python: Backport CVE-2013-1752 fix from upstream

Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Tudor Florea <tudor.florea@enea.com> 2015-09-22 01:38:33 +0200
committer: Tudor Florea <tudor.florea@enea.com> 2015-10-22 05:43:46 +0200
commit: 15f68138d4d0ff56704217369facc8baf03783a5 (patch)
tree: a19ad8e95a548fead58157cea6204b5eb6815237 /meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-ftplib-fix.patch
parent: ff46766bf74cb96e103715de232c3cf09a69616e (diff)
download: poky-15f68138d4d0ff56704217369facc8baf03783a5.tar.gz
1 files changed, 149 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-ftplib-fix.patch b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-ftplib-fix.patch
new file mode 100644
index 0000000000..97c890e777
--- /dev/null
+++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-ftplib-fix.patch
@@ -0,0 +1,149 @@
+# HG changeset patch
+# User Serhiy Storchaka <storchaka@gmail.com>
+# Date 1382277427 -10800
+# Node ID 44ac81e6d584758ee56a865a7c18d82505be0643
+# Parent  625ece68d79a27d376889579c414ed4b2d8a2649
+Issue #16038: CVE-2013-1752: ftplib: Limit amount of data read by
+limiting the call to readline().  Original patch by Michał
+Jastrzębski and Giampaolo Rodola.
+diff --git a/Lib/ftplib.py b/Lib/ftplib.py
+--- a/Lib/ftplib.py
+++ b/Lib/ftplib.py
+@@ -55,6 +55,8 @@ MSG_OOB = 0x1                           
+ 
+ # The standard FTP server control port
+ FTP_PORT = 21
+# The sizehint parameter passed to readline() calls
+MAXLINE = 8192
+ 
+ 
+ # Exception raised when an error or invalid response is received
+@@ -101,6 +103,7 @@ class FTP:
+     debugging = 0
+     host = ''
+     port = FTP_PORT
+    maxline = MAXLINE
+     sock = None
+     file = None
+     welcome = None
+@@ -180,7 +183,9 @@ class FTP:
+     # Internal: return one line from the server, stripping CRLF.
+     # Raise EOFError if the connection is closed
+     def getline(self):
+-        line = self.file.readline()
+        line = self.file.readline(self.maxline + 1)
+        if len(line) > self.maxline:
+            raise Error("got more than %d bytes" % self.maxline)
+         if self.debugging > 1:
+             print '*get*', self.sanitize(line)
+         if not line: raise EOFError
+@@ -432,7 +437,9 @@ class FTP:
+         conn = self.transfercmd(cmd)
+         fp = conn.makefile('rb')
+         while 1:
+-            line = fp.readline()
+            line = fp.readline(self.maxline + 1)
+            if len(line) > self.maxline:
+                raise Error("got more than %d bytes" % self.maxline)
+             if self.debugging > 2: print '*retr*', repr(line)
+             if not line:
+                 break
+@@ -485,7 +492,9 @@ class FTP:
+         self.voidcmd('TYPE A')
+         conn = self.transfercmd(cmd)
+         while 1:
+-            buf = fp.readline()
+            buf = fp.readline(self.maxline + 1)
+            if len(buf) > self.maxline:
+                raise Error("got more than %d bytes" % self.maxline)
+             if not buf: break
+             if buf[-2:] != CRLF:
+                 if buf[-1] in CRLF: buf = buf[:-1]
+@@ -710,7 +719,9 @@ else:
+             fp = conn.makefile('rb')
+             try:
+                 while 1:
+-                    line = fp.readline()
+                    line = fp.readline(self.maxline + 1)
+                    if len(line) > self.maxline:
+                        raise Error("got more than %d bytes" % self.maxline)
+                     if self.debugging > 2: print '*retr*', repr(line)
+                     if not line:
+                         break
+@@ -748,7 +759,9 @@ else:
+             conn = self.transfercmd(cmd)
+             try:
+                 while 1:
+-                    buf = fp.readline()
+                    buf = fp.readline(self.maxline + 1)
+                    if len(buf) > self.maxline:
+                        raise Error("got more than %d bytes" % self.maxline)
+                     if not buf: break
+                     if buf[-2:] != CRLF:
+                         if buf[-1] in CRLF: buf = buf[:-1]
+@@ -905,7 +918,9 @@ class Netrc:
+         fp = open(filename, "r")
+         in_macro = 0
+         while 1:
+-            line = fp.readline()
+            line = fp.readline(self.maxline + 1)
+            if len(line) > self.maxline:
+                raise Error("got more than %d bytes" % self.maxline)
+             if not line: break
+             if in_macro and line.strip():
+                 macro_lines.append(line)
+diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py
+--- a/Lib/test/test_ftplib.py
+++ b/Lib/test/test_ftplib.py
+@@ -65,6 +65,7 @@ class DummyFTPHandler(asynchat.async_cha
+         self.last_received_data = ''
+         self.next_response = ''
+         self.rest = None
+        self.next_retr_data = RETR_DATA
+         self.push('220 welcome')
+ 
+     def collect_incoming_data(self, data):
+@@ -189,7 +190,7 @@ class DummyFTPHandler(asynchat.async_cha
+             offset = int(self.rest)
+         else:
+             offset = 0
+-        self.dtp.push(RETR_DATA[offset:])
+        self.dtp.push(self.next_retr_data[offset:])
+         self.dtp.close_when_done()
+         self.rest = None
+ 
+@@ -203,6 +204,11 @@ class DummyFTPHandler(asynchat.async_cha
+         self.dtp.push(NLST_DATA)
+         self.dtp.close_when_done()
+ 
+    def cmd_setlongretr(self, arg):
+        # For testing. Next RETR will return long line.
+        self.next_retr_data = 'x' * int(arg)
+        self.push('125 setlongretr ok')
+
+ 
+ class DummyFTPServer(asyncore.dispatcher, threading.Thread):
+ 
+@@ -558,6 +564,20 @@ class TestFTPClass(TestCase):
+         # IPv4 is in use, just make sure send_epsv has not been used
+         self.assertEqual(self.server.handler.last_received_cmd, 'pasv')
+ 
+    def test_line_too_long(self):
+        self.assertRaises(ftplib.Error, self.client.sendcmd,
+                          'x' * self.client.maxline * 2)
+
+    def test_retrlines_too_long(self):
+        self.client.sendcmd('SETLONGRETR %d' % (self.client.maxline * 2))
+        received = []
+        self.assertRaises(ftplib.Error,
+                          self.client.retrlines, 'retr', received.append)
+
+    def test_storlines_too_long(self):
+        f = StringIO.StringIO('x' * self.client.maxline * 2)
+        self.assertRaises(ftplib.Error, self.client.storlines, 'stor', f)
+
+ 
+ class TestIPv6Environment(TestCase):
+
author	Tudor Florea <tudor.florea@enea.com>	2015-09-22 01:38:33 +0200
committer	Tudor Florea <tudor.florea@enea.com>	2015-10-22 05:43:46 +0200
commit	15f68138d4d0ff56704217369facc8baf03783a5 (patch)
tree	a19ad8e95a548fead58157cea6204b5eb6815237 /meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-ftplib-fix.patch
parent	ff46766bf74cb96e103715de232c3cf09a69616e (diff)
download	poky-15f68138d4d0ff56704217369facc8baf03783a5.tar.gz

diff --git a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-ftplib-fix.patch b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-ftplib-fix.patch new file mode 100644 index 0000000000..97c890e777 --- /dev/null +++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-ftplib-fix.patch
@@ -0,0 +1,149 @@
	1
	2	# HG changeset patch
	3	# User Serhiy Storchaka <storchaka@gmail.com>
	4	# Date 1382277427 -10800
	5	# Node ID 44ac81e6d584758ee56a865a7c18d82505be0643
	6	# Parent 625ece68d79a27d376889579c414ed4b2d8a2649
	7	Issue #16038: CVE-2013-1752: ftplib: Limit amount of data read by
	8	limiting the call to readline(). Original patch by Michał
	9	Jastrzębski and Giampaolo Rodola.
	10
	11	diff --git a/Lib/ftplib.py b/Lib/ftplib.py
	12	--- a/Lib/ftplib.py
	13	+++ b/Lib/ftplib.py
	14	@@ -55,6 +55,8 @@ MSG_OOB = 0x1
	15
	16	# The standard FTP server control port
	17	FTP_PORT = 21
	18	+# The sizehint parameter passed to readline() calls
	19	+MAXLINE = 8192
	20
	21
	22	# Exception raised when an error or invalid response is received
	23	@@ -101,6 +103,7 @@ class FTP:
	24	debugging = 0
	25	host = ''
	26	port = FTP_PORT
	27	+ maxline = MAXLINE
	28	sock = None
	29	file = None
	30	welcome = None
	31	@@ -180,7 +183,9 @@ class FTP:
	32	# Internal: return one line from the server, stripping CRLF.
