python: Backport CVE-2013-1752 fix from upstream

This back ported patch fixes CVE-2013-1752 for smtplib (From OE-Core rev: 4af111e94edc93657c94de6b584c099571b4cf40) Signed-off-by: Maxin B. John <maxin.john@enea.com> Reviewed-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Maxin B. John <maxin.john@enea.com> 2014-02-28 12:53:33 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-02-28 14:01:15 +0000
commit: bbe9cb73395655f4e48804e5ab89da9fbc8f5447 (patch)
tree: 74535de87c9da23a7859b7d67380c67218b52384 /meta/recipes-devtools/python
parent: 617819a6bf723c87f776885152cfff8e98d9ffa1 (diff)
download: poky-bbe9cb73395655f4e48804e5ab89da9fbc8f5447.tar.gz
2 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-smtplib-fix.patch b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-smtplib-fix.patch
new file mode 100644
index 0000000000..f34ff40ea5
--- /dev/null
+++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-smtplib-fix.patch
@@ -0,0 +1,101 @@
+Upstream-Status: Backport
+Reference: http://bugs.python.org/issue16042
+CVE-2013-1752: smtplib: Limit amount of data read by limiting the 
+call to readline().  Original patch by Christian Heimes
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+---
+diff -Naur Python-2.7.3-orig/Lib/smtplib.py Python-2.7.3/Lib/smtplib.py
+--- Python-2.7.3-orig/Lib/smtplib.py    2012-04-10 01:07:31.000000000 +0200
+++ Python-2.7.3/Lib/smtplib.py 2014-02-27 14:15:24.444198465 +0100
+@@ -57,6 +57,7 @@
+ SMTP_PORT = 25
+ SMTP_SSL_PORT = 465
+ CRLF = "\r\n"
+_MAXLINE = 8192 # more than 8 times larger than RFC 821, 4.5.3
+ 
+ OLDSTYLE_AUTH = re.compile(r"auth=(.*)", re.I)
+ 
+@@ -179,10 +180,14 @@
+         def __init__(self, sslobj):
+             self.sslobj = sslobj
+ 
+-        def readline(self):
+        def readline(self, size=-1):
+            if size < 0:
+                size = None
+             str = ""
+             chr = None
+             while chr != "\n":
+                if size is not None and len(str) >= size:
+                    break
+                 chr = self.sslobj.read(1)
+                 if not chr:
+                     break
+@@ -351,7 +356,7 @@
+             self.file = self.sock.makefile('rb')
+         while 1:
+             try:
+-                line = self.file.readline()
+                line = self.file.readline(_MAXLINE + 1)
+             except socket.error as e:
+                 self.close()
+                 raise SMTPServerDisconnected("Connection unexpectedly closed: "
+@@ -361,6 +366,8 @@
+                 raise SMTPServerDisconnected("Connection unexpectedly closed")
+             if self.debuglevel > 0:
+                 print>>stderr, 'reply:', repr(line)
+            if len(line) > _MAXLINE:
+                raise SMTPResponseException(500, "Line too long.")
+             resp.append(line[4:].strip())
+             code = line[:3]
+             # Check that the error code is syntactically correct.
+diff -Naur Python-2.7.3-orig/Lib/test/test_smtplib.py Python-2.7.3/Lib/test/test_smtplib.py
+--- Python-2.7.3-orig/Lib/test/test_smtplib.py  2012-04-10 01:07:32.000000000 +0200
+++ Python-2.7.3/Lib/test/test_smtplib.py       2014-02-27 14:15:24.448198293 +0100
+@@ -292,6 +292,33 @@
+                             HOST, self.port, 'localhost', 3)
+ 
+ 
+@unittest.skipUnless(threading, 'Threading required for this test.')
