From 0b48f428a32b22b4eb018f947f4e1adb617beaa6 Mon Sep 17 00:00:00 2001
From: Matej Stuchlik
Date: Mon, 30 Jun 2014 08:50:35 +0200
Subject: [PATCH] Fix JSON reading arbitrary process memory (rhbz#1112293)
---
00194-json-add-boundary-check.patch | 37 +++++++++++++++++++++++++++++
python3.spec | 13 +++++++++-
2 files changed, 49 insertions(+), 1 deletion(-)
create mode 100644 00194-json-add-boundary-check.patch
diff --git a/00194-json-add-boundary-check.patch b/00194-json-add-boundary-check.patch
new file mode 100644
index 0000000..dcdf348
--- /dev/null
+++ b/00194-json-add-boundary-check.patch
@@ -0,0 +1,37 @@
+
+# HG changeset patch
+# User Benjamin Peterson
+# Date 1397442496 14400
+# Node ID 4f15bd1ab28fe25c2e381ab05b11b60ce42fe613
+# Parent b49d990aaa9d708a8c3174f6d51b8e069040ffe4# Parent 8130b8c066062bc589d337aebd3da4b156ee7f45
+merge 3.2
+
+diff --git a/Lib/test/test_json/test_decode.py b/Lib/test/test_json/test_decode.py
+--- a/Lib/test/json_tests/test_decode.py
++++ b/Lib/test/json_tests/test_decode.py
+@@ -70,5 +70,9 @@ class TestDecode:
+ msg = 'escape'
+ self.assertRaisesRegex(ValueError, msg, self.loads, s)
+
++ def test_negative_index(self):
++ d = self.json.JSONDecoder()
++ self.assertRaises(ValueError, d.raw_decode, 'a'*42, -50000)
++
+ class TestPyDecode(TestDecode, PyTest): pass
+ class TestCDecode(TestDecode, CTest): pass
+diff --git a/Modules/_json.c b/Modules/_json.c
+--- a/Modules/_json.c
++++ b/Modules/_json.c
+@@ -975,7 +975,10 @@ scan_once_unicode(PyScannerObject *s, Py
+ kind = PyUnicode_KIND(pystr);
+ length = PyUnicode_GET_LENGTH(pystr);
+
+- if (idx >= length) {
++ if (idx < 0)
++ /* Compatibility with Python version. */
++ idx += length;
++ if (idx < 0 || idx >= length) {
+ PyErr_SetNone(PyExc_StopIteration);
+ return NULL;
+ }
+
diff --git a/python3.spec b/python3.spec
index 50ee0d4..87146f4 100644
--- a/python3.spec
+++ b/python3.spec
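Review bot: The `test_negative_index` case added in 00194-json-add-boundary-check.patch only uses an index that is still negative after `idx += length` (-50000 against a 42-character string), so the new wrap-around branch in `scan_once_unicode` is never run with an in-range negative index. Because `idx` is supplied by the caller (the test passes it through `raw_decode`), a second assertion such as `self.assertRaises(ValueError, d.raw_decode, 'a'*42, -1)` should pin that a small negative index is wrapped into the string rather than read before its start, for both `TestPyDecode` and `TestCDecode`. The unbraced `if (idx < 0)` with a comment between the condition and `idx += length;` is also easy to misread, and braces around it would make the guarded statement explicit. The body of `scan_once_unicode` continues outside the hunk, so whether other index-taking entry points in `_json.c` apply the same bounds check cannot be judged from this patch.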
@@ -126,7 +126,7 @@ Summary: Version 3 of the Python programming language aka Python 3000 Name: python3 Version: %{pybasever}.2 -Release: 15%{?dist} +Release: 16%{?dist} License: Python Group: Development/Languages @@ -649,6 +649,12 @@ Patch192: 00192-buffer-overflow.patch # http://bugs.python.org/issue20778 Patch193: 00193-skip-correct-num-of-pycfile-bytes-in-modulefinder.patch +# 00194 +# +# JSON module could read arbitrary process memory +# rhbz#1112293 +Patch194: 00194-json-add-boundary-check.patch + # (New patches go here ^^^) # @@ -915,6 +921,7 @@ done %patch190 -p1 %patch192 -p1 %patch193 -p1 +%patch194 -p1 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there # are many differences between 2.6 and the Python 3 library. @@ -1773,6 +1780,10 @@ rm -fr %{buildroot} # ====================================================== %changelog +* Mon Jun 30 2014 Matej Stuchlik - 3.3.2-16 +- JSON module could read arbitrary process memory +Resolves: rhbz#1112293 + * Fri May 30 2014 Miro HronĨok - 3.3.2-15 - In config script, use uname -m to write the arch