python: CVE-2014-7185

Fixes buffer() integer overflow leading to out of bounds read This bug is only an issue if offset and size arguments are untrusted. The buffer() was removed from Python 3 and hence Python 3 was not affected by this issue. Reference http://openwall.com/lists/oss-security/2014/09/25/47 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-04-21 13:29:30 +0200
committer: Tudor Florea <tudor.florea@enea.com> 2015-07-06 20:19:40 +0200
commit: 2b10e943c879c0a510d4c2dcda127eef76974854 (patch)
tree: 37a010c2b02f683c19cf84780e45f0ac70c7a7e4
parent: 88d894a438adb9f0ef60f578a190bff9f508adac (diff)
download: poky-2b10e943c879c0a510d4c2dcda127eef76974854.tar.gz
2 files changed, 76 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-7185.patch b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-7185.patch
new file mode 100644
index 0000000000..60ef145c7c
--- /dev/null
+++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-7185.patch
@@ -0,0 +1,75 @@
+From 104eb318283dde5203aa6cf7384287bef181e308 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Wed, 12 Nov 2014 01:58:02 -0500
+Subject: [PATCH] python: fix CVE-2014-7185
+Reference: http://bugs.python.org/issue21831
+CVE-2014-7185: Integer overflow in bufferobject.c in Python before
+2.7.8 allows context-dependent attackers to obtain sensitive
+information from process memory via a large size and offset in a
+"buffer" function.
+Upstream-Status: Backport
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+ Lib/test/test_buffer.py |    6 ++++++
+ Misc/NEWS               |    3 +++
+ Objects/bufferobject.c  |    2 +-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+diff --git a/Lib/test/test_buffer.py b/Lib/test/test_buffer.py
+index 6bdc34d..3ac1f8c 100644
+--- a/Lib/test/test_buffer.py
+++ b/Lib/test/test_buffer.py
+@@ -4,6 +4,7 @@ For now, tests just new or changed functionality.
+ 
+ """
+ 
+import sys
+ import unittest
+ from test import test_support
+ 
+@@ -21,6 +22,11 @@ class BufferTests(unittest.TestCase):
+                     self.assertEqual(b[start:stop:step],
+                                      s[start:stop:step])
+ 
+    def test_large_buffer_size_and_offset(self):
+        data = bytearray('hola mundo')
+        buf = buffer(data, sys.maxsize, sys.maxsize)
+        self.assertEqual(buf[:4096], "")
+
+ 
+ def test_main():
+     with test_support.check_py3k_warnings(("buffer.. not supported",
+diff --git a/Misc/NEWS b/Misc/NEWS
+index e8778ad..77396c5 100644
+--- a/Misc/NEWS
+++ b/Misc/NEWS
+@@ -1896,6 +1896,9 @@ What's New in Python 2.7 Release Candidate 1?
+ Core and Builtins
+ -----------------
+ 
+- Issue #21831: Avoid integer overflow when large sizes and offsets are given to
+  the buffer type. CVE-2014-7185.
+
+ - Issue #8271: during the decoding of an invalid UTF-8 byte sequence, only the
+   start byte and the continuation byte(s) are now considered invalid, instead
+   of the number of bytes specified by the start byte.
+diff --git a/Objects/bufferobject.c b/Objects/bufferobject.c
+index c52f0bc..c542506 100644
+--- a/Objects/bufferobject.c
+++ b/Objects/bufferobject.c
+@@ -88,7 +88,7 @@ get_buf(PyBufferObject *self, void **ptr, Py_ssize_t *size,
+             *size = count;
+         else
+             *size = self->b_size;
+-        if (offset + *size > count)
+        if (*size > count - offset)
+             *size = count - offset;
+     }
+     return 1;
+-- 
+1.7.9.5
diff --git a/meta/recipes-devtools/python/python_2.7.3.bb b/meta/recipes-devtools/python/python_2.7.3.bb
index 28ea2347e3..0d9ca456fe 100644
--- a/meta/recipes-devtools/python/python_2.7.3.bb
+++ b/meta/recipes-devtools/python/python_2.7.3.bb
@@ -38,6 +38,7 @@ SRC_URI += "\
  file://python-2.7.3-CVE-2014-1912.patch \
  file://json-flaw-CVE-2014-4616.patch \
  file://python2.7.3-nossl3.patch \
+  file://python-2.7.3-CVE-2014-7185.patch \
 "
 S = "${WORKDIR}/Python-${PV}"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-04-21 13:29:30 +0200
committer	Tudor Florea <tudor.florea@enea.com>	2015-07-06 20:19:40 +0200
commit	2b10e943c879c0a510d4c2dcda127eef76974854 (patch)
tree	37a010c2b02f683c19cf84780e45f0ac70c7a7e4
parent	88d894a438adb9f0ef60f578a190bff9f508adac (diff)
download	poky-2b10e943c879c0a510d4c2dcda127eef76974854.tar.gz

