diff options
author | Kubilay Kocak <koobs@FreeBSD.org> | 2014-03-01 10:52:55 +0000 |
---|---|---|
committer | Kubilay Kocak <koobs@FreeBSD.org> | 2014-03-01 10:52:55 +0000 |
commit | 7a2c2ce6e780ec6a01f1de55c980810b9175edce (patch) | |
tree | 248c85db7a6c42f16f546a42fbbe907b01ec6c8f /lang/python32 | |
parent | af10367a5c907249e89669454a8f887cafc1b712 (diff) | |
download | ports-7a2c2ce6e780ec6a01f1de55c980810b9175edce.tar.gz ports-7a2c2ce6e780ec6a01f1de55c980810b9175edce.zip |
lang/python*: Backport security fix for CVE-2014-1912
A vulnerability was reported [1] in Python's socket module, due to a
boundary error within the sock_recvfrom_into() function, which could be
exploited to cause a buffer overflow.
This could be used to crash a Python application that uses the
socket.recvfrom_info() function or, possibly, execute arbitrary code
with the permissions of the user running vulnerable Python code.
This vulnerable function, socket.recvfrom_into(), was introduced in
Python 2.5. Earlier versions are not affected by this flaw. This is
fixed in upstream branches for version 2.7, 3.1, 3.2 and 3.3.
[1] http://bugs.python.org/issue20246
MFH: 2014Q1
Security: 8e5e6d42-a0fa-11e3-b09a-080027f2d077
Notes
Notes:
svn path=/head/; revision=346614
Diffstat (limited to 'lang/python32')
-rw-r--r-- | lang/python32/Makefile | 2 | ||||
-rw-r--r-- | lang/python32/files/patch-CVE-2014-1912 | 49 |
2 files changed, 50 insertions, 1 deletions
diff --git a/lang/python32/Makefile b/lang/python32/Makefile index 252e22aa6ad0..f4c3fe11c4dd 100644 --- a/lang/python32/Makefile +++ b/lang/python32/Makefile @@ -2,7 +2,7 @@ PORTNAME= python32 PORTVERSION= 3.2.5 -PORTREVISION= 7 +PORTREVISION= 8 CATEGORIES= lang python ipv6 MASTER_SITES= PYTHON MASTER_SITE_SUBDIR= ${PYTHON_MASTER_SITE_SUBDIR} diff --git a/lang/python32/files/patch-CVE-2014-1912 b/lang/python32/files/patch-CVE-2014-1912 new file mode 100644 index 000000000000..a23eba9a8042 --- /dev/null +++ b/lang/python32/files/patch-CVE-2014-1912 @@ -0,0 +1,49 @@ +# HG changeset patch +# User Benjamin Peterson <benjamin@python.org> +# Date 1389671978 18000 +# Node ID 9c56217e5c793685eeaf0ee224848c402bdf1e4c +# Parent 2b5cd6d4d149dea6c6941b7e07ada248b29fc9f6 +complain when nbytes > buflen to fix possible buffer overflow (closes #20246) + +# HG changeset patch +# User Stefan Krah <skrah@bytereef.org> +# Date 1390341520 -3600 +# Node ID e82dcd700e8cfb174d6bf6031fd6666627b20f5f +# Parent 29b1eebecb8ed946e1db8e4bb86310d681cf4a91 +Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts. + +diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py +--- Lib/test/test_socket.py ++++ Lib/test/test_socket.py +@@ -1968,6 +1968,14 @@ class BufferIOTest(SocketConnectedTest): + + _testRecvFromIntoMemoryview = _testRecvFromIntoArray + ++ def testRecvFromIntoSmallBuffer(self): ++ # See issue #20246. ++ buf = bytearray(8) ++ self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024) ++ ++ def _testRecvFromIntoSmallBuffer(self): ++ self.serv_conn.send(MSG) ++ + + TIPC_STYPE = 2000 + TIPC_LOWER = 200 + +diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c +--- Modules/socketmodule.c ++++ Modules/socketmodule.c +@@ -2598,6 +2598,11 @@ sock_recvfrom_into(PySocketSockObject *s + if (recvlen == 0) { + /* If nbytes was not specified, use the buffer's length */ + recvlen = buflen; ++ } else if (recvlen > buflen) { ++ PyBuffer_Release(&pbuf); ++ PyErr_SetString(PyExc_ValueError, ++ "nbytes is greater than the length of the buffer"); ++ return NULL; + } + + readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr); + |