python: Backport CVE-2013-1752 fix from upstream

Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Tudor Florea <tudor.florea@enea.com> 2015-09-22 01:38:33 +0200
committer: Tudor Florea <tudor.florea@enea.com> 2015-10-22 05:43:46 +0200
commit: 15f68138d4d0ff56704217369facc8baf03783a5 (patch)
tree: a19ad8e95a548fead58157cea6204b5eb6815237 /meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-nntplib-fix.patch
parent: ff46766bf74cb96e103715de232c3cf09a69616e (diff)
download: poky-15f68138d4d0ff56704217369facc8baf03783a5.tar.gz
1 files changed, 105 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-nntplib-fix.patch b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-nntplib-fix.patch
new file mode 100644
index 0000000000..443e137ea5
--- /dev/null
+++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-nntplib-fix.patch
@@ -0,0 +1,105 @@
+Upstream-Status: Backport
+CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to prevent 
+readline() calls from consuming too much memory. 
+Patch by Jyrki Pulliainen.
+Signed-off-by: Tudor Florea <tudor.florea@enea.com>
+diff -r 936621d33c38 Lib/nntplib.py
+--- a/Lib/nntplib.py    Wed Feb 20 18:19:55 2013 -0500
+++ b/Lib/nntplib.py    Mon Sep 30 23:42:09 2013 +0200
+@@ -37,6 +37,13 @@
+            "error_reply","error_temp","error_perm","error_proto",
+            "error_data",]
+ 
+# maximal line length when calling readline(). This is to prevent
+# reading arbitrary length lines. RFC 3977 limits NNTP line length to
+# 512 characters, including CRLF. We have selected 2048 just to be on
+# the safe side.
+_MAXLINE = 2048
+
+
+ # Exceptions raised when an error or invalid response is received
+ class NNTPError(Exception):
+     """Base class for all nntplib exceptions"""
+@@ -200,7 +207,9 @@
+     def getline(self):
+         """Internal: return one line from the server, stripping CRLF.
+         Raise EOFError if the connection is closed."""
+-        line = self.file.readline()
+        line = self.file.readline(_MAXLINE + 1)
+        if len(line) > _MAXLINE:
+            raise NNTPProtocolError('line too long')
+         if self.debugging > 1:
+             print '*get*', repr(line)
+         if not line: raise EOFError
+diff -r 936621d33c38 Lib/test/test_nntplib.py
+--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/Lib/test/test_nntplib.py  Mon Sep 30 23:42:09 2013 +0200
+@@ -0,0 +1,65 @@
+import socket
+import threading
+import nntplib
+import time
+
+from unittest import TestCase
+from test import test_support
+
+HOST = test_support.HOST
+
+
+def server(evt, serv, evil=False):
+    serv.listen(5)
+    try:
+        conn, addr = serv.accept()
+    except socket.timeout:
+        pass
+    else:
+        if evil:
+            conn.send("1 I'm too long response" * 3000 + "\n")
+        else:
+            conn.send("1 I'm OK response\n")
+        conn.close()
+    finally:
+        serv.close()
+        evt.set()
+
+
+class BaseServerTest(TestCase):
+    def setUp(self):
+        self.evt = threading.Event()
+        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        self.sock.settimeout(3)
+        self.port = test_support.bind_port(self.sock)
+        threading.Thread(
+            target=server,
+            args=(self.evt, self.sock, self.evil)).start()
+        time.sleep(.1)
+
+    def tearDown(self):
+        self.evt.wait()
+
+
+class ServerTests(BaseServerTest):
+    evil = False
+
+    def test_basic_connect(self):
+        nntp = nntplib.NNTP('localhost', self.port)
+        nntp.sock.close()
+
+
+class EvilServerTests(BaseServerTest):
+    evil = True
+
+    def test_too_long_line(self):
+        self.assertRaises(nntplib.NNTPProtocolError,
+                          nntplib.NNTP, 'localhost', self.port)
+
+
+def test_main(verbose=None):
+    test_support.run_unittest(EvilServerTests)
+    test_support.run_unittest(ServerTests)
+
+if __name__ == '__main__':
+    test_main()
author	Tudor Florea <tudor.florea@enea.com>	2015-09-22 01:38:33 +0200
committer	Tudor Florea <tudor.florea@enea.com>	2015-10-22 05:43:46 +0200
commit	15f68138d4d0ff56704217369facc8baf03783a5 (patch)
tree	a19ad8e95a548fead58157cea6204b5eb6815237 /meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-nntplib-fix.patch
parent	ff46766bf74cb96e103715de232c3cf09a69616e (diff)
download	poky-15f68138d4d0ff56704217369facc8baf03783a5.tar.gz

diff --git a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-nntplib-fix.patch b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-nntplib-fix.patch new file mode 100644 index 0000000000..443e137ea5 --- /dev/null +++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-nntplib-fix.patch
@@ -0,0 +1,105 @@
	1	Upstream-Status: Backport
	2
	3	CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to prevent
	4	readline() calls from consuming too much memory.
