summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDan Andresan <Dan.Andresan@enea.com>2018-10-29 12:00:47 +0100
committerGerrit Code Review <gerrit2@sestogerrit02>2018-10-29 12:00:47 +0100
commitc1d3038ebc3595d452dd987ce985446b75b944db (patch)
tree16e1051960cbb9b2c7d64ce6397dcd7b8f76c804
parentb377da4896044bb0c4ea198f767e354340432721 (diff)
parent429266feedb3eccc450d823d207cb1464c4c43dc (diff)
downloadmeta-el-common-c1d3038ebc3595d452dd987ce985446b75b944db.tar.gz
Merge "python: Fix CVEs" into pyro
-rw-r--r--recipes-devtools/python/python/CVE-2017-1000158-2.7-bpo-30657-Check-prevent-integer-overflow-in-PySt.patch62
-rw-r--r--recipes-devtools/python/python/CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch161
-rw-r--r--recipes-devtools/python/python_2.7.13.bbappend7
3 files changed, 230 insertions, 0 deletions
diff --git a/recipes-devtools/python/python/CVE-2017-1000158-2.7-bpo-30657-Check-prevent-integer-overflow-in-PySt.patch b/recipes-devtools/python/python/CVE-2017-1000158-2.7-bpo-30657-Check-prevent-integer-overflow-in-PySt.patch
new file mode 100644
index 0000000..b94ae06
--- /dev/null
+++ b/recipes-devtools/python/python/CVE-2017-1000158-2.7-bpo-30657-Check-prevent-integer-overflow-in-PySt.patch
@@ -0,0 +1,62 @@
1From cab6444ff39a91084bdac08d0ae66734cea943f6 Mon Sep 17 00:00:00 2001
2From: Andreas Wellving <andreas.wellving@enea.com>
3Date: Mon, 22 Oct 2018 10:13:00 +0200
4Subject: [PATCH] [2.7] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (#2174)
5
6CVE: CVE-2017-1000158
7Upstream-Status: Backport [https://github.com/python/cpython/commit/c3c9db89273fabc62ea1b48389d9a3000c1c03ae]
8
9Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
10---
11 Misc/ACKS | 1 +
12 Misc/NEWS | 3 +++
13 Objects/stringobject.c | 8 +++++++-
14 3 files changed, 11 insertions(+), 1 deletion(-)
15
16diff --git a/Misc/ACKS b/Misc/ACKS
17index 952d6dd..6ea6639 100644
18--- a/Misc/ACKS
19+++ b/Misc/ACKS
20@@ -151,6 +151,7 @@ Gregory Bond
21 Matias Bordese
22 Jonas Borgström
23 Jurjen Bos
24+Jay Bosamiya
25 Peter Bosch
26 Dan Boswell
27 Eric Bouck
28diff --git a/Misc/NEWS b/Misc/NEWS
29index b779e82..ab0b687 100644
30--- a/Misc/NEWS
31+++ b/Misc/NEWS
32@@ -21,6 +21,9 @@ What's New in Python 2.7.13 release candidate 1?
33 Core and Builtins
34 -----------------
35
36+- bpo-30657: Fixed possible integer overflow in PyString_DecodeEscape.
37+ Patch by Jay Bosamiya.
38+
39 - Issue #28847: dumbdbm no longer writes the index file in when it is not
40 changed and supports reading read-only files.
