python: CVE-2014-4616

Fix for _json module arbitrary process memory read vulnerability http://bugs.python.org/issue21529 Python 2 and 3 are susceptible to arbitrary process memory reading by a user or adversary due to a bug in the _json module caused by insufficient bounds checking. The sole prerequisites of this attack are that the attacker is able to control or influence the two parameters of the default scanstring function: the string to be decoded and the index. The bug is caused by allowing the user to supply a negative index value. The index value is then used directly as an index to an array in the C code; internally the address of the array and its index are added to each other in order to yield the address of the value that is desired. However, by supplying a negative index value and adding this to the address of the array, the processor's register value wraps around and the calculated value will point to a position in memory which isn't within the bounds of the supplied string, causing the function to access other parts of the process memory. Signed-off-by: Benjamin Peterson <benjamin@python.org> Applied to python-native recipe in order to fix the above mentioned vulnerability. Upstream-Status: Backport Signed-off-by: Daniel BORNAZ <daniel.bornaz@enea.com> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2014-11-26 13:49:06 +0100
committer: Tudor Florea <tudor.florea@enea.com> 2015-07-06 20:19:38 +0200
commit: 4ec7570ee9c2226cfa0341c7e0b35362b7b68278 (patch)
tree: f6669d7fd5bfaf05bb295e1e24501de091da3456
parent: 8364d34ae4a1ee0c7645bf0c338ebc297a1f6bdd (diff)
download: poky-4ec7570ee9c2226cfa0341c7e0b35362b7b68278.tar.gz
2 files changed, 28 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/json-flaw-CVE-2014-4616.patch b/meta/recipes-devtools/python/python/json-flaw-CVE-2014-4616.patch
new file mode 100644
index 0000000000..e9a6cca017
--- /dev/null
+++ b/meta/recipes-devtools/python/python/json-flaw-CVE-2014-4616.patch
@@ -0,0 +1,27 @@
+python: fix _json module arbitrary process memory read vulnerability
+Upstream-Status: submitted
+Signed-off-by: Daniel BORNAZ <daniel.bornaz@enea.com>
+--- a/Modules/_json.c   2014-07-15 15:37:17.151046356 +0200
+++ b/Modules/_json.c   2014-07-15 15:38:37.335605042 +0200
+@@ -1491,7 +1491,7 @@ scan_once_str(PyScannerObject *s, PyObje
+     PyObject *res;
+     char *str = PyString_AS_STRING(pystr);
+     Py_ssize_t length = PyString_GET_SIZE(pystr);
+-    if (idx >= length) {
+    if ( idx < 0 || idx >= length) {
+         PyErr_SetNone(PyExc_StopIteration);
+         return NULL;
+     }
+@@ -1578,7 +1578,7 @@ scan_once_unicode(PyScannerObject *s, Py
+     PyObject *res;
+     Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr);
+     Py_ssize_t length = PyUnicode_GET_SIZE(pystr);
+-    if (idx >= length) {
+    if ( idx < 0 || idx >= length) {
+         PyErr_SetNone(PyExc_StopIteration);
+         return NULL;
+     }
diff --git a/meta/recipes-devtools/python/python_2.7.3.bb b/meta/recipes-devtools/python/python_2.7.3.bb
index 0d641720f1..bbe16eb5d2 100644
--- a/meta/recipes-devtools/python/python_2.7.3.bb
+++ b/meta/recipes-devtools/python/python_2.7.3.bb
@@ -36,6 +36,7 @@ SRC_URI += "\
  file://python-2.7.3-CVE-2013-1752-smtplib-fix.patch \
  file://python-fix-build-error-with-Readline-6.3.patch \
  file://python-2.7.3-CVE-2014-1912.patch \
+  file://json-flaw-CVE-2014-4616.patch \
 "
 S = "${WORKDIR}/Python-${PV}"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2014-11-26 13:49:06 +0100
committer	Tudor Florea <tudor.florea@enea.com>	2015-07-06 20:19:38 +0200
commit	4ec7570ee9c2226cfa0341c7e0b35362b7b68278 (patch)
tree	f6669d7fd5bfaf05bb295e1e24501de091da3456
parent	8364d34ae4a1ee0c7645bf0c338ebc297a1f6bdd (diff)
download	poky-4ec7570ee9c2226cfa0341c7e0b35362b7b68278.tar.gz

diff --git a/meta/recipes-devtools/python/python/json-flaw-CVE-2014-4616.patch b/meta/recipes-devtools/python/python/json-flaw-CVE-2014-4616.patch new file mode 100644 index 0000000000..e9a6cca017 --- /dev/null +++ b/meta/recipes-devtools/python/python/json-flaw-CVE-2014-4616.patch
@@ -0,0 +1,27 @@
		1
		2	python: fix _json module arbitrary process memory read vulnerability
		3
		4	Upstream-Status: submitted
		5
		6	Signed-off-by: Daniel BORNAZ <daniel.bornaz@enea.com>
		7
		8	--- a/Modules/_json.c 2014-07-15 15:37:17.151046356 +0200
		9	+++ b/Modules/_json.c 2014-07-15 15:38:37.335605042 +0200
		10	@@ -1491,7 +1491,7 @@ scan_once_str(PyScannerObject *s, PyObje
		11	PyObject *res;
		12	char *str = PyString_AS_STRING(pystr);
		13	Py_ssize_t length = PyString_GET_SIZE(pystr);
		14	- if (idx >= length) {
		15	+ if ( idx < 0 \|\| idx >= length) {
		16	PyErr_SetNone(PyExc_StopIteration);
		17	return NULL;
		18	}
		19	@@ -1578,7 +1578,7 @@ scan_once_unicode(PyScannerObject *s, Py
		20	PyObject *res;
		21	Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr);
		22	Py_ssize_t length = PyUnicode_GET_SIZE(pystr);
		23	- if (idx >= length) {
		24	+ if ( idx < 0 \|\| idx >= length) {
		25	PyErr_SetNone(PyExc_StopIteration);
		26	return NULL;
		27	}


diff --git a/meta/recipes-devtools/python/python_2.7.3.bb b/meta/recipes-devtools/python/python_2.7.3.bb index 0d641720f1..bbe16eb5d2 100644 --- a/meta/recipes-devtools/python/python_2.7.3.bb +++ b/meta/recipes-devtools/python/python_2.7.3.bb
@@ -36,6 +36,7 @@ SRC_URI += "\
36	file://python-2.7.3-CVE-2013-1752-smtplib-fix.patch \	36	file://python-2.7.3-CVE-2013-1752-smtplib-fix.patch \
37	file://python-fix-build-error-with-Readline-6.3.patch \	37	file://python-fix-build-error-with-Readline-6.3.patch \
38	file://python-2.7.3-CVE-2014-1912.patch \	38	file://python-2.7.3-CVE-2014-1912.patch \
		39	file://json-flaw-CVE-2014-4616.patch \
39	"	40	"
40		41
41	S = "${WORKDIR}/Python-${PV}"	42	S = "${WORKDIR}/Python-${PV}"