Fix for CVE-2017-1000158 (#1519604)

2017-12-01 10:29:31 +01:00 · 2017-12-01 10:29:31 +01:00 · 6827170b24
parent 4e033a4931
commit 6827170b24
2 changed files with 37 additions and 1 deletions
--- a/00286-pystring-decodeescape-integer-overflow.patch
+++ b/00286-pystring-decodeescape-integer-overflow.patch
@ -0,0 +1,25 @@
+From c3c9db89273fabc62ea1b48389d9a3000c1c03ae Mon Sep 17 00:00:00 2001
+From: Jay Bosamiya <jaybosamiya@gmail.com>
+Date: Sun, 18 Jun 2017 22:11:03 +0530
+Subject: [PATCH] [2.7] bpo-30657: Check & prevent integer overflow in
+ PyString_DecodeEscape (#2174)
+
+diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c
+index 77dd45e..9b29dc3 100644
+--- a/Objects/bytesobject.c
+++ b/Objects/bytesobject.c
+@@ -970,7 +970,13 @@ PyObject *PyBytes_DecodeEscape(const char *s,
+     char *p, *buf;
+     const char *end;
+     PyObject *v;
+-    Py_ssize_t newlen = recode_encoding ? 4*len:len;
+    Py_ssize_t newlen;
+    /* Check for integer overflow */
+    if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
+        PyErr_SetString(PyExc_OverflowError, "string is too large");
+        return NULL;
+    }
+    newlen = recode_encoding ? 4*len:len;
+     v = PyBytes_FromStringAndSize((char *)NULL, newlen);
+     if (v == NULL)
+         return NULL;
--- a/python3.spec
+++ b/python3.spec
@ -112,7 +112,7 @@
 Summary: Version 3 of the Python programming language aka Python 3000
 Name: python3
 Version: %{pybasever}.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: Python
 Group: Development/Languages

@ -394,6 +394,12 @@ Patch243: 00243-fix-mips64-triplet.patch
 # Fixed upstream: https://bugs.python.org/issue31532
 Patch279: 00279-fix-memory-corruption-due-to-allocator-mix.patch

+# 00286 #
+# CVE-2017-1000158
+# Check & prevent integer overflow in PyString_DecodeEscape
+# Fixed upstream for Python 2 only: https://bugs.python.org/issue30657
+Patch286: 00286-pystring-decodeescape-integer-overflow.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -635,6 +641,7 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en
 %patch206 -p1
 %patch243 -p1
 %patch279 -p1
+%patch286 -p1

 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
 # are many differences between 2.6 and the Python 3 library.
@ -1538,6 +1545,10 @@ rm -fr %{buildroot}
 # ======================================================

 %changelog
+* Fri Dec 01 2017 Miro Hrončok <mhroncok@redhat.com> - 3.5.4-3
+- Fix for CVE-2017-1000158
+- rhbz#1519606: https://bugzilla.redhat.com/show_bug.cgi?id=1519604
+
 * Mon Oct 09 2017 Charalampos Stratakis <cstratak@redhat.com> - 3.5.4-2
 - Fix memory corruption due to allocator mix
 Resolves: rhbz#1498207