diff options
author | Joe Slater <joe.slater@windriver.com> | 2022-12-07 14:55:03 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-12-13 15:23:34 +0000 |
commit | eea9ca003fdc971dc13b545c4b7949f06e1beae8 (patch) | |
tree | fb2b026d9ae56b18e7bfc8864075c97b8ae61536 | |
parent | d513c3043bb0e71f563f06cbf98ac51e9e835391 (diff) | |
download | poky-eea9ca003fdc971dc13b545c4b7949f06e1beae8.tar.gz |
python3: advance to version 3.10.8
Fixes CVE-2022-37460. Also add patch to fix CVE-2022-37454.
(From OE-Core rev: b446dd69b79783ea232514e1c5212595ec28e553)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/python/python3/cve-2022-37454.patch | 108 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python3_3.10.8.bb (renamed from meta/recipes-devtools/python/python3_3.10.7.bb) | 4 |
2 files changed, 110 insertions, 2 deletions
diff --git a/meta/recipes-devtools/python/python3/cve-2022-37454.patch b/meta/recipes-devtools/python/python3/cve-2022-37454.patch new file mode 100644 index 0000000000..c019151a64 --- /dev/null +++ b/meta/recipes-devtools/python/python3/cve-2022-37454.patch | |||
@@ -0,0 +1,108 @@ | |||
1 | From 1f66b714c5f2fef80ec5389456ac31756dbfff0e Mon Sep 17 00:00:00 2001 | ||
2 | From: Theo Buehler <botovq@users.noreply.github.com> | ||
3 | Date: Fri, 21 Oct 2022 21:26:01 +0200 | ||
4 | Subject: [PATCH] gh-98517: Fix buffer overflows in _sha3 module (#98519) | ||
5 | |||
6 | This is a port of the applicable part of XKCP's fix [1] for | ||
7 | CVE-2022-37454 and avoids the segmentation fault and the infinite | ||
8 | loop in the test cases published in [2]. | ||
9 | |||
10 | [1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a | ||
11 | [2]: https://mouha.be/sha-3-buffer-overflow/ | ||
12 | |||
13 | Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org> | ||
14 | --- | ||
15 | |||
16 | Patch applied without modification. | ||
17 | |||
18 | CVE: CVE-2022-37454 | ||
19 | |||
20 | Upstream-Status: Backport [github.com/cpython/cpython.git 0e4e058602d...] | ||
21 | |||
22 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | ||
23 | --- | ||
24 | Lib/test/test_hashlib.py | 9 +++++++++ | ||
25 | .../2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst | 1 + | ||
26 | Modules/_sha3/kcp/KeccakSponge.inc | 15 ++++++++------- | ||
27 | 3 files changed, 18 insertions(+), 7 deletions(-) | ||
28 | create mode 100644 Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst | ||
29 | |||
30 | diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py | ||
31 | index ea31f8b..65330e1 100644 | ||
32 | --- a/Lib/test/test_hashlib.py | ||
33 | +++ b/Lib/test/test_hashlib.py | ||
34 | @@ -491,6 +491,15 @@ class HashLibTestCase(unittest.TestCase): | ||
35 | def test_case_md5_uintmax(self, size): | ||
36 | self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3') | ||
37 | |||
38 | + @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems') | ||
39 | + @bigmemtest(size=_4G - 1, memuse=1, dry_run=False) | ||
40 | + def test_sha3_update_overflow(self, size): | ||
41 | + """Regression test for gh-98517 CVE-2022-37454.""" | ||
42 | + h = hashlib.sha3_224() | ||
43 | + h.update(b'\x01') | ||
44 | + h.update(b'\x01'*0xffff_ffff) | ||
45 | + self.assertEqual(h.hexdigest(), '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed') | ||
46 | + | ||
47 | # use the three examples from Federal Information Processing Standards | ||
48 | # Publication 180-1, Secure Hash Standard, 1995 April 17 | ||
49 | # http://www.itl.nist.gov/div897/pubs/fip180-1.htm | ||
50 | diff --git a/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst | ||
51 | new file mode 100644 | ||
52 | index 0000000..2d23a6a | ||
53 | --- /dev/null | ||
54 | +++ b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst | ||
55 | @@ -0,0 +1 @@ | ||
56 | +Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454). | ||
57 | diff --git a/Modules/_sha3/kcp/KeccakSponge.inc b/Modules/_sha3/kcp/KeccakSponge.inc | ||