41
42diff --git a/Objects/stringobject.c b/Objects/stringobject.c
43index 4e38735..6c31c5b 100644
44--- a/Objects/stringobject.c
45+++ b/Objects/stringobject.c
46@@ -612,7 +612,13 @@ PyObject *PyString_DecodeEscape(const char *s,
47 char *p, *buf;
48 const char *end;
49 PyObject *v;
50- Py_ssize_t newlen = recode_encoding ? 4*len:len;
51+ Py_ssize_t newlen;
52+ /* Check for integer overflow */
53+ if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
54+ PyErr_SetString(PyExc_OverflowError, "string is too large");
55+ return NULL;
56+ }
57+ newlen = recode_encoding ? 4*len:len;
58 v = PyString_FromStringAndSize((char *)NULL, newlen);
59 if (v == NULL)
60 return NULL;
61
62
diff --git a/recipes-devtools/python/python/CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch b/recipes-devtools/python/python/CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch
new file mode 100644
index 0000000..6239503
--- /dev/null
+++ b/recipes-devtools/python/python/CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch
@@ -0,0 +1,161 @@
1From fbfdc20005366facc079675ee7e217a0993ef2f9 Mon Sep 17 00:00:00 2001
2From: Andreas Wellving <andreas.wellving@enea.com>
3Date: Mon, 22 Oct 2018 13:44:16 +0200
4Subject: [PATCH] [2.7] bpo-32981: Fix catastrophic backtracking vulns
5 (GH-5955)
6
7* Prevent low-grade poplib REDOS (CVE-2018-1060)
8
9The regex to test a mail server's timestamp is susceptible to
10catastrophic backtracking on long evil responses from the server.
11
12Happily, the maximum length of malicious inputs is 2K thanks
13to a limit introduced in the fix for CVE-2013-1752.
14
15A 2KB evil response from the mail server would result in small slowdowns
16(milliseconds vs. microseconds) accumulated over many apop calls.
17This is a potential DOS vector via accumulated slowdowns.
18
19Replace it with a similar non-vulnerable regex.
20
21The new regex is RFC compliant.
22The old regex was non-compliant in edge cases.
23
24* Prevent difflib REDOS (CVE-2018-1061)
25
26The default regex for IS_LINE_JUNK is susceptible to
27catastrophic backtracking.
28This is a potential DOS vector.
29
30Replace it with an equivalent non-vulnerable regex.
31
32Also introduce unit and REDOS tests for difflib.
33
34CVE: CVE-2018-1060
35CVE: CVE-2018-1061
36Upstream-Status: Backport [https://github.com/python/cpython/commit/937ac1fe069a4dc8471dff205f553d82e724015b]
37
38Co-authored-by: Tim Peters <tim.peters@gmail.com>
39Co-authored-by: Christian Heimes <christian@python.org>.
40(cherry picked from commit 0e6c8ee2358a2e23117501826c008842acb835ac)
41Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
42---
43 Lib/difflib.py | 2 +-
44 Lib/poplib.py | 2 +-
45 Lib/test/test_difflib.py | 22 +++++++++++++++++++++-
46 Lib/test/test_poplib.py | 10 ++++++++++
47 Misc/ACKS | 1 +
48 .../2018-03-02-10-24-52.bpo-32981.O_qDyj.rst | 4 ++++
49 6 files changed, 38 insertions(+), 3 deletions(-)
50 create mode 100644 Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst
51
52diff --git a/Lib/difflib.py b/Lib/difflib.py
53index 1c6fbdb..788a92d 100644
54--- a/Lib/difflib.py
55+++ b/Lib/difflib.py
56@@ -1103,7 +1103,7 @@ class Differ:
57
58 import re
59
60-def IS_LINE_JUNK(line, pat=re.compile(r"\s*#?\s*$").match):
61+def IS_LINE_JUNK(line, pat=re.compile(r"\s*(?:#\s*)?$").match):
62 r"""