+class TooLongLineTests(unittest.TestCase):
+    respdata = '250 OK' + ('.' * smtplib._MAXLINE * 2) + '\n'
+
+    def setUp(self):
+        self.old_stdout = sys.stdout
+        self.output = StringIO.StringIO()
+        sys.stdout = self.output
+
+        self.evt = threading.Event()
+        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        self.sock.settimeout(15)
+        self.port = test_support.bind_port(self.sock)
+        servargs = (self.evt, self.respdata, self.sock)
+        threading.Thread(target=server, args=servargs).start()
+        self.evt.wait()
+        self.evt.clear()
+
+    def tearDown(self):
+        self.evt.wait()
+        sys.stdout = self.old_stdout
+
+    def testLineTooLong(self):
+        self.assertRaises(smtplib.SMTPResponseException, smtplib.SMTP,
+                          HOST, self.port, 'localhost', 3)
+
+
+ sim_users = {'Mr.A@somewhere.com':'John A',
+              'Ms.B@somewhere.com':'Sally B',
+              'Mrs.C@somewhereesle.com':'Ruth C',
+@@ -511,7 +538,8 @@
+ def test_main(verbose=None):
+     test_support.run_unittest(GeneralTests, DebuggingServerTests,
+                               NonConnectingTests,
+-                              BadHELOServerTests, SMTPSimTests)
+                              BadHELOServerTests, SMTPSimTests,
+                              TooLongLineTests)
+ 
+ if __name__ == '__main__':
+     test_main()
diff --git a/meta/recipes-devtools/python/python_2.7.3.bb b/meta/recipes-devtools/python/python_2.7.3.bb
index ae4a1a6575..aaa72e5e10 100644
--- a/meta/recipes-devtools/python/python_2.7.3.bb
+++ b/meta/recipes-devtools/python/python_2.7.3.bb
@@ -33,6 +33,7 @@ SRC_URI += "\
  file://CVE-2013-4073_py27.patch \
  file://pypirc-secure.patch \
  file://parallel-makeinst-create-bindir.patch \
+  file://python-2.7.3-CVE-2013-1752-smtplib-fix.patch \
 "
 S = "${WORKDIR}/Python-${PV}"
author	Maxin B. John <maxin.john@enea.com>	2014-02-28 12:53:33 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-02-28 14:01:15 +0000
commit	bbe9cb73395655f4e48804e5ab89da9fbc8f5447 (patch)
tree	74535de87c9da23a7859b7d67380c67218b52384 /meta/recipes-devtools/python
parent	617819a6bf723c87f776885152cfff8e98d9ffa1 (diff)
download	poky-bbe9cb73395655f4e48804e5ab89da9fbc8f5447.tar.gz

diff --git a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-smtplib-fix.patch b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-smtplib-fix.patch new file mode 100644 index 0000000000..f34ff40ea5 --- /dev/null +++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-smtplib-fix.patch
@@ -0,0 +1,101 @@
		1	Upstream-Status: Backport
		2
		3	Reference: http://bugs.python.org/issue16042
		4
		5	CVE-2013-1752: smtplib: Limit amount of data read by limiting the
		6	call to readline(). Original patch by Christian Heimes
		7
		8	Signed-off-by: Maxin B. John <maxin.john@enea.com>
		9	---
		10	diff -Naur Python-2.7.3-orig/Lib/smtplib.py Python-2.7.3/Lib/smtplib.py
		11	--- Python-2.7.3-orig/Lib/smtplib.py 2012-04-10 01:07:31.000000000 +0200
		12	+++ Python-2.7.3/Lib/smtplib.py 2014-02-27 14:15:24.444198465 +0100
		13	@@ -57,6 +57,7 @@
		14	SMTP_PORT = 25
		15	SMTP_SSL_PORT = 465
		16	CRLF = "\r\n"
		17	+_MAXLINE = 8192 # more than 8 times larger than RFC 821, 4.5.3
		18
		19	OLDSTYLE_AUTH = re.compile(r"auth=(.*)", re.I)
		20
		21	@@ -179,10 +180,14 @@
		22	def __init__(self, sslobj):
		23	self.sslobj = sslobj
		24
		25	- def readline(self):
		26	+ def readline(self, size=-1):
		27	+ if size < 0:
		28	+ size = None
		29	str = ""
		30	chr = None
		31	while chr != "\n":
		32	+ if size is not None and len(str) >= size:
		33	+ break
		34	chr = self.sslobj.read(1)
		35	if not chr:
		36	break
		37	@@ -351,7 +356,7 @@
		38	self.file = self.sock.makefile('rb')
		39	while 1:
		40	try:
		41	- line = self.file.readline()
		42	+ line = self.file.readline(_MAXLINE + 1)
		43	except socket.error as e:
		44	self.close()
		45	raise SMTPServerDisconnected("Connection unexpectedly closed: "
		46	@@ -361,6 +366,8 @@
		47	raise SMTPServerDisconnected("Connection unexpectedly closed")
		48	if self.debuglevel > 0:
		49	print>>stderr, 'reply:', repr(line)
		50	+ if len(line) > _MAXLINE:
		51	+ raise SMTPResponseException(500, "Line too long.")
