos, num_bytes);
diff -r b52f6b37c596 -r 22872f0a31ac lang/python24/patches/patch-bc
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-bc Tue Aug 05 10:13:34 2008 +0000
@@ -0,0 +1,33 @@
+$NetBSD: patch-bc,v 1.1 2008/08/05 10:13:34 drochner Exp $
+
+--- Modules/stropmodule.c.orig 2008-03-02 20:20:32.000000000 +0100
++++ Modules/stropmodule.c
+@@ -214,6 +214,13 @@ strop_joinfields(PyObject *self, PyObjec
+ return NULL;
+ }
+ slen = PyString_GET_SIZE(item);
++ if (slen > INT_MAX - reslen ||
++ seplen > INT_MAX - reslen - seplen) {
++ PyErr_SetString(PyExc_OverflowError,
++ "input too long");
++ Py_DECREF(res);
++ return NULL;
++ }
+ while (reslen + slen + seplen >= sz) {
+ if (_PyString_Resize(&res, sz * 2) < 0)
+ return NULL;
+@@ -251,6 +258,14 @@ strop_joinfields(PyObject *self, PyObjec
+ return NULL;
+ }
+ slen = PyString_GET_SIZE(item);
++ if (slen > INT_MAX - reslen ||
++ seplen > INT_MAX - reslen - seplen) {
++ PyErr_SetString(PyExc_OverflowError,
++ "input too long");
++ Py_DECREF(res);
++ Py_XDECREF(item);
++ return NULL;
++ }
+ while (reslen + slen + seplen >= sz) {
+ if (_PyString_Resize(&res, sz * 2) < 0) {
+ Py_DECREF(item);
diff -r b52f6b37c596 -r 22872f0a31ac lang/python24/patches/patch-bd
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-bd Tue Aug 05 10:13:34 2008 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-bd,v 1.1 2008/08/05 10:13:34 drochner Exp $
+
+--- Objects/bufferobject.c.orig 2008-03-02 20:20:32.000000000 +0100
++++ Objects/bufferobject.c
+@@ -384,6 +384,10 @@ buffer_repeat(PyBufferObject *self, int
+ count = 0;
+ if (!get_buf(self, &ptr, &size))
+ return NULL;
++ if (count > INT_MAX / size) {
++ PyErr_SetString(PyExc_MemoryError, "result too large");
++ return NULL;
++ }
+ ob = PyString_FromStringAndSize(NULL, size * count);
+ if ( ob == NULL )
+ return NULL;
diff -r b52f6b37c596 -r 22872f0a31ac lang/python24/patches/patch-be
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-be Tue Aug 05 10:13:34 2008 +0000
@@ -0,0 +1,44 @@
+$NetBSD: patch-be,v 1.1 2008/08/05 10:13:34 drochner Exp $
+
+--- Objects/stringobject.c.orig 2006-10-06 21:26:14.000000000 +0200
++++ Objects/stringobject.c
+@@ -69,6 +69,11 @@ PyString_FromStringAndSize(const char *s
+ return (PyObject *)op;
+ }
+
++ if (size > INT_MAX - sizeof(PyStringObject)) {
++ PyErr_SetString(PyExc_OverflowError, "string is too large");
++ return NULL;
++ }
++
+ /* Inline PyObject_NewVar */
+ op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
+ if (op == NULL)
+@@ -104,7 +109,7 @@ PyString_FromString(const char *str)
+
+ assert(str != NULL);
+ size = strlen(str);
+- if (size > INT_MAX) {
++ if (size > INT_MAX - sizeof(PyStringObject)) {
+ PyErr_SetString(PyExc_OverflowError,
+ "string is too long for a Python string");
+ return NULL;
+@@ -907,7 +912,18 @@ string_concat(register PyStringObject *a
+ Py_INCREF(a);
+ return (PyObject *)a;
+ }
++ /* Check that string sizes are not negative, to prevent an
++ overflow in cases where we are passed incorrectly-created
++ strings with negative lengths (due to a bug in other code).