63 Return 1 for ignorable line: iff `line` is blank or contains a single '#'.
64
65diff --git a/Lib/poplib.py b/Lib/poplib.py
66index b91e5f7..a238510 100644
67--- a/Lib/poplib.py
68+++ b/Lib/poplib.py
69@@ -274,7 +274,7 @@ class POP3:
70 return self._shortcmd('RPOP %s' % user)
71
72
73- timestamp = re.compile(r'\+OK.*(<[^>]+>)')
74+ timestamp = re.compile(br'\+OK.[^<]*(<.*>)')
75
76 def apop(self, user, secret):
77 """Authorisation
78diff --git a/Lib/test/test_difflib.py b/Lib/test/test_difflib.py
79index 35f2c36..d8277b7 100644
80--- a/Lib/test/test_difflib.py
81+++ b/Lib/test/test_difflib.py
82@@ -269,13 +269,33 @@ class TestOutputFormat(unittest.TestCase):
83 self.assertEqual(fmt(3,6), '4,6')
84 self.assertEqual(fmt(0,0), '0')
85
86+class TestJunkAPIs(unittest.TestCase):
87+ def test_is_line_junk_true(self):
88+ for line in ['#', ' ', ' #', '# ', ' # ', '']:
89+ self.assertTrue(difflib.IS_LINE_JUNK(line), repr(line))
90+
91+ def test_is_line_junk_false(self):
92+ for line in ['##', ' ##', '## ', 'abc ', 'abc #', 'Mr. Moose is up!']:
93+ self.assertFalse(difflib.IS_LINE_JUNK(line), repr(line))
94+
95+ def test_is_line_junk_REDOS(self):
96+ evil_input = ('\t' * 1000000) + '##'
97+ self.assertFalse(difflib.IS_LINE_JUNK(evil_input))
98+
99+ def test_is_character_junk_true(self):
100+ for char in [' ', '\t']:
101+ self.assertTrue(difflib.IS_CHARACTER_JUNK(char), repr(char))
102+
103+ def test_is_character_junk_false(self):
104+ for char in ['a', '#', '\n', '\f', '\r', '\v']:
105+ self.assertFalse(difflib.IS_CHARACTER_JUNK(char), repr(char))
106
107 def test_main():
108 difflib.HtmlDiff._default_prefix = 0
109 Doctests = doctest.DocTestSuite(difflib)
110 run_unittest(
111 TestWithAscii, TestAutojunk, TestSFpatches, TestSFbugs,
112- TestOutputFormat, Doctests)
113+ TestOutputFormat, TestJunkAPIs)
114
115 if __name__ == '__main__':
116 test_main()
117diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
118index 23d6887..d214375 100644
119--- a/Lib/test/test_poplib.py
120+++ b/Lib/test/test_poplib.py
121@@ -211,6 +211,16 @@ class TestPOP3Class(TestCase):
122 def test_rpop(self):
123 self.assertOK(self.client.rpop('foo'))
124
125+ def test_apop_REDOS(self):
126+ # Replace welcome with very long evil welcome.
127+ # NB The upper bound on welcome length is currently 2048.
128+ # At this length, evil input makes each apop call take
129+ # on the order of milliseconds instead of microseconds.
130+ evil_welcome = b'+OK' + (b'<' * 1000000)
131+ with test_support.swap_attr(self.client, 'welcome', evil_welcome):
132+ # The evil welcome is invalid, so apop should throw.
133+ self.assertRaises(poplib.error_proto, self.client.apop, 'a', 'kb')
134+
135 def test_top(self):
136 expected = ('+OK 116 bytes',
137 ['From: postmaster@python.org', 'Content-Type: text/plain',
138diff --git a/Misc/ACKS b/Misc/ACKS
139index 9cbc230..952d6dd 100644
140--- a/Misc/ACKS
141+++ b/Misc/ACKS
142@@ -314,6 +314,7 @@ Kushal Das
143 Jonathan Dasteel
144 Pierre-Yves David
145 A. Jesse Jiryu Davis
146+Jamie (James C.) Davis
147 Merlijn van Deen
148 John DeGood
149 Ned Deily
150diff --git a/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst b/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst
151new file mode 100644
152index 0000000..9ebabb4
153--- /dev/null
154+++ b/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst
155@@ -0,0 +1,4 @@
156+Regexes in difflib and poplib were vulnerable to catastrophic backtracking.
157+These regexes formed potential DOS vectors (REDOS). They have been
158+refactored. This resolves CVE-2018-1060 and CVE-2018-1061.
159+Patch by Jamie Davis.
160
161
diff --git a/recipes-devtools/python/python_2.7.13.bbappend b/recipes-devtools/python/python_2.7.13.bbappend
new file mode 100644
index 0000000..d7ec5e2
--- /dev/null
+++ b/recipes-devtools/python/python_2.7.13.bbappend
@@ -0,0 +1,7 @@
1# look for files in the layer first
2FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
3
4SRC_URI += " \
5 file://CVE-2017-1000158-2.7-bpo-30657-Check-prevent-integer-overflow-in-PySt.patch \
6 file://CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch \
7 "