Refactor patch for properly fixing CVE-2016-5636
parent
220a669a6c
commit
20f301a645
@ -1,16 +0,0 @@
|
|||||||
diff --git a/Modules/zipimport.c b/Modules/zipimport.c
|
|
||||||
index 7240cb4..a139a3f 100644
|
|
||||||
--- a/Modules/zipimport.c
|
|
||||||
+++ b/Modules/zipimport.c
|
|
||||||
@@ -895,6 +895,11 @@ get_data(char *archive, PyObject *toc_entry)
|
|
||||||
PyMarshal_ReadShortFromFile(fp); /* local header size */
|
|
||||||
file_offset += l; /* Start of file data */
|
|
||||||
|
|
||||||
+ if (data_size > LONG_MAX - 1) {
|
|
||||||
+ fclose(fp);
|
|
||||||
+ PyErr_NoMemory();
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
raw_data = PyString_FromStringAndSize((char *)NULL, compress == 0 ?
|
|
||||||
data_size : data_size + 1);
|
|
||||||
if (raw_data == NULL) {
|
|
@ -0,0 +1,39 @@
|
|||||||
|
From 0f12cb75c708978f9201c1dd3464d2a8572b4544 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Charalampos Stratakis <cstratak@redhat.com>
|
||||||
|
Date: Fri, 8 Jul 2016 20:24:10 +0200
|
||||||
|
Subject: [PATCH] CVE-2016-5636 fix
|
||||||
|
|
||||||
|
---
|
||||||
|
Modules/zipimport.c | 9 +++++++++
|
||||||
|
1 file changed, 9 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/Modules/zipimport.c b/Modules/zipimport.c
|
||||||
|
index 7240cb4..2e6a61f 100644
|
||||||
|
--- a/Modules/zipimport.c
|
||||||
|
+++ b/Modules/zipimport.c
|
||||||
|
@@ -861,6 +861,10 @@ get_data(char *archive, PyObject *toc_entry)
|
||||||
|
&date, &crc)) {
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
+ if (data_size < 0) {
|
||||||
|
+ PyErr_Format(ZipImportError, "negative data size");
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
fp = fopen(archive, "rb");
|
||||||
|
if (!fp) {
|
||||||
|
@@ -895,6 +899,11 @@ get_data(char *archive, PyObject *toc_entry)
|
||||||
|
PyMarshal_ReadShortFromFile(fp); /* local header size */
|
||||||
|
file_offset += l; /* Start of file data */
|
||||||
|
|
||||||
|
+ if (data_size > LONG_MAX - 1) {
|
||||||
|
+ fclose(fp);
|
||||||
|
+ PyErr_NoMemory();
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
raw_data = PyString_FromStringAndSize((char *)NULL, compress == 0 ?
|
||||||
|
data_size : data_size + 1);
|
||||||
|
if (raw_data == NULL) {
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
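Review bot: The `if (data_size > LONG_MAX - 1)` guard in the second hunk carries no comment saying what it protects, and the bound only makes sense next to the `data_size + 1` that is passed to `PyString_FromStringAndSize` two lines below it. I would add `/* data_size + 1 is allocated below for compressed entries; reject sizes where that addition would overflow */` above that guard. Above the `data_size < 0` check in the first hunk I would add `/* a negative size from the archive must never reach the allocation below */`; data_size is presumably unpacked from `toc_entry` just before, but that call starts outside the hunk. The two guards also raise different exceptions (`ZipImportError` for the negative case, `PyErr_NoMemory()` for the oversized one), which is worth a word in the comments so callers know both can come from a malformed archive. `get_data` starts and ends outside both hunks.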
26
python.spec
26
python.spec
@ -108,7 +108,7 @@ Summary: An interpreted, interactive, object-oriented programming language
|
|||||||
Name: %{python}
|
Name: %{python}
|
||||||
# Remember to also rebase python-docs when changing this:
|
# Remember to also rebase python-docs when changing this:
|
||||||
Version: 2.7.11
|
Version: 2.7.11
|
||||||
Release: 7%{?dist}
|
Release: 8%{?dist}
|
||||||
License: Python
|
License: Python
|
||||||
Group: Development/Languages
|
Group: Development/Languages
|
||||||
Requires: %{python}-libs%{?_isa} = %{version}-%{release}
|
Requires: %{python}-libs%{?_isa} = %{version}-%{release}
|
||||||
@ -848,7 +848,6 @@ Patch187: 00187-add-RPATH-to-pyexpat.patch
|
|||||||
Patch189: 00189-gdb-py-bt-dont-raise-exception-from-eval.patch
|
Patch189: 00189-gdb-py-bt-dont-raise-exception-from-eval.patch
|
||||||
|
|
||||||
# 00190 #
|
# 00190 #
|
||||||
#
|
|
||||||
# Importing get_python_version in bdist_rpm
|
# Importing get_python_version in bdist_rpm
|
||||||
# http://bugs.python.org/issue18045
|
# http://bugs.python.org/issue18045
|
||||||
# rhbz#1029082
|
# rhbz#1029082
|
||||||
@ -856,19 +855,16 @@ Patch189: 00189-gdb-py-bt-dont-raise-exception-from-eval.patch
|
|||||||
#Patch190: 00190-get_python_version.patch
|
#Patch190: 00190-get_python_version.patch
|
||||||
|
|
||||||
# 00191 #
|
# 00191 #
|
||||||
#
|
|
||||||
# Disabling NOOP test as it fails without internet connection
|
# Disabling NOOP test as it fails without internet connection
|
||||||
Patch191: 00191-disable-NOOP.patch
|
Patch191: 00191-disable-NOOP.patch
|
||||||
|
|
||||||
# 00192 #
|
# 00192 #
|
||||||
#
|
|
||||||
# Fixing buffer overflow (upstream patch)
|
# Fixing buffer overflow (upstream patch)
|
||||||
# rhbz#1062375
|
# rhbz#1062375
|
||||||
# FIXED UPSTREAM
|
# FIXED UPSTREAM
|
||||||
#Patch192: 00192-buffer-overflow.patch
|
#Patch192: 00192-buffer-overflow.patch
|
||||||
|
|
||||||
# 00193 #
|
# 00193 #
|
||||||
#
|
|
||||||
# Enable loading sqlite extensions. This patch isn't needed for
|
# Enable loading sqlite extensions. This patch isn't needed for
|
||||||
# python3.spec, since Python 3 has a configuration option for this.
|
# python3.spec, since Python 3 has a configuration option for this.
|
||||||
# rhbz#1066708
|
# rhbz#1066708
|
||||||
@ -876,13 +872,13 @@ Patch191: 00191-disable-NOOP.patch
|
|||||||
Patch193: 00193-enable-loading-sqlite-extensions.patch
|
Patch193: 00193-enable-loading-sqlite-extensions.patch
|
||||||
|
|
||||||
# 00194 #
|
# 00194 #
|
||||||
#
|
|
||||||
# Fix tests with SQLite >= 3.8.4
|
# Fix tests with SQLite >= 3.8.4
|
||||||
# http://bugs.python.org/issue20901
|
# http://bugs.python.org/issue20901
|
||||||
# http://hg.python.org/cpython/raw-rev/1763e27a182d
|
# http://hg.python.org/cpython/raw-rev/1763e27a182d
|
||||||
# FIXED UPSTREAM
|
# FIXED UPSTREAM
|
||||||
#Patch194: 00194-fix-tests-with-sqlite-3.8.4.patch
|
#Patch194: 00194-fix-tests-with-sqlite-3.8.4.patch
|
||||||
|
|
||||||
|
# 00195 #
|
||||||
# Since openssl-1.0.1h-5.fc21 SSLv2 and SSLV3 protocols
|
# Since openssl-1.0.1h-5.fc21 SSLv2 and SSLV3 protocols
|
||||||
# are disabled by default in openssl, according the comment in openssl
|
# are disabled by default in openssl, according the comment in openssl
|
||||||
# patch this affects only SSLv23_method, this patch enables SSLv2
|
# patch this affects only SSLv23_method, this patch enables SSLv2
|
||||||
@ -892,30 +888,37 @@ Patch193: 00193-enable-loading-sqlite-extensions.patch
|
|||||||
# disables only sslv2 all tests pass
|
# disables only sslv2 all tests pass
|
||||||
#Patch195: 00195-enable-sslv23-in-ssl.patch
|
#Patch195: 00195-enable-sslv23-in-ssl.patch
|
||||||
|
|
||||||
|
# 00196 #
|
||||||
# http://bugs.python.org/issue21308
|
# http://bugs.python.org/issue21308
|
||||||
# Backport of ssl module from python3
|
# Backport of ssl module from python3
|
||||||
# FIXED UPSTREAM
|
# FIXED UPSTREAM
|
||||||
# Patch196: 00196-ssl-backport.patch
|
# Patch196: 00196-ssl-backport.patch
|
||||||
|
|
||||||
|
# 00197 #
|
||||||
# http://bugs.python.org/issue22023
|
# http://bugs.python.org/issue22023
|
||||||
# Patch seg fault in unicodeobject.c
|
# Patch seg fault in unicodeobject.c
|
||||||
# FIXED UPSTREAM
|
# FIXED UPSTREAM
|
||||||
# Patch197: 00197-unicode_fromformat.patch
|
# Patch197: 00197-unicode_fromformat.patch
|
||||||
|
|
||||||
|
# 00198 #
|
||||||
%if 0%{with_rewheel}
|
%if 0%{with_rewheel}
|
||||||
Patch198: 00198-add-rewheel-module.patch
|
Patch198: 00198-add-rewheel-module.patch
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
# 00200 #
|
||||||
# test_gdb.test_threads fails when run within rpmbuild
|
# test_gdb.test_threads fails when run within rpmbuild
|
||||||
# I couldnt reproduce the issue outside of rpmbuild, therefore
|
# I couldnt reproduce the issue outside of rpmbuild, therefore
|
||||||
# I skip test for now
|
# I skip test for now
|
||||||
Patch200: 00200-skip-thread-test.patch
|
Patch200: 00200-skip-thread-test.patch
|
||||||
|
|
||||||
# https://bugs.python.org/issue26171
|
# 00209 #
|
||||||
|
# CVE-2016-5636: http://seclists.org/oss-sec/2016/q2/560
|
||||||
|
# rhbz#1345858: https://bugzilla.redhat.com/show_bug.cgi?id=1345858
|
||||||
# https://hg.python.org/cpython/rev/985fc64c60d6/
|
# https://hg.python.org/cpython/rev/985fc64c60d6/
|
||||||
|
# https://hg.python.org/cpython/rev/2edbdb79cd6d
|
||||||
# Fix possible integer overflow and heap corruption in zipimporter.get_data()
|
# Fix possible integer overflow and heap corruption in zipimporter.get_data()
|
||||||
# FIXED UPSTREAM
|
# FIXED UPSTREAM: https://bugs.python.org/issue26171
|
||||||
Patch201: 00201-prevent-buffer-overflow-in-zipimport-module.patch
|
Patch209: 00209-CVE-2016-5636-buffer-overflow-in-zipimport-module-fix.patch
|
||||||
|
|
||||||
# 00210 #
|
# 00210 #
|
||||||
# CVE-2016-0772 python: smtplib StartTLS stripping attack
|
# CVE-2016-0772 python: smtplib StartTLS stripping attack
|
||||||
@ -1295,7 +1298,7 @@ mv Modules/cryptmodule.c Modules/_cryptmodule.c
|
|||||||
%patch198 -p1
|
%patch198 -p1
|
||||||
%endif
|
%endif
|
||||||
%patch200 -p1
|
%patch200 -p1
|
||||||
%patch201 -p1
|
%patch209 -p1
|
||||||
%patch210 -p1
|
%patch210 -p1
|
||||||
%patch211 -p1
|
%patch211 -p1
|
||||||
|
|
||||||
@ -2149,6 +2152,9 @@ rm -fr %{buildroot}
|
|||||||
# ======================================================
|
# ======================================================
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jul 08 2016 Charalampos Stratakis <cstratak@redhat.com> - 2.7.11-8
|
||||||
|
- Refactor patch for properly fixing CVE-2016-5636
|
||||||
|
|
||||||
* Fri Jul 08 2016 Charalampos Stratakis <cstratak@redhat.com> - 2.7.11-7
|
* Fri Jul 08 2016 Charalampos Stratakis <cstratak@redhat.com> - 2.7.11-7
|
||||||
- Fix test_pyexpat failure with Expat version of 2.2.0
|
- Fix test_pyexpat failure with Expat version of 2.2.0
|
||||||
|
|
||||||
|
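Review bot: The comment block for Patch209 still ends in `# FIXED UPSTREAM: https://bugs.python.org/issue26171`, but elsewhere in this spec that label sits on entries whose patch line is commented out (`#Patch192:`, `#Patch194:`, `# Patch196:`, `# Patch197:`), while `Patch209:` and `%patch209 -p1` are active. Someone auditing which CVE fixes this package actually carries could read 00209 as no longer applied. I would reword the line to something like `# Fixed upstream after this release (https://bugs.python.org/issue26171); backported here`, assuming that is the situation for 2.7.11.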