++ */
+ size = a->ob_size + b->ob_size;
++ if (a->ob_size < 0 || b->ob_size < 0 ||
++ a->ob_size > INT_MAX - b->ob_size) {
++ PyErr_SetString(PyExc_OverflowError,
++ "strings are too large to concat");
++ return NULL;
++ }
++
+ /* Inline PyObject_NewVar */
+ op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
+ if (op == NULL)
diff -r b52f6b37c596 -r 22872f0a31ac lang/python24/patches/patch-bf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-bf Tue Aug 05 10:13:34 2008 +0000
@@ -0,0 +1,19 @@
+$NetBSD: patch-bf,v 1.1 2008/08/05 10:13:34 drochner Exp $
+
+--- Objects/tupleobject.c.orig 2006-03-17 20:04:15.000000000 +0100
++++ Objects/tupleobject.c
+@@ -60,11 +60,12 @@ PyTuple_New(register int size)
+ int nbytes = size * sizeof(PyObject *);
+ /* Check for overflow */
+ if (nbytes / sizeof(PyObject *) != (size_t)size ||
+- (nbytes += sizeof(PyTupleObject) - sizeof(PyObject *))
+- <= 0)
++ (nbytes > INT_MAX - sizeof(PyTupleObject) - sizeof(PyObject *)))
+ {
+ return PyErr_NoMemory();
+ }
++ nbytes += sizeof(PyTupleObject) - sizeof(PyObject *);
++
+ op = PyObject_GC_NewVar(PyTupleObject, &PyTuple_Type, size);
+ if (op == NULL)
+ return NULL;
diff -r b52f6b37c596 -r 22872f0a31ac lang/python24/patches/patch-bg
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python24/patches/patch-bg Tue Aug 05 10:13:34 2008 +0000
@@ -0,0 +1,114 @@
+$NetBSD: patch-bg,v 1.1 2008/08/05 10:13:34 drochner Exp $
+
+--- Objects/unicodeobject.c.orig 2006-10-05 20:08:58.000000000 +0200
++++ Objects/unicodeobject.c
+@@ -186,6 +186,11 @@ PyUnicodeObject *_PyUnicode_New(int leng
+ return unicode_empty;
+ }
+
++ /* Ensure we won't overflow the size. */
++ if (length > ((INT_MAX / sizeof(Py_UNICODE)) - 1)) {
++ return (PyUnicodeObject *)PyErr_NoMemory();
++ }
++
+ /* Unicode freelist & memory allocation */
+ if (unicode_freelist) {
+ unicode = unicode_freelist;
+@@ -1040,6 +1045,9 @@ PyObject *PyUnicode_EncodeUTF7(const Py_
+ char * out;
+ char * start;
+
++ if (cbAllocated / 5 != size)
++ return PyErr_NoMemory();
++
+ if (size == 0)
+ return PyString_FromStringAndSize(NULL, 0);
+
+@@ -1638,6 +1646,7 @@ PyUnicode_EncodeUTF16(const Py_UNICODE *
+ {
+ PyObject *v;
+ unsigned char *p;
++ int nsize, bytesize;
+ #ifdef Py_UNICODE_WIDE
+ int i, pairs;
+ #else
+@@ -1662,8 +1671,15 @@ PyUnicode_EncodeUTF16(const Py_UNICODE *
+ if (s[i] >= 0x10000)
+ pairs++;
+ #endif
+- v = PyString_FromStringAndSize(NULL,
+- 2 * (size + pairs + (byteorder == 0)));
++ /* 2 * (size + pairs + (byteorder == 0)) */
++ if (size > INT_MAX ||
++ size > INT_MAX - pairs - (byteorder == 0))
++ return PyErr_NoMemory();
++ nsize = (size + pairs + (byteorder == 0));
++ bytesize = nsize * 2;
++ if (bytesize / 2 != nsize)
++ return PyErr_NoMemory();
++ v = PyString_FromStringAndSize(NULL, bytesize);
+ if (v == NULL)
+ return NULL;
+
+@@ -1977,6 +1993,11 @@ PyObject *unicodeescape_string(const Py_
+ char *p;
+
+ static const char *hexdigit = "0123456789abcdef";
++#ifdef Py_UNICODE_WIDE
++ const int expandsize = 10;
++#else
++ const int expandsize = 6;
++#endif
+
+ /* Initial allocation is based on the longest-possible unichr
+ escape.
+@@ -1992,13 +2013,12 @@ PyObject *unicodeescape_string(const Py_
+ escape.
+ */
+
++ if (size > (INT_MAX - 2 - 1) / expandsize)
++ return PyErr_NoMemory();
++
+ repr = PyString_FromStringAndSize(NULL,
+ 2
+-#ifdef Py_UNICODE_WIDE
+- + 10*size
+-#else
+- + 6*size
+-#endif
++ + expandsize*size
+ + 1);
+ if (repr == NULL)
+ return NULL;
+@@ -2239,12 +2259,16 @@ PyObject *PyUnicode_EncodeRawUnicodeEsca
+ char *q;
+
+ static const char *hexdigit = "0123456789abcdef";
+-
+ #ifdef Py_UNICODE_WIDE
+- repr = PyString_FromStringAndSize(NULL, 10 * size);
Home |
Main Index |
Thread Index |
Old Index