58 | index e10739d..cf92e4d 100644 | ||
59 | --- a/Modules/_sha3/kcp/KeccakSponge.inc | ||
60 | +++ b/Modules/_sha3/kcp/KeccakSponge.inc | ||
61 | @@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat | ||
62 | i = 0; | ||
63 | curData = data; | ||
64 | while(i < dataByteLen) { | ||
65 | - if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) { | ||
66 | + if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) { | ||
67 | #ifdef SnP_FastLoop_Absorb | ||
68 | /* processing full blocks first */ | ||
69 | |||
70 | @@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat | ||
71 | } | ||
72 | else { | ||
73 | /* normal lane: using the message queue */ | ||
74 | - | ||
75 | - partialBlock = (unsigned int)(dataByteLen - i); | ||
76 | - if (partialBlock+instance->byteIOIndex > rateInBytes) | ||
77 | + if (dataByteLen-i > rateInBytes-instance->byteIOIndex) | ||
78 | partialBlock = rateInBytes-instance->byteIOIndex; | ||
79 | + else | ||
80 | + partialBlock = (unsigned int)(dataByteLen - i); | ||
81 | #ifdef KeccakReference | ||
82 | displayBytes(1, "Block to be absorbed (part)", curData, partialBlock); | ||
83 | #endif | ||
84 | @@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte | ||
85 | i = 0; | ||
86 | curData = data; | ||
87 | while(i < dataByteLen) { | ||
88 | - if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) { | ||
89 | + if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) { | ||
90 | for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) { | ||
91 | SnP_Permute(instance->state); | ||
92 | SnP_ExtractBytes(instance->state, curData, 0, rateInBytes); | ||
93 | @@ -299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte | ||
94 | SnP_Permute(instance->state); | ||
95 | instance->byteIOIndex = 0; | ||
96 | } | ||
97 | - partialBlock = (unsigned int)(dataByteLen - i); | ||
98 | - if (partialBlock+instance->byteIOIndex > rateInBytes) | ||
99 | + if (dataByteLen-i > rateInBytes-instance->byteIOIndex) | ||
100 | partialBlock = rateInBytes-instance->byteIOIndex; | ||
101 | + else | ||
102 | + partialBlock = (unsigned int)(dataByteLen - i); | ||
103 | i += partialBlock; | ||
104 | |||
105 | SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock); | ||
106 | -- | ||
107 | 2.32.0 | ||
108 | |||
diff --git a/meta/recipes-devtools/python/python3_3.10.7.bb b/meta/recipes-devtools/python/python3_3.10.8.bb index 2d230793ef..8963ce6dd2 100644 --- a/meta/recipes-devtools/python/python3_3.10.7.bb +++ b/meta/recipes-devtools/python/python3_3.10.8.bb | |||
@@ -4,7 +4,7 @@ DESCRIPTION = "Python is a programming language that lets you work more quickly | |||
4 | LICENSE = "PSF-2.0" | 4 | LICENSE = "PSF-2.0" |
5 | SECTION = "devel/python" | 5 | SECTION = "devel/python" |
6 | 6 | ||
7 | LIC_FILES_CHKSUM = "file://LICENSE;md5=4b8801e752a2c70ac41a5f9aa243f766" | 7 | LIC_FILES_CHKSUM = "file://LICENSE;md5=a1822df8d0f068628ca6090aedc5bfc8" |
8 | 8 | ||
9 | SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ | 9 | SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ |
10 | file://run-ptest \ | 10 | file://run-ptest \ |
@@ -44,7 +44,7 @@ SRC_URI:append:class-native = " \ | |||
44 | file://12-distutils-prefix-is-inside-staging-area.patch \ | 44 | file://12-distutils-prefix-is-inside-staging-area.patch \ |
45 | file://0001-Don-t-search-system-for-headers-libraries.patch \ | 45 | file://0001-Don-t-search-system-for-headers-libraries.patch \ |
46 | " | 46 | " |
47 | SRC_URI[sha256sum] = "6eed8415b7516fb2f260906db5d48dd4c06acc0cb24a7d6cc15296a604dcdc48" | 47 | SRC_URI[sha256sum] = "6a30ecde59c47048013eb5a658c9b5dec277203d2793667f578df7671f7f03f3" |
48 | 48 | ||
49 | # exclude pre-releases for both python 2.x and 3.x | 49 | # exclude pre-releases for both python 2.x and 3.x |
50 | UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" | 50 | UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" |