author | Anuj Mittal <anuj.mittal@intel.com> | 2021-02-01 13:01:33 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-02-03 21:45:49 +0000 |
commit | 90ae07586743ee43163edd4cc5e7254427e3e7f1 (patch) | |
tree | 3f459c96091235efeadcca7a3a269d5637d9fae6 | |
parent | 0960f15dd8fc49c35f1abba29ce87373559381e0 (diff) | |
python3: fix CVE-2021-3177
(From OE-Core rev: 2ed4f61e9d694fef8ff72b8eeb2163634e96c3bb)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/python/python3/CVE-2021-3177.patch | 191 | ||||
-rw-r--r-- | meta/recipes-devtools/python/python3_3.9.1.bb | 1 |
2 files changed, 192 insertions, 0 deletions
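--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2021-3177.patch
@@ -0,0 +1,191 @@
+From c347cbe694743cee120457aa6626712f7799a932 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+<31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 18 Jan 2021 13:29:31 -0800
+Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode
+formatting in ctypes param reprs. (GH-24247)
+
+(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7)
+
+Co-authored-by: Benjamin Peterson <benjamin@python.org>
+
+Co-authored-by: Benjamin Peterson <benjamin@python.org>
+
+CVE: CVE-2021-3177
+Upstream-Status: Backport [https://github.com/python/cpython/commit/c347cbe694743cee120457aa6626712f7799a932]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++
+.../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 +
+Modules/_ctypes/callproc.c | 51 +++++++------------
+3 files changed, 64 insertions(+), 32 deletions(-)
+create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+
+diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py
+index e4c25fd880cef..531894fdec838 100644
+--- a/Lib/ctypes/test/test_parameters.py
++++ b/Lib/ctypes/test/test_parameters.py
+@@ -201,6 +201,49 @@ def __dict__(self):
+with self.assertRaises(ZeroDivisionError):
+WorseStruct().__setstate__({}, b'foo')
+
++ def test_parameter_repr(self):
++ from ctypes import (
++ c_bool,
++ c_char,
++ c_wchar,
++ c_byte,
++ c_ubyte,
++ c_short,
++ c_ushort,
++ c_int,
++ c_uint,
++ c_long,
++ c_ulong,
++ c_longlong,
++ c_ulonglong,
++ c_float,
++ c_double,
++ c_longdouble,
++ c_char_p,
++ c_wchar_p,
++ c_void_p,
++ )
++ self.assertRegex(repr(c_bool.from_param(True)), r"^<cparam '\?' at 0x[A-Fa-f0-9]+>$")
++ self.assertEqual(repr(c_char.from_param(97)), "<cparam 'c' ('a')>")
++ self.assertRegex(repr(c_wchar.from_param('a')), r"^<cparam 'u' at 0x[A-Fa-f0-9]+>$")
++ self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>")
++ self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>")
++ self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511)>")
++ self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (511)>")
++ self.assertRegex(repr(c_int.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
++ self.assertRegex(repr(c_uint.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
++ self.assertRegex(repr(c_long.from_param(20000)), r"^<cparam '[li]' \(20000\)>$")
++ self.assertRegex(repr(c_ulong.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$")
++ self.assertRegex(repr(c_longlong.from_param(20000)), r"^<cparam '[liq]' \(20000\)>$")
++ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^<cparam '[LIQ]' \(20000\)>$")
++ self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5)>")
++ self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.5)>")
++ self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (1e+300)>")
++ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^<cparam ('d' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$")
++ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$")
++ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z' \(0x[A-Fa-f0-9]+\)>$")
++ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' \(0x0*12\)>$")
++
+################################################################
+
+if __name__ == '__main__':
+diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+new file mode 100644
+index 0000000000000..7df65a156feab
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst
+@@ -0,0 +1,2 @@
++Avoid static buffers when computing the repr of :class:`ctypes.c_double` and
++:class:`ctypes.c_longdouble` values.
+diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c
+index b0a36a30248f7..f2506de54498e 100644
+--- a/Modules/_ctypes/callproc.c
++++ b/Modules/_ctypes/callproc.c
+@@ -489,58 +489,47 @@ is_literal_char(unsigned char c)
+static PyObject *
+PyCArg_repr(PyCArgObject *self)
+{
+- char buffer[256];
+switch(self->tag) {
+case 'b':
+case 'B':
+- sprintf(buffer, "<cparam '%c' (%d)>",
++ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+self->tag, self->value.b);
+- break;
+case 'h':
+case 'H':
+- sprintf(buffer, "<cparam '%c' (%d)>",
++ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+self->tag, self->value.h);
+- break;
+case 'i':
+case 'I':
+- sprintf(buffer, "<cparam '%c' (%d)>",
++ return PyUnicode_FromFormat("<cparam '%c' (%d)>",
+self->tag, self->value.i);
+- break;
+case 'l':
+case 'L':
+- sprintf(buffer, "<cparam '%c' (%ld)>",
++ return PyUnicode_FromFormat("<cparam '%c' (%ld)>",
+self->tag, self->value.l);
+- break;
+
+case 'q':
+case 'Q':
+- sprintf(buffer,
+-#ifdef MS_WIN32
+- "<cparam '%c' (%I64d)>",
+-#else
+- "<cparam '%c' (%lld)>",
+-#endif
++ return PyUnicode_FromFormat("<cparam '%c' (%lld)>",
+self->tag, self->value.q);
+- break;
+case 'd':
+- sprintf(buffer, "<cparam '%c' (%f)>",
+- self->tag, self->value.d);
+- break;
+- case 'f':
+- sprintf(buffer, "<cparam '%c' (%f)>",
+- self->tag, self->value.f);
+- break;
+-
++ case 'f': {
++ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d);
++ if (f == NULL) {
++ return NULL;
++ }
++ PyObject *result = PyUnicode_FromFormat("<cparam '%c' (%R)>", self->tag, f);
++ Py_DECREF(f);
++ return result;
++ }
+case 'c':
+if (is_literal_char((unsigned char)self->value.c)) {
+- sprintf(buffer, "<cparam '%c' ('%c')>",
++ return PyUnicode_FromFormat("<cparam '%c' ('%c')>",
+self->tag, self->value.c);
+}
+else {
+- sprintf(buffer, "<cparam '%c' ('\\x%02x')>",
++ return PyUnicode_FromFormat("<cparam '%c' ('\\x%02x')>",
+self->tag, (unsigned char)self->value.c);
+}
+- break;
+
+/* Hm, are these 'z' and 'Z' codes useful at all?
+Shouldn't they be replaced by the functionality of c_string
+@@ -549,22 +538,20 @@ PyCArg_repr(PyCArgObject *self)
+case 'z':
+case 'Z':
+case 'P':
+- sprintf(buffer, "<cparam '%c' (%p)>",
++ return PyUnicode_FromFormat("<cparam '%c' (%p)>",
+self->tag, self->value.p);
+break;
+
+default:
+if (is_literal_char((unsigned char)self->tag)) {
+- sprintf(buffer, "<cparam '%c' at %p>",
++ return PyUnicode_FromFormat("<cparam '%c' at %p>",
+(unsigned char)self->tag, (void *)self);
+}
+else {
+- sprintf(buffer, "<cparam 0x%02x at %p>",
++ return PyUnicode_FromFormat("<cparam 0x%02x at %p>",
+(unsigned char)self->tag, (void *)self);
+}
+- break;
+}
+- return PyUnicode_FromString(buffer);
+}
+
+static PyMemberDef PyCArgType_members[] = {
+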
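Review bot: The `c_char_p` and `c_wchar_p` assertions at lines 71–72 of the added patch pass ordinary string literals containing `\(` and `\)` as the pattern, where every other `assertRegex` call in `test_parameter_repr` uses a raw string; Python flags these as invalid escape sequences, and the patterns match only because the unknown escape is kept as written. The pattern would read `r"^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$"`, and likewise for `'Z'`. In `PyCArg_repr`, the `break;` left after the new `return` in the `'z'`/`'Z'`/`'P'` case (patch line 172) is now unreachable and could be dropped. Both come unchanged from the upstream commit named in `Upstream-Status`, so if this backport is meant to stay identical to upstream they are better corrected there than in this layer.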
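--- a/meta/recipes-devtools/python/python3_3.9.1.bb
+++ b/meta/recipes-devtools/python/python3_3.9.1.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
 file://0001-Makefile-do-not-compile-.pyc-in-parallel.patch \
 file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
 file://0001-Lib-sysconfig.py-use-libdir-values-from-configuratio.patch \
+file://CVE-2021-3177.patch \
 "
 
 SRC_URI_append_class-native = " \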