diff --git a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-7185.patch b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-7185.patch new file mode 100644 index 0000000000..60ef145c7c --- /dev/null +++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-7185.patch
@@ -0,0 +1,75 @@
		1	From 104eb318283dde5203aa6cf7384287bef181e308 Mon Sep 17 00:00:00 2001
		2	From: Wenzong Fan <wenzong.fan@windriver.com>
		3	Date: Wed, 12 Nov 2014 01:58:02 -0500
		4	Subject: [PATCH] python: fix CVE-2014-7185
		5
		6	Reference: http://bugs.python.org/issue21831
		7
		8	CVE-2014-7185: Integer overflow in bufferobject.c in Python before
		9	2.7.8 allows context-dependent attackers to obtain sensitive
		10	information from process memory via a large size and offset in a
		11	"buffer" function.
		12
		13	Upstream-Status: Backport
		14
		15	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
		16	---
		17	Lib/test/test_buffer.py \| 6 ++++++
		18	Misc/NEWS \| 3 +++
		19	Objects/bufferobject.c \| 2 +-
		20	3 files changed, 10 insertions(+), 1 deletion(-)
		21
		22	diff --git a/Lib/test/test_buffer.py b/Lib/test/test_buffer.py
		23	index 6bdc34d..3ac1f8c 100644
		24	--- a/Lib/test/test_buffer.py
		25	+++ b/Lib/test/test_buffer.py
		26	@@ -4,6 +4,7 @@ For now, tests just new or changed functionality.
		27
		28	"""
		29
		30	+import sys
		31	import unittest
		32	from test import test_support
		33
		34	@@ -21,6 +22,11 @@ class BufferTests(unittest.TestCase):
		35	self.assertEqual(b[start:stop:step],
		36	s[start:stop:step])
		37
		38	+ def test_large_buffer_size_and_offset(self):
		39	+ data = bytearray('hola mundo')
		40	+ buf = buffer(data, sys.maxsize, sys.maxsize)
		41	+ self.assertEqual(buf[:4096], "")
		42	+
		43
		44	def test_main():
		45	with test_support.check_py3k_warnings(("buffer.. not supported",
		46	diff --git a/Misc/NEWS b/Misc/NEWS
		47	index e8778ad..77396c5 100644
		48	--- a/Misc/NEWS
		49	+++ b/Misc/NEWS
		50	@@ -1896,6 +1896,9 @@ What's New in Python 2.7 Release Candidate 1?
		51	Core and Builtins
		52	-----------------
		53
		54	+- Issue #21831: Avoid integer overflow when large sizes and offsets are given to
		55	+ the buffer type. CVE-2014-7185.
		56	+
		57	- Issue #8271: during the decoding of an invalid UTF-8 byte sequence, only the
		58	start byte and the continuation byte(s) are now considered invalid, instead
		59	of the number of bytes specified by the start byte.
		60	diff --git a/Objects/bufferobject.c b/Objects/bufferobject.c
		61	index c52f0bc..c542506 100644
		62	--- a/Objects/bufferobject.c
		63	+++ b/Objects/bufferobject.c
		64	@@ -88,7 +88,7 @@ get_buf(PyBufferObject self, void ptr, Py_ssize_t size,
		65	*size = count;
		66	else
		67	*size = self->b_size;
		68	- if (offset + *size > count)
		69	+ if (*size > count - offset)
		70	*size = count - offset;
		71	}
		72	return 1;
		73	--
		74	1.7.9.5
		75


diff --git a/meta/recipes-devtools/python/python_2.7.3.bb b/meta/recipes-devtools/python/python_2.7.3.bb index 28ea2347e3..0d9ca456fe 100644 --- a/meta/recipes-devtools/python/python_2.7.3.bb +++ b/meta/recipes-devtools/python/python_2.7.3.bb
@@ -38,6 +38,7 @@ SRC_URI += "\
38	file://python-2.7.3-CVE-2014-1912.patch \	38	file://python-2.7.3-CVE-2014-1912.patch \
39	file://json-flaw-CVE-2014-4616.patch \	39	file://json-flaw-CVE-2014-4616.patch \
40	file://python2.7.3-nossl3.patch \	40	file://python2.7.3-nossl3.patch \
		41	file://python-2.7.3-CVE-2014-7185.patch \
41	"	42	"
42		43
43	S = "${WORKDIR}/Python-${PV}"	44	S = "${WORKDIR}/Python-${PV}"