		52	resp.append(line[4:].strip())
		53	code = line[:3]
		54	# Check that the error code is syntactically correct.
		55	diff -Naur Python-2.7.3-orig/Lib/test/test_smtplib.py Python-2.7.3/Lib/test/test_smtplib.py
		56	--- Python-2.7.3-orig/Lib/test/test_smtplib.py 2012-04-10 01:07:32.000000000 +0200
		57	+++ Python-2.7.3/Lib/test/test_smtplib.py 2014-02-27 14:15:24.448198293 +0100
		58	@@ -292,6 +292,33 @@
		59	HOST, self.port, 'localhost', 3)
		60
		61
		62	+@unittest.skipUnless(threading, 'Threading required for this test.')
		63	+class TooLongLineTests(unittest.TestCase):
		64	+ respdata = '250 OK' + ('.' * smtplib._MAXLINE * 2) + '\n'
		65	+
		66	+ def setUp(self):
		67	+ self.old_stdout = sys.stdout
		68	+ self.output = StringIO.StringIO()
		69	+ sys.stdout = self.output
		70	+
		71	+ self.evt = threading.Event()
		72	+ self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		73	+ self.sock.settimeout(15)
		74	+ self.port = test_support.bind_port(self.sock)
		75	+ servargs = (self.evt, self.respdata, self.sock)
		76	+ threading.Thread(target=server, args=servargs).start()
		77	+ self.evt.wait()
		78	+ self.evt.clear()
		79	+
		80	+ def tearDown(self):
		81	+ self.evt.wait()
		82	+ sys.stdout = self.old_stdout
		83	+
		84	+ def testLineTooLong(self):
		85	+ self.assertRaises(smtplib.SMTPResponseException, smtplib.SMTP,
		86	+ HOST, self.port, 'localhost', 3)
		87	+
		88	+
		89	sim_users = {'Mr.A@somewhere.com':'John A',
		90	'Ms.B@somewhere.com':'Sally B',
		91	'Mrs.C@somewhereesle.com':'Ruth C',
		92	@@ -511,7 +538,8 @@
		93	def test_main(verbose=None):
		94	test_support.run_unittest(GeneralTests, DebuggingServerTests,
		95	NonConnectingTests,
		96	- BadHELOServerTests, SMTPSimTests)
		97	+ BadHELOServerTests, SMTPSimTests,
		98	+ TooLongLineTests)
		99
		100	if __name__ == '__main__':
		101	test_main()


diff --git a/meta/recipes-devtools/python/python_2.7.3.bb b/meta/recipes-devtools/python/python_2.7.3.bb index ae4a1a6575..aaa72e5e10 100644 --- a/meta/recipes-devtools/python/python_2.7.3.bb +++ b/meta/recipes-devtools/python/python_2.7.3.bb
@@ -33,6 +33,7 @@ SRC_URI += "\
33	file://CVE-2013-4073_py27.patch \	33	file://CVE-2013-4073_py27.patch \
34	file://pypirc-secure.patch \	34	file://pypirc-secure.patch \
35	file://parallel-makeinst-create-bindir.patch \	35	file://parallel-makeinst-create-bindir.patch \
		36	file://python-2.7.3-CVE-2013-1752-smtplib-fix.patch \
36	"	37	"
37		38
38	S = "${WORKDIR}/Python-${PV}"	39	S = "${WORKDIR}/Python-${PV}"