From 15f68138d4d0ff56704217369facc8baf03783a5 Mon Sep 17 00:00:00 2001 From: Tudor Florea Date: Tue, 22 Sep 2015 01:38:33 +0200 Subject: python: Backport CVE-2013-1752 fix from upstream Signed-off-by: Tudor Florea --- .../python-2.7.3-CVE-2013-1752-imaplib-fix.patch | 37 ++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-imaplib-fix.patch (limited to 'meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-imaplib-fix.patch') diff --git a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-imaplib-fix.patch b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-imaplib-fix.patch new file mode 100644 index 0000000000..f4bd84d831 --- /dev/null +++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-imaplib-fix.patch @@ -0,0 +1,37 @@ +Upstream-Status: Backport + +CVE-2013-1752: Change use of readline in imaplib module to limit line length. Patch by Emil Lind. + +Signed-off-by: Tudor Florea + +diff -r ce583eb0bec2 Lib/imaplib.py +--- a/Lib/imaplib.py Thu Feb 21 20:17:54 2013 +0200 ++++ b/Lib/imaplib.py Tue Feb 26 22:36:52 2013 +0100 +@@ -35,6 +35,15 @@ + IMAP4_SSL_PORT = 993 + AllowedVersions = ('IMAP4REV1', 'IMAP4') # Most recent first + ++# Maximal line length when calling readline(). This is to prevent ++# reading arbitrary length lines. RFC 3501 and 2060 (IMAP 4rev1) ++# don't specify a line length. RFC 2683 however suggests limiting client ++# command lines to 1000 octets and server command lines to 8000 octets. ++# We have selected 10000 for some extra margin and since that is supposedly ++# also what UW and Panda IMAP does. ++_MAXLINE = 10000 ++ ++ + # Commands + + Commands = { +@@ -237,7 +246,10 @@ + + def readline(self): + """Read line from remote.""" +- return self.file.readline() ++ line = self.file.readline(_MAXLINE + 1) ++ if len(line) > _MAXLINE: ++ raise self.error("got more than %d bytes" % _MAXLINE) ++ return line + + + def send(self, data): -- cgit v1.2.3-54-g00ecf