python: Fix CVE-2014-1912

A remote user can send specially crafted data to trigger a buffer overflow in socket.recvfrom_into() and execute arbitrary code on the target system. The code will run with the privileges of the target service. This back-ported patch fixes CVE-2014-1912 (From OE-Core rev: 344049ccfa59ae489c35fe0fb7592f7d34720b51) Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Maxin B. John <maxin.john@enea.com> 2014-04-07 17:48:11 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-04-09 09:53:14 +0100
commit: e34ad1e27b7db3237ae0435864cced32133d7025 (patch)
tree: ebd140fed44797b530c929caee7060ccece2106a /meta/recipes-devtools/python
parent: 398a971f92bfe67ab3dad6420a4adf29ace66a55 (diff)
download: poky-e34ad1e27b7db3237ae0435864cced32133d7025.tar.gz
2 files changed, 27 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-1912.patch b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-1912.patch
new file mode 100644
index 0000000000..02cc83d314
--- /dev/null
+++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-1912.patch
@@ -0,0 +1,26 @@
+Upstream-Status: Backport
+Reference: http://bugs.python.org/issue20246
+CVE-2014-1912: Python buffer overflow in socket.recvfrom_into()
+lets remote users execute arbitrary code.Original patch by Benjamin Peterson
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+---
+diff -r 40fb60df4755 Modules/socketmodule.c
+--- a/Modules/socketmodule.c    Sun Jan 12 12:11:47 2014 +0200
+++ b/Modules/socketmodule.c    Mon Jan 13 16:36:35 2014 -0800
+@@ -2744,6 +2744,13 @@
+         recvlen = buflen;
+     }
+ 
+    /* Check if the buffer is large enough */
+    if (buflen < recvlen) {
+        PyErr_SetString(PyExc_ValueError,
+                        "buffer too small for requested bytes");
+        goto error;
+    }
+
+     readlen = sock_recvfrom_guts(s, buf.buf, recvlen, flags, &addr);
+     if (readlen < 0) {
+         /* Return an error */
diff --git a/meta/recipes-devtools/python/python_2.7.3.bb b/meta/recipes-devtools/python/python_2.7.3.bb
index c7bb9b4131..0d641720f1 100644
--- a/meta/recipes-devtools/python/python_2.7.3.bb
+++ b/meta/recipes-devtools/python/python_2.7.3.bb
@@ -35,6 +35,7 @@ SRC_URI += "\
  file://parallel-makeinst-create-bindir.patch \
  file://python-2.7.3-CVE-2013-1752-smtplib-fix.patch \
  file://python-fix-build-error-with-Readline-6.3.patch \
+  file://python-2.7.3-CVE-2014-1912.patch \
 "
 S = "${WORKDIR}/Python-${PV}"
author	Maxin B. John <maxin.john@enea.com>	2014-04-07 17:48:11 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-04-09 09:53:14 +0100
commit	e34ad1e27b7db3237ae0435864cced32133d7025 (patch)
tree	ebd140fed44797b530c929caee7060ccece2106a /meta/recipes-devtools/python
parent	398a971f92bfe67ab3dad6420a4adf29ace66a55 (diff)
download	poky-e34ad1e27b7db3237ae0435864cced32133d7025.tar.gz

diff --git a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-1912.patch b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-1912.patch new file mode 100644 index 0000000000..02cc83d314 --- /dev/null +++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2014-1912.patch
@@ -0,0 +1,26 @@
		1	Upstream-Status: Backport
		2
		3	Reference: http://bugs.python.org/issue20246
		4
		5	CVE-2014-1912: Python buffer overflow in socket.recvfrom_into()
		6	lets remote users execute arbitrary code.Original patch by Benjamin Peterson
		7
		8	Signed-off-by: Maxin B. John <maxin.john@enea.com>
		9	---
		10	diff -r 40fb60df4755 Modules/socketmodule.c
		11	--- a/Modules/socketmodule.c Sun Jan 12 12:11:47 2014 +0200
		12	+++ b/Modules/socketmodule.c Mon Jan 13 16:36:35 2014 -0800
		13	@@ -2744,6 +2744,13 @@
		14	recvlen = buflen;
		15	}
		16
		17	+ /* Check if the buffer is large enough */
		18	+ if (buflen < recvlen) {
		19	+ PyErr_SetString(PyExc_ValueError,
		20	+ "buffer too small for requested bytes");
		21	+ goto error;
		22	+ }
		23	+
		24	readlen = sock_recvfrom_guts(s, buf.buf, recvlen, flags, &addr);
		25	if (readlen < 0) {
		26	/* Return an error */


diff --git a/meta/recipes-devtools/python/python_2.7.3.bb b/meta/recipes-devtools/python/python_2.7.3.bb index c7bb9b4131..0d641720f1 100644 --- a/meta/recipes-devtools/python/python_2.7.3.bb +++ b/meta/recipes-devtools/python/python_2.7.3.bb
@@ -35,6 +35,7 @@ SRC_URI += "\
35	file://parallel-makeinst-create-bindir.patch \	35	file://parallel-makeinst-create-bindir.patch \
36	file://python-2.7.3-CVE-2013-1752-smtplib-fix.patch \	36	file://python-2.7.3-CVE-2013-1752-smtplib-fix.patch \
37	file://python-fix-build-error-with-Readline-6.3.patch \	37	file://python-fix-build-error-with-Readline-6.3.patch \
		38	file://python-2.7.3-CVE-2014-1912.patch \
38	"	39	"
39		40
40	S = "${WORKDIR}/Python-${PV}"	41	S = "${WORKDIR}/Python-${PV}"