[pkgsrc/trunk]: pkgsrc/lang/python27 Add patches to fix the remaining two fun...
details: https://anonhg.NetBSD.org/pkgsrc/rev/d1025efee328
branches: trunk
changeset: 635653:d1025efee328
user: he <he%pkgsrc.org@localhost>
date: Mon Jun 09 17:58:31 2014 +0000
description:
Add patches to fix the remaining two functions reported as being
vulnerable to CVE-2013-1752, following the general theme of overflow
of line lengths. This fixes the smtp and pop functions.
Taken / adapted from http://bugs.python.org/issue16041 and
http://bugs.python.org/issue16042.
PKGREVISION bumped.
diffstat:
lang/python27/Makefile | 3 +-
lang/python27/distinfo | 7 ++-
lang/python27/patches/patch-Lib_poplib.py | 43 ++++++++++++++++
lang/python27/patches/patch-Lib_smtplib.py | 51 ++++++++++++++++++++
lang/python27/patches/patch-Lib_test_test__poplib.py | 27 ++++++++++
lang/python27/patches/patch-Lib_test_test_smtplib.py | 50 +++++++++++++++++++
lang/python27/patches/patch-Misc_NEWS | 21 ++++++++
7 files changed, 200 insertions(+), 2 deletions(-)
diffs (247 lines):
diff -r 9f7c22769511 -r d1025efee328 lang/python27/Makefile
--- a/lang/python27/Makefile Mon Jun 09 17:56:53 2014 +0000
+++ b/lang/python27/Makefile Mon Jun 09 17:58:31 2014 +0000
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.41 2014/06/02 06:12:03 adam Exp $
+# $NetBSD: Makefile,v 1.42 2014/06/09 17:58:31 he Exp $
.include "dist.mk"
PKGNAME= python27-${PY_DISTVERSION}
+PKGREVISION= 1
CATEGORIES= lang python
MAINTAINER= pkgsrc-users%NetBSD.org@localhost
diff -r 9f7c22769511 -r d1025efee328 lang/python27/distinfo
--- a/lang/python27/distinfo Mon Jun 09 17:56:53 2014 +0000
+++ b/lang/python27/distinfo Mon Jun 09 17:58:31 2014 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.40 2014/06/02 06:12:03 adam Exp $
+$NetBSD: distinfo,v 1.41 2014/06/09 17:58:31 he Exp $
SHA1 (Python-2.7.7.tar.xz) = 5f82557cac5abf18d1df6f8bb2029aa335b321f4
RMD160 (Python-2.7.7.tar.xz) = 988da9490e8d66a2456accdce5dbe9ba875d5a18
@@ -6,6 +6,11 @@
SHA1 (patch-Include_node.h) = 673d148b625711ac47e4bfeb0f5b0d5b31f94d7e
SHA1 (patch-Include_pyerrors.h) = 3eba043c83b1d1df4918524f7b53047a6ed372ae
SHA1 (patch-Lib_distutils_unixccompiler.py) = 39b967dc2ae648143d5841f22602a21063b4d5ea
+SHA1 (patch-Lib_poplib.py) = 5d7f64b028abd2fd43651f27a7f2ce7efe5b0859
+SHA1 (patch-Lib_smtplib.py) = f1118bbc53b4e292eb9a28ef3ef10eb4aa553bc3
+SHA1 (patch-Lib_test_test__poplib.py) = 1bdef76b687d042272e35c08521d4244d2c7fbe1
+SHA1 (patch-Lib_test_test_smtplib.py) = 9e8a7f826c7d0f493746718b49fc27ac97c2cbb1
+SHA1 (patch-Misc_NEWS) = 773d71d171a4d4e915297f723a37f5c5e5ef2bd4
SHA1 (patch-Modules___ssl.c) = aaddaea5bcd6c84d3d896c7c37f710933b8228bc
SHA1 (patch-Modules_getpath.c) = f68b38eb90f974b67ceab3922ce7f92eb77f25c3
SHA1 (patch-aa) = 990e4025bb6a37715e1f5df1831499f0ab08acfa
diff -r 9f7c22769511 -r d1025efee328 lang/python27/patches/patch-Lib_poplib.py
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python27/patches/patch-Lib_poplib.py Mon Jun 09 17:58:31 2014 +0000
@@ -0,0 +1,43 @@
+$NetBSD: patch-Lib_poplib.py,v 1.1 2014/06/09 17:58:31 he Exp $
+
+Apply a fix for CVE-2013-1752.
+From http://bugs.python.org/issue16041.
+
+--- Lib/poplib.py.orig 2014-06-09 11:29:36.000000000 +0000
++++ Lib/poplib.py
+@@ -32,6 +32,12 @@ CR = '\r'
+ LF = '\n'
+ CRLF = CR+LF
+
++# maximal line length when calling readline(). This is to prevent
++# reading arbitrary lenght lines. RFC 1939 limits POP3 line length to
++# 512 characters, including CRLF. We have selected 2048 just to be on
++# the safe side.
++_MAXLINE = 2048
++
+
+ class POP3:
+
+@@ -103,7 +109,10 @@ class POP3:
+ # Raise error_proto('-ERR EOF') if the connection is closed.
+
+ def _getline(self):
+- line = self.file.readline()
++ line = self.file.readline(_MAXLINE + 1)
++ if len(line) > _MAXLINE:
++ raise error_proto('line too long')
++
+ if self._debugging > 1: print '*get*', repr(line)
+ if not line: raise error_proto('-ERR EOF')
+ octets = len(line)
+@@ -363,7 +372,10 @@ else:
+ line = ""
+ renewline = re.compile(r'.*?\n')
+ match = renewline.match(self.buffer)
++
+ while not match:
++ if len(self.buffer) > _MAXLINE:
++ raise error_proto('line too long')
+ self._fillBuffer()
+ match = renewline.match(self.buffer)
+ line = match.group(0)
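Review bot: In the POP3_SSL `_getline` hunk the length guard only runs before each `_fillBuffer()`, so a buffer that already holds a newline is never checked, and the last fill can push the matched line past `_MAXLINE` by up to one read chunk without being rejected (how much depends on `_fillBuffer`'s read size, which is outside the hunk). The plain `_getline` above bounds the line itself via `readline(_MAXLINE + 1)`, so for parity the SSL path should also check the line it hands back: after `line = match.group(0)` add `if len(line) > _MAXLINE: raise error_proto('line too long')`. The enclosing `_getline` continues past the end of the hunk. Separately, the new comment misspells "length" as "lenght" (`# reading arbitrary lenght lines`); worth fixing while the patch is being carried locally.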
diff -r 9f7c22769511 -r d1025efee328 lang/python27/patches/patch-Lib_smtplib.py
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python27/patches/patch-Lib_smtplib.py Mon Jun 09 17:58:31 2014 +0000
@@ -0,0 +1,51 @@
+$NetBSD: patch-Lib_smtplib.py,v 1.1 2014/06/09 17:58:31 he Exp $
+
+Apply a fix for CVE-2013-1752 for the SMTP part.
+From http://bugs.python.org/issue16042.
+
+--- Lib/smtplib.py.orig 2014-05-31 18:58:39.000000000 +0000
++++ Lib/smtplib.py
+@@ -57,6 +57,7 @@ __all__ = ["SMTPException", "SMTPServerD
+ SMTP_PORT = 25
+ SMTP_SSL_PORT = 465
+ CRLF = "\r\n"
++_MAXLINE = 8192 # more than 8 times larger than RFC 821, 4.5.3
+
+ OLDSTYLE_AUTH = re.compile(r"auth=(.*)", re.I)
+
+@@ -179,10 +180,14 @@ else:
+ def __init__(self, sslobj):
+ self.sslobj = sslobj
+
+- def readline(self):
++ def readline(self, size=-1):
++ if size < 0:
++ size = None
+ str = ""
+ chr = None
+ while chr != "\n":
++ if size is not None and len(str) >= size:
++ break
+ chr = self.sslobj.read(1)
+ if not chr:
+ break
+@@ -353,7 +358,7 @@ class SMTP:
+ self.file = self.sock.makefile('rb')
+ while 1:
+ try:
+- line = self.file.readline()
++ line = self.file.readline(_MAXLINE + 1)
+ except socket.error as e:
+ self.close()
+ raise SMTPServerDisconnected("Connection unexpectedly closed: "
+@@ -362,7 +367,9 @@ class SMTP:
+ self.close()
+ raise SMTPServerDisconnected("Connection unexpectedly closed")
+ if self.debuglevel > 0:
+- print>>stderr, 'reply:', repr(line)
++ print >>stderr, 'reply:', repr(line)
++ if len(line) > _MAXLINE:
++ raise SMTPResponseException(500, "Line too long.")
+ resp.append(line[4:].strip())
+ code = line[:3]
+ # Check that the error code is syntactically correct.
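Review bot: The new too-long branch in `getreply` raises without closing the connection, whereas the two disconnect paths visible just above it (`except socket.error` and the empty-line case) both call `self.close()` before raising; leaving the socket and its buffered partial line open means a caller that catches `SMTPResponseException` and reuses the object resumes parsing mid-line. I would mirror the neighbouring paths: `if len(line) > _MAXLINE:` / `    self.close()` / `    raise SMTPResponseException(500, "Line too long.")`. Note also that the `reply:` debug print runs before the length check, so an over-long line is echoed to stderr in full at `debuglevel > 0`; moving the check above the print would avoid that. `getreply` continues outside the hunk.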
diff -r 9f7c22769511 -r d1025efee328 lang/python27/patches/patch-Lib_test_test__poplib.py
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python27/patches/patch-Lib_test_test__poplib.py Mon Jun 09 17:58:31 2014 +0000
@@ -0,0 +1,27 @@
+$NetBSD: patch-Lib_test_test__poplib.py,v 1.1 2014/06/09 17:58:31 he Exp $
+
+Apply a fix for CVE-2013-1752.
+From http://bugs.python.org/issue16041.
+
+--- Lib/test/test_poplib.py.orig 2014-06-09 11:29:38.000000000 +0000
++++ Lib/test/test_poplib.py
+@@ -81,7 +81,7 @@ class DummyPOP3Handler(asynchat.async_ch
+
+ def cmd_list(self, arg):
+ if arg:
+- self.push('+OK %s %s' %(arg, arg))
++ self.push('+OK %s %s' % (arg, arg))
+ else:
+ self.push('+OK')
+ asynchat.async_chat.push(self, LIST_RESP)
+@@ -198,6 +198,10 @@ class TestPOP3Class(TestCase):
+ 113)
+ self.assertEqual(self.client.retr('foo'), expected)
+
++ def test_too_long_lines(self):
++ self.assertRaises(poplib.error_proto, self.client._shortcmd,
++ 'echo %s' % (3000 * 'a'))
++
+ def test_dele(self):
+ self.assertOK(self.client.dele('foo'))
+
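Review bot: `test_too_long_lines` hard-codes `3000 * 'a'`, which only exceeds the limit because `_MAXLINE` happens to be 2048; the smtplib test in this same commit derives its payload from `smtplib._MAXLINE * 2`, and this one should do the same so it keeps testing the boundary if the constant changes: `'echo %s' % (poplib._MAXLINE * 2 * 'a')`. The test also presumes the dummy server answers an `echo` command by reflecting the argument, which is not shown in the hunk; if `DummyPOP3Handler` has no such handler the test would fail for the wrong reason.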
diff -r 9f7c22769511 -r d1025efee328 lang/python27/patches/patch-Lib_test_test_smtplib.py
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python27/patches/patch-Lib_test_test_smtplib.py Mon Jun 09 17:58:31 2014 +0000
@@ -0,0 +1,50 @@
+$NetBSD: patch-Lib_test_test_smtplib.py,v 1.1 2014/06/09 17:58:31 he Exp $
+
+Apply a fix for CVE-2013-1752 for the SMTP part.
+From http://bugs.python.org/issue16042.
+
+--- Lib/test/test_smtplib.py.orig 2014-05-31 18:58:39.000000000 +0000
++++ Lib/test/test_smtplib.py
+@@ -292,6 +292,32 @@ class BadHELOServerTests(unittest.TestCa
+ HOST, self.port, 'localhost', 3)
+
+
++class TooLongLineTests(TestCase):
++ respdata = '250 OK' + ('.' * smtplib._MAXLINE * 2) + '\n'
++
++ def setUp(self):
++ self.old_stdout = sys.stdout
++ self.output = StringIO.StringIO()
++ sys.stdout = self.output
++
++ self.evt = threading.Event()
++ self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
++ self.sock.settimeout(15)
++ self.port = test_support.bind_port(self.sock)
++ servargs = (self.evt, self.respdata, self.sock)
++ threading.Thread(target=server, args=servargs).start()
++ self.evt.wait()
++ self.evt.clear()
++
++ def tearDown(self):
++ self.evt.wait()
++ sys.stdout = self.old_stdout
++
++ def testLineTooLong(self):
++ self.assertRaises(smtplib.SMTPResponseException, smtplib.SMTP,
++ HOST, self.port, 'localhost', 3)
++
++
+ sim_users = {'Mr.A%somewhere.com@localhost':'John A',
+ 'Ms.B%somewhere.com@localhost':'Sally B',
+ 'Mrs.C%somewhereesle.com@localhost':'Ruth C',
+@@ -511,7 +537,8 @@ class SMTPSimTests(unittest.TestCase):
+ def test_main(verbose=None):
+ test_support.run_unittest(GeneralTests, DebuggingServerTests,
+ NonConnectingTests,
+- BadHELOServerTests, SMTPSimTests)
++ BadHELOServerTests, SMTPSimTests,
++ TooLongLineTests)
+
+ if __name__ == '__main__':
+ test_main()
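Review bot: `TooLongLineTests` subclasses a bare `TestCase`, while every neighbouring class in the hunk (`BadHELOServerTests(unittest.TestCa…`, `SMTPSimTests(unittest.TestCase)`) uses `unittest.TestCase`; unless test_smtplib.py imports `TestCase` unqualified, which the hunk does not show, this raises `NameError` at import time and takes the whole module's tests down, not just the new one. I would write `class TooLongLineTests(unittest.TestCase):` to match the file. A smaller point: `tearDown` restores `sys.stdout` only after `self.evt.wait()`, so if the helper server never sets the event the redirect leaks into later tests; restoring stdout first would keep the failure local.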
diff -r 9f7c22769511 -r d1025efee328 lang/python27/patches/patch-Misc_NEWS
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/python27/patches/patch-Misc_NEWS Mon Jun 09 17:58:31 2014 +0000
@@ -0,0 +1,21 @@
+$NetBSD: patch-Misc_NEWS,v 1.3 2014/06/09 17:58:31 he Exp $
+
+Apply a fix for CVE-2013-1752 for the SMTP and Pop parts.
+From http://bugs.python.org/issue16042 and issue16041.
+
+--- Misc/NEWS.orig 2014-06-09 11:29:34.000000000 +0000
++++ Misc/NEWS
+@@ -585,6 +585,13 @@ Library
+ prevent readline() calls from consuming too much memory. Patch by Jyrki
+ Pulliainen.
+
++- Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to
++ prevent readline() calls from consuming too much memory. Patch by Jyrki
++ Pulliainen.
++
++- Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by
++ limiting the call to readline(). Original patch by Christian Heimes.
++
+ - Issue #12641: Avoid passing "-mno-cygwin" to the mingw32 compiler, except
+ when necessary. Patch by Oscar Benjamin.
+