From c8f16f3941f17a64cba4c418c37b4ebc857a8a49 Mon Sep 17 00:00:00 2001 From: Tomas Radej Date: Mon, 10 Feb 2014 14:42:12 +0100 Subject: [PATCH] Fixed buffer overflow (upstream patch) Resolves: rhbz#1062374 --- 00192-buffer-overflow.patch | 42 +++++++++++++++++++++++++++++++++++++ python3.spec | 14 ++++++++++++- 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 00192-buffer-overflow.patch diff --git a/00192-buffer-overflow.patch b/00192-buffer-overflow.patch new file mode 100644 index 0000000..73d3ece --- /dev/null +++ b/00192-buffer-overflow.patch @@ -0,0 +1,42 @@ + +# HG changeset patch +# User Benjamin Peterson +# Date 1389672775 18000 +# Node ID 7f176a45211ff3cb85a2fbdc75f7979d642bb563 +# Parent ed1c27b68068c942c6e845bdf8e987e963d50920# Parent 9c56217e5c793685eeaf0ee224848c402bdf1e4c +merge 3.2 (#20246) + +diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py +--- a/Lib/test/test_socket.py ++++ b/Lib/test/test_socket.py +@@ -4538,6 +4538,14 @@ class BufferIOTest(SocketConnectedTest): + + _testRecvFromIntoMemoryview = _testRecvFromIntoArray + ++ def testRecvFromIntoSmallBuffer(self): ++ # See issue #20246. ++ buf = bytearray(8) ++ self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024) ++ ++ def _testRecvFromIntoSmallBuffer(self): ++ self.serv_conn.send(MSG*2048) ++ + + TIPC_STYPE = 2000 + TIPC_LOWER = 200 +diff --git a/Modules/socketmodule.c b/Modules/socketmodule.c +--- a/Modules/socketmodule.c ++++ b/Modules/socketmodule.c +@@ -2935,6 +2935,11 @@ sock_recvfrom_into(PySocketSockObject *s + if (recvlen == 0) { + /* If nbytes was not specified, use the buffer's length */ + recvlen = buflen; ++ } else if (recvlen > buflen) { ++ PyBuffer_Release(&pbuf); ++ PyErr_SetString(PyExc_ValueError, ++ "nbytes is greater than the length of the buffer"); ++ return NULL; + } + + readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr); + diff --git a/python3.spec b/python3.spec index ff415ac..34359f7 100644 --- a/python3.spec +++ b/python3.spec @@ -126,7 +126,7 @@ Summary: Version 3 of the Python programming language aka Python 3000 Name: python3 Version: %{pybasever}.2 -Release: 9%{?dist} +Release: 10%{?dist} License: Python Group: Development/Languages @@ -629,6 +629,13 @@ Patch186: 00186-dont-raise-from-py_compile.patch # See http://bugs.python.org/issue17997#msg194950 for more. Patch187: 00187-change-match_hostname-to-follow-RFC-6125.patch +# 00192 # +# +# Fixing buffer overflow (upstream patch) +# rhbz#1062375 +Patch192: 00192-buffer-overflow.patch + + # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora 17 onwards, @@ -890,6 +897,7 @@ done %patch185 -p1 %patch186 -p1 %patch187 -p1 +%patch192 -p1 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there # are many differences between 2.6 and the Python 3 library. @@ -1738,6 +1746,10 @@ rm -fr %{buildroot} # ====================================================== %changelog +* Mon Feb 10 2014 Tomas Radej - 3.3.2-10 +- Fixed buffer overflow (upstream patch) +Resolves: rhbz#1062374 + * Tue Feb 04 2014 Bohuslav Kabrda - 3.3.2-9 - Install macros in _rpmconfigdir.