	33	# Raise EOFError if the connection is closed
	34	def getline(self):
	35	- line = self.file.readline()
	36	+ line = self.file.readline(self.maxline + 1)
	37	+ if len(line) > self.maxline:
	38	+ raise Error("got more than %d bytes" % self.maxline)
	39	if self.debugging > 1:
	40	print 'get', self.sanitize(line)
	41	if not line: raise EOFError
	42	@@ -432,7 +437,9 @@ class FTP:
	43	conn = self.transfercmd(cmd)
	44	fp = conn.makefile('rb')
	45	while 1:
	46	- line = fp.readline()
	47	+ line = fp.readline(self.maxline + 1)
	48	+ if len(line) > self.maxline:
	49	+ raise Error("got more than %d bytes" % self.maxline)
	50	if self.debugging > 2: print 'retr', repr(line)
	51	if not line:
	52	break
	53	@@ -485,7 +492,9 @@ class FTP:
	54	self.voidcmd('TYPE A')
	55	conn = self.transfercmd(cmd)
	56	while 1:
	57	- buf = fp.readline()
	58	+ buf = fp.readline(self.maxline + 1)
	59	+ if len(buf) > self.maxline:
	60	+ raise Error("got more than %d bytes" % self.maxline)
	61	if not buf: break
	62	if buf[-2:] != CRLF:
	63	if buf[-1] in CRLF: buf = buf[:-1]
	64	@@ -710,7 +719,9 @@ else:
	65	fp = conn.makefile('rb')
	66	try:
	67	while 1:
	68	- line = fp.readline()
	69	+ line = fp.readline(self.maxline + 1)
	70	+ if len(line) > self.maxline:
	71	+ raise Error("got more than %d bytes" % self.maxline)
	72	if self.debugging > 2: print 'retr', repr(line)
	73	if not line:
	74	break
	75	@@ -748,7 +759,9 @@ else:
	76	conn = self.transfercmd(cmd)
	77	try:
	78	while 1:
	79	- buf = fp.readline()
	80	+ buf = fp.readline(self.maxline + 1)
	81	+ if len(buf) > self.maxline:
	82	+ raise Error("got more than %d bytes" % self.maxline)
	83	if not buf: break
	84	if buf[-2:] != CRLF:
	85	if buf[-1] in CRLF: buf = buf[:-1]
	86	@@ -905,7 +918,9 @@ class Netrc:
	87	fp = open(filename, "r")
	88	in_macro = 0
	89	while 1:
	90	- line = fp.readline()
	91	+ line = fp.readline(self.maxline + 1)
	92	+ if len(line) > self.maxline:
	93	+ raise Error("got more than %d bytes" % self.maxline)
	94	if not line: break
	95	if in_macro and line.strip():
	96	macro_lines.append(line)
	97	diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py
	98	--- a/Lib/test/test_ftplib.py
	99	+++ b/Lib/test/test_ftplib.py
	100	@@ -65,6 +65,7 @@ class DummyFTPHandler(asynchat.async_cha
	101	self.last_received_data = ''
	102	self.next_response = ''
	103	self.rest = None
	104	+ self.next_retr_data = RETR_DATA
	105	self.push('220 welcome')
	106
	107	def collect_incoming_data(self, data):
	108	@@ -189,7 +190,7 @@ class DummyFTPHandler(asynchat.async_cha
	109	offset = int(self.rest)
	110	else:
	111	offset = 0
	112	- self.dtp.push(RETR_DATA[offset:])
	113	+ self.dtp.push(self.next_retr_data[offset:])
	114	self.dtp.close_when_done()
	115	self.rest = None
	116
	117	@@ -203,6 +204,11 @@ class DummyFTPHandler(asynchat.async_cha
	118	self.dtp.push(NLST_DATA)
	119	self.dtp.close_when_done()
	120
	121	+ def cmd_setlongretr(self, arg):
	122	+ # For testing. Next RETR will return long line.
	123	+ self.next_retr_data = 'x' * int(arg)
	124	+ self.push('125 setlongretr ok')
	125	+
	126
	127	class DummyFTPServer(asyncore.dispatcher, threading.Thread):
	128
	129	@@ -558,6 +564,20 @@ class TestFTPClass(TestCase):
	130	# IPv4 is in use, just make sure send_epsv has not been used
	131	self.assertEqual(self.server.handler.last_received_cmd, 'pasv')
	132
	133	+ def test_line_too_long(self):
	134	+ self.assertRaises(ftplib.Error, self.client.sendcmd,
	135	+ 'x' * self.client.maxline * 2)
	136	+
	137	+ def test_retrlines_too_long(self):
	138	+ self.client.sendcmd('SETLONGRETR %d' % (self.client.maxline * 2))
	139	+ received = []
	140	+ self.assertRaises(ftplib.Error,
	141	+ self.client.retrlines, 'retr', received.append)
	142	+
	143	+ def test_storlines_too_long(self):
	144	+ f = StringIO.StringIO('x' * self.client.maxline * 2)
	145	+ self.assertRaises(ftplib.Error, self.client.storlines, 'stor', f)
	146	+
	147
	148	class TestIPv6Environment(TestCase):
	149