	5	Patch by Jyrki Pulliainen.
	6
	7	Signed-off-by: Tudor Florea <tudor.florea@enea.com>
	8
	9	diff -r 936621d33c38 Lib/nntplib.py
	10	--- a/Lib/nntplib.py Wed Feb 20 18:19:55 2013 -0500
	11	+++ b/Lib/nntplib.py Mon Sep 30 23:42:09 2013 +0200
	12	@@ -37,6 +37,13 @@
	13	"error_reply","error_temp","error_perm","error_proto",
	14	"error_data",]
	15
	16	+# maximal line length when calling readline(). This is to prevent
	17	+# reading arbitrary length lines. RFC 3977 limits NNTP line length to
	18	+# 512 characters, including CRLF. We have selected 2048 just to be on
	19	+# the safe side.
	20	+_MAXLINE = 2048
	21	+
	22	+
	23	# Exceptions raised when an error or invalid response is received
	24	class NNTPError(Exception):
	25	"""Base class for all nntplib exceptions"""
	26	@@ -200,7 +207,9 @@
	27	def getline(self):
	28	"""Internal: return one line from the server, stripping CRLF.
	29	Raise EOFError if the connection is closed."""
	30	- line = self.file.readline()
	31	+ line = self.file.readline(_MAXLINE + 1)
	32	+ if len(line) > _MAXLINE:
	33	+ raise NNTPProtocolError('line too long')
	34	if self.debugging > 1:
	35	print 'get', repr(line)
	36	if not line: raise EOFError
	37	diff -r 936621d33c38 Lib/test/test_nntplib.py
	38	--- /dev/null Thu Jan 01 00:00:00 1970 +0000
	39	+++ b/Lib/test/test_nntplib.py Mon Sep 30 23:42:09 2013 +0200
	40	@@ -0,0 +1,65 @@
	41	+import socket
	42	+import threading
	43	+import nntplib
	44	+import time
	45	+
	46	+from unittest import TestCase
	47	+from test import test_support
	48	+
	49	+HOST = test_support.HOST
	50	+
	51	+
	52	+def server(evt, serv, evil=False):
	53	+ serv.listen(5)
	54	+ try:
	55	+ conn, addr = serv.accept()
	56	+ except socket.timeout:
	57	+ pass
	58	+ else:
	59	+ if evil:
	60	+ conn.send("1 I'm too long response" * 3000 + "\n")
	61	+ else:
	62	+ conn.send("1 I'm OK response\n")
	63	+ conn.close()
	64	+ finally:
	65	+ serv.close()
	66	+ evt.set()
	67	+
	68	+
	69	+class BaseServerTest(TestCase):
	70	+ def setUp(self):
	71	+ self.evt = threading.Event()
	72	+ self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	73	+ self.sock.settimeout(3)
	74	+ self.port = test_support.bind_port(self.sock)
	75	+ threading.Thread(
	76	+ target=server,
	77	+ args=(self.evt, self.sock, self.evil)).start()
	78	+ time.sleep(.1)
	79	+
	80	+ def tearDown(self):
	81	+ self.evt.wait()
	82	+
	83	+
	84	+class ServerTests(BaseServerTest):
	85	+ evil = False
	86	+
	87	+ def test_basic_connect(self):
	88	+ nntp = nntplib.NNTP('localhost', self.port)
	89	+ nntp.sock.close()
	90	+
	91	+
	92	+class EvilServerTests(BaseServerTest):
	93	+ evil = True
	94	+
	95	+ def test_too_long_line(self):
	96	+ self.assertRaises(nntplib.NNTPProtocolError,
	97	+ nntplib.NNTP, 'localhost', self.port)
	98	+
	99	+
	100	+def test_main(verbose=None):
	101	+ test_support.run_unittest(EvilServerTests)
	102	+ test_support.run_unittest(ServerTests)
	103	+
	104	+if __name__ == '__main__':
	105	